Cisco 2851 User Guide

Cisco 2851 - Integrated Services Router Manual

Cisco 2851 manual content summary:

  • Cisco 2851 | User Guide - Page 1
    This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 2851 Integrated Services Router without an AIM card installed. This security policy describes how the Cisco 2851 Integrated Services Router (Hardware Version: 2851; Firmware Version: 12.3(11)T03) meet the
  • Cisco 2851 | User Guide - Page 2
    Cisco 2851 Routers References This document deals only with operations and capabilities of the Cisco 2851 Integrated Services Router in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the routers from the following sources: • The Cisco
  • Cisco 2851 | User Guide - Page 3
    RPS INPUT COMPACT FLASH 1 Do Not Remove During Network Operation 0 12V -48V 11A 4A CONSOLE AUX 100-240 50/60 V~ Hz 4A 95903 The Cisco 2851 router is a multiple-chip standalone cryptographic module. The router has a processing speed of 450MHz. Depending on configuration, either the
  • Cisco 2851 | User Guide - Page 4
    Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two10/100 Gigabit Ethernet RJ45 ports, a Enhanced Network Module (ENM) slot, a Voice Network Module (VeNoM) slot, and a Compact Flash (CF) drive. The Cisco 2851 router supports one single-width network module, four single-width or two
  • Cisco 2851 | User Guide - Page 5
    initialized AIM1 installed and initialized error AIM0 not installed AIM0 installed and initialized AIM0 installed and initialized error Table 3 describes the meaning of Ethernet LEDs on the rear panel: OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 5
  • Cisco 2851 | User Guide - Page 6
    Port ENM Slot VeNoM Slot 10/100 Ethernet LAN Ports HWIC Ports Power Switch Console Port Auxiliary Port ENM Slot FIPS 140-2 Logical Interface Data Input Interface Data Output Interface Control Input Interface Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 6 OL
  • Cisco 2851 | User Guide - Page 7
    an internal memory module, because the IOS image stored in the card may not be modified or upgraded. The card itself must never be removed from the drive. Tamper evident seal will be placed over the card in the drive. Roles and Services Authentication in Cisco 2851 is role-based. There are
  • Cisco 2851 | User Guide - Page 8
    slots. Once the router has been configured in to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows: Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy
  • Cisco 2851 | User Guide - Page 9
    the memory that stored the key. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE). The routers support the following FIPS 140-2 approved algorithm implementations: OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 9
  • Cisco 2851 | User Guide - Page 10
    used to derive HMAC-SHA-1 key. The module supports commercially available Diffie-Hellman for key establishment. See the Cisco IOS Reference Guide. All pre-shared keys are associated with the hex-key-data Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 10 OL-8717-01
  • Cisco 2851 | User Guide - Page 11
    configuration must be copied to the start-up configuration in NVRAM in order to completely zeroize the keys. The module supports used in Diffie-Hellman (DH) exchange as part of IKE. Zeroized after the DH shared secret Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 11
  • Cisco 2851 | User Guide - Page 12
    " Automatically upon completion of authentication attempt. Turn off the router. "# no username password" Automatically when SSH session terminated Overwrite with new password Overwrite with new password Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 12 OL-8717-01
  • Cisco 2851 | User Guide - Page 13
    Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryptions/Bypass Change WAN Interface Cards SRDI/Role/Service Access Policy Security Relevant Data Item PRNG Seed r DH private exponent r DH public key r dr w d r w d r w d OL-8717-01 Cisco 2851
  • Cisco 2851 | User Guide - Page 14
    Cards SRDI/Role/Service Access Policy skeyid skeyid_d skeyid_a skeyid_e IKE session encrypt key IKE session authentication key ISAKMP preshared IKE hash key secret_1_0_0 IPSec encryption key IPSec encryption key r r r r r r r r r r w d r r Cisco 2851 Integrated Services Router
  • Cisco 2851 | User Guide - Page 15
    key 2 SSH session key User password Enable password Enable secret RADIUS secret TACACS+ secret r r w w d d r r w d r dr w r r w d r r w d r r w d r w d r w d r w d r w d OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 15
  • Cisco 2851 | User Guide - Page 16
    • Conditional tests - Conditional bypass test - Continuous random number generation test Self-tests performed by Safenet Safenet Self Tests • POST tests - AES Known Answer Test - DES Known Answer Test Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 16 OL-8717-01
  • Cisco 2851 | User Guide - Page 17
    "configure terminal" command line, the Crypto Officer enters the following syntax: line con 0 password [PASSWORD] login local • RADIUS and TACACS+ shared secret key sizes must be at least 8 characters long. OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy
  • Cisco 2851 | User Guide - Page 18
    : • Cisco 2800 Series Integrated Services Routers Quick Start Guides • Cisco 2800 Series Hardware Installation documents • Cisco 2800 Series Software Configuration documents • Cisco 2800 Series Cards and Modules Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 18 OL
  • Cisco 2851 | User Guide - Page 19
    011 408 519-5055. You can also order documentation by e-mail at [email protected] or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001. OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 19
  • Cisco 2851 | User Guide - Page 20
    should be reported. All other conditions are considered nonemergencies. • Nonemergencies - [email protected] In an emergency, you can also reach PSIRT by telephone: • 1 877 228-7302 • 1 408 525-6532 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 20 OL-8717-01
  • Cisco 2851 | User Guide - Page 21
    results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call. OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 21
  • Cisco 2851 | User Guide - Page 22
    sources. • Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 22
  • Cisco 2851 | User Guide - Page 23
    at this URL: http://www.cisco.com/discuss/networking • World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html OL-8717-01 Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 23
  • Cisco 2851 | User Guide - Page 24
    mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R) Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy 24 OL-8717-01

Cisco 2851 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation
Version 1.3
November 23, 2005

Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

© 2005 Cisco Systems, Inc. All rights reserved.
Introduction

This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 2851 Integrated Services Router without an AIM card installed. This security policy describes how the Cisco 2851 Integrated Services Router (Hardware Version: 2851; Firmware Version: 12.3(11)T03) meets the security requirements of FIPS 140-2, and how to operate the router with on-board crypto enabled in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Cisco 2851 Integrated Services Router.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at .
This document contains the following sections:

  • Introduction, page 1
  • Cisco 2851 Routers, page 2
  • Secure Operation of the Cisco 2851 Router, page 17
  • Related Documentation, page 18
  • Obtaining Documentation, page 19
  • Documentation Feedback, page 20
  • Cisco Product Security Overview, page 20
  • Obtaining Technical Assistance, page 21
  • Obtaining Additional Publications and Information, page 22