
Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580-20, ASA 5580-40, ASA 5585-X SSP-10, 5585-X SSP-20, 5585-X SSP-40 and 5585-X SSP-60 Security Appliances

FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation
Version 0.2
February 19, 2013

Table of Contents

1 Introduction
  1.1 Purpose
  1.2 Models
  1.3 Module Validation Level
  1.4 References
  1.5 Terminology
  1.6 Document Organization
2 Cisco ASA 5500 Security Appliances
  2.1 ASA 5500 and Cryptographic Module Physical Characteristics
  2.2 Module Interfaces
  2.3 Roles and Services
      User Services
      Crypto Officer Services
  2.4 Unauthenticated Services
  2.5 Cryptographic Key Management
  2.6 Cryptographic Algorithms
      Approved Cryptographic Algorithms
      Non-FIPS Approved Algorithms Allowed in FIPS Mode
      Non-Approved Cryptographic Algorithms
  2.7 Self-Tests
  2.8 Physical Security
      ASA 5505 Opacity Shield
      ASA 5580-20 and 5580-40 Opacity Shield
      ASA 5585-X Opacity Shield
      ASA 5505
      ASA 5510, 5520, 5540 and 5550
      ASA 5580
      ASA 5585-X
      Applying Tamper Evidence Labels
3 Secure Operation
  3.1 Crypto Officer Guidance - System Initialization
  3.2 Crypto Officer Guidance - System Configuration
  3.3 Identifying Router Operation in an Approved Mode

1 Introduction

1.1 Purpose

This is a non-proprietary Cryptographic Module Security Policy for the Cisco ASA 5500 Series Adaptive Security Appliances running Firmware 8.4.4.1, referred to in this document as appliances. This security policy describes how the modules meet the security requirements of FIPS 140-2 Level 2 and how to run the modules in a FIPS 140-2 mode of operation, and may be freely distributed.

1.2 Models

- ASA 5505
- ASA 5510
- ASA 5520
- ASA 5540
- ASA 5550
- ASA 5580
  - ASA 5580-20
  - ASA 5580-40
- ASA 5585-X
  - ASA 5585-X SSP 10
  - ASA 5585-X SSP 20
  - ASA 5585-X SSP 40
  - ASA 5585-X SSP 60

The ASA 5505 handles 100 Mbps VPN traffic with 25 concurrent users. These users can be a combination of SSL or IPSec.

The ASA 5510 handles 170 Mbps VPN traffic with 250 concurrent users. These users can be a combination of SSL or IPSec.

The ASA 5520 handles 225 Mbps VPN traffic with 750 concurrent users. These users can be a combination of SSL or IPSec.

The ASA 5540 handles 325 Mbps VPN traffic with up to 2500 concurrent SSL users and up to 5000 IPSec users. Both IPSec and SSL VPN can be used simultaneously, and the user limit will be between 2500 and 5000.

The ASA 5550 handles 425 Mbps VPN traffic with 5000 concurrent users. These users can be SSL or IPSec.

The ASA 5580 handles 1 Gbps VPN traffic and scales from 5000 to 10000 concurrent users. These users can be IPSec or SSL VPN.

Copyright 2013 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

The ASA 5585-X handles 3 Gbps to 5 Gbps of VPN traffic and scales with 10000 concurrent users. These users can be IPSec or SSL VPN.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/index.html.

1.3 Module Validation Level

The following table lists the level of validation for each area in FIPS PUB 140-2.

| No. | Area Title | Level |
|---|---|---|
| 1 | Cryptographic Module Specification | 2 |
| 2 | Cryptographic Module Ports and Interfaces | 2 |
| 3 | Roles, Services, and Authentication | 3 |
| 4 | Finite State Model | 2 |
| 5 | Physical Security | 2 |
| 6 | Operational Environment | N/A |
| 7 | Cryptographic Key Management | 2 |
| 8 | Electromagnetic Interference/Electromagnetic Compatibility | 2 |
| 9 | Self-Tests | 2 |
| 10 | Design Assurance | 2 |
| 11 | Mitigation of Other Attacks | N/A |
| | Overall module validation level | 2 |

Table 1 Module Validation Level

1.4 References

This document deals only with the operations and capabilities of the Cisco ASA 5500 models listed above in section 1.2, in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the routers from the following sources:

- The Cisco Systems website contains information on the full line of Cisco Systems ASA 5500 modules. Please refer to the following: /vpndevc/ps6032/ps6094/ps6120/product data US/products/ps6120/index.html
- The Cisco Systems website at www.cisco.com.
- The NIST Validated Modules website (…tml) contains contact information for answers to technical or sales-related questions for the module.

1.5 Terminology

In this document, the Cisco ASA 5500 models identified above are referred to as ASA 5500 Security Appliances, Appliances or the systems.

1.6 Document Organization

The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

- Vendor Evidence document
- Finite State Machine
- Other supporting documentation as additional references

This document provides an overview of the Cisco ASA 5500 Security Appliances models identified in section 1.2 above and explains the secure configuration and operation of the module. This introduction section is followed by Section 2, which details the general features and functionality of the appliances. Section 3 specifically addresses the required configuration for the FIPS mode of operation.

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.

2 Cisco ASA 5500 Security Appliances

The Cisco ASA 5500 Security Appliances leverage Cisco's expertise in security and VPN solutions, and integrate the latest technologies from Cisco PIX 500 series security appliances, Cisco IPS 4200 Series Intrusion Prevention Systems, and Cisco VPN 3000 series concentrators. The following subsections describe the physical characteristics of the ASA 5500 appliances. Cisco ASA 5500 Series Adaptive Security Appliances integrate world-class firewall, unified communications security, VPN, IPS, and content security services in a unified platform.

2.1 ASA 5500 and Cryptographic Module Physical Characteristics

The Cisco ASA 5500 Security Appliances deliver enterprise-class security for medium business-to-enterprise networks in a modular, purpose-built appliance. Its versatile one-rack-unit (1RU: ASA 5505, 5510, 5520, 5540 and 5550), two-rack-unit (2RU: ASA 5585-10, 5585-20, 5585-40 and 5585-60) and four-rack-unit (4RU: ASA 5580-20 and 5580-40) design supports up to 8 10/100/1000 Gigabit Ethernet port interfaces (on the ASA 5520, ASA 5540 and ASA 5550), 1 10/100 Fast Ethernet Management port interface, and 4 10/100/1000 Gigabit Ethernet RJ45 port interfaces, 4 Gigabit Ethernet fiber ports, and 2 10/100/1000 Gigabit Ethernet Management port interfaces (on the ASA 5580 and ASA 5585-X), making it an excellent choice for businesses requiring a cost-effective, resilient security solution with demilitarized zone (DMZ) support.

Each appliance is a multi-chip standalone security appliance with the cryptographic boundary defined as the module's chassis along with the opacity shields.

2.2 Module Interfaces

The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the following FIPS 140-2 defined logical interfaces: data input, data output, control input, status output, and power. The module provides no power to external devices and takes in its power through the normal power input/cord. The logical interfaces and their mapping are described in the following table:

| FIPS 140-2 Logical Interface | ASA 5505 Physical Interface | ASA 5510, 5520, 5540 Physical Interface | ASA 5550 Physical Interface | ASA 5580 Physical Interface | ASA 5585 Physical Interface |
|---|---|---|---|---|---|
| Data Input Interface | Ethernet ports, Console Port | Ethernet ports, MGMT Port, Console Port | Ethernet ports, MGMT Port, Console Port | Ethernet ports, MGMT Port, Console Port | Ethernet ports, MGMT Port, Console Port |
| Data Output Interface | Ethernet ports, Console Port | Ethernet ports, MGMT Port, Console Port | Ethernet ports, MGMT Port, Console Port | Ethernet ports, MGMT Port, Console Port | Ethernet ports, MGMT Port, Console Port |
| Control Input Interface | Ethernet ports, Reset Switch, Console Port | Ethernet ports, MGMT Port, Console Port | Ethernet ports, MGMT Port, Power Switch | Ethernet ports, MGMT Port, Console Port | Ethernet ports, MGMT Port, Console Port |
| Status Output Interface | Ethernet ports, LEDs, Console Port | Ethernet ports, MGMT Port, LEDs, Console Port | Ethernet ports, MGMT Port, LEDs, Console Port | Ethernet ports, MGMT Port, LEDs, Console Port | Ethernet ports, MGMT Port, LEDs, Console Port |
| Power Interface | Power Plug | Power Plug | Power Plug | Power Plug | Power Plug |
| Unused Interface | USB Port | USB Port, Compact Flash Slot (disabled by TEL), Aux Port, Reset Switch | USB Port, Compact Flash Slot (disabled by TEL), Aux Port, Reset Switch | USB Port | USB Port, Aux Port |

Please note that the USB port on each module and the Aux port on each 5510/5520/5540/5550 module are non-functional.

Table 2 Module Interfaces

Figure 2 – Cisco ASA 5505 Series Security Appliance Front Panel
1 USB 2.0 interface; 2 100 Mbps; 3 LINK/ACT LEDs; 4 Power; 5 Status; 6 Active; 7 VPN; 8 SSC

Figure 3 – Cisco ASA 5505 Series Security Appliance Rear Panel
1 Power 48VDC; 2 SSC Slot; 3 Network Interface LEDs; 4 Network Interfaces; 5 Console Port; 6 USB 2.0 Interface; 7 Reset Button; 8 Lock Slot

Figure 4 – Cisco ASA 5510, 5520, 5540 and 5550 Series Security Appliance Front Panel

| # | LED | Color | State | Description |
|---|---|---|---|---|
| 1 | Power | | On | The system has power. |
| 2 | Status | | Flashing | The power-up diagnostics are running or the system is booting. |
| | | Green | Solid | The system has passed power-up diagnostics. |
| | | Amber | Solid | The power-up diagnostics have failed. |
| 3 | Active | Green | Flashing | There is network activity. |
| 4 | VPN | Green | Solid | VPN tunnel is established. |
| 5 | Flash | Green | Solid | The CompactFlash is being accessed. |

Figure 5a – Cisco ASA 5510, 5520, 5540 Series Security Appliance Rear Panel (4 RJ-45 Ethernet Ports)

Figure 5b – Cisco ASA 5550 Series Security Appliance Rear Panel (4 SFP fiber Ethernet Ports; same ports and interfaces as identified above and described below for the 5510, 5520, 5540, except that the 5550 has additional ports)

1 Management port; 2 External CompactFlash slot; 3 Serial Console port; 4 Power switch; 5 Power indicator LED; 6 USB 2.0 interfaces; 7 Network interfaces; 8 Power indicator LED; 9 Status indicator LED; 10 Active LED; 11 VPN LED; 12 Flash LED; 13 Aux Port; 14 Power connector

Figure 6 – Cisco ASA 5510, 5520, 5540 and 5550 Series Security Appliance Rear Panel Link and Speed Indicator
1 MGMT indicator LEDs; 2 Network interface LEDs (MGMT indicator and Network interface LEDs, left side and right side)

| LED | Color | Description |
|---|---|---|
| Link/activity | Solid green | Physical link |
| | Green flashing | Network activity |
| Speed | Not lit | 10 Mbps |
| | Green | 100 Mbps |
| | Amber | 1000 Mbps |

Figure 7 – Cisco ASA 5580 Series Security Appliance Front Panel

| LED | Function |
|---|---|
| 1 | Active |
| 2 | System |
| 3 | Power Status |
| 4 | Management 0/0 |
| 5 | Management 0/1 |
| 6 | Power |

Figure 8 – Cisco ASA 5580 Series Security Appliance Rear Panel Indicators
1 Power Indicator; 2 Link Indicator; 3 Activity Indicator

Figure 9 – Cisco ASA 5580 Series Security Appliance Rear Panel
1 Power Supply; 2 Interface Expansion Slots; 3 Power Supply; 4 T-15 Torx Screwdriver; 5 USB Ports; 6 Reserved Slot; 7 Example of Populated Slot; 8 Reserved Slot; 9 Console port; 10 Management ports

Figure 10 – Cisco ASA 5585-X SSP-10 and SSP-20 Series Security Appliance Front Panel (callouts share the legend listed under Figure 11)

Figure 11 – Cisco ASA 5585-X SSP-40 and SSP-60 Series Security Appliance Front Panel

Legend for Figures 10 and 11 (callout numbering is not recoverable from this transcription):
- IPS SSP
- SSP
- SSP/IPS SSP removal screws
- Reserved bays for hard-disk drives
- Ethernet ports (not present on SSP 10 or SSP 20)
- Vent (on SSP 10 and SSP 20)
- Ethernet ports
- Management
- USB port
- Front panel indicators
- Auxiliary port (RJ45)
- Console port (RJ45)
- Eject
- Vent (on SSP 40 and SSP 60) and Ethernet ports (on SSP 10 or SSP 20)

Figure 12 – Cisco ASA 5585-X Series Security Appliance Rear Panel Indicators
1 PWR; 2 BOOT; 3 ALARM; 4 ACT; 5 VPN; 6 PS1; 7 PS0; 8 HDD1; 9 HDD2

Figure 13 – Cisco ASA 5585-X Series Security Appliance Rear Panel
1 Power supply module; 2 Power supply module/fan module removal screws; 3 Power supply module plug; 4 Toggle On/Off switch for power; 5 Power supply module indicators; 6 Power supply module or fan module handle; 7 Fan module; 8 Fan module indicator

Figure 14 – Cisco ASA 5585-X Series Security Appliance Rear Panel Indicators
1 AC ON; 2 FAN OK; 3 OUT FAIL

2.3 Roles and Services

The security appliances can be accessed in one of the following ways:

- Console Port
- Telnet over IPSec
- SSH v2
- ASDM via HTTPS/TLS

Authentication is identity-based. Each user is authenticated by the module upon initial access to the module. As required by FIPS 140-2, there are two roles in the security appliances that operators may assume: a Crypto Officer role and a User role. The administrator of the security appliances assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module also supports RADIUS and TACACS as another means of authentication.

The User and Crypto Officer passwords and all shared secrets must each be at least eight (8) characters long, including at least one letter and at least one number character (enforced procedurally). See the Secure Operation section for more information. If six (6) integers, one (1) special character and one (1) alphabet character are used without repetition for an eight (8) digit PIN, the probability of randomly guessing the correct sequence is one (1) in 832,000,000. Successfully guessing the sequence in one minute would require the ability to make over 13,000,000 guesses per second, which far exceeds the operational capabilities of the module. Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence.

Additionally, when using RSA based authentication, the RSA key pair has a modulus size of 1024 bits to 2048 bits, thus providing between 80 bits and 112 bits of strength. Assuming the low end of

that range, an attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 1.8 × 10^21 attempts per minute, which far exceeds the operational capabilities of the modules to support.

User Services

Users can access the system in two ways:

1. By accessing the console port with a terminal program, or via an IPSec protected telnet or SSH session to an Ethernet port. The IOS prompts the User for username and password. If the password is correct, the User is allowed entry to the IOS executive program.
2. Via an IPSec session. This session is authenticated using either a shared secret or an RSA digital signature authentication mechanism.

The services available to the User role consist of the following:

| Services & Access | Description | Keys & CSPs |
|---|---|---|
| Status Functions (r) | Image version currently running, installed hardware components, and version of hardware installed. | User password |
| Network Functions (r, w, x) | Initiate diagnostic network services, such as ping. | User password |
| VPN functions (r, x) | Negotiation and encrypted data transport via VPN | ISAKMP pre-shared keys, IKE Authentication key, IKE Encryption Key, IPSec authentication keys, IPSec traffic keys, User passwords |
| Directory Services (r, x) | Display directory of files kept in flash memory. | User password |
| Perform Self-Tests (r, x) | Execute Known Answer Test on Algorithms within the cryptographic module. | N/A |

Table 3 - User Services

Crypto Officer Services

The Crypto Officer role is responsible for the configuration and maintenance of the security appliances and authenticates from the enable command (for local authentication) or the login command (for AAA authentication) from the user services.
The Crypto Officer services consist of the following:

| Services & Access | Description | Keys & CSPs |
|---|---|---|
| Configure the Security Appliance (r, w, d) | Define network interfaces and settings; provide for the entry and output of CSPs; set the protocols the security appliances will support; enable interfaces and network services; set system date and time; load authentication information; and configure authentication servers, filters and access lists for interfaces and users, and privileges. | ISAKMP pre-shared keys, IKE Authentication key, IKE Encryption Key, IPSec authentication keys, IPSec traffic keys, User passwords, Enable password, Enable secret |
| Define Rules and Filters (r, w, d) | Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. | password |
| View Status Functions (r, x) | View the configuration, routing tables, active sessions; use SNMP queries to view SNMP MIB statistics, health, temperature, memory status, packet statistics; review accounting logs; and view physical interface status. | password |
| Manage the Security Appliance (r, w, d) | Log off users, provide for the entry and output of CSPs, shut down or reload the security appliances, view complete configurations, view full status, manage user rights, and restore configurations. | password |
| Set Encryption/Bypass (r, w, x, d) | Set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range, or allow plain text packets to be sent from a specified IP address. Set up site-to-site VPN for IPv6. | ISAKMP pre-shared keys, IKE Authentication key, IKE Encryption Key, IPSec authentication keys, IPSec traffic keys, Enable secret |
| Perform Self-Tests (r, x) | Execute Known Answer Test on Algorithms within the cryptographic module. | N/A |
| SSL VPN (using TLSv1.0) (r, w, x, d) | Configure SSL VPN parameters, provide entry and output of CSPs. | TLS pre-master secret, TLS Traffic Keys |
| Local Certificate Authority (r, w, d) | Allows the ASA to be configured as a Root Certificate Authority and issue user certificates for SSL VPN use (AnyConnect and Clientless). The ASA can then be configured to require client certificates for authentication. | N/A |

Table 4 - Crypto Officer Services

2.4 Unauthenticated Services

The services available to unauthenticated users are:

- Viewing the status output from the module's LEDs
- Powering the module on and off using the power switch on the third-party chassis
- Performing bypass service

2.5 Cryptographic Key Management

The ASA 5500 administers both cryptographic keys and other critical security parameters such as passwords. All keys and CSPs are protected by the password protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. Zeroization consists of overwriting the memory that stored the key or refreshing the volatile memory. Keys are both manually and electronically distributed but entered electronically. Persistent keys with manual distribution are used for pre-shared keys, whereas protocols such as IKE, TLS and SSH are used for electronic distribution.

The ASA 5500 module securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto Officer needs to be authenticated to store keys. Only an authenticated Crypto Officer can view the keys.
All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the IKE protocol. RSA public keys are entered into the modules using digital certificates, which contain relevant data such as the name of the public key's owner, which associates the key with the correct entity. All other keys are associated with the user/role that entered them.

| Key/CSP Name | Generation/Algorithm | Description | Storage | Zeroization |
|---|---|---|---|---|
| RNG seed | ANSI X9.31 Appendix A.2.4 using the 3-Key Triple DES algorithms | X9.31 RNG Seed. This key was generated by the module. | DRAM (plain text) | Power cycle the module |
| RNG seed key | ANSI X9.31 Appendix A.2.4 using the 3-Key Triple DES algorithms | X9.31 Seed key. This key was generated by the module. | DRAM (plain text) | Power cycle the module |
| Diffie-Hellman private exponent | Diffie-Hellman | Key agreement for IKE, TLS, and SSH sessions. Diffie-Hellman groups 1 (768 bits of keying strength), 2 (1024 bits), 5 (1536 bits) and 7 (2048 bits) are supported. This key was generated by calling the FIPS approved RNG. | DRAM (plain text) | Automatically when session expires |
| Diffie-Hellman shared secret | Diffie-Hellman | This is the shared secret agreed upon as part of the DH exchange. This key was generated by the module. | DRAM (plain text) | Automatically when session expires |
| RSA private keys | RSA | Identity certificates for the security appliance itself, also used in IPSec, TLS, and SSH negotiations. The security appliances support 512, 768, 1024 and 2048 bit key sizes (512- and 768-bit key lengths are not to be used in FIPS mode). This key was generated by calling the FIPS approved RNG. | Private Key - NVRAM (plain text) | Zeroized by “# no crypto key generate rsa” |
| skeyid | HMAC-SHA1/256/384/512 | Value derived from the shared secret within the IKE exchange. | DRAM (plain text) | Automatically after IKE session is terminated |
| skeyid_d | HMAC-SHA1/256/384/512 | Value derived from the shared secret within the IKE exchange. | DRAM (plain text) | Automatically after IKE session is terminated |
| ISAKMP pre-shared secret | Shared Secret | Used for authentication during IKE. This key was configured by the Crypto Officer. | NVRAM (plain text) | Zeroized by “# no crypto isakmp key” |
| IKE authentication key | HMAC-SHA1/256/384/512 | This key is used to authenticate IKE sessions. This key was derived in the module. | DRAM (plain text) | Automatically after IKE session is terminated |
| IKE encryption key | Triple-DES/AES | Used to encrypt IKE negotiations. This key was derived in the module. | DRAM (plain text) | Automatically after IKE session is terminated |
| IPSec authentication key | HMAC-SHA1/256/384/512 | Exchanged using the IKE protocol and the public/private key pairs. These are Triple-DES or AES keys. This key was derived in the module. | DRAM (plain text) | Automatically after IPSec session is terminated |
| IPSec traffic keys | Triple-DES/AES/HMAC-SHA1/256/384/512 | Exchanged using the IKE protocol and the public/private key pairs. These are Triple-DES or AES keys. This key was derived in the module. | DRAM (plain text) | Automatically after IPSec session is terminated |
| RADIUS shared secret | Shared Secret | Used for authenticating the RADIUS server to the security appliances and vice versa. This key was configured by the Crypto Officer. | NVRAM (plain text) | Zeroized by “# no radius-server key” |
| TACACS shared secret | Shared Secret | Used for authenticating the TACACS server to the security appliances and vice versa. This key was configured by the Crypto Officer. | NVRAM (plain text) | Zeroized by “# no tacacs-server key” |
| User password | Shared Secret | Critical security parameters used to authenticate the User/Crypto-Officer login. This key was configured by the Crypto Officer. | NVRAM (plain text) | Overwrite with new password |
| Enable password | Shared Secret | Configured by the Crypto Officer. It is used to authenticate the Crypto Officer. | NVRAM (plain text) | Overwrite with new password |
| Enable secret | Shared Secret | Configured by the Crypto Officer. It is used to authenticate the Crypto Officer role. | NVRAM (plain text) | Overwrite with new password |
| TLS pre-master secret | Shared Secret | Shared secret created/derived using asymmetric cryptography from which new HTTPS session keys can be created. This key is entered into the module in cipher text form, encrypted by the RSA public key. | DRAM (plain text) | Automatically when TLS session is terminated |
| TLS traffic keys | Triple-DES/AES/HMAC-SHA1/256/384/512 | Used in HTTPS connections. Generated using the TLS protocol. This key was derived in the module. | DRAM (plain text) | Automatically when TLS session is terminated |
| SSH v2 authentication keys | HMAC-SHA1/256/384/512 | This key is used to perform the authentication between the SSH client and SSH server. This key was derived in the module. | DRAM (plain text) | Zeroized automatically when SSH session is closed |
| SSH v2 session encryption keys | Triple-DES/AES | This is the symmetric SSH key used to protect the SSH session. This key was derived in the module. | DRAM (plain text) | Zeroized automatically when SSH session is closed |

Table 5 Cryptographic Keys and CSPs
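The authentication-strength argument in Section 2.3 rests on two FIPS 140-2 bounds (a single random attempt succeeds with probability below 1 in 1,000,000, and a minute of attempts succeeds with probability below 1 in 100,000) together with the procedurally enforced password rule. The following is an added example, not code from the Cisco security policy: it checks a candidate secret against that rule and computes the bounds for the general 8-character alphanumeric rule rather than the document's narrower six-digit, one-special, one-letter construction (so its keyspace figure differs from the 832,000,000 quoted above). The per-second attempt rate passed to `satisfies_fips_140_2` is an assumed figure, since the policy states only that the real modules fall far below the required rate.

```python
"""Added example (not part of the Cisco security policy): password-rule check
from Section 2.3 and the FIPS 140-2 authentication-strength bounds."""
import string

MIN_LENGTH = 8                          # "at least eight (8) characters long"
SINGLE_ATTEMPT_LIMIT = 1 / 1_000_000    # FIPS 140-2 bound for one random attempt
PER_MINUTE_LIMIT = 1 / 100_000          # FIPS 140-2 bound for one minute of attempts


def meets_policy(secret: str) -> bool:
    """Section 2.3 rule: >= 8 characters, at least one letter and one digit."""
    return (len(secret) >= MIN_LENGTH
            and any(c.isalpha() for c in secret)
            and any(c.isdigit() for c in secret))


def compliant_keyspace(length: int = MIN_LENGTH) -> int:
    """Number of alphanumeric strings of `length` with at least one letter and
    at least one digit (inclusion-exclusion over the 62-character alphabet).
    Restricting to alphanumerics gives a lower bound: allowing special
    characters only enlarges the space."""
    letters = len(string.ascii_letters)   # 52
    digits = len(string.digits)           # 10
    total = (letters + digits) ** length
    return total - letters ** length - digits ** length


def single_attempt_probability(length: int = MIN_LENGTH) -> float:
    """Probability that one random guess is the correct secret."""
    return 1 / compliant_keyspace(length)


def attempts_per_second_needed(length: int = MIN_LENGTH) -> float:
    """Guess rate an attacker would need to reach the per-minute bound."""
    return compliant_keyspace(length) * PER_MINUTE_LIMIT / 60


def satisfies_fips_140_2(max_attempts_per_second: float,
                         length: int = MIN_LENGTH) -> bool:
    """True when both bounds hold for a module that can process at most
    `max_attempts_per_second` authentication attempts (an assumed figure)."""
    per_attempt = single_attempt_probability(length)
    per_minute = min(1.0, per_attempt * max_attempts_per_second * 60)
    return per_attempt < SINGLE_ATTEMPT_LIMIT and per_minute < PER_MINUTE_LIMIT


if __name__ == "__main__":
    for candidate in ("abc12345", "password", "12345678", "a1"):
        print(f"{candidate!r:12} meets policy: {meets_policy(candidate)}")
    print("compliant 8-character keyspace:", f"{compliant_keyspace():,}")
    print("attempts/second needed to reach the per-minute bound:",
          f"{attempts_per_second_needed():,.0f}")
    print("module limited to 13,000,000 attempts/s passes:",
          satisfies_fips_140_2(13_000_000))
```

Because the rule is enforced procedurally rather than by the module, a check like `meets_policy` belongs in whatever process the Crypto Officer uses to set passwords and shared secrets; the keyspace functions show why the per-minute bound, not the single-attempt bound, is the one that depends on how fast the module can process login attempts.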

2.6 Cryptographic Algorithms

The module implements a variety of approved and non-approved algorithms.

Approved Cryptographic Algorithms

The routers support the following FIPS 140-2 approved algorithms (the table is cut off in this transcription; only its header and the first certificate numbers survive):

| Algorithm | Security Appliance OS (Firmware) | ASA On-board (Cavium Nitrox Lite) (ASA 5505) | … |
|---|---|---|---|
| A… | 2047 | 132 | … |
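Tables 3 and 4 both list a "Perform Self-Tests" service that executes Known Answer Tests on the module's algorithms. The block below is an added example, not the module's own self-test code: a minimal power-up KAT harness in plain Python that compares each algorithm's output on a fixed input against a stored expected answer, and a toy `CryptoModule` that refuses to offer any cryptographic service until the tests pass and latches into an error state if one fails. The expected answers are published test vectors (the FIPS 180 "abc" digests and RFC 4231 HMAC-SHA-256 test case 1); the algorithm list, error-state handling and class names are this example's, not the ASA's.

```python
"""Added example (not the module's own self-test code): a power-up
known-answer-test harness with fail-closed error-state handling."""
import hashlib
import hmac

# (name, callable producing the actual answer, expected hex digest).
# Vectors: FIPS 180 "abc" digests and RFC 4231 HMAC-SHA-256 test case 1.
KAT_VECTORS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("SHA-512", lambda: hashlib.sha512(b"abc").hexdigest(),
     "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
     "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


class SelfTestError(RuntimeError):
    """Raised when a service is requested while the module is in the error state."""


def run_known_answer_tests(vectors=KAT_VECTORS):
    """Run every KAT. Returns (all_passed, failures); failures lists
    (name, actual_or_error) so an operator can see which algorithm failed."""
    failures = []
    for name, compute, expected in vectors:
        try:
            actual = compute()
        except Exception as exc:        # an implementation that crashes also fails
            failures.append((name, f"exception: {exc}"))
            continue
        if not hmac.compare_digest(actual, expected):
            failures.append((name, actual))
    return not failures, failures


class CryptoModule:
    """Toy model of the FIPS 140-2 power-up sequence: KATs run before any
    cryptographic service is offered, and any failure latches the error state."""

    def __init__(self, vectors=KAT_VECTORS):
        self.in_error = True            # fail closed until the self-tests pass
        self.failures = []
        self.power_up(vectors)

    def power_up(self, vectors=KAT_VECTORS):
        passed, self.failures = run_known_answer_tests(vectors)
        self.in_error = not passed
        return passed

    def hmac_sha256(self, key: bytes, data: bytes) -> str:
        """Example service; refused while the module is in the error state."""
        if self.in_error:
            raise SelfTestError(f"module in error state, failed KATs: {self.failures}")
        return hmac.new(key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    module = CryptoModule()
    print("power-up KATs passed:", not module.in_error)
    # A deliberately corrupted expected answer exercises the fail-closed path.
    broken = KAT_VECTORS + [("SHA-256 (corrupted vector)",
                             lambda: hashlib.sha256(b"abc").hexdigest(), "00" * 32)]
    bad_module = CryptoModule(broken)
    print("with a corrupted vector, in error state:", bad_module.in_error)
```

The two points worth carrying over from this model to a review of any module's self-tests are that the error state is entered on any single KAT failure (not after a retry) and that no data-path service is reachable until the power-up tests have completed successfully.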
