
Cisco 7206VXR/NPE-G2 - 7206 VXR with NPE-G2


Contents

1. FIPS 140-2 Non-Proprietary Security Policy for the Cisco 7206 VXR Chassis and the Cisco 7301 Chassis, OL-15484-01. Module Descriptions.

Table 4 Critical Security Parameters (continued)

CSP | Name / Description | Storage
CSP 3 | The shared secret within IKE exchange. Zeroized when the IKE session is terminated. | DRAM (plaintext)
CSP 4 | Same as above. | DRAM (plaintext)
CSP 5 | Same as above. | DRAM (plaintext)
CSP 6 | Same as above. | DRAM (plaintext)
CSP 7 | The IKE session encrypt key. The zeroization is the same as above. | DRAM (plaintext)
CSP 8 | The IKE session authentication key. The zeroization is the same as above. | DRAM (plaintext)
CSP 9 | The key used to generate IKE skeyid during preshared-key authentication. The "no crypto isakmp key" command zeroizes it. This key can have two forms, based on whether the key is related to the hostname or the IP address. | NVRAM (plaintext)
CSP 10 | This key generates keys 3, 4, 5 and 6. This key is zeroized after generating those keys. | DRAM (plaintext)
CSP 11 | The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash. | NVRAM (plaintext)
CSP 12 | The IPSec encryption key. Zeroized when the IPSec session is terminated. | DRAM (plaintext)
CSP 13 | The IPSec authentication key. The zeroization is the same as above. | DRAM (plaintext)
CSP 14 | This key is used by the router to authenti- [table continues in item 13] |
2. FIPS 140-2 Non-Proprietary Security Policy for the Cisco 7206 VXR NPE-G1, Cisco 7206 VXR NPE-G2, Cisco 7206 VXR NPE-G1 with VSA, and the Cisco 7301 with VAM2:

- Cisco 7206 VXR Chassis with NPE-G1 or NPE-G2 and VAM2 Encryption Module
- Cisco 7206 VXR Chassis with NPE-G1 or NPE-G2, VAM2 Encryption Module and 7200 Port Adapter Jacketcard
- Cisco 7206 VXR Chassis with NPE-G1 or NPE-G2 and VSA Encryption Module
- Cisco 7301 Chassis with NPE-G1 and VAM2 Encryption Module

Level 2 Validation. Document Version: Version 1.6, November 16, 2007.

Introduction

This is a non-proprietary Cryptographic Module Security Policy for the 7206VXR NPE-G1, 7206VXR NPE-G2 and 7301 with VAM, and the 7206VXR NPE-G2 with VSA from Cisco Systems, Inc., referred to in this document as the modules, routers, or by their specific model name. This security policy describes how the modules meet the security requirements of FIPS 140-2 and how to run the modules in a FIPS 140-2 mode of operation. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the following modules:

- 7206VXR NPE-G1 or NPE-G2 with VAM2
- 7206VXR NPE-G1 or NPE-G2 with c7200-JC-PA and VAM2
- 7206VXR NPE-G2 with VSA, and
- 7301 with VAM2

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and
3. [continued from item 12] ...PASSWORD
login local

The Crypto Officer shall not assign users to a privilege level other than Level 1 (the default).

The Crypto Officer may configure the module to use RADIUS or TACACS+ for authentication. Configuring the module to use RADIUS or TACACS+ for authentication is optional. If the module is configured to use RADIUS or TACACS+, the Crypto Officer must define RADIUS or TACACS+ shared secret keys that are at least 8 characters long, including at least one letter and at least one number.

The Crypto Officer must apply tamper evidence labels as described later in this document.

The module must be configured to only use hardware acceleration. As such, if there is a failure in the VAM2 or VSA card, the module is considered to be out of FIPS Approved Mode of operation.

- A failure in the integrity check for VAM2 will be indicated via the following console message:
  <DATE>: %VPN_HW-1-INITFAIL: Slot <SLOT NUMBER>: File doesn't verify
  <DATE>: %VPN_HW-1-INITFAIL: Slot <SLOT NUMBER>: microcode download failure
  The status of the VAM2 can also be verified with the "show crypto engine config" command.
- A failure in the integrity check for VSA will be indicated via the following console message:
  VSA boot error: POST FAILURE
  The status of the VSA can also [continues in item 9]
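Because the policy requires hardware-only crypto (software IPSec failover is disabled), the console messages listed above are the operator's signal that the module has silently dropped out of FIPS-approved mode. The following Python watcher, added here as an example and not part of Cisco's document, scans console output for exactly those messages. The sample lines are constructed, and the punctuation of the messages (Cisco's %FACILITY-SEVERITY-MNEMONIC syslog form) is an assumption, since this copy of the policy shows them with punctuation stripped.

```python
"""Flag the console messages that the security policy says indicate a VAM2 or
VSA integrity-check failure, which takes the module out of FIPS-approved mode.
Added example, not Cisco's code.  The sample console lines are constructed, and
the exact punctuation of the messages (Cisco's %FACILITY-SEVERITY-MNEMONIC
syslog form) is an assumption; the policy text shows them without punctuation."""
import re

# One pattern per failure message listed in the policy.  The slot number is
# captured for the VAM2 messages so the operator knows which card failed.
FAILURE_PATTERNS = {
    "VAM2 integrity check failed (file doesn't verify)":
        re.compile(r"%?VPN_HW-1-INITFAIL: Slot (\d+): File doesn't verify"),
    "VAM2 integrity check failed (microcode download failure)":
        re.compile(r"%?VPN_HW-1-INITFAIL: Slot (\d+): microcode download failure"),
    "VSA POST failure":
        re.compile(r"VSA boot error: POST FAILURE"),
}


def classify_line(line):
    """Return (reason, slot_or_None) for a matching failure message, else None."""
    for reason, pattern in FAILURE_PATTERNS.items():
        m = pattern.search(line)
        if m:
            slot = int(m.group(1)) if m.groups() else None
            return reason, slot
    return None


def fips_mode_failures(console_lines):
    """Scan console output in order and return [(line_no, reason, slot), ...].

    With 'no crypto engine software ipsec' configured, as the policy requires,
    there is no software fallback, so any hit means the module must be treated
    as out of FIPS-approved mode until 'show crypto engine config' (VAM2) or the
    accelerator status commands (VSA) confirm the card is healthy again.
    """
    hits = []
    for line_no, line in enumerate(console_lines, start=1):
        result = classify_line(line)
        if result is not None:
            hits.append((line_no, result[0], result[1]))
    return hits


# Constructed sample console output: a reboot in which the VAM2 in slot 5 fails
# both integrity checks; the surrounding lines are ordinary boot messages.
SAMPLE_CONSOLE = [
    "*Nov 16 10:02:11.301: %SYS-5-RESTART: System restarted --",
    "*Nov 16 10:02:13.882: %VPN_HW-1-INITFAIL: Slot 5: File doesn't verify",
    "*Nov 16 10:02:13.884: %VPN_HW-1-INITFAIL: Slot 5: microcode download failure",
    "*Nov 16 10:02:15.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    for line_no, reason, slot in fips_mode_failures(SAMPLE_CONSOLE):
        where = f" (slot {slot})" if slot is not None else ""
        print(f"line {line_no}: {reason}{where}: module is OUT of FIPS-approved mode")
```

A hit is a state change, not just an alert: the policy treats the module as out of FIPS mode from that point on, so the watcher's output should feed whatever process re-verifies the card and, if the card cannot be recovered, triggers the zeroization the policy requires when leaving FIPS mode.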
4. [continued from item 15] ...the module also provides the following conditional self-tests:

Table 8 Module Conditional Self-Tests

Implementation | Tests Performed
IOS | Continuous Random Number Generator test for the FIPS-approved RNG; Continuous Random Number Generator test for the non-approved RNGs; Conditional Bypass test
VAM2 | Continuous Random Number Generator test for the FIPS-approved RNG; Continuous Random Number Generator test for the non-approved RNGs
VSA | Continuous Random Number Generator test for the non-approved RNG

Secure Operation

These routers meet all the applicable Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS mode. Operating this router without maintaining the following settings will remove the module from the FIPS-approved mode of operation.

All configuration activities must be performed via the command line interface (via the console for initial configuration, or via IPSec-protected SSH v2 or telnet sessions); neither of the web configuration tools (CSRW or SDM) may be used.

System Initialization and Configuration (Steps 1 to 9)

Step 1 The Crypto Officer must perform the initial configuration. The following advanced enterprise builds are the only [continues in item 12]
5. Cisco Systems, Inc. Module Descriptions

Cisco 7206VXR NPE-G1 and NPE-G2

Cisco 7206 VXR routers are designed to support gigabit capabilities and to improve data, voice and video integration in both service provider and enterprise environments. Cisco 7206 VXR routers support high-speed network processing engines like the NPE-G1 and NPE-G2, and all other available network processing engines. Cisco 7206 VXR routers accommodate a variety of network interface port adapters and an Input/Output (I/O) controller. A Cisco 7206 VXR router equipped with an NPE-G1 or NPE-G2 can support up to six high-speed port adapters and can also support higher-speed port adapter interfaces, including Gigabit Ethernet and OC-12 ATM (Optical Carrier 12, Asynchronous Transfer Mode). In addition, a Cisco 7206VXR router with an NPE-G2 provides integrated I/O functionality. Cisco 7206 VXR routers also contain bays for up to two AC-input or DC-input power supplies.

Cisco 7206 VXR routers support the following features:

- Online insertion and removal (OIR): Add, replace or remove port adapters without interrupting the system.
- Dual hot-swappable, load-sharing power supplies: Provide system power redundancy; if one power supply or power source fails, the other power supply maintains system power without interruption. Also, when one power supply is powered off and removed from the router, the second power supply immediately takes over the router power requirements without interrup-
6. [continued from item 10] ...FIPS PUB 140-2.

Table 1 Validation Level by Section

No. | Area Title | Level
1 | Cryptographic Module Specification | 2
2 | Cryptographic Module Ports and Interfaces | 2
3 | Roles, Services and Authentication | 2
4 | Finite State Model | 2
5 | Physical Security | 2
6 | Operational Environment | N/A
7 | Cryptographic Key Management | 2
8 | Electromagnetic Interface/Electromagnetic Compatibility | 2
9 | Self-Tests | 2
10 | Design Assurance | 2
11 | Mitigation of Other Attacks | N/A

The Cryptographic Module

The cryptographic boundary for the 7206VXR NPE-G1 or NPE-G2 with VAM2 is defined as encompassing the top, front, left, right and bottom surfaces of the case; all portions of the backplane of the case which are not designed to accommodate a removable port adapter; and the inverse of the three-dimensional space within the case that would be occupied by an installed port adapter. The cryptographic boundary includes the connection apparatus between the port adapter and the motherboard/daughterboard that hosts the port adapter, but the boundary does not include the port adapter itself, except when a VAM2 is inserted into an available port adapter slot. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except [continues in item 8]
7. FIPS 140-2 Logical Interfaces, 7206VXR with VSA (continued)

Router Physical Interface | FIPS 140-2 Logical Interface
10/100/1000 RJ-45 Port; SFP Gigabit Ethernet Port; Port Adapter Mid-plane Interface; Console Port; Auxiliary Port; 10/100 Management Port (not present in 7206VXR NPE-G1) | Data Input Interface
10/100/1000BASE-TX LAN Port; Gigabit Ethernet Port; Port Adapter Interface; Console Port; Auxiliary Port; 10/100 Management Port (not present in 7206VXR NPE-G1) | Data Output Interface
10/100/1000BASE-TX LAN Port; Gigabit Ethernet Port; Port Adapter Interface; Power Switch; Reset Switch; Console Port; Auxiliary Port; 10/100 Management Port (not present in 7206VXR NPE-G1) | Control Input Interface
10/100/1000BASE-TX LAN Port; Port Adapter Interface; Gigabit Ethernet Port; LEDs; Console Port; Auxiliary Port; 10/100 Management Port (not present in NPE-G1) | Status Output Interface
Power Plug | Power Interface

Table 3 FIPS 140-2 Logical Interfaces, 7301 with VAM2

Router Physical Interface | FIPS 140-2 Logical Interface
Gigabit Ethernet 0-2 RJ-45 Ports; Gigabit Ethernet 0-2 SFP/GBIC Ports; Alarm Port; Console Port; Auxiliary Port | Data Input Interface
Gigabit Ethernet 0-2 RJ-45 Ports; Gigabit Ethernet 0-2 SFP/GBIC Ports; Alarm Port; Console Port; Auxiliary Port | Data Output Interface

[table continues in item 11]
8. [continued from item 6] ...any installed modular port adapter, except when a VAM2 is inserted into an available port adapter interface.

The cryptographic boundary for the 7206VXR NPE-G1 or NPE-G2 with c7200-JC-PA and VAM2 is defined as encompassing the top, front, left, right and bottom surfaces of the case; all portions of the backplane of the case which are not designed to accommodate a removable port adapter; and the inverse of the three-dimensional space within the case that would be occupied by an installed port adapter. The cryptographic boundary includes the connection apparatus between the port adapter and the motherboard/daughterboard that hosts the port adapter, but the boundary does not include the port adapter itself, except when a VAM2 is inserted into the port adapter jacket card in the I/O controller slot. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular port adapter, except when a VAM2 is inserted into the port adapter jacket card interface in the I/O controller slot. The 7206VXR can support single and dual VAM2 modules in FIPS mode of operation.

The cryptographic boundary for the 7301 with VAM2 is the module case. The 7301 has one port adapter slot, which is populated with the VAM2.

All of the functionality discussed in this document is provided by components within this cryptographic boundary. Each module is a multi-chip standalone module. The cr-
9. [continued from item 3] ...be verified with the "show crypto engine accelerator statistic" and "show crypto eli" commands.

Note: The keys and CSPs generated in the cryptographic module during FIPS mode of operation cannot be used when the module transitions to non-FIPS mode, and vice versa. While the module transitions from FIPS to non-FIPS mode, or from non-FIPS to FIPS mode, all the keys and CSPs are to be zeroized by the Crypto Officer.

Note: For an overview of the VAM2 and c7200-JC-PA LEDs, please refer to the Installation and Configuration Guide at the following URL: http://www.cisco.com/en/US/products/hw/modules/ps2033/products_installation_and_configuration_guide_chapter09186a0080369590.html#wp1038368

IPSec Requirements and Cryptographic Algorithms

Step 1 The only type of key management that is allowed in FIPS mode is Internet Key Exchange (IKE).

Step 2 Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:
- ah-sha-hmac
- esp-sha-hmac
- esp-3des
- esp-aes

Step 3 The following algorithms shall not be used:
- MD-5 for signing
- MD-5 HMAC
- DES
- Software implementations of AES, DES, Triple-DES, SHA-1, HMAC and RSA

Protocols

Step 1 SNMP v3 over a secure IPSec tunnel may be employed for authenticated, secure SNMP gets and sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under SNMP v2C.

Step 2 Secure DNS is not a- [continues in item 18]
10. [continuation of the VAM2 description] ...services necessary for successful VPN deployments: security, quality of service (QoS), firewall and intrusion detection, and service-level validation and management. The VAM2 off-loads IPSec processing from the main processor, thus freeing resources on the processor engines for other tasks.

Cisco VPN Services Adapter (VSA)

The Cisco 7206VXR NPE-G2 routers incorporate the VPN Services Adapter (VSA) cryptographic accelerator card, which fits into the I/O controller slot of the 7206VXR. The VSA features hardware acceleration for various cryptographic algorithms, providing increased performance for site-to-site and remote-access IPSec VPN services. The Cisco VSA supports full Layer 3 routing, quality of service (QoS), multicast and multiprotocol traffic, and broad support of integrated LAN/WAN media. The VSA off-loads IPSec processing from the main processor, thus freeing resources on the processor engines for other tasks.

The evaluated platform consists of the following:

- 7206VXR, Hardware Version 2.9
- 7301VXR, Hardware Version 2.0
- NPE-G1, Hardware Version 2.1
- NPE-G2, Hardware Version 1.0
- C7200-JC-PA, Hardware Version 1.0
- VAM2, Hardware Version 1.0
- VSA, Hardware Version 1.0

Module Validation Level

The following table lists the level of validation for each area in the [continues in item 6]
11. Module Descriptions [continued from item 7]

Table 3 FIPS 140-2 Logical Interfaces, 7301 with VAM2 (continued)

Router Physical Interface | FIPS 140-2 Logical Interface
Gigabit Ethernet 0-2 RJ-45 Ports; Gigabit Ethernet 0-2 SFP/GBIC Port; Alarm Port; Console Port; Auxiliary Port | Control Input Interface
Gigabit Ethernet 0-2 RJ-45 Ports; Gigabit Ethernet 0-2 SFP/GBIC Ports; Alarm Port; Console Port; Auxiliary Port; LEDs | Status Output Interface
Power Plug | Power Interface

Roles, Services and Authentication

Authentication is role-based. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module supports RADIUS and TACACS+ for authentication. A complete description of all the management and configuration capabilities of the modules can be found in the Performing Basic System Management manual and in the online help for the modules.

The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 characters long, including at least one letter and at least one number. See the Secure Operation section for more information. If 6 integers, one special character and one alphabet are used without repetition for an 8-digit PIN, the probability of randoml-
12. [continued from item 4] ...allowable images; no other image may be loaded:

- 7206VXR NPE-G1 or NPE-G2 with VAM2, and 7206VXR NPE-G2 with VSA: c7200-adventerprisek9-mz.124-11.T1 (IOS version 12.4(11)T1)
- 7206VXR NPE-G1 or NPE-G2 with c7200-JC-PA and VAM2: c7200-adventerprisek9p-mz (IOS version 12.4(11)T1)
- 7301 with VAM2: c7301-adventerprisek9-mz.124-11.T (IOS version 12.4(11)T1)

The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the "configure terminal" command line, the Crypto Officer enters the following syntax:
config-register 0x0102

The Crypto Officer must enter the following command to prevent failover to the software implementation:
no crypto engine software ipsec

The Crypto Officer must create the enable password for the Crypto Officer role. The password must be at least 8 characters, including at least one letter and at least one number, and is entered when the Crypto Officer first engages the "enable" command. The Crypto Officer enters the following syntax at the prompt:
enable secret PASSWORD

The Crypto Officer must always assign passwords of at least 8 characters, including at least one letter and at least one number, to users. Identification and authentication on the console/auxiliary port is required for Users. From the "configure terminal" command line, the Crypto Officer enters the following syntax:
line con 0
password [continues in item 3]
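Items 3, 9 and 12 together give the configuration the Crypto Officer must apply: boot field 0x0102, software IPSec failover disabled, an enable secret and user passwords of at least 8 characters with a letter and a digit, privilege level 1 only, and only the four listed IPSec transforms. The following Python script, added here as an example and not part of Cisco's document, audits a pasted configuration against those rules. It assumes the input is the text of "show running-config" with the "Configuration register is ..." line of "show version" appended, because the boot field is not printed in the running-config; both sample configurations are constructed, and the "hash md5" / "encryption des" checks apply the item 9 prohibition on MD5 and DES to the ISAKMP policy lines.

```python
"""Audit an IOS configuration against the FIPS-mode settings in the security
policy.  Added example, not Cisco's code; both sample configurations below are
constructed.  Input: 'show running-config' text with the 'Configuration
register is ...' line of 'show version' appended (the boot field is not part
of the running-config)."""
import re

# IPSec transform-set components the policy allows in FIPS mode.
ALLOWED_TRANSFORMS = {"ah-sha-hmac", "esp-sha-hmac", "esp-3des", "esp-aes"}
# ISAKMP policy sub-commands selecting algorithms the policy forbids (MD5, DES).
FORBIDDEN_ISAKMP = {"hash md5", "encryption des"}
# Lines whose trailing secret must satisfy the password rule.
SECRET_LINE = re.compile(r"(enable secret|password|username \S+|radius-server key|tacacs-server key)\b")


def password_ok(pw):
    """Policy rule: at least 8 characters, with at least one letter and one number."""
    return len(pw) >= 8 and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def plaintext_secret(line):
    """Return the secret from a password/secret/key line if it is stored in the clear
    (no type or type 0); None for hashed/obfuscated types, which cannot be checked."""
    m = re.search(r"\b(?:password|secret|key)\s+(?:(\d)\s+)?(\S+)$", line)
    if not m:
        return None
    enc_type, value = m.group(1), m.group(2)
    return value if enc_type in (None, "0") else None


def config_register_ok(text):
    """Accept the command as typed or the 'show version' summary line."""
    return re.search(r"(config-register|Configuration register is) 0x0102\b", text) is not None


def audit_config(text):
    """Return a list of findings; an empty list means no deviation was found."""
    findings = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not config_register_ok(text):
        findings.append("boot field is not 0x0102 (console break to ROM monitor not disabled)")
    if "no crypto engine software ipsec" not in lines:
        findings.append("software IPSec failover not disabled ('no crypto engine software ipsec')")
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' configured for the Crypto Officer role")
    for l in lines:
        if SECRET_LINE.match(l):
            pw = plaintext_secret(l)
            if pw is not None and not password_ok(pw):  # name the command, never the secret
                findings.append(f"weak secret on '{l.split()[0]}' line: needs >= 8 chars with a letter and a digit")
        m = re.match(r"username \S+ privilege (\d+)", l)
        if m and m.group(1) != "1":
            findings.append(f"user assigned privilege level {m.group(1)}; policy allows only level 1")
        m = re.match(r"crypto ipsec transform-set \S+ (.+)$", l)
        if m:
            for transform in m.group(1).split():
                if transform not in ALLOWED_TRANSFORMS:
                    findings.append(f"transform '{transform}' is not allowed in FIPS mode")
        if l in FORBIDDEN_ISAKMP:
            findings.append(f"ISAKMP policy uses '{l}', which is prohibited in FIPS mode")
    return findings


# Constructed sample: a router that deviates from the policy in ten places.
NONCOMPLIANT_CONFIG = """
enable secret 0 cisco
username ops privilege 15 password 0 opsuser2007
crypto isakmp policy 10
 encryption des
 hash md5
crypto ipsec transform-set WEAK esp-des esp-md5-hmac
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
radius-server key 0 rad1us
line con 0
 password 0 console
 login local
"""

# Constructed sample: the same router after the Crypto Officer applied the steps.
COMPLIANT_CONFIG = """
no crypto engine software ipsec
enable secret 0 Fips2007Enable
username ops privilege 1 password 0 OpsUser2007
crypto isakmp policy 10
 encryption 3des
 hash sha
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
radius-server key 0 RadiusKey01
line con 0
 password 0 Console07
 login local
Configuration register is 0x0102
"""

if __name__ == "__main__":
    for name, cfg in (("non-compliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        findings = audit_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Two caveats for anyone using this as a compliance check: IOS does not print default values in the running-config (the default ISAKMP encryption is DES), so a clean text audit must be confirmed with "show crypto isakmp policy"; and secrets stored as type 5 or 7 cannot be tested against the length rule after the fact, so the rule has to be enforced when the Crypto Officer sets them.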
13. [continued from item 1]

CSP 14 (continued) | ...cate itself to the peer. The router itself gets the password that is used as this key from the AAA server and sends it on to the peer. The password retrieved from the AAA server is zeroized upon completion of the authentication attempt. | DRAM (plaintext)
CSP 15 | The authentication key used in PPP. This key is in the DRAM and not zeroized at runtime. One can turn off the router to zeroize this key, because it is stored in DRAM. | DRAM (plaintext)
CSP 16 | This key is used by the router to authenticate itself to the peer. The key is retrieved from the local database on the router itself. Issuing the "no username password" command zeroizes the password that is used as this key from the local database. | NVRAM (plaintext)
CSP 17 | The password of the User role. This password is zeroized by overwriting it with a new password. | NVRAM (plaintext)
CSP 18 | The plaintext password of the CO role. This password is zeroized by overwriting it with a new password. | NVRAM (plaintext)

Module Descriptions

Table 4 Critical Security Parameters (continued)

CSP | Name / Description | Storage
CSP 19 | The ciphertext password of the CO role. However, the algorithm used to encrypt this password is not FIPS approved; therefore this password is considered plaintext for FIPS purposes. This password is z- [continues in item 16] | NVRAM (plaintext)
14. [continued from item 26] ...e label shall be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 3.

Secure Operation

Step 8 A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 4.

Step 9 A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 5.

Step 10 A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot 6.

Step 11 In the case of 7206VXR NPE-G1/NPE-G2 with VAM2, a tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the I/O Controller blank face plate.

Step 12 In the case of 7206VXR NPE-G1/NPE-G2 with c7200-JC-PA and VAM2, a tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the port adapter jacket card face plate and the port adapter slot.

Step 13 In the case of 7206VXR NPE-G2 with VSA, a tamper evidence label shall be placed such that one half of the label covers the enclosure and the other half covers the VSA.

Step 14 A tamper evidence label shall be placed so that one half of the label cover- [continues in item 24]
15. [continued from item 19] ...eed upon for individual tunnels are directly associated with that specific tunnel only, via the IKE protocol. All of the keys and CSPs of the module can be zeroized. Please refer to Figure 4 for information on methods to zeroize each key and CSP.

The modules include an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to insure all components are functioning correctly. The modules implement the following power-on self-tests:

Secure Operation

Table 7 Module Power-On Self-Tests

Implementation | Tests Performed
IOS | Software/firmware test; Bypass test; SHA-1 KAT; PRNG KAT; DH Test (1)
VAM2 | Firmware integrity test; Triple-DES KAT; AES KAT; SHA-1 KAT; HMAC-SHA-1 KAT; PRNG KAT
VSA | Firmware integrity test; Triple-DES KAT; AES KAT; SHA-1 KAT; HMAC-SHA-1 KAT; DH Test

(1) The IOS implementation of DH is not used in the 7206VXR NPE-G2 with VSA.

The modules perform all power-on self-tests automatically at boot. All power-on self-tests must be passed before any operator can perform cryptographic services. The power-on self-tests are performed after the cryptographic systems are initialized but prior to the initialization of the LANs; this prevents the module from passing any data during a power-on self-test failure. In addition, [continues in item 4]
16. [continued from item 13] ...eroized by overwriting it with a new password.

CSP 20 | The RADIUS shared secret. This shared secret is zeroized by executing the "no" form of the RADIUS shared secret set command. | NVRAM (plaintext); DRAM (plaintext)
CSP 21 | The TACACS+ shared secret. This shared secret is zeroized by executing the "no" form of the RADIUS shared secret set command. | NVRAM (plaintext); DRAM (plaintext)
CSP 22 | The SSH session key. It is zeroized automatically when the SSH session is terminated. | DRAM (plaintext)
CSP 23 (1) | The keys and CSPs above, from no. 1 to 21, are located in the router DRAM, outside VAM2 or VSA. However, the ByteArray key object is located in the RAM of the VAM2. All key objects of the VAM2 are built upon the ByteArray key object. The destructor of the ByteArray object uses the memset function to overwrite all bytes of the object to 0x00. | DRAM of VAM2 (plaintext)

(1) This key is not present in the 7206VXR NPE-G2 with VSA.

The services accessing the CSPs, the type of access, and which role accesses the CSPs are listed in Table 5.

The module supports IOS implementations of the Triple-DES, DES MAC, Triple-DES MAC, AES, SHA-1, HMAC-SHA-1, MD5, HMAC-MD5, Diffie-Hellman, RNG and RSA cryptographic algorithms. Except for SHA-1 and RNG, none of the other software algorithm implementations are used when operating in FIPS mode. The IOS implementation of Diffie-Hellman is used in all module configurations except the 7206VXR NPE-G2 with VSA, which uses the hardware impleme- [continues in item 22]
17. ...he Crypto Officer authenticates as a User and then authenticates as the Crypto Officer role. During initial configuration of the router, the Crypto Officer password (the "enable" password) is defined. A Crypto Officer may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers.

The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following:

- Configure the Router: Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.
- Define Rules and Filters: Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
- Status Functions: View the router configuration, routing tables and active sessions; use "get" commands to view SNMP MIB statistics, health, temperature, memory status, voltage and packet statistics; review accounting logs; and view physical interface status.
- Manage the Router: Log off users, shutdown or reload the router, manually back up router configurations, view complete configurations, manage user rights, and restore router co- [continues in item 20]
18. [continued from item 9] ...llowed in FIPS mode of operation and shall not be configured.

Secure Operation

Remote Access

Step 1 Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto Officer must configure the module so that any remote connections via telnet are secured through IPSec, using FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted.

Step 2 SSH access to the module is allowed in FIPS-approved mode of operation using SSH v2 and a FIPS-approved algorithm.

Tamper Evidence

Any port adapter slot not populated with a port adapter must be populated with an appropriate slot cover in order to operate in a FIPS-compliant mode. The slot covers are included with each router, and additional covers may be ordered from Cisco. The same procedure mentioned below to apply tamper evidence labels for port adapters must also be followed to apply tamper evidence labels for the slot covers.

7206VXR NPE-G1/NPE-G2 with VAM2, 7206VXR NPE-G1/NPE-G2 with c7200-JC-PA and VAM2, and 7206VXR NPE-G2 with VSA (Steps 1 to 7)

The front of the router provides 6 port adapter slots. An additional port adapter slot is available when a port adapter jacket card is inserted into the I/O controller slo- [continues in item 26]
19. Module Descriptions

Self-Tests

Each cryptographic implementation has achieved the following validations:

Table 6 Algorithm Certificates

Algorithm | IOS NPE-G1 | IOS NPE-G2 | VAM2 | VSA
AES | Not supported in FIPS mode | Not supported in FIPS mode | 173 | 91
Triple-DES | Not supported in FIPS mode | Not supported in FIPS mode | 275 | 204
SHA-1 | 557 | 556 | 258 | 500
HMAC-SHA-1 | Not supported in FIPS mode | Not supported in FIPS mode | 39 | 203
RNG | 267 | 266 | 83 |
RSA | Not supported in FIPS mode | Not supported in FIPS mode | Not supported in FIPS mode | Not supported in FIPS mode

The module supports the following key management schemes:

- Pre-shared key exchange via electronic key entry: the Triple-DES/AES key and the HMAC-SHA-1 key are exchanged and entered electronically.
- Internet Key Exchange method, with support for pre-shared keys exchanged and entered electronically: the pre-shared keys are used with the Diffie-Hellman key agreement technique to derive DES, Triple-DES or AES keys. The pre-shared key is also used to derive the HMAC-SHA-1 key. The Diffie-Hellman key establishment methodology provides 80 or 96 bits of encryption strength.

All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agr- [continues in item 15]
20. [continued from item 17] ...nfigurations.
- Set Encryption/Bypass: Set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range, or allow plaintext packets to be sent from specified IP addresses.
- Change Port Adapters: Insert and remove adapters in a port adapter slot.
- Change VSA: Insert and remove the VSA in an I/O Controller slot. This service is available only for the 7206VXR NPE-G2 with VSA.

Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. All keys are also protected by the password protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. All zeroization consists of overwriting the memory that stored the key. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE).

The module supports the following critical security parameters (CSPs):

Table 4 Critical Security Parameters

CSP | Name / Description | Storage
CSP 1 | This is the seed key for the X9.31 PRNG. This key is stored in DRAM and updated periodically after the generation of 400 bytes; hence it is zeroized periodically. Also, the operator can turn off the router to zeroize this key. | DRAM (plaintext)
CSP 2 | The public and private exponents used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated. | DRAM (plaintext)

[table continues in item 1]
21. [continued from item 23] ...nksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0710R)

© 2007 Cisco Systems, Inc. All rights reserved.
22. [continued from item 16] ...ntation of DH.

Note: Pursuant to the DES Transition Plan and the approval of the Withdrawal of Federal Information Processing Standard (FIPS) 46-3, Data Encryption Standard (DES); FIPS 74, Guidelines for Implementing and Using the NBS Data Encryption Standard; and FIPS 81, DES Modes of Operation, the DES algorithm shall not be used in FIPS-approved mode of operation.

Table 5 Role and Service Access to CSPs

Columns: SRDI / Role / Service / Access Policy, with one column per CSP 1 through CSP 23 and access marked as r, rw or d. [Only the row and column labels are recoverable from this copy; the per-CSP access marks did not survive extraction.]

Role | Service
User Role | Status Functions; Network Functions; Terminal Functions; Directory Services
Crypto Officer Role | Configure the Router; Define Rules and Filters; Status Functions; Manage the Router; Set Encryption/Bypass; Change Port Adapters; Change VSA
23. [continued from item 25] ...rotocol
RAM: Random Access Memory
RSA: Rivest, Shamir and Adleman method for asymmetric encryption
SHA: Secure Hash Algorithm
VAM: VPN Acceleration Module

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Li- [continues in item 21]
24. [continued from item 14] ...s the enclosure and the other half covers the power supply plate. A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the redundant power supply plate. Allow the labels to cure for five minutes.

Figure 1 Cisco 7206VXR Front Tamper Evident Label Placement
[figure: Cisco 7200 Series VXR, front view; image not reproduced in this copy]

Figure 2 Cisco 7206VXR Back Tamper Evident Label Placement
[figure: image not reproduced in this copy]

Secure Operation

7301 with VAM2

The 7301 router requires that a special opacity shield be installed over the intake-side air vents in order to operate in FIPS-approved mode. The shield decreases the surface area of the vent holes, reducing visibility within the cryptographic boundary to FIPS-approved specifications.

Installing the Opacity Shield

To install an opacity shield on the Cisco 7301 router, follow these steps:

Step 1 The opacity shield is designed to be installed on a Cisco 7301 router chassis that is already rack-mounted. If your 7301 router chassis is not rack-mo-
25. sure and the other half covers the side.

Step 5: A tamper evidence label shall be placed over each of the four corners of the opacity shield.
Step 6: Allow the labels to cure for five minutes.

Figure 4 Cisco 7301 Front Tamper Evident Label Placement

The tamper evident seals are produced from a special thin-gauge vinyl with self-adhesive backing. Any attempt to open the device will damage the tamper evident seals or the material of the module cover. Since the tamper evident seals have non-repeated serial numbers, they may be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered with. Tamper evident seals can also be inspected for signs of tampering, which include the following: curled corners, rips, and slices.

Definition List

AAA: Authentication, Authorization and Accounting
AES: Advanced Encryption Standard
CMVP: Cryptographic Module Validation Program
CSP: Critical Security Parameter
DES: Data Encryption Standard
FIPS: Federal Information Processing Standard
HTTP: Hyper Text Transfer Protocol
KAT: Known Answer Test
LED: Light Emitting Diode
NPE: Network Processing Engine
NIST: National Institute of Standards and Technology
NVLAP: National Voluntary Laboratory Accreditation Program
PPP: Point to Point P
26. t, and the rear of the router provides on-board LAN connectors, PC Card slots, and Console/Auxiliary connectors. The power cable connection, a power switch, and the access to the Network Processing Engine are at the rear of the router.

Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. The Crypto Officer shall be instructed to record serial numbers and to inspect for these signs of tampering or changed numbers periodically.

To seal the system, apply serialized tamper evidence labels as depicted in Figure and Figure 2 as follows:

- Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The ambient air must be above 10 °C; otherwise the labels may not properly cure.
- A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers the NPE-G1 or NPE-G2.
- A tamper evidence label shall be placed over the Compact Flash card slot on the NPE-G1/NPE-G2.
- A tamper evidence label shall be placed over the USB ports of the NPE-G2.
- A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 1.
- A tamper evidence label shall be placed so that one half of the label covers the enclosure and the other half covers port adapter slot 2.
- A tamper evidenc
27. ting normal operation of the router.

- Environmental monitoring and reporting functions: Maintain normal system operation by resolving adverse environmental conditions prior to loss of operation.
- Downloadable software: Load new images into Flash memory remotely without having to physically access the router. This capability is not permitted in FIPS mode of operations, however.

Cisco 7301

The Cisco 7300 Series is optimized for flexible, feature-rich IP/MPLS services at the customer network edge, where service providers and enterprises link together. The Cisco 7300 Series can be used for enterprise campus or Internet gateway applications, or be deployed by service providers as a high-end CPE router for managed service offerings. Other applications for the Cisco 7301 include service provider broadband aggregation and metro Ethernet CPE applications.

The compact Cisco 7301 router is the industry's highest-performance single-rack-unit router, with million packets per second processing. With 3 built-in Gigabit Ethernet interfaces (copper or optical) and a single slot for any Cisco 7000 Series port adapter, the Cisco 7301 is highly flexible for a variety of applications. Additionally, for broadband aggregation, the Cisco 7301 supports up to 16,000 subscriber sessions, making it ideal for pay-as-you-gro
28. unted, install the chassis in the rack using the procedures contained in the Cisco 7301 Router Installation Guide.
Step 2: Open the FIPS kit packaging. The kit contains the following items:
- A packaged opacity shield assembly with installation hardware for the Cisco 7301 router
- An envelope with FIPS tamper evidence labels
- An envelope containing a disposable ESD wrist strap
Step 3: Open the protective packaging and remove the opacity shield.
Step 4: Remove the sticker cover on the back of the opacity shield.
Step 5: Line up the opacity shield with the rack-mount screw holes on the router and press it against the chassis of the router.

Figure 3 Cisco 7301 with Opacity Shield Installed

To seal the system, apply serialized tamper evidence labels as depicted in Figure 4 and as follows:
Step 1: Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The ambient air must be above 10 °C; otherwise the labels may not properly cure.
Step 2: A tamper evidence label shall be placed over the Compact Flash card slot.
Step 3: A tamper evidence label shall be placed so that one half of the label covers the top of the enclosure and the other half covers the port adapter slot.
Step 4: A tamper evidence label shall be placed so that one half of the label covers the top of the enclo
29. validation program is available on the NIST website at http://csrc.nist.gov/cryptval

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA

© 2007 Cisco Systems, Inc. All rights reserved. This document may be freely reproduced and distributed whole and intact, including this copyright notice.

References

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:
- The Cisco Systems website (http://www.cisco.com) contains information on the full line of products from Cisco Systems.
- The NIST Cryptographic Module Validation Program website (http://csrc.ncsl.nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the module.

Document Organization

The Security Policy document is one document in a complete FIPS 140-2 Submission Package. In addition to this document, the complete Submission Package contains:
- Vendor Evidence document
- Finite State Machine
- Other supporting documentation as additional references

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Documentation is proprietary to Cisco Systems, Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact
30. w broadband deployment models.

Cisco 7200 Series Port Adapter Jacket Card (c7200-JC-PA)

The Cisco 7200 VXR Series Port Adapter Jacket Card is plugged into the I/O card slot of the 7206VXR router. This addresses the demand on the Cisco 7206VXR router for additional slot density and flexibility by enabling the I/O slot to hold a single port or service adapter, for additional capacity on Cisco 7206VXR systems with the NPE-G1 or NPE-G2. The Cisco 7200 VXR Series Port Adapter Jacket Card offers the following:
- Provides one additional slot for a single port or service adapter
- Allows a high-bandwidth port adapter, such as the Cisco VPN Acceleration Module 2 (VAM2), to be moved onto a dedicated PCI bus that the Cisco NPE-G1 or NPE-G2 provides
- Reduces PCI contention among other port adapters
- Provides a cost-effective way to increase the slot density in parallel to the increased switching capacity of the Cisco NPE-G2

Cisco VPN Acceleration Module 2 PLUS (VAM2)

The Cisco 7206VXR (NPE-G1 or NPE-G2) and 7301 routers incorporate the VPN Acceleration Module 2 (VAM2) cryptographic accelerator card. The VAM2 is a single-width acceleration module that provides high-performance, hardware-assisted tunneling and encryption services suitable for virtual private network (VPN) remote access, site-to-site intranet, and extranet applications, and is installed in an available port adapter slot. It also provides platform scalability and security while working with all
31. y guessing the correct sequence is 1 in 832,000,000. In order to successfully guess the sequence in one minute would require the ability to make over 13,000,000 guesses per second, which far exceeds the operational capabilities of the module. Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence.

User Services

A User enters the system by accessing the console/auxiliary port with a terminal program or via an IPSec-protected Telnet or SSH v2 session to a LAN port. The IOS prompts the User for their password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:
- Status Functions: View state of interfaces and protocols, version of IOS currently running.
- Network Functions: Connect to other network devices through outgoing telnet, PPP, etc., and initiate diagnostic network services, i.e., ping, mtrace.
- Terminal Functions: Adjust the terminal session (e.g., lock the terminal, adjust flow control).
- Directory Services: Display directory of files kept in flash memory.

Crypto Officer Services

A Crypto Officer enters the system by accessing the console/auxiliary port with a terminal program or via an IPSec-protected telnet or SSH v2 session to a LAN port. T
32. yptographic boundary for the 7206VXR NPE-G2 with VSA is defined as encompassing the top, front, left, right, and bottom surfaces of the case; all portions of the backplane of the case which are not designed to accommodate a removable port adapter; the inverse of the three-dimensional space within the case that would be occupied by an installed port adapter; and the VSA installed into the I/O controller slot. The cryptographic boundary includes the VSA installed into the I/O controller slot and the connection apparatus between the port adapter and the motherboard/daughterboard that hosts the port adapter, but the boundary does not include the port adapter itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular port adapter.

Module Interfaces

Each module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces: data input, data output, control input, and status output. The logical interfaces and their mapping are described in the following tables.

Table 2 FIPS 140-2 Logical Interfaces: 7206VXR NPE-G1 or NPE-G2 with VAM2, 7206VXR NPE-G1 or NPE-G2 with c7200-JC-PA and VAM2, 7206VXR NPE-G2 with
