Cisco 2951, Cisco 3925 and Cisco 3945 Integrated Services Routers (ISRs)

Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) Haae vesions: 2951[1][2], 3925[1][3], 3945[1][3], FIPS Kit (CISCO-FIPS-KIT=), Revision -B0[1], ISR: FIPS- SHIELD-2951=[2] an FIPS-SHIELD-3900=[3] Fimae vesions: 15.1(2)T2A an 15.1(2)T3 FIPS 140-2 Non-Popietay Secuity Policy Oveall Level 2 (Sections 3 an 10 Level 3) Valiation Vesion 0.13 July 2011

Intouction... 3 Refeences... 3 FIPS 140-2 Submission Package... 3 Moule Desciption... 4 Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs)... 4 Moule Valiation Level... 4 Cyptogaphic Bounay... 5 Cyptogaphic Moule Pots an Intefaces... 5 Roles, Sevices, an Authentication... 8 Use Sevices... 8 Cyptogaphic Office Sevices... 9 Unauthenticate Use Sevices... 9 Cyptogaphic Key/CSP Management... 10 Cyptogaphic Algoithms... 14 Appove Cyptogaphic Algoithms... 14 Non-Appove Algoithms... 14 Self-Tests... 14 Physical Secuity... 16 Moule Opacity an Tampe Evience... 16 Secue Opeation... 27 Initial Setup... 27 System Initialization an Configuation... 27 IPSec Requiements an Cyptogaphic Algoithms... 28 Potocols... 28 Remote Access... 29 Cisco Unifie Boe Element (CUBE) TLS Configuation... 29 Relate Documentation... 30 Obtaining Documentation... 30 Cisco.com... 30 Pouct Documentation DVD... 30 Oeing Documentation... 31 Documentation Feeback... 31 Cisco Pouct Secuity Ovevie... 31 Repoting Secuity Poblems in Cisco Poucts... 32 Obtaining Technical Assistance... 32 Cisco Technical Suppot & Documentation Website... 32 Submitting a Sevice Request... 33 Definitions of Sevice Request Seveity... 33 Obtaining Aitional Publications an Infomation... 34 Definition List... 35 2

Intouction This is a non-popietay Cyptogaphic Moule Secuity Policy fo the Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) fom Cisco Systems, Inc. (Haae Vesions: 2951[1][2], 3925[1][3], 3945[1][3], FIPS Kit (CISCO-FIPS-KIT=), Revision -B0[1], ISR: FIPS-SHIELD-2951=[2] an FIPS-SHIELD-3900=[3]; Fimae Vesions: IOS 15.1(2)T2A an 15.1(2)T3, efee to in this ocument as the moules, outes, o by thei specific moel name. This secuity policy escibes ho moules meet the secuity equiements of FIPS 140-2 an ho to un the moules in a FIPS 140-2 moe of opeation. FIPS 140-2 (Feeal Infomation Pocessing Stanas Publication 140-2 Secuity Requiements fo Cyptogaphic Moules) etails the U.S. Govenment equiements fo cyptogaphic moules. Moe infomation about the FIPS 140-2 stana an valiation pogam is available on the NIST ebsite at http://csc.nist.gov/goups/stm/cmvp/inex.html. Refeences This ocument eals only ith opeations an capabilities of the moule in the technical tems of a FIPS 140-2 cyptogaphic moule secuity policy. Moe infomation is available on the moule fom the folloing souces: The Cisco Systems ebsite (http://.cisco.com) contains infomation on the full line of poucts fom Cisco Systems. The NIST Cyptogaphic Moule Valiation Pogam ebsite (http://csc.nist.gov/goups/stm/cmvp/inex.html) contains contact infomation fo anses to technical o sales-elate questions fo the moule. FIPS 140-2 Submission Package The secuity policy ocument is one ocument in a FIPS 140-2 Submission Package. In aition to this ocument, the submission package inclues: Veno Evience Finite State Machine Othe suppoting ocumentation as aitional efeences With the exception of this non-popietay secuity policy, the FIPS 140-2 valiation ocumentation is popietay to Cisco Systems, Inc. an is eleasable only une appopiate non-isclosue ageements. Fo access to these ocuments, please contact Cisco Systems, Inc. See Obtaining Technical Assistance section fo moe infomation. 3

