Cisco Integrated Services Router Security Policy


Cisco 819G-4G-A-K9, 819G-4G-V-K9, 819H-K9, 819G-S-K9, 819HG-4G-G-K9, 891, 881, 1905, 1921 and 1941
Firmware Version: IOS 15.2(4)M6A

FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation

Version 0.6
June 2014

Copyright 2014 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Table of Contents

1 INTRODUCTION ... 3
  1.1 PURPOSE ... 3
  1.2 MODULE VALIDATION LEVEL ... 3
  1.3 REFERENCES ... 3
  1.4 TERMINOLOGY ... 3
  1.5 DOCUMENT ORGANIZATION ... 3
2 MODULE DESCRIPTION ... 5
  2.1 MODULE INTERFACES ... 8
  2.2 ROLES AND SERVICES ... 9
  2.3 UNAUTHENTICATED SERVICES ... 10
  2.4 CRYPTOGRAPHIC KEY MANAGEMENT ... 10
  2.5 CRYPTOGRAPHIC ALGORITHMS ... 13
  2.6 NON-FIPS APPROVED ALGORITHMS ... 13
  2.7 SELF-TESTS ... 14
  2.8 PHYSICAL SECURITY ... 14
  2.9 MODULE OPACITY ... 15
3 SECURE OPERATION ... 25
  3.1 INITIAL SETUP ... 25
  3.2 SYSTEM INITIALIZATION AND CONFIGURATION ... 25
  3.3 IPSEC REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS ... 26
  3.4 SSLV3.1/TLS REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS ... 26
  3.5 ACCESS ... 26

1 Introduction

1.1 Purpose

This is the non-proprietary Cryptographic Module Security Policy for the Cisco 819G-4G-A-K9, 819G-4G-V-K9, 819H-K9, 819G-S-K9, 819HG-4G-G-K9, 891, 881, 1905, 1921 and 1941 Integrated Services Routers (Firmware Version: IOS 15.2(4)M6A). This security policy describes how the modules meet the security requirements of FIPS 140-2 Level 2 and how to run the modules in a FIPS 140-2 mode of operation, and may be freely distributed.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website.

1.2 Module Validation Level

The following table lists the level of validation for each area in FIPS PUB 140-2.

No. | Area Title | Level
1 | Cryptographic Module Specification | 2
2 | Cryptographic Module Ports and Interfaces | 2
3 | Roles, Services, and Authentication | 3
4 | Finite State Model | 2
5 | Physical Security | 2
6 | Operational Environment | N/A
7 | Cryptographic Key Management | 2
8 | Electromagnetic Interference/Electromagnetic Compatibility | 2
9 | Self-Tests | 2
10 | Design Assurance | 3
11 | Mitigation of Other Attacks | N/A
 | Overall module validation level | 2

Table 1: Module Validation Level

1.3 References

This document deals only with the capabilities and operations of the Cisco 819G-4G-A-K9, 819G-4G-V-K9, 819H-K9, 819G-S-K9, 819HG-4G-G-K9, 891, 881, 1905, 1921 and 1941 routers in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the routers from the following sources:

- For answers to technical or sales-related questions please refer to the contacts listed on the Cisco Systems website at www.cisco.com.
- The NIST Validated Modules website contains contact information for answers to technical or sales-related questions for the module.

1.4 Terminology

In this document, the Cisco Integrated Services Router models identified above are referred to as Integrated Services Router, ISR or the systems.

1.5 Document Organization

The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

- Vendor Evidence document
- Finite State Machine
- Other supporting documentation as additional references

This document provides an overview of the routers and explains their secure configuration and operation. This introduction section is followed by Section 2, which details the general features and functionality of the router. Section 3 specifically addresses the required configuration for the FIPS mode of operation.

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.

2 Module Description

Cisco Integrated Services Routers (ISRs) are multifunctional networking devices delivering fast, reliable data transfers with a high standard of security. These routers offer full network security and other capabilities to fill the networking needs of a small to medium size network. The Cisco Integrated Services Router (ISR) provides a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements.

The following subsections describe the physical characteristics of the ISRs, each of which contains a multiple-chip standalone cryptographic module. This module is used to support SSH, TLS (VPN, Mgt), IPSec, GetVPN, and SNMPv3.

The Cisco 819G-4G-A-K9, 819G-4G-V-K9, 819H-K9, 819G-S-K9 and 819HG-4G-G-K9 are all Cisco 819 models. They are designed in compact hardened and non-hardened form factors and differ in their support for 3G, 4G, and 3G combined with the full features of Cisco IOS Software. The Cisco 819 ISR combines the latest cellular standards (4G LTE) and 3G standards (High-Speed Packet Access Plus [HSPA+] release 7 and Evolution Data Optimized [EVDO] Rev A) with Cisco enterprise-class LAN solutions in a single platform.

The cryptographic boundary of the module is defined as the device's case along with the opacity shields associated with the system. All of the functionality discussed in this document is provided by components within this cryptographic boundary. The CF card that stores the IOS image is considered an internal memory module, because the IOS image stored on the card may not be modified or upgraded. The card itself must never be removed from the drive. A tamper-evident seal will be placed over the card in the drive.

The following configurations are tested:

Hardware Model | Firmware Version
Cisco 819G-4G-A-K9 Integrated Solutions Router | 15.2(4)M6A
Cisco 819G-4G-V-K9 Integrated Solutions Router | 15.2(4)M6A
Cisco 819H-K9 Integrated Solutions Router | 15.2(4)M6A
Cisco 819G-S-K9 Integrated Solutions Router | 15.2(4)M6A
Cisco 819HG-4G-G-K9 Integrated Solutions Router | 15.2(4)M6A
Cisco 891 Integrated Solutions Router | 15.2(4)M6A
Cisco 881 Integrated Solutions Router | 15.2(4)M6A
Cisco 1905 Integrated Solutions Router | 15.2(4)M6A
Cisco 1921 Integrated Solutions Router | 15.2(4)M6A
Cisco 1941 Integrated Solutions Router | 15.2(4)M6A

Table 2: ISR Test Configurations

The following pictures are representative of each of the module hardware models (the images are not reproduced in this transcription; only the figure captions survive):

Figure 1 - Cisco 819G-4G-A-K9 ISR
Figure 2 - Cisco 819G-4G-V-K9 ISR
Figure 3 - Cisco 819H-K9 ISR
Figure 4 - Cisco 819G-S-K9 ISR
Figure 5 - Cisco 819HG-4G-G-K9 ISR
Figure 6 - Cisco 891 ISR
Figure 7 - Cisco 881 ISR
Figure 8 - Cisco 1905 ISR

Figure 9 - Cisco 1921 ISR
Figure 10 - Cisco 1941 ISR

2.1 Module Interfaces

Each of the ISRs is a multiple-chip standalone cryptographic module. The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the following FIPS 140-2 defined logical interfaces: data input, data output, control input, status output, and power. The module provides no power to external devices and takes in its power through the normal power input/cord. The following table lists all possible logical interface configurations and their associated mapping for all of the various ISR systems detailed in this Security Policy. The row of model names heading the columns did not survive extraction; each cell below therefore lists the distinct per-model port groups as they appear in the table, separated by semicolons.

Logical Interface | Physical Port Mapping (per-model port groups)
Data Input | Fast Ethernet (FE) ports (4), Gigabit Ethernet (GE) port (1), Console/Aux port; Fast Ethernet (FE) ports (5), Console/Aux port; Fast Ethernet (FE) ports (9), Gigabit Ethernet (GE) port (1), Console port, Auxiliary port; EHWIC (1), Gigabit Ethernet (GE) ports (2), Console port, Auxiliary port; EHWIC (2), Gigabit Ethernet (GE) ports (2), Console port, Auxiliary port
Data Output | Fast Ethernet (FE) ports (4), Gigabit Ethernet (GE) port (1), Console/Aux port; Fast Ethernet (FE) ports (5), Console/Aux port; Fast Ethernet (FE) ports (9), Gigabit Ethernet (GE) port (1), Console port, Auxiliary port; EHWIC (1), Gigabit Ethernet (GE) ports (2), Console port, Auxiliary port; EHWIC (2), Gigabit Ethernet (GE) ports (2), Console port, Auxiliary port
Control Input | Fast Ethernet (FE) ports (4), Gigabit Ethernet (GE) port (1), Console/Aux port; Fast Ethernet (FE) ports (5), Console/Aux port; Fast Ethernet (FE) ports (9), Gigabit Ethernet (GE) port (1), Console port, Auxiliary port; EHWIC (1), Gigabit Ethernet (GE) ports (2), Console port, Auxiliary port; EHWIC (2), Gigabit Ethernet (GE) ports (2), Console port, Auxiliary port
Status Output | Console/Aux port, Fast Ethernet (FE) ports (4), Gigabit Ethernet (GE) port (1); Console/Aux port, Fast Ethernet (FE) ports (5); Console port, Auxiliary port, Fast Ethernet (FE) ports (9), Gigabit Ethernet (GE) port (1); Console port, Auxiliary port, USB Console port, Gigabit Ethernet (GE) ports (2)
Power | 5V DC power supply; 12V DC power supply, POE power port; 110V–240V AC power supply, POE power port

Table 3: ISR Interfaces

2.2 Roles and Services

Authentication is identity-based. Each user is authenticated upon initial access to the module. The module also supports RADIUS or TACACS for authentication. There are two roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role and its associated services in order to configure the router, while Users exercise only the basic User services. A complete description of all the management and configuration capabilities of the router can be found in the Performing Basic System Management manual or Configuration Guide Manual and in the online help for the routers.

All CO/User passwords must be 8 to 25 characters with a minimum of one letter and one number. If six (6) integers, one (1) special character and one (1) alphabetic character are used without repetition for an eight (8) character PIN, the probability of randomly guessing the correct sequence is one (1) in 251,596,800. This calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 integer digits, 52 alphabetic characters, and 32 special characters, providing 94 characters to choose from in total; the calculation is 10 x 9 x 8 x 7 x 6 x 5 x 32 x 52 = 251,596,800. Therefore, the associated probability of a successful random attempt is approximately 1 in 251,596,800, which is less than the 1 in 1,000,000 required by FIPS 140-2.

When using RSA-based authentication, the RSA key pair has a modulus size of 2048 bits, thus providing 112 bits of strength. Therefore, an attacker would have a 1 in 2^112 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2.

2.2.1 User Services

Users enter the system by accessing the console port through a terminal program or via an IPSec-protected telnet or SSH session to a LAN port. The IOS prompts the User for username and password.
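The password rule and the random-guess calculation from section 2.2 above, as an added worked example (editor's code, not part of Cisco's security policy). It assumes the document's character-set model (10 digits, 52 letters, 32 special characters) and generalizes the document's single 6-digit/1-special/1-letter case to any composition; the function and constant names are the editor's.

```python
"""Password policy check and random-guess probability for the CO/User password
rule described in section 2.2 (added example, not Cisco's code)."""
from math import perm

# Character-set model assumed by the document's calculation (US QWERTY keyboard).
DIGITS = 10
LETTERS = 52
SPECIALS = 32
# FIPS 140-2 bound on the probability of a single random authentication attempt.
FIPS_MAX_GUESS_PROBABILITY = 1 / 1_000_000


def meets_policy(password: str) -> bool:
    """Section 2.2 rule: 8 to 25 characters, at least one letter and one digit."""
    if not 8 <= len(password) <= 25:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return has_letter and has_digit


def candidate_count(n_digits: int, n_specials: int, n_letters: int) -> int:
    """Number of candidate strings under the document's model: the digits are
    drawn without repetition (10 x 9 x 8 ...), the special characters and
    letters from their full sets.  For (6, 1, 1) this reproduces the
    document's 10 x 9 x 8 x 7 x 6 x 5 x 32 x 52 = 251,596,800."""
    if n_digits > DIGITS:
        raise ValueError("cannot draw more than 10 distinct digits")
    return perm(DIGITS, n_digits) * SPECIALS ** n_specials * LETTERS ** n_letters


def guess_probability(n_digits: int = 6, n_specials: int = 1, n_letters: int = 1) -> float:
    """Probability that one random attempt hits the correct password."""
    return 1 / candidate_count(n_digits, n_specials, n_letters)


def satisfies_fips_bound(n_digits: int = 6, n_specials: int = 1, n_letters: int = 1) -> bool:
    """True when the composition meets the 1-in-1,000,000 FIPS 140-2 requirement."""
    return guess_probability(n_digits, n_specials, n_letters) < FIPS_MAX_GUESS_PROBABILITY


if __name__ == "__main__":
    print("candidates (6 digits, 1 special, 1 letter):", candidate_count(6, 1, 1))
    print("meets FIPS bound:", satisfies_fips_bound())
    for pw in ("Router2014!", "short1", "onlyletters", "12345678"):
        print(f"{pw!r}: policy ok = {meets_policy(pw)}")
```

The document's count fixes the positions of the digit, special and letter groups and does not multiply by the number of ways those groups can be arranged across the eight positions, so its 251,596,800 is a lower bound on the real search space; the probability it derives is therefore conservative, which is the right direction for a compliance argument.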
If the password is correct, the User is allowed entry to the IOS executive program.

The services available to the User role consist of the following:

Services and Access | Description | Keys and CSPs
Status Functions (r) | View state of interfaces and protocols, version of IOS currently running. | User password
Network Functions (r,w) | Connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services (i.e., ping, mtrace). | User password
Terminal Functions (r) | Adjust the terminal session (e.g., lock the terminal, adjust flow control). | User password
Directory Services (r) | Display directory of files kept in flash memory. | User password
Self-Tests (r) | Execute the FIPS 140 start-up tests on demand | N/A
SSL VPN (TLSv1.0) (r,w,d) | Negotiation and encrypted data transport via SSL VPN (TLSv1.0) | User password
IPsec VPN (r,w,d) | Negotiation and encrypted data transport via IPSec VPN | User password
GetVPN (GDOI) (r,w,d) | Negotiation and encrypted data transport via GetVPN | User password
SSH Functions (r,w,d) | Negotiation and encrypted data transport via SSH | User password
HTTPS Functions (TLS) (r,w,d) | Negotiation and encrypted data transport via HTTPS | User password
SNMPv3 Functions (r,w,d) | Negotiation and encrypted data transport via SNMPv3 | User password

Table 4: User Services (r = read, w = write, d = delete)

2.2.2 Crypto Officer Services

During initial configuration of the router, the Crypto Officer password (the "enable" password) is defined. A Crypto Officer can assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for the configuration of the router.

The Crypto Officer services consist of the following:

Services and Access | Description | Keys and CSPs
Configure the router (r,w) | Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information. | ISAKMP pre-shared keys, IKE authentication key, IKE encryption key, IPSec authentication keys, IPSec traffic keys, User passwords, Enable password, Enable secret
Define Rules and Filters (r,w,d) | Create packet filters that are applied to User data streams on each interface. Each filter consists of a set of rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. | password
View Status Functions (r) | View the router configuration, routing tables, active sessions, use gets to view SNMP MIB statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status. | password
Manage the router (r,w,d) | Log off users, shut down or reload the router, erase the flash memory, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations. | password
Configure Encryption/Bypass (r,w,d) | Set up the configuration tables for IP tunneling. Set pre-shared keys and algorithms to be used for each IP range or allow plaintext packets to be sent from specified IP addresses. | ISAKMP pre-shared keys, IKE authentication key, IKE encryption key, IPSec authentication keys, IPSec traffic keys, Enable secret
SNMPv3 (r) | Non security-related monitoring by the CO using SNMPv3. | password
SSL VPN (using TLSv1.0) (r,w,d) | Configure SSL VPN parameters, provide entry and output of CSPs. | TLS pre-master secret, TLS traffic keys
SSH v2 (r,w,d) | Configure SSHv2 parameters, provide entry and output of CSPs. | SSHv2 traffic keys
HTTPS (using TLSv1.0) (r,w,d) | Configure HTTPS parameters, provide entry and output of CSPs. | TLS pre-master secret, TLS traffic keys
IPsec VPN (r,w,d) | Configure IPsec VPN parameters, provide entry and output of CSPs. | skeyid, skeyid_d, IKE session encryption key, IKE session authentication key, ISAKMP pre-shared, IKE authentication private key, IKE authentication public key, IPSec encryption key, IPSec authentication key
GetVPN (GDOI) (r,w,d) | Configure GetVPN parameters, provide entry and output of CSPs. | GDOI key encryption key (KEK), GDOI traffic encryption key (TEK), GDOI TEK integrity key
Self-Tests (r) | Execute the FIPS 140 start-up tests on demand | N/A
User services (r,w,d) | The Crypto Officer has access to all User services. | password
Zeroization (d) | Zeroize cryptographic keys | All CSPs

Table 5: Crypto Officer Services (r = read, w = write, d = delete)

2.3 Unauthenticated Services

The services available to unauthenticated users are:

- Viewing the status output from the module's LEDs
- Powering the module on and off using the power switch
- Sending packets in bypass

2.4 Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as passwords. All keys are protected by the Crypto Officer role login password protection, and these keys can be zeroized by the Crypto Officer. Zeroization consists of overwriting the memory that stored the key.

The router is in the approved mode of operation only when FIPS 140-2 approved algorithms are used (except DH and RSA key transport, which are allowed in the approved mode for key establishment despite being non-approved).

All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the Internet Key Exchange (IKE)/Group Domain of Interpretation (GDOI). RSA public keys are entered into the modules using digital certificates, which contain relevant data such as the name of

the public key's owner, which associates the key with the correct entity. All other keys are associated with the user/role that entered them.

The module supports the following keys and critical security parameters (CSPs). Where an algorithm cell is empty below, that cell did not survive extraction.

Key/CSP Name | Algorithm | Description | Storage Location | Zeroization Method
DRBG entropy | SP 800-90 CTR DRBG (256 bits) | This is the entropy for the SP 800-90A RNG. | SDRAM (plaintext) | Power cycle the device
DRBG seed | SP 800-90 CTR DRBG (384 bits) | This is the seed for the SP 800-90A RNG. | SDRAM (plaintext) | Power cycle the device
DRBG V | SP 800-90 CTR DRBG (256 bits) | Internal V value used as part of the SP 800-90A CTR DRBG. | SDRAM (plaintext) | Power cycle the device
DRBG key | SP 800-90 CTR DRBG (256 bits) | Internal Key value used as part of the SP 800-90A CTR DRBG. | SDRAM (plaintext) | Power cycle the device
Diffie-Hellman private key | DH (224 – 379 bits) | The private key used in the Diffie-Hellman (DH) exchange. | SDRAM (plaintext) | Automatically after shared secret generated
Diffie-Hellman public key | DH (2048 – 4096 bits) | The p used in the Diffie-Hellman (DH) exchange. | SDRAM (plaintext) | Automatically after shared secret generated
Diffie-Hellman shared secret | DH (2048 – 4096 bits) | The shared key used in the Diffie-Hellman (DH) exchange. Created per the Diffie-Hellman protocol. | SDRAM (plaintext) | Zeroized upon deletion
EC Diffie-Hellman private key | ECDH (P-256/P-384) | The private key used in the Elliptic Curve Diffie-Hellman (ECDH) exchange. | SDRAM (plaintext) | Automatically after shared secret generated
EC Diffie-Hellman public key | ECDH (P-256/P-384) | The p used in the Elliptic Curve Diffie-Hellman (ECDH) exchange. | SDRAM (plaintext) | Automatically after shared secret generated
EC Diffie-Hellman shared secret | ECDH (P-256/P-384) | The shared key used in the Elliptic Curve Diffie-Hellman (ECDH) exchange. Created per the ECDH protocol. | SDRAM (plaintext) | Zeroized upon deletion
skeyid | HMAC-SHA-1 (160 bits) | Value derived from the shared secret within the IKE exchange. Zeroized when the IKE session is terminated. | SDRAM (plaintext) | Automatically after IKE session terminated
skeyid_d | HMAC-SHA-1 (160 bits) | The IKE key derivation key for non-ISAKMP security associations. | SDRAM (plaintext) | Automatically after IKE session terminated
IKE session encryption key | Triple-DES/AES | The IKE session encrypt key. | SDRAM (plaintext) | Automatically after IKE session terminated
IKE session authentication key | | The IKE session authentication key. | SDRAM (plaintext) | Automatically after IKE session terminated
ISAKMP preshared | Shared Secret (8 – 25 characters) | The key used to generate the IKE skeyid during preshared-key authentication. | NVRAM (plaintext) | "# no crypto isakmp key"
IKE authentication private key | RSA (2048/3072 bits); ECDSA (P-256/P-384) | RSA private key for IKE authentication. | NVRAM (plaintext) | "# crypto key zeroize rsa"
IKE authentication public key | RSA (2048/3072 bits); ECDSA (P-256/P-384) | RSA public key for IKE authentication. | SDRAM (plaintext) | "# crypto key zeroize rsa"
IPSec encryption key | Triple-DES/AES | The IPSec encryption key. Zeroized when the IPSec session is terminated. | SDRAM (plaintext) | "# Clear Crypto IPSec SA"
IPSec authentication key | | The IPSec authentication key. The zeroization is the same as above. | SDRAM (plaintext) | "# Clear Crypto IPSec SA"
SSH RSA private key | RSA (2048/3072 bits) | The SSH v2 private key for the module. | SDRAM (plaintext) | "# crypto key zeroize rsa"
SSH RSA public key | RSA (2048/3072 bits) | The SSH v2 public key for the module. | SDRAM (plaintext) | "# crypto key zeroize rsa"
SSH session keys | Triple-DES (168 bits)/AES (128/192/256 bits) | This is the SSH v2 session key. It is zeroized when the SSH v2 session is terminated. | SDRAM (plaintext) | Automatically when SSH v2 session terminated
TLS server private key | RSA (2048/3072 bits) | Private key used for SSLv3.1/TLS. | NVRAM (plaintext) | "# crypto key zeroize rsa"
TLS server public key | RSA (2048/3072 bits) | Public key used for SSLv3.1/TLS. | NVRAM (plaintext) | "# crypto key zeroize rsa"
TLS pre-master secret | Shared Secret (384 bits) | Shared secret created using asymmetric cryptography from which new TLS session keys can be created. | SDRAM (plaintext) | Automatically when TLS session is terminated
TLS session encryption key | Triple-DES/AES | Key used to encrypt TLS session data. | SDRAM (plaintext) | Automatically when TLS session is terminated
TLS session integrity key | HMAC-SHA-1 | HMAC-SHA-1 used for TLS data integrity protection. | SDRAM (plaintext) | Automatically when TLS session is terminated
GDOI key encryption key (KEK) | AES (128, 192 and 256 bits) | This key is created using the "GROUPKEY-PULL" registration protocol with GDOI. It is used to protect GDOI rekeying data. | SDRAM (plaintext) | Automatically when session terminated
GDOI traffic encryption key (TEK) | Triple-DES/AES | This key is created using the "GROUPKEY-PULL" registration protocol and updated using the "GROUPKEY-PUSH" registration protocol with GDOI. It is used to encrypt data traffic between GET VPN peers. | SDRAM (plaintext) | Automatically when session terminated
GDOI TEK integrity key | | This key is created using the "GROUPKEY-PULL" registration protocol and updated using the "GROUPKEY-PUSH" registration protocol with GDOI. It is used to ensure data traffic integrity between GET VPN peers. | SDRAM (plaintext) | Automatically when session terminated
snmpEngineID | Shared Secret (32 bits) | A unique string used to identify the SNMP engine. | NVRAM (plaintext) | Overwrite with new engine ID
SNMP v3 password | Shared Secret (8 – 25 characters) | The password used to set up the SNMP v3 connection. | NVRAM (plaintext) | Overwrite with new password
SNMP session key | AES (128 bits) | Encryption key used to protect SNMP traffic. | SDRAM (plaintext) | Automatically when session terminated
User password | Shared Secret (8 – 25 characters) | The password used to authenticate the User role. | NVRAM (plaintext) | Overwrite with new password
Enable secret | Shared Secret (8 – 25 characters) | The password used to authenticate the CO role. | NVRAM (plaintext) | Overwrite with new password
RADIUS secret | Shared Secret (8 – 25 characters) | The RADIUS shared secret. This shared secret is zeroized by executing the "no radius-server key" command. | NVRAM (plaintext) | "# no radius-server key"
TACACS secret | Shared Secret (8 – 25 characters) | The TACACS shared secret. This shared secret is zeroized by executing the "no tacacs-server key" command. | NVRAM (plaintext) | "# no tacacs-server key"

Table 6: CSPs Table

2.5 Cryptographic Algorithms

The router is in the approved mode of operation only when FIPS 140-2 approved/allowed algorithms are used. The module implements a variety of approved and non-approved algorithms.

2.5.1 Approved Cryptographic Algorithms

The routers support the following FIPS 140-2 approved algorithms. The algorithm-name column of Table 7 did not survive extraction, so the certificate numbers are listed per implementation in the order they appear; only RSA (Cert. #1338) can be identified, from the note that follows the table.

Implementation | Algorithm Certificates
IOS on Router | #2620, #1566, #2182, #1606, #1338 (RSA), #450, #231, #401
Router HW Accelerator | #962, #1115, #1535 and #1648; #757, #758 and #812; #933, #934 and #1038; #537, #538 and #627; N/A for the remaining algorithms
IOS Image Signing | #2208; #1347; N/A for the remaining algorithms

Table 7: Algorithm Certificates

Note: RSA (Cert. #1338; non-compliant with the functions from the CAVP Historical RSA List).
  o FIPS186-4: 186-4KEY(gen): PGM(ProvPrimeCondition) (1024 SHA(256)); ALG[RSASSA-PKCS1_V1_5] SIG(gen) (1024 SHA(1, 256)) (2048 SHA(1)) (3072 SHA(1))

The following key establishment methods, despite being non-approved, are available:

- Diffie-Hellman (key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- EC Diffie-Hellman (key establishment methodology provides between 128 and 192 bits of encryption strength)
- RSA (key wrapping; key establishment methodology provides between 112 and 128 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- GDOI (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength)

2.6 Non-FIPS Approved Algorithms

The Integrated Services Router (ISR) cryptographic module implements the following non-Approved algorithms:

- MD5
- DES
- HMAC-MD5
- RC4
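The strength figures quoted for the key-establishment methods above (DH 112 to 150 bits, EC Diffie-Hellman 128 to 192 bits, RSA key wrapping 112 to 128 bits) follow from the modulus sizes and curves listed in Table 6. The script below is an added example by the editor, not Cisco's code: it maps standard modulus sizes through the comparable-strength table of NIST SP 800-57 Part 1 and estimates non-standard sizes (such as the 4096-bit DH upper bound) with the GNFS-based formula that FIPS 140-2 Implementation Guidance 7.5 uses for that purpose; elliptic-curve strength is half the curve size. The function and constant names are the editor's, and the 112-bit compliance threshold is the one the document itself states.

```python
"""Security-strength estimates for the key-establishment methods in section
2.5.1 (DH, EC Diffie-Hellman, RSA key wrapping).  Added example, not Cisco's
code.  Standard sizes use the SP 800-57 Part 1 table; other sizes use the
GNFS-based formula from FIPS 140-2 IG 7.5."""
import math

# SP 800-57 Part 1 comparable strengths (bits) for finite-field (DH) and
# integer-factorization (RSA) moduli.
FFC_IFC_TABLE = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

# NIST prime curves used by the module; strength is half the curve size.
ECC_CURVES = {"P-256": 256, "P-384": 384}

# The document's rule: key establishment below 112 bits is non-compliant.
MIN_COMPLIANT_STRENGTH = 112


def gnfs_strength(modulus_bits: int) -> float:
    """Estimated strength of an L-bit modulus against the general number field
    sieve: x = (1.923 * cbrt(L ln 2) * (ln(L ln 2))^(2/3) - 4.69) / ln 2."""
    n = modulus_bits * math.log(2)
    return (1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69) / math.log(2)


def ffc_ifc_strength(modulus_bits: int) -> int:
    """Table value for standard sizes, otherwise the formula rounded to the nearest bit."""
    if modulus_bits in FFC_IFC_TABLE:
        return FFC_IFC_TABLE[modulus_bits]
    return round(gnfs_strength(modulus_bits))


def ecc_strength(curve: str) -> int:
    """Strength of an EC Diffie-Hellman exchange on a named NIST curve."""
    return ECC_CURVES[curve] // 2


def strength_range(method: str, sizes) -> tuple:
    """(min, max) strength over the key sizes a method is configured with.
    method is 'DH' or 'RSA' (modulus sizes in bits) or 'ECDH' (curve names)."""
    estimate = ecc_strength if method == "ECDH" else ffc_ifc_strength
    strengths = [estimate(s) for s in sizes]
    return min(strengths), max(strengths)


def is_compliant(strength_bits: int) -> bool:
    """True when a key-establishment strength meets the document's 112-bit floor."""
    return strength_bits >= MIN_COMPLIANT_STRENGTH


if __name__ == "__main__":
    # Reproduces the ranges stated in section 2.5.1 from the Table 6 key sizes.
    print("DH 2048-4096 bits:   ", strength_range("DH", [2048, 3072, 4096]))    # (112, 150)
    print("ECDH P-256/P-384:    ", strength_range("ECDH", ["P-256", "P-384"]))  # (128, 192)
    print("RSA 2048/3072 bits:  ", strength_range("RSA", [2048, 3072]))         # (112, 128)
    print("DH 1024 compliant?   ", is_compliant(ffc_ifc_strength(1024)))        # False
```

The formula gives roughly 110 bits for a 2048-bit modulus, which is why the standards round that size up to the 112-bit (Triple-DES) class in the table rather than using the raw estimate; for the non-standard 4096-bit size the formula rounds to 150 bits, matching the upper bound the document quotes for DH and GDOI.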

2.7 Self-Tests

In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to ensure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operation. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure.

2.7.1 Power-On Self-Tests (POSTs)

- IOS Algorithm Self-Tests
  o AES (encrypt/decrypt) Known Answer Tests
  o AES GCM Known Answer Test
  o DRBG Known Answer Test
  o ECDSA Sign/Verify
  o HMAC (SHA-1) Known Answer Test
  o RSA Known Answer Test
  o SHS (SHA-1/256/512) Known Answer Tests
  o Triple-DES (encrypt/decrypt) Known Answer Tests
- Hardware Accelerator Self-Tests
  o AES (encrypt/decrypt) Known Answer Tests
  o Triple-DES (encrypt/decrypt) Known Answer Tests
  o HMAC (SHA-1) Known Answer Test
- Firmware Integrity Test
  o RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-512

2.7.2 Conditional tests

- Conditional Bypass test
- Continuous random number generation test for approved and non-approved RNGs
- Pairwise consistency test for ECDSA
- Pairwise consistency test for RSA

2.8 Physical Security

The router is entirely encased by a metal, op
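The self-test flow of section 2.7 (known-answer tests at power-on, a continuous random number generation test during operation, and an error state that halts all services) as an added example written by the editor; it is not Cisco's code and does not model the IOS implementation. The SHA-1, SHA-256 and HMAC-SHA-1 test vectors are the public FIPS 180 and RFC 2202 examples; the module state machine, the `Module` and `module_state_after` names and the stuck-generator demonstration are the editor's assumptions.

```python
"""Model of the FIPS 140-2 self-test flow in section 2.7: power-on known-answer
tests (KATs) gate the module into the operational state, a continuous RNG test
runs on every random block, and any failure moves the module into an error
state in which no cryptographic service is offered.  Added example, not
Cisco's code."""
import hashlib
import hmac
import os

# Known-answer vectors: (name, function producing the digest, expected digest).
# SHA-1/SHA-256 of "abc" are the FIPS 180 examples; HMAC-SHA-1 is RFC 2202 case 1.
KATS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-1", lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest(),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
]


def run_known_answer_tests():
    """Return the names of the KATs whose computed digest differs from the expected one."""
    return [name for name, compute, expected in KATS
            if not hmac.compare_digest(compute(), expected)]


class SelfTestFailure(Exception):
    """Raised when a service is requested while the module is not operational."""


class Module:
    """Minimal state machine: 'power-on' -> 'operational', or -> 'error' on any failure."""

    def __init__(self, rng=os.urandom):
        self.state = "power-on"
        self._rng = rng          # byte source under test (os.urandom by default)
        self._last_block = None  # previous RNG output kept for the continuous test
        self.status = []         # status output, as the text requires in the error state

    def power_on_self_tests(self) -> str:
        failed = run_known_answer_tests()
        if failed:
            return self._fail("KAT failed: " + ", ".join(failed))
        self.state = "operational"
        return self.state

    def random_bytes(self, n: int = 32) -> bytes:
        """Continuous RNG test (FIPS 140-2 section 4.9.2): the first block after
        power-up is saved and not used; every later block is compared with the
        previous one and an identical block is treated as a stuck generator."""
        if self.state != "operational":
            raise SelfTestFailure("no services in state " + self.state)
        if self._last_block is None:
            self._last_block = self._rng(n)
        block = self._rng(n)
        if block == self._last_block:
            self._fail("continuous RNG test failed: repeated output block")
            raise SelfTestFailure(self.status[-1])
        self._last_block = block
        return block

    def _fail(self, reason: str) -> str:
        self.state = "error"
        self.status.append(reason)
        return self.state


def module_state_after(rng=os.urandom, draws: int = 2) -> str:
    """Power a module on with the given byte source, draw `draws` random blocks
    and return the final state ('operational' or 'error')."""
    m = Module(rng=rng)
    if m.power_on_self_tests() != "operational":
        return m.state
    try:
        for _ in range(draws):
            m.random_bytes(16)
    except SelfTestFailure:
        pass
    return m.state


if __name__ == "__main__":
    print("healthy RNG:", module_state_after())                       # operational
    print("stuck RNG:  ", module_state_after(lambda n: b"\x42" * n))  # error
```

The point worth taking from the model is the ordering: no service, not even random-byte generation, is reachable until the KATs pass, and a failure detected at any later time is not reported and then ignored but latches the module into the error state until it is power-cycled, which is what the text above means by "all secure data transmission is halted".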
