Cisco 2811 Security Policy

Cisco 2811 - Voice Security Bundle Router Manual

Cisco 2811 manual content summary:

  • Cisco 2811 | Security Policy - Page 1
    Cisco 2811 and Cisco 2821 Integrated Services Routers with AIM-VPN/EPII-Plus FIPS 140-2 Non Proprietary Security Policy Level 2 Validation Version 1.6 September 08, 2008 © Copyright 2007 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this
  • Cisco 2811 | Security Policy - Page 2
Organization 3; 2 Cisco 2811 and 2821 Routers 5; 2.1 The 2811 Cryptographic Module Physical Characteristics 5; 2.2 The 2821 Cryptographic Module Physical Characteristics 8; 2.3 Roles and Services 12; 2.3.1 User Services 12; 2.3.2 Crypto Officer Services 12; 2.3.3 Unauthenticated Services 13
  • Cisco 2811 | Security Policy - Page 3
    non-proprietary Cryptographic Module Security Policy for the Cisco 2811 and 2821 Integrated Services Routers with AIM-VPN/EPII-Plus installed. This security policy describes how the Cisco 2811 and 2821 Integrated Services Routers (Hardware Version: 2811 or 2821; Firmware Version: IOS 12.4 (15) T3
  • Cisco 2811 | Security Policy - Page 4
    and functionality of the router. Section 3 specifically addresses the required configuration for the FIPS-mode of operation. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate
  • Cisco 2811 | Security Policy - Page 5
    2811 Cryptographic Module Physical Characteristics Figure 1 - The 2811 router case The 2811 Router is a multiple-chip standalone cryptographic module. The router has a processing speed of 350MHz. Depending on configuration, installed AIM-VPN/EPII-Plus module, or the internal NetGX chip or the IOS
  • Cisco 2811 | Security Policy - Page 6
Gigabit Ethernet RJ45 ports, an Enhanced Network Module (ENM) slot, and a Compact Flash (CF) drive. The 2811 router supports one single-width network module, four single-width or two double-width HWICs, two slots for AIM-VPN/BPII-Plus cards [footnote 1], two internal packet voice data modules (PVDMs), two fast
  • Cisco 2811 | Security Policy - Page 7
from FIPS 140-2 as described in the following table: Router Physical Interface: 10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, ENM Slot, USB Ports; FIPS 140-2 Logical Interface: Data Input Interface
  • Cisco 2811 | Security Policy - Page 8
Port, USB Ports, Main Power Plug, Redundant Power Supply Plug; FIPS 140-2 Logical Interface: Data Output Interface, Control Input Interface, Status Output Interface, Power Interface (Table 4 - 2811 FIPS 140-2 Logical Interfaces). The CF card that stores the IOS image is considered an internal memory module
  • Cisco 2811 | Security Policy - Page 9
(CF) drive. The 2821 router supports one single-width network module, four single-width or two double-width HWICs, has two slots for AIM-VPN/BPII-Plus cards [footnote 2], three internal packet voice data modules (PVDMs), two fast Ethernet connections, and 16 ports of IP phone power output. Figure 5 shows the
  • Cisco 2811 | Security Policy - Page 10
router: Name: System Power; Auxiliary Power; servicing installed; PVDM0 installed and initialized; PVDM0 installed and initialized error; AIM1 not installed; AIM1 installed and initialized; AIM1 installed and initialized error; AIM0 not installed; AIM0 installed and initialized
  • Cisco 2811 | Security Policy - Page 11
10/100 Ethernet LAN Port LEDs, AIM LEDs, PVDM LEDs, Power LED, Activity LEDs, Auxiliary LED, Compact Flash LED, Console Port, Auxiliary Port, USB Ports; FIPS 140-2 Logical Interface: Data Input Interface, Data Output Interface, Control Input Interface, Status Output Interface
  • Cisco 2811 | Security Policy - Page 12
considered an internal memory module. The reason is that the IOS image stored on the card cannot be modified or upgraded. The card itself must never be removed from the drive. A tamper evident seal will be placed over the card in the drive. 2.3 Roles and Services Authentication in Cisco 2811 and 2821 is
  • Cisco 2811 | Security Policy - Page 13
SNMP MIB statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status. Log off users, shutdown or reload the router, erase the flash memory, manually back up router configurations, view complete configurations, manage user
  • Cisco 2811 | Security Policy - Page 14
    capabilities of the module to support. 2.4 Physical Security The router is entirely encased by a metal, opaque case. The rear of the unit contains HWIC/WIC/VIC connectors, LAN connectors, a CF drive, power connector, console connector, auxiliary connector, USB port, and fast Ethernet connectors. The
  • Cisco 2811 | Security Policy - Page 15
opacity shield placement Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows: For Cisco 2811:
  • Cisco 2811 | Security Policy - Page 16