Moule Desciption Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) The Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) ae outing platfoms that povies VPN functionality, as ell as, SIP Gateay Signaling Ove TLS Tanspot. The Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) povie connectivity an secuity sevices in a single, secue evice. These outes offe boaban spees an simplifie management to small businesses, an entepise small banch an teleokes. In suppot of the outing capabilities, the Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) povie IPSec, GetVPN (GDOI), an SSL v3.1 connection capabilities fo VPN enable clients connecting though the Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs). The evaluate platfoms consist of the folloing components: Cisco 2951 ISR Cisco 3925 ISR Cisco 3945 ISR Moule Valiation Level Moel Fimae Cisco 2951 ISR 15.1(2)T2A an 15.1(2)T3 Cisco 3925 ISR 15.1(2)T2A an 15.1(2)T3 Cisco 3945 ISR 15.1(2)T2A an 15.1(2)T3 Table 1: Moule Haae Configuations The folloing table lists the level of valiation fo each aea in the FIPS PUB 140-2. No. Aea Title Level 1 Cyptogaphic Moule Specification 2 2 Cyptogaphic Moule Pots an Intefaces 2 3 Roles, Sevices, an Authentication 3 4 Finite State Moel 2 5 Physical Secuity 2 6 Opeational Envionmentxfomes-tme N/A 7 Cyptogaphic Key management 2 8 Electomagnetic Inteface/Electomagnetic Compatibility 2 9 Self-Tests 2 10 Design Assuance 3 11 Mitigation of Othe Attacks N/A Oveall Oveall moule valiation level 2 Table 2: Moule Valiation Level 4

Cyptogaphic Bounay The cyptogaphic bounay fo the Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) is efine as the moules chassis along ith the opacity shiels. Cyptogaphic Moule Pots an Intefaces Each moule povies a numbe of physical an logical intefaces to the evice, an the physical intefaces povie by the moule ae mappe to fou FIPS 140-2 efine logical intefaces: ata input, ata output, contol input, an status output. The logical intefaces an thei mapping ae escibe in the folloing tables: Physical Intefaces FIPS 140-2 Logical Intefaces EHWIC Slots (4) Data Input Inteface GigE Pots (3) SM Slots (2) Console Pot USB Console Pot Auxiliay Pot EHWIC Slots (4) Data Output Inteface GigE Pots (3) SM Slots (2) Console Pot USB Console Pot Auxiliay Pot EHWIC Slots (4) Contol Input Inteface GigE Pots (3) SM Slots (2) Console Pot USB Console Pot Auxiliay Pot Activity LED Status Output Inteface System LED GigE Link LED (1 pe GigE pot) GigE Spee LED (1 pe GigE pot) SM LED Compact Flash LED (2) RPS Boost LED Poe LED (2) GigE pots (3) Console Pot Auxiliay Pot USB Console Pot Poe Plug Poe inteface Table 3: Cisco 2951 ISR Intefaces Physical Intefaces EHWIC Slots (4) SM Slots (2) GigE Pots (3) Console Pot USB Console Pot FIPS 140-2 Logical Intefaces Data Input Inteface 5

Physical Intefaces FIPS 140-2 Logical Intefaces Auxiliay Pot EHWIC Slots (4) Data Output Inteface SM Slots (2) GigE Pots (3) Console Pot USB Console Pot Auxiliay Pot EHWIC Slots (4) Contol Input Inteface SM Slots (2) GigE Pots (3) Console Pot USB Console Pot Auxiliay Pot Activity LED Status Output Inteface System LED GigE Link LED (1 pe GigE pot) GigE Spee LED (1 pe GigE pot) SM LED Compact Flash LED (2) RPS Boost LED Poe LED (2) GigE pots (3) Console Pot Auxiliay Pot USB Console Pot Poe Plug Poe inteface Table 4: Cisco 3925 ISR Intefaces Physical Intefaces EHWIC Slots (4) SM Slots (4) GigE Pots (3) Console Pot USB Console Pot Auxiliay Pot EHWIC Slots (4) SM Slots (4) GigE Pots (3) Console Pot USB Console Pot Auxiliay Pot EHWIC Slots (4) SM Slots (4) GigE Pots (3) Console Pot USB Console Pot Auxiliay Pot Activity LED System LED GigE Link LED (1 pe GigE pot) GigE Spee LED (1 pe GigE pot) SM LED Compact Flash LED (2) RPS Boost LED FIPS 140-2 Logical Intefaces Data Input Inteface Data Output Inteface Contol Input Inteface Status Output Inteface 6

Poe LED (2) GigE pots (3) Console Pot Auxiliay Pot USB Console Pot Poe Plug Physical Intefaces Poe inteface Table 5: Cisco 3945 ISR Intefaces FIPS 140-2 Logical Intefaces NOTE: Each moule inclues to USB pots an to compact flash slots. These pots an slots ae isable by coveing Tampe Evient Labels (TELs)hile opeating in FIPS-moe. 7

