Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy
Level 2 Validation, Version 1.3, June 2, 2004
Introduction
This is the non-proprietary Cryptographic Module Security Policy for the 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP. This security policy describes how the 2621XM and 2651XM routers (Hardware Version: 2621XM, 2651XM; AIM-VPN/EP: Hardware Version 1.0, Board Version B0; Firmware Version: IOS 12.3(3d)) meet the security requirements of FIPS 140-2, and how to operate the 2621XM and 2651XM routers in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the 2621XM and 2651XM routers.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2—Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.
This document contains the following sections:
Introduction, page 1
The 2621XM/2651XM Router, page 2
Secure Operation of the Cisco 2621XM/2651XM Router, page 17
Related Documentation, page 19
Obtaining Documentation, page 19
Documentation Feedback, page 20
Obtaining Technical Assistance, page 20
Obtaining Additional Publications and Information, page 22
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2001. Cisco Systems, Inc. All rights reserved.
References
This document deals only with operations and capabilities of the Cisco 2621XM and Cisco 2651XM routers in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the Cisco 2621XM and Cisco 2651XM routers and the Cisco 2600 Series from the following sources:
The Cisco Systems website contains information on the full line of products at www.cisco.com. The Cisco 1700 Series product descriptions can be found at: http://www.cisco.com/en/US/products/hw/routers/ps221/index.html
For answers to technical or sales-related questions please refer to the contacts listed on the Cisco Systems website at www.cisco.com.
The NIST Validated Modules website (http://csrc.nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the module.
Terminology
In this document, the Cisco 2621XM and Cisco 2651XM routers are referred to as the routers, the modules, or the systems.
Document Organization
The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:
Vendor Evidence document
Finite State Machine
Module Software Listing
Other supporting documentation as additional references
This document provides an overview of the Cisco 2621XM and 2651XM routers and explains the secure configuration and operation of the modules. This introduction section is followed by “The 2621XM/2651XM Router”, which details the general features and functionality of the Cisco 2621XM and 2651XM routers. “Secure Operation of the Cisco 2621XM/2651XM Router” specifically addresses the required configuration for the FIPS mode of operation.
With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.
The 2621XM/2651XM Router
Branch office networking requirements are dramatically evolving, driven by web and e-commerce applications to enhance productivity and by merging the voice and data infrastructure to reduce costs. The Cisco 2621XM and 2651XM routers offer versatility, integration, and security to branch offices. With over 100 Network Modules (NMs) and WAN Interface Cards (WICs), the modular architecture of the Cisco router easily allows interfaces to be upgraded to accommodate network expansion. The Cisco 2621XM and 2651XM provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements. This section describes the general features and functionality provided by the Cisco 2621XM and 2651XM routers.
The 2621XM/2651XM Cryptographic Module
Figure 1 The 2621XM/2651XM Router
(Figure labels: POWER, RPS and ACTIVITY front panel LEDs; "Cisco 2600 SERIES" badge)
The 2621XM and 2651XM Routers are multiple-chip standalone cryptographic modules. The cryptographic boundary is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate a WIC or Network Module; and the inverse of the three-dimensional space within the case that would be occupied by an installed WIC or Network Module. The cryptographic boundary includes the connection apparatus between the WIC or Network Module and the motherboard/daughterboard that hosts the WIC or Network Module, but the boundary does not include the WIC or Network Module itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular WICs or Network Modules. All of the functionality discussed in this document is provided by components within this cryptographic boundary.
The Cisco 2621XM and 2651XM routers incorporate an AIM-VPN/EP cryptographic accelerator card. The AIM-VPN/EP is located inside the module chassis, and is installed directly on the motherboard.
Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. The Cisco 2600's RISC-based processor provides the power needed for the dynamic requirements of the remote branch office, achieving wire-speed Ethernet-to-Ethernet routing with up to 30 thousand packets per second (Kpps) throughput capacity for the 2621XM, and 40 Kpps for the 2651XM.
Module Interfaces
The interfaces for the router are located on the rear panel as shown in Figure 2.
Figure 2 Cisco 2621XM and Cisco 2651XM Physical Interfaces
(Figure labels: WIC slots; Network module; 10/100BASE-T Ethernet 0/1 (RJ-45); 10/100BASE-T Ethernet 0/0 (RJ-45); Console port (RJ-45); Auxiliary port (RJ-45))
The Cisco 2621XM and 2651XM routers feature a console port, an auxiliary port, dual fixed LAN interfaces, a Network Module slot, and two WIC slots.
LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token-Ring and Ethernet; and single Token Ring chassis versions.
WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity. Available Network Modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options.
All Cisco 2600 series routers include an auxiliary port supporting 115 Kbps Dial-On-Demand Routing, ideal for back-up WAN connectivity.
When a Network Module is inserted, it fits into an adapter called the Network Module expansion bus. The expansion bus interacts with the PCI bridge in the same way that the fixed LAN ports do; therefore, no critical security parameters pass through the Network Module (just as they don't pass through the LAN ports). Network Modules do not perform any cryptographic functions.
WICs are similar to Network Modules in that they greatly increase the router's flexibility. A WIC is inserted into one of two slots, which are located above the fixed LAN ports. WICs interface directly with the processor. They do not interface with the cryptographic card; therefore no security parameters will pass through them. WICs cannot perform cryptographic functions; they only serve as a data input and data output physical interface.
The physical interfaces include a power plug for the power supply and a power switch. The router has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors on the back panel: a console port for a terminal used for local system access, and an auxiliary port for remote system access or dial backup using a modem. The 10/100Base-T LAN ports have Link/Activity, 10/100 Mbps, and half/full-duplex LEDs. Figure 3 shows the LEDs located on the rear panel, with descriptions detailed in Table 1:
Figure 3 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs
(Figure labels: for each of 10/100BASE-T Ethernet 0/0 and Ethernet 0/1 (RJ-45): Link LED, 100 Mbps LED, FDX LED; Auxiliary port (RJ-45); Console port (RJ-45))
Table 1 Cisco 2621XM and Cisco 2651XM Rear Panel LEDs and Descriptions
LED Indication Description
LINK Green An Ethernet link has been established
Off No Ethernet link established
FDX Green The interface is transmitting data in full-duplex mode
Off When off, the interface is transmitting data in half-duplex mode
100 Mbps Green The speed of the interface is 100 Mbps
Off The speed of the interface is 10 Mbps or no link is established
Figure 4 shows the front panel LEDs, which provide overall status of the router's operation. The front panel displays whether or not the router is booted, whether the redundant power is (successfully) attached and operational, and overall activity/link status.
Figure 4 Front Panel LEDs
POWER RPS ACTIVITY
Table 2 provides more detailed information conveyed by the LEDs on the front panel of the router:
Table 2 Cisco 2621XM and Cisco 2651XM Front Panel LEDs and Descriptions
LED Indication Description
Power Green Power is supplied to the router and the router is operational
Power Off The router is not powered on
RPS (1) Green RPS is attached and operational
RPS (1) Off No RPS is attached
RPS (1) Blink RPS is attached, but has a failure
Activity Blink (500 ms ON, 500 ms OFF) In ROMMON, no errors
Activity Blink (500 ms ON, 500 ms OFF, 2 sec between codes) In ROMMON, error detected
Activity Blink (less than 500 ms) In the Cisco IOS software, the blink rate reflects the level of activity
Activity Off In the Cisco IOS software, but no network activity
1. RPS = Redundant Power System
All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in Table 3:
Table 3 Cisco 2621XM and Cisco 2651XM FIPS 140-2 Logical Interfaces
FIPS 140-2 Logical Interface: Router Physical Interface(s)
Data Input Interface: 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port
Data Output Interface: 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Console Port, Auxiliary Port
Control Input Interface: 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, Power Switch, Console Port, Auxiliary Port
Status Output Interface: 10/100BASE-TX LAN Port, WIC Interface, Network Module Interface, LAN Port LEDs, 10/100BASE-TX LAN Port LEDs, Power LED, Redundant Power LED, Activity LED, Console Port, Auxiliary Port
Power Interface: Power Plug
Roles and Services
Authentication is role-based. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while Users exercise only the basic User services. Both roles are authenticated by providing a valid username and password. The configuration of the encryption and decryption functionality is performed only by the Crypto Officer after authentication to the Crypto Officer role by providing a valid Crypto Officer username and password. Once the Crypto Officer has configured the encryption and decryption functionality, the User can use this functionality after authentication to the User role by providing a valid User username and password. The Crypto Officer can also use the encryption and decryption functionality after authentication to the Crypto Officer role. The module supports RADIUS and TACACS+ for authentication, and they are used in FIPS mode. A complete description of all the management and configuration capabilities of the Cisco 2621XM and 2651XM routers can be found in the Performing Basic System Management manual and in the online help for the router.
The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 alphanumeric characters in length. See the “Secure Operation of the Cisco 2621XM/2651XM Router” section on page 17 for more information. If only the integers 0-9 are used without repetition for an 8-digit PIN, the probability of randomly guessing the correct sequence is 1 in 1,814,400. Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence.
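The role split and password rules described above map onto standard IOS AAA configuration. The fragment below is an illustrative configuration added here; it is not taken from this security policy (the actual FIPS-mode procedure is in the “Secure Operation” section on page 17), and the TACACS+ server address 192.0.2.10, the secrets, the account names and the mapping of Crypto Officer to privilege level 15 are assumptions.

```text
! Illustrative configuration, not from the security policy. Placeholders:
! 192.0.2.10, the secrets and the account names. Assumption: the Crypto
! Officer is a privilege-15 operator holding the enable secret; a User is
! a privilege-1 operator.
!
! Enforce the 8-character minimum the policy states for passwords; this
! makes IOS reject shorter user, enable and line passwords when entered.
security passwords min-length 8
!
! Crypto Officer password (the "enable" password) stored as a hash
! (enable secret) rather than with the reversible type-7 encoding that
! "enable password" uses.
enable secret Replace0ThisCO
!
! Local accounts, also used as the fallback if the AAA server is unreachable.
username cryptoofficer privilege 15 secret Replace0ThisCO
username useraccount privilege 1 secret Replace0ThisUs
!
! Role-based authentication through TACACS+ (RADIUS is the alternative the
! policy lists); the shared secret must also meet the 8-character minimum.
aaa new-model
tacacs-server host 192.0.2.10 key Replace0ThisSecret
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
! Apply the same authentication list on the console, auxiliary and
! virtual terminal lines so every entry point is username/password gated.
line con 0
 login authentication default
line aux 0
 login authentication default
line vty 0 4
 login authentication default
```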
Crypto Officer Services
During initial configuration of the router, the Crypto Officer password (the “enable” password) is defined. A Crypto Officer may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers.
The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following:
Configure the router—define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.
Define Rules and Filters—create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
Status Functions—view the router configuration, routing tables, and active sessions; use Gets to view SNMP MIB II statistics, health, temperature, memory status, voltage, and packet statistics; review accounting logs; and view physical interface status.
Manage the router—log off users, shut down or reload the router, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations.
Set Encryption/Bypass—set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range, or allow plaintext packets to be sent from specified IP addresses.
Change Network Modules—insert and remove modules in the Network Module slot as described in the “Initial Setup” section of this document.
Change WAN Interface Cards—insert and remove WICs in the WAN interface slot as described in the “Initial Setup” section of this document.
User Services
A User enters the system by accessing the console port with a terminal program. The IOS prompts the User for their password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:
Status Functions—view state of interfaces, state of layer 2 protocols, version of IOS currently running
Network Functions—connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services (i.e., ping, mtrace)
Terminal Functions—adjust the terminal session (e.g., lock the terminal, adjust flow control)
Directory Services—display directory of files kept in flash memory
Physical Security
The router is entirely encased by a thick steel chassis. The rear of the unit provides 1 Network Module slot, 2 WIC slots, on-board LAN connectors, Console/Auxiliary connectors, the power cable connection and a power switch. The top portion of the chassis may be removed (see Figure 5) to allow access to the motherboard, memory, and expansion slots.