Cisco 2811 - Voice Security Bundle Router, Operations

Page 1: ...be freely reproduced and distributed whole and intact including this Copyright Notice Cisco 2811 and Cisco 2821 Integrated Services Routers with AIM VPN EPII Plus FIPS 140 2 Non Proprietary Security Policy Level 2 Validation Version 1 6 September 08 2008 ...

Page 2: ...SERVICES 12 2 3 1 User Services 12 2 3 2 Crypto Officer Services 12 2 3 3 Unauthenticated Services 13 2 3 4 Strength of Authentication 14 2 4 PHYSICAL SECURITY 14 2 5 CRYPTOGRAPHIC KEY MANAGEMENT 19 2 6 SELF TESTS 27 2 6 1 Self tests performed by the IOS image 27 2 6 2 Self tests performed by NetGX Chip 27 2 6 3 Self tests performed by AIM 28 3 SECURE OPERATION OF THE CISCO 2811 OR 2821 ROUTER 28 ...

Page 3: ...perations and capabilities of the 2811 and 2821 routers with AIM modules in the technical terms of a FIPS 140 2 cryptographic module security policy More information is available on the routers from the following sources The Cisco Systems website contains information on the full line of Cisco Systems routers Please refer to the following website http www cisco com en US products hw routers index h...

Page 4: ...f the router Section 3 specifically addresses the required configuration for the FIPS mode of operation With the exception of this Non Proprietary Security Policy the FIPS 140 2 Validation Submission Documentation is Cisco proprietary and is releasable only under appropriate non disclosure agreements For access to these documents please contact Cisco Systems ...

Page 5: ... the routers The following subsections describe the physical characteristics of the routers 2 1 The 2811 Cryptographic Module Physical Characteristics Figure 1 The 2811 router case The 2811 Router is a multiple chip standalone cryptographic module The router has a processing speed of 350MHz Depending on configuration installed AIM VPN EPII Plus module or the internal NetGX chip or the IOS software...

Page 6: ...3 shows the rear panel The front panel contains 4 LEDs that output status data about the system power auxiliary power system activity and compact flash busy status The back panel consists of 12 LEDs two Ethernet activity LEDs two duplex LEDs two speed LEDs two link LEDs two PVDM LEDs and two AIM LEDs The front panel contains the following 1 Power inlet 2 Power switch 3 Optional RPS input 4 Console...

Page 7: ...lled and initialized PVDM0 installed and initialized error AIM1 Off Solid Green Solid Orange AIM1 not installed AIM1 installed and initialized AIM1 installed and initialized error AIM0 Off Solid Green Solid Orange AIM0 not installed AIM0 installed and initialized AIM0 installed and initialized error Table 2 2811 Rear Panel Indicators The following table describes the meaning of Ethernet LEDs on th...

Page 8: ...B Ports Status Output Interface Main Power Plug Redundant Power Supply Plug Power Interface Table 4 2811 FIPS 140 2 Logical Interfaces The CF card that stored the IOS image is considered an internal memory module because the IOS image stored in the card may not be modified or upgraded The card itself must never be removed from the drive Tamper evident seal will be placed over the card in the drive...

Page 9: ...rnet RJ45 ports a Enhanced Network Module ENM slot a Voice Network Module VeNoM slot and a Compact Flash CF drive The 2821 router supports one single width network module four single width or two double width HWICs has two slots for AIM VPN BPII Plus cards2 three internal packet voice data modules PVDMs two fast Ethernet connections and 16 ports of IP phone power output Figure 5 shows the front pa...

Page 10: ...and functional 48V PS or RPS present and failure detected Activity Off Blinking Green Solid Green No interrupts or packet transfer occurring System is servicing interrupts System is actively transferring packets Compact Flash Off Solid Green No ongoing accesses eject permitted Device is busy do not eject Table 5 2821 Front Panel Indicators Name State Description PVDM2 Off Solid Green Solid Orange ...

Page 11: ...Ethernet link is established Table 7 2821 Ethernet Indicators The physical interfaces are separated into the logical interfaces from FIPS 140 2 as described in the following table Router Physical Interface FIPS 140 2 Logical Interface 10 100 Ethernet LAN Ports HWIC Ports Console Port Auxiliary Port ENM Slot VeNoM Slot USB Ports Data Input Interface 10 100 Ethernet LAN Ports HWIC Ports Console Port...

Page 12: ...Management manual and in the online help for the router 2 3 1 User Services Users enter the system by accessing the console port with a terminal program or via IPSec protected telnet or SSH session to a LAN port The IOS prompts the User for username and password If the password is correct the User is allowed entry to the IOS executive program The services available to the User role consist of the ...

Page 13: ...er configurations Set Encryption Bypass Set up the configuration tables for IP tunneling Set preshared keys and algorithms to be used for each IP range or allow plaintext packets to be set from specified IP address Bypass Mode The routers implement an alternating bypass capability in which some connections may be cryptographically authenticated and encrypted while others may not Two independent in...

Page 14: ...r exceeds the operational capabilities of the modules to support When using preshared key based authentication the security policy stipulates that all preshared keys must be 8 alphanumeric characters so the key space is 2 8 trillion possible combinations The possibility of randomly guessing this is thus far less than one in one million To exceed a one in 100 000 probability of a successful random ...

Page 15: ...g this Copyright Notice 15 Figure 7 2811 Opacity Shields Figure 8 2821 opacity shield placement Once the router has been configured in to meet FIPS 140 2 Level 2 requirements the router cannot be accessed without signs of tampering To seal the system apply serialized tamper evidence labels as follows For Cisco 2811 ...