Roles, Sevices, an Authentication Authentication is ientity-base. Each use is authenticate upon initial access to the moule. Thee ae to oles in the oute that opeatos may assume: the Cypto Office ole an the Use ole. The aministato of the oute assumes the Cypto Office ole in oe to configue an maintain the oute using Cypto Office sevices, hile the Uses execise only the basic Use sevices. The moule suppots RADIUS an TACACS+ fo authentication. A complete esciption of all the management an configuation capabilities of the moules can be foun in the IOS vesion 12.4T Configuation Guie Manual an in the online help fo the moules. The Use an Cypto Office passos an all shae secets must each be at least eight (8) chaactes long, incluing at least one lette an at least one numbe chaacte, in length (enfoce poceually). See the Secue Opeation section fo moe infomation. If six (6) integes, one (1) special chaacte an one (1) alphabet ae use ithout epetition fo an eight (8) igit PIN, the pobability of anomly guessing the coect sequence is one (1) in 832,000,000. In oe to successfully guess the sequence in one minute oul equie the ability to make ove 13,000,000 guesses pe secon, hich fa excees the opeational capabilities of the moule. Incluing the est of the alphanumeic chaactes astically eceases the os of guessing the coect sequence. Aitionally, hen using RSA base authentication, RSA key pai has moulus size of 1024 bit to 2048 bit, thus poviing beteen 80 bits an 112 bits of stength. Assuming the lo en of that ange, an attacke oul have a 1 in 2 80 chance of anomly obtaining the key, hich is much stonge than the one in a million chance equie by FIPS 140-2. To excee a one in 100,000 pobability of a successful anom key guess in one minute, an attacke oul have to be capable of appoximately 1.8x10 21 attempts pe minute, hich fa excees the opeational capabilities of the moules to suppot. Use Sevices A Use entes the system by accessing the console/auxiliay pot ith a teminal pogam o SSH v2 session to a LAN pot. The moule pompts the Use fo thei usename/passo combination. If the usename/passo combination is coect, the Use is alloe enty to the moule management functionality. The sevices available to the Use ole consist of the folloing: Status Functions - Vie state of intefaces an potocols, fimae vesion Netok Functions - Connect to othe netok evices an initiate iagnostic netok sevices (i.e., ping, mtace). Teminal Functions - Ajust the teminal session (e.g., lock the teminal, ajust flo contol) Diectoy Sevices - Display iectoy of files kept in memoy Pefom Self-Tests Pefom the FIPS 140 stat-up tests on eman 8

VPN functions - Negotiation an encypte ata tanspot via VPN Cyptogaphic Office Sevices A Cypto Office entes the system by accessing the console/auxiliay pot ith a teminal pogam o SSH v2 session to a LAN pot. The Cypto Office authenticates as a Use an then authenticates as the Cypto Office ole. Duing initial configuation of the oute, the Cypto Office passo (the enable passo) is efine. A Cypto Office may assign pemission to access the Cypto Office ole to aitional accounts, theeby ceating aitional Cypto Offices. The Cypto Office ole is esponsible fo the configuation an maintenance of the oute. The Cypto Office sevices consist of the folloing: Configue the moule - Define netok intefaces an settings, ceate comman aliases, set the potocols the oute ill suppot, enable intefaces an netok sevices, set system ate an time, an loa authentication infomation. Define Rules an Filtes - Ceate packet Filtes that ae applie to Use ata steams on each inteface. Each Filte consists of a set of Rules, hich efine a set of packets to pemit o eny base chaacteistics such as potocol ID, aesses, pots, TCP connection establishment, o packet iection. Status Functions - Vie the moule configuation, outing tables, active sessions, use get commans to vie SNMP MIB statistics, health, tempeatue, memoy status, voltage, packet statistics, evie accounting logs, an vie physical inteface status. Manage the moule - Log off uses, shuton o eloa the oute, manually back up oute configuations, vie complete configuations, manage use ights, initiate poe-on self tests on eman an estoe oute configuations. Configue Encyption/Bypass - Set up the configuation tables fo IP tunneling. Set keys an algoithms to be use fo each IP ange o allo plaintext packets to be set fom specifie IP aess. Pefom Self-Tests Pefom the FIPS 140 stat-up tests on eman The Cypto Office also has access to all Use sevices. Unauthenticate Use Sevices The sevices fo someone ithout an authoize ole ae to vie the status output fom the moule s LED an cycle poe. 9

Cyptogaphic Key/CSP Management The moule secuely aministes both cyptogaphic keys an othe citical secuity paametes such as passos. The tampe evience seals povie physical potection fo all keys. All keys ae also potecte by the passo-potection on the Cypto Office ole login, an can be zeoize by the Cypto Office. All zeoization consists of oveiting the memoy that stoe the key. Keys ae exchange an entee electonically o via Intenet Key Exchange (IKE)/Goup Domain of Intepetation (GDOI). The moule suppots the folloing citical secuity paametes (CSPs): ID Algoithm Size Desciption Stoage Zeoization Metho RNG See X9.31 64-bits This is the see fo X9.31 RNG. This CSP is stoe in DRAM an upate peioically afte the geneation of 400 bytes afte this it is eseee ith oute-eive entopy; hence, it is zeoize peioically. Also, the opeato can tun off the oute to zeoize this CSP. DRAM RNG See Key X9.31 128-bits This is the see key fo the RNG. DRAM Diffie Hellman pivate exponent Diffie Hellman Shae Secet DH 1024 2048 bits DH 1024- bits/2048- bits The pivate exponent use in Diffie-Hellman (DH) exchange. Zeoize afte DH shae secet has been geneate. Shae secet geneate by the Diffie-Hellman Key exchange Skeyi Keye SHA-1 160-bits Value eive fom the shae secet ithin IKE exchange. Zeoