Cisco Systems 7206VXR NPE-400 User Manual

FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM

Introduction

This is a non-proprietary Cryptographic Module Security Policy for Cisco Systems. This security policy describes how the 7206 VXR NPE-400 with VPN Acceleration Module (VAM) (Hardware Version: 7206-VXR; VAM: Hardware Version 1.0, Board Version A0; Firmware Version: Cisco IOS software Version 12.3(3d)) meets the security requirements of FIPS 140-2 and how to run the module in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the module.
Note This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the last page.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.
This document includes the following sections:
Introduction, page 1
FIPS 140-2 Submission Package, page 2
Overview, page 2
Cryptographic Module, page 3
Module Interfaces, page 3
Roles and Services, page 6
Physical Security, page 8
Cryptographic Key Management, page 9
Self-Tests, page 15
Secure Operation, page 16
Obtaining Documentation, page 17
Documentation Feedback, page 18
Obtaining Technical Assistance, page 18
Obtaining Additional Publications and Information, page 20
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.

FIPS 140-2 Submission Package

The Security Policy document is one item in the FIPS 140-2 Submission Package. In addition to this document, the Submission Package includes:
Vendor evidence document
Finite state machine
Module software listing
Other supporting documentation as additional references
With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is proprietary to Cisco Systems, Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, contact Cisco Systems, Inc. See the “Obtaining Technical Assistance” section on page 18.

Overview

Cisco 7206VXR routers support gigabit capabilities to improve data, voice, and video integration in both the service provider and enterprise environments. Cisco 7206VXR routers support a high-speed network services engine (NSE), the high-speed network processing engine (NPE-400), and other network processing engines.
Cisco 7206VXR routers accommodate a variety of network interface port adapters and an Input/Output (I/O) controller. A Cisco 7206VXR router equipped with an NPE-400 supports up to six high-speed port adapters and higher-speed port adapter interfaces including Gigabit Ethernet and OC-12 ATM (Optical Carrier-12 Asynchronous Transfer Mode). Cisco 7206VXR routers accommodate up to two AC-input or DC-input power supplies.
Cisco 7206VXR routers support the following features:
Online insertion and removal (OIR)—Adds, replaces, or removes port adapters without interrupting the system.
Dual hot-swappable, load-sharing power supplies—Provides system power redundancy; if one power supply or power source fails, the other power supply maintains system power without interruption. Also, when one power supply is powered off and removed from the router, the second power supply immediately takes over the router power requirements without interrupting normal operation of the router.
Environmental monitoring and reporting functions—Maintains normal system operation by resolving adverse environmental conditions prior to loss of operation.
Downloadable software—Loads new images into Flash memory remotely, without having to physically access the router.
The Cisco 7206 VXR router incorporates a single VPN Acceleration Module (VAM) cryptographic accelerator card. The VAM is installed in one of the port adapter slots.
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM
2
OL-3959-01

Cryptographic Module

The Cisco 7206VXR NPE-400 router with VAM is a multiple-chip standalone cryptographic module. The Cisco 7206VXR supports multi-protocol routing and bridging with a wide variety of protocols and port adapter combinations available for Cisco 7200 series routers. The metal casing that fully encloses the module establishes the cryptographic boundary for the router; all the functionality discussed in this document is provided by components within the casing. The Cisco 7206VXR has six slots for port adapters, one slot for an input/output (I/O) controller, and one slot for a network processing engine or network services engine.
Figure 1 Cisco 7206VXR NPE-400 Router (Front View)
[Figure: front view of the chassis. Callouts identify the port adapter lever, the I/O controller, the PC card slots, the optional Fast Ethernet port (MII receptacle and RJ-45 receptacle), the port adapters, the auxiliary port, and the console port.]
The Cisco 7206VXR NPE-400 uses an RM7000 microprocessor that operates at an internal clock speed of 350 MHz. The NPE-400 uses SDRAM for storing all packets received or sent from network interfaces. The SDRAM memory array in the system allows concurrent access by port adapters and the processor. The NPE-400 has three levels of cache: a primary and a secondary cache that are internal to the microprocessor, and a tertiary 4-MB external cache that provides additional high-speed storage for data and instructions.
The Cisco 7206VXR router comes equipped with one 280W AC-input power supply. (A 280W DC-input power supply option is available.) A power supply filler plate is installed over the second power supply bay. A fully configured Cisco 7206VXR router operates with only one installed power supply; however, a second, optional power supply of the same type provides hot-swappable, load-sharing, redundant power.

Module Interfaces

The interfaces for the router are located on the front panel Input/Output (I/O) Controller, with the exception of the power switch and power plug. The module has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem.
Table 1 shows the front panel LEDs, which provide overall status of the router operation. The front panel displays whether or not the router is booted, if the redundant power is attached and operational, and overall activity/link status.
Figure 2 Cisco 7206VXR Router Front Panel LEDs
[Figure: faceplate of the C7200-I/O-2FE/E dual Fast Ethernet input/output controller, showing the ENABLED LED, the IO PWR OK LED, the PCMCIA SLOT 0 and SLOT 1 LEDs, the LINK and 100 Mbps LEDs for FE/E 0 and FE/E 1, and the CONSOLE, AUX, and CPU RESET positions.]
LED             Indication  Description
Enabled         Green       Indicates that the network processing engine or network services engine and the I/O controller are enabled for operation by the system; however, it does not mean that the Fast Ethernet port on the I/O controller is functional or enabled. This LED goes on during a successful router boot and remains on during normal operation of the router.
IO POWER OK     Amber       Indicates that the I/O controller is on and receiving DC power from the router midplane. This LED comes on during a successful router boot and remains on during normal operation of the router.
                Off         Power off or failed.
Slot 0, Slot 1  Green       These LEDs indicate which PC Card slot is in use by coming on when either slot is being accessed by the system. These LEDs remain off during normal operation of the router.
Link            Green       Indicates that the Ethernet RJ-45 receptacle has established a valid link with the network.
                Off         This LED remains off during normal operation of the router unless there is an incoming carrier signal.
100 Mbps        Green       Indicates that the port is configured for 100-Mbps operation (speed 100), or, if configured for auto negotiation (speed auto), that the port has detected a valid link at 100 Mbps.
                Off         If the port is configured for 10-Mbps operation, or if it is configured for auto negotiation and the port has detected a valid link at 10 Mbps, the LED remains off.
The VPN Acceleration Module (VAM) is a single-width acceleration module that provides high-performance, hardware-assisted tunneling and encryption services suitable for virtual private network (VPN) remote access, site-to-site intranet, and extranet applications. It also provides platform scalability and security while working with all services necessary for successful VPN deployments—security, quality of service (QoS), firewall and intrusion detection, and service-level validation and management. The VAM off-loads IPSec processing from the main processor, thus freeing resources on the processor engines for other tasks.
The VAM has three LEDs, as shown in Figure 3.
Figure 3 VAM LEDs
[Figure: SA-VAM faceplate, showing the ENABLE, BOOT, and ERROR LEDs beside the ENCRYPT/COMP label.]
LED Label  Color  State   Function
ENABLE     Green  On      Indicates the VAM is powered up and enabled for operation.
BOOT       Amber  Pulses  Indicates the VAM is operating.
                  On      Indicates the VAM is booting or a packet is being encrypted or decrypted.
ERROR      Amber  On      Indicates an encryption error has occurred. This LED is normally off.
All physical interfaces map to the FIPS 140-2 logical interfaces as shown in Table 1.
Table 1 FIPS 140-2 Logical Interface
FIPS 140-2 Logical Interface  Router Physical Interface
Data Input Interface          10/100BASE-TX LAN Port, Port Adapter Interface, Console Port, Auxiliary Port, PCMCIA Slot
Data Output Interface         10/100BASE-TX LAN Port, Port Adapter Interface, Console Port, Auxiliary Port, PCMCIA Slot
Control Input Interface       Power Switch, Console Port, Auxiliary Port
Status Output Interface       10/100BASE-TX LAN Port LEDs, Enabled LED, PCMCIA LEDs, IO Pwr Ok LED, VAM LEDs, Console Port, Auxiliary Port
Power Interface               Power Plug
In addition to the built-in interfaces, the router also has additional port adapters that can optionally be placed in an available slot. These port adapters have many embodiments, including multiple Ethernet, token ring, and modem cards to handle frame relay, ATM, and ISDN connections.
Note These additional port adapters were excluded from this FIPS 140-2 Validation.

Roles and Services

Authentication is role-based. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role to configure and maintain the router using Crypto Officer services, while Users exercise only the basic User services. Both roles are authenticated by providing a valid username and password. The configuration of the encryption and decryption functionality is performed only by the Crypto Officer after authentication to the Crypto Officer role by providing a valid Crypto Officer username and password. Once the Crypto Officer has configured the encryption and decryption functionality, the User can use this functionality after authentication to the User role by providing a valid User username and password. The Crypto Officer can also use the encryption and decryption functionality after authentication to the Crypto Officer role. The module supports RADIUS and TACACS+ for authentication, and both are used in FIPS mode. See the Cisco 7206VXR Installation and Configuration Guide for more configuration information.
The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 alphanumeric characters in length. See the “Secure Operation” section on page 16 for more information. If only the integers 0-9 are used without repetition for an 8-digit PIN, the probability of randomly guessing the correct sequence is 1 in 1,814,400. Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence.
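The guessing probability quoted above is one instance of a general count. The following is an added worked example, not part of the Security Policy, that computes the keyspace for any alphabet size and password length, both with and without repeated characters; the alphabet sizes (10 decimal digits, 62 alphanumeric characters) and the minimum length of 8 are assumptions taken from the text.

```python
from math import perm

# Alphabet sizes for the two cases the policy compares (constructed for this
# example): the ten decimal digits, and the alphanumeric set 0-9, a-z, A-Z.
DIGITS = 10
ALPHANUMERIC = 62
MIN_LENGTH = 8  # minimum password length stated by the policy


def keyspace(alphabet_size: int, length: int, repetition: bool) -> int:
    """Number of distinct passwords of exactly `length` characters.

    repetition=False counts ordered selections with no character reused,
    alphabet_size! / (alphabet_size - length)!, which is the assumption behind
    the policy's 8-digit PIN figure.  repetition=True counts
    alphabet_size ** length, the keyspace when characters may repeat.
    """
    if alphabet_size < 1 or length < 0:
        raise ValueError("alphabet_size must be positive and length non-negative")
    if repetition:
        return alphabet_size ** length
    if length > alphabet_size:
        return 0  # cannot choose more distinct characters than the alphabet has
    return perm(alphabet_size, length)


def single_guess_probability(alphabet_size: int, length: int, repetition: bool) -> float:
    """Probability that one random guess matches a uniformly chosen password."""
    size = keyspace(alphabet_size, length, repetition)
    if size == 0:
        raise ValueError("empty keyspace")
    return 1.0 / size


def compare_policies(length: int = MIN_LENGTH) -> dict:
    """Keyspace sizes for the policy's two cases plus their with-repetition
    variants, so the effect of each assumption is visible side by side."""
    return {
        "digits_no_repetition": keyspace(DIGITS, length, False),
        "digits_with_repetition": keyspace(DIGITS, length, True),
        "alphanumeric_no_repetition": keyspace(ALPHANUMERIC, length, False),
        "alphanumeric_with_repetition": keyspace(ALPHANUMERIC, length, True),
    }


if __name__ == "__main__":
    for name, size in compare_policies().items():
        print(f"{name:30s} 1 in {size:,}")
```

keyspace(10, 8, False) returns 1,814,400, the figure quoted above. Allowing repeated digits gives 10^8, so the policy's no-repetition figure is the smaller of the two keyspaces and therefore the conservative estimate of an attacker's odds; since 8 is a minimum, longer passwords only enlarge the keyspace further.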

Crypto Officer Role

During initial configuration of the router, the Crypto Officer password (the “enable” password) is defined. A Crypto Officer assigns permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers.
The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following:
Configures the Router: Defines network interfaces and settings, creates command aliases, sets the protocols the router will support, enables interfaces and network services, sets system date and time, and loads authentication information.
Defines Rules and Filters: Creates packet filters that are applied to User data streams on each interface. Each Filter consists of a set of rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
Status Functions: Views the router configuration, routing tables, active sessions; views SNMP MIB II statistics, health, temperature, memory status, voltage, packet statistics; reviews accounting logs, and views physical interface status.
Manages the Router: Logs off users, shuts down or reloads the router, manually backs up router configurations, views complete configurations, manages user rights, and restores router configurations.
Sets Encryption/Bypass: Sets up the configuration tables for IP tunneling; sets keys and algorithms to be used for each IP range, or allows plaintext packets to be sent from specified IP addresses.
Changes Port Adapters: Inserts and removes adapters in a port adapter slot.
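The "Defines Rules and Filters" service above names the criteria a filter rule can match on (protocol ID, addresses, ports, TCP connection establishment, packet direction) without showing how a rule set is evaluated. The following is an added illustration of that evaluation; it is example code, not Cisco's or IOS's implementation. The first-match order, the implicit deny for packets that match no rule, and every address, network and rule in the sample are constructed assumptions for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The packet attributes the policy lists as filter criteria."""
    protocol: str              # "tcp", "udp" or "icmp"
    src: str                   # source IP address
    dst: str                   # destination IP address
    src_port: Optional[int]    # None for protocols without ports
    dst_port: Optional[int]
    direction: str             # "in" (arriving on the interface) or "out"
    established: bool = False  # TCP segment with ACK or RST set, i.e. not a new connection


@dataclass(frozen=True)
class Rule:
    """One rule of a filter; a None field matches any value for that criterion."""
    action: str                       # "permit" or "deny"
    protocol: Optional[str] = None
    src_net: Optional[str] = None     # CIDR, e.g. "192.0.2.0/24"
    dst_net: Optional[str] = None
    dst_port: Optional[int] = None
    direction: Optional[str] = None
    established: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.established is not None and self.established != pkt.established:
            return False
        return True


def evaluate(filter_rules: List[Rule], pkt: Packet) -> str:
    """The first matching rule decides; a packet matching no rule is denied.

    First-match order and the implicit final deny are assumptions of this
    example (the common access-list convention), not a statement about IOS.
    """
    for rule in filter_rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample filter for an interface facing an untrusted network:
# admit replies to connections opened from inside, explicitly block telnet,
# and let only a management subnet reach SSH on the internal LAN.
INBOUND_FILTER = [
    Rule(action="permit", protocol="tcp", direction="in", established=True),
    Rule(action="deny", protocol="tcp", dst_port=23, direction="in"),
    Rule(action="permit", protocol="tcp", src_net="192.0.2.0/24",
         dst_net="10.0.0.0/24", dst_port=22, direction="in"),
]

# Constructed sample traffic (documentation-range addresses).
REPLY_SEGMENT = Packet("tcp", "198.51.100.7", "10.0.0.5", 443, 51000, "in", established=True)
MGMT_SSH = Packet("tcp", "192.0.2.10", "10.0.0.1", 40000, 22, "in")
TELNET_ATTEMPT = Packet("tcp", "192.0.2.10", "10.0.0.1", 40001, 23, "in")
SSH_FROM_UNTRUSTED = Packet("tcp", "198.51.100.7", "10.0.0.1", 40002, 22, "in")


def sample_decisions() -> dict:
    """Evaluate the constructed traffic against the sample filter."""
    return {
        "reply_segment": evaluate(INBOUND_FILTER, REPLY_SEGMENT),        # rule 1
        "mgmt_ssh": evaluate(INBOUND_FILTER, MGMT_SSH),                  # rule 3
        "telnet_attempt": evaluate(INBOUND_FILTER, TELNET_ATTEMPT),      # rule 2, explicit deny
        "ssh_from_untrusted": evaluate(INBOUND_FILTER, SSH_FROM_UNTRUSTED),  # no match, implicit deny
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:20s} {decision}")
```

Because evaluation stops at the first match, the order of rules is part of the policy: the telnet deny is placed before the SSH permit so that even a management-subnet source cannot reach port 23, and anything not explicitly permitted falls through to the implicit deny.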

User Role

A User enters the system by accessing the console port with a terminal program. The IOS prompts the User for their password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:
Status Functions: Views state of interfaces, state of layer 2 protocols, and version of IOS currently running
Network Functions: Connects to other network devices (via outgoing telnet or PPP) and initiates diagnostic network services (e.g., ping, mtrace)
Terminal Functions: Adjusts the terminal session (e.g., lock the terminal, adjust flow control)
Directory Services: Displays directory of files kept in flash memory