9, 10 and 11 show the additional tamper evidence label placements for the 2811. Figure 9 - 2811 Tamper Evident Label Placement (Back View) Figure 10 - 2811 Tamper Evident Label Placement (Front View)
  • Cisco 2811 | Security Policy - Page 17
    Figure 11 - 2811 Tamper Evident Label Placement on the Opacity Shield For Cisco 2821: 1. Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C. 2. The
  • Cisco 2811 | Security Policy - Page 18
2821 Tamper Evident Label Placement (Back View) Figure 13 - Cisco 2821 Tamper Evident Label Placement (Front View) Figure 14 - Cisco 2821 Tamper Evident Label Placement on the Opacity Shield
  • Cisco 2811 | Security Policy - Page 19
    password-protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE) or SSL handshake protocols. The routers support
  • Cisco 2811 | Security Policy - Page 20
    entity. All other keys are associated with the user/role that entered them. Key Zeroization: Each key can be zeroized by sending the "no" command prior to the key function commands. This will zeroize each key from the DRAM, the running configuration. "Clear Crypto IPSec SA" will zeroize the Triple
  • Cisco 2811 | Security Policy - Page 21
    configuration in NVRAM in order to completely zeroize the keys. The RSA keys are zeroized by issuing the CLI command "crypto key zeroize rsa". All SSL/TLS session keys are zeroized automatically at the end of the SSL/TLS session. The module supports the following keys and critical security router
  • Cisco 2811 | Security Policy - Page 22
    is zeroized when the "no key configkey" is issued. Note that this command does not decrypt the configuration file, so zeroize with care. This key is used by the router to authenticate itself to the peer. The router itself gets the password (that is used as this key) from the AAA server and sends it
  • Cisco 2811 | Security Policy - Page 23
    local database (on the router itself). Issuing the "no username password" zeroizes the password (that is used as this key) from the local database. This is the SSH session key. It is zeroized when the SSH session is terminated. The password of the User role. This password is zeroized by overwriting
  • Cisco 2811 | Security Policy - Page 24
Functions, Directory Services, SSL-TLS/VPN, EASY VPN; Crypto Officer Role: Configure the Router, Define Rules and Filters, Status Functions, Manage the Router, Set Encryption/Bypass, Change WAN Interface Cards. SRDI/Role/Service Access Policy (r = read, w = write, d = delete): Security Relevant Data Item: PRNG
  • Cisco 2811 | Security Policy - Page 25
    Nonce Public Key r IPSec encryption key r IPSec authentication key r Configuration encryption key Router authentication key 1 r PPP authentication key r Router authentication key 2 r SSH session key r User password r Enable password Enable secret RADIUS secret secret_1_0_0
  • Cisco 2811 | Security Policy - Page 26
public key r r w d r w r w d TLS pre-master secret r r r w w d d TLS Encryption Key r r r w w d d TLS Integrity Key r r r w w d d Table 6 - Role and Service Access to CSP
  • Cisco 2811 | Security Policy - Page 27
    an error state. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure. Examples of the errors that cause the system to transition to an error state: • IOS image integrity checksum failed • Microprocessor overheats and burns out
  • Cisco 2811 | Security Policy - Page 28
executing the following commands: "configure terminal", "no service password-recovery", "end", "show version". NOTE: Once Password Recovery is disabled, administrative access to the module without the password will not be possible. Footnote 3: Unless disabled by Crypto Officer.
  • Cisco 2811 | Security Policy - Page 29
syntax at the "#" prompt: "enable secret [PASSWORD]". 4. The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication on the console port is required for Users. From the "configure terminal" command line, the Crypto Officer enters the following
  • Cisco 2811 | Security Policy - Page 30
    so that any remote connections via telnet are secured through IPSec, using FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted. 2. SSH access to the module is only allowed if SSH is configured to use a FIPS-approved algorithm. The Crypto officer
  • Cisco 2811 | Security Policy - Page 31
    EDITOR'S NOTE: You may now include all standard Cisco information included in all documentation produced by Cisco. Be sure that the following line is in the legal statements at the end of the document: By printing or making a copy of this document, the user agrees to use this information for product

© Copyright 2007 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Cisco 2811 and Cisco 2821
Integrated Services Routers
with
AIM-VPN/EPII-Plus
FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation
Version 1.6
September 08, 2008