Page 16: ...be placed over the CF card in the slot so that any attempt to remove the card will show sign of tampering 4 The tamper evidence label should be placed so that the one half of the label covers the enclosure and the other half covers the port adapter slot 5 The tamper evidence label should be placed so that the one half of the label covers the enclosure and the other half covers the rear panel 6 Pla...

Page 17: ...overs the front panel and the other half covers the enclosure 3 The tamper evidence label should be placed over the CF card in the slot so that any attempt to remove the card will show sign of tampering 4 The tamper evidence label should be placed so that the one half of the label covers the enclosure and the other half covers the port adapter slot 5 The tamper evidence label should be placed so t...

Page 18: ...ced and distributed whole and intact including this Copyright Notice 18 Figure 12 Cisco 2821 Tamper Evident Label Placement Back View Figure 13 Cisco 2821 Tamper Evident Label Placement Front View Figure 14 Cisco 2821 Tamper Evident Label Placement on the Opacity Shield ...

Page 19: ...so protected by the password protection on the Crypto Officer role login and can be zeroized by the Crypto Officer All zeroization consists of overwriting the memory that stored the key Keys are exchanged and entered electronically or via Internet Key Exchange IKE or SSL handshake protocols The routers support the following FIPS 2 approved algorithm implementations Algorithm Algorithm Certificate ...

Page 20: ...ve HMAC SHA 1 key 3 RSA digital signatures based authentication is used for IKE with Diffie Hellman Key agreement technique to derive AES or Triple DES keys 4 RSA encrypted nonces based authentication is used for IKE with Diffie Hellman Key agreement technique to derive AES or Triple DES keys 5 RSA key transport is used to derive the Triple DES or AES keys during SSLv3 1 TLS handshake The module s...

Page 21: ...d updated periodically after the generation of 400 bytes after this it is reseeded with router derived entropy hence it is zeroized periodically Also the operator can turn off the router to zeroize this CSP DRAM Automatically every 400 bytes or turn off the router PRNG Seed Key X9 31 This is the seed key for the PRNG DRAM Turn off the router Diffie Hellman private exponent DH The private exponent ...

Page 22: ...cation Generated or entered like any RSA key set as IKE RSA Authentication Key with the crypto keyring or ca trust point command NVRAM crypto key zeroize rsa IKE RSA Encrypted Nonce Private Key RSA RSA private key for IKE encrypted nonces Generated like any RSA with the usage keys parameter included NVRAM crypto key zeroize rsa IKE RSA Encrypted Nonce Public Key RSA RSA public key for IKE encrypte...

Page 23: ...e plaintext password of the CO role This password is zeroized by overwriting it with a new password NVRAM Overwrite with new password Enable secret Shared Secret The ciphertext password of the CO role However the algorithm used to encrypt this password is not FIPS approved Therefore this password is considered plaintext for FIPS purposes This password is zeroized by overwriting it with a new passw...

Page 24: ...le Service Access Policy r read w write d delete Roles Service User Role Status Functions Network Functions Terminal Functions Directory Services SSL TLS VPN EASY VPN Crypto Officer Role Configure the Router Define Rules and Filters Status Functions Manage the Router Set Encryption Bypass Change WAN Interface Cards Security Relevant Data Item PRNG Seed r d r w d PRNG Seed Key r d r w d Diffie Hell...

Page 25: ...blic Key r r w d r w r w d IKE RSA Encrypted Nonce Private Key r r w d r w r w d IKE RSA Encrypted Nonce Public Key r r w d r w r w d IPSec encryption key r r w d r w d IPSec authentication key r r w d r w d Configuration encryption key r w d r w d Router authentication key 1 r r w d PPP authentication key r d r w Router authentication key 2 r r w d SSH session key r r w d User password r r w d En...

Page 26: ...hole and intact including this Copyright Notice 26 TACACS secret r w d TLS server private key r r w d r w r w d TLS server public key r r w d r w r w d TLS pre master secret r r w d r w d TLS Encryption Key r r w d r w d TLS Integrity Key r r w d r w d Table 6 Role and Service Access to CSP ...

Page 27: ...y prior to executing IPSec and a continuous random number generator test If any of the self tests fail the router transitions into an error state In the error state all secure data transmission is halted and the router outputs status information indicating the failure Examples of the errors that cause the system to transition to an error state IOS image integrity checksum failed Microprocessor ove...

Page 28: ...est for the hardware RNG 3 Secure Operation of the Cisco 2811 or 2821 router The Cisco 2811 and 2821 routers meet all the Level 2 requirements for FIPS 140 2 Follow the setting instructions provided below to place the module in FIPS approved mode Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation 3 1 Initial Setup 1 The ...

Page 29: ...cters except are accepted and is entered when the Crypto Officer first engages the enable command The Crypto Officer enters the following syntax at the prompt enable secret PASSWORD 4 The Crypto Officer must always assign passwords of at least 8 characters to users Identification and authentication on the console port is required for Users From the configure terminal command line the Crypto Office...

Page 30: ...sed in FIPS mode of operation The following algorithms are not FIPS approved and should not be used in the FIPS approved mode MD5 RC4 RC2 DES 3 6 Remote Access 1 Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module The Crypto officer must configure the module so that any remote connections via telnet are secured through IPSec using FIPS app...

Page 31: ...include all standard Cisco information included in all documentation produced by Cisco Be sure that the following line is in the legal statements at the end of the document By printing or making a copy of this document the user agrees to use this information for product evaluation purposes only Sale of this information in whole or in part is not authorized by Cisco Systems ...