Summary of the content included on page 1
                    
                        Cisco 7206 VXR Router with ISA Security Policy
Introduction
This nonproprietary Cryptographic Module Security Policy describes how the 7206 VXR NPE-400 
routers meet the security requirements of Federal Information Processing Standards (FIPS) 140-1, and 
how they operate in a secure FIPS 140-1 mode. The policy was prepared as part of the Level 2 FIPS 
140-1 certification of the 7206 VXR NPE-400 router.
Note This document may be copied in its entirety and without modification. All copies must inc
                    
Summary of the content included on page 2

The 7206 VXR NPE-400 Router

References
This document deals with operations and capabilities of the 7206 VXR NPE-400 router in the technical terms of a FIPS 140-1 cryptographic module security policy. For more information on the Cisco 7206 VXR NPE-400 router and the entire 7200 series, check the following sources:
• The Cisco Systems website contains information on the full line of Cisco Systems products. Refer to the following website: www.cisco.com.
• The 7200 series product descriptions can be
                    
Summary of the content included on page 3

Cisco 7200 VXR routers accommodate a variety of network interface port adapters and an I/O controller. A Cisco 7200 VXR router equipped with an NPE-400 can support up to six high-speed port adapters and can also support higher-speed port adapter interfaces including Gigabit Ethernet and OC-12 ATM. Cisco 7200 VXR routers also contain bays for up to two AC-input or DC-input power supplies.
Cisco 7200 VXR routers support the following features:
• Online insertion and
                    
Summary of the content included on page 4

The NPE-400 has three levels of cache: a primary and a secondary cache that are internal to the microprocessor, and a tertiary 4-MB external cache that provides additional high-speed storage for data and instructions.
Cisco 7206 VXR routers come equipped with one 280W AC-input power supply. (A 280W DC-input power supply option is available.) A power supply filler plate is installed over the second power supply bay. A fully configured Cisco 7206 VXR router operates
                    
Summary of the content included on page 5

Table 1 Front Panel LEDs and Descriptions

LED | Indication | Description
Enabled | Green | Indicates that the network processing engine or network services engine and the I/O controller are enabled for operation by the system; however, it does not mean that the Fast Ethernet port on the I/O controller is functional or enabled. This LED goes on during a successful router boot and remains on during normal operation of the router.
IO POWER OK | Amber | Indicates that the I/O
                    
Summary of the content included on page 6

Figure 3 LEDs for ISA Crypto Card (card labels: ENCRYPT/COMP, SA-ISA)

Refer to Table 2 for further description of the ISA LEDs.

Table 2 ISA LEDs and Descriptions

LED | Indication | Description
ENABLED | Green | Indicates the ISA is powered up. After system initialization, the enabled LED goes on to indicate that power is received and that the ISA is enabled for operation. All the following conditions must be met before the enabled LED goes on:
• The ISA is correctly connected to the back
                    
Summary of the content included on page 7

Table 3 FIPS 140-1 Logical Interfaces

Router Physical Interface | FIPS 140-1 Logical Interface
10/100BASE-TX LAN Port; Port Adapter Interface; Service Module Interface; Console Port; Auxiliary Port*; PCMCIA Slot* | Data Input Interface
10/100BASE-TX LAN Port; Port Adapter Interface; Service Module Interface; Console Port; Auxiliary Port*; PCMCIA Slot* | Data Output Interface
Power Switch; Console Port; Auxiliary Port* | Control Input Interface
10/100BASE-TX LAN Port | Status Out
                    
Summary of the content included on page 8

Cryptographic Officer Services
During initial configuration of the router, a cryptographic officer (crypto officer) password (the “enable” password) is defined and all management services are available from this role. The crypto officer connects to the router through the console port using the terminal program. A crypto officer can assign permission to access the crypto officer role to additional accounts, thereby creating additional crypto officers.
At the hig
                    
Summary of the content included on page 9

Once the router has been configured to meet FIPS 140-1 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows:
• Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The ambient air must be above 10°C, otherwise the labels may not properly cure.
• The tamper evidence label sh
                    
Summary of the content included on page 10

Figure 4 shows the tamper evidence label placements.

Figure 4 Tamper Evidence Label Placement (chassis diagram with callouts for the port adapters, I/O controller, power supply, and network processing engine)
                    
Summary of the content included on page 11

Secure Operation of the Cisco 7206 VXR NPE-400 Router

Cryptographic Key Management
The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. Keys are also password protected and can be zeroized by the crypto officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE).

Self-Tests
In order to prevent any secure da
                    
Summary of the content included on page 12

• The crypto officer must create the “enable” password for the crypto officer role. The password must be at least 8 characters and is entered when the crypto officer first engages the enable command. The crypto officer enters the following syntax at the “#” prompt:
    enable secret [PASSWORD]
• The crypto officer must always assign passwords (of at least 8 characters) to users. Identification and authentication of the console port is required
                    
Summary of the content included on page 13

• Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The crypto officer must configure the module so that any remote connections via telnet are secured through IPSec.

Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites:
• http://www.cisco.com
                    
Summary of the content included on page 14

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Attn Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from
                    
Summary of the content included on page 15

P3 and P4 level problems are defined as follows:
• P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website: http://www.
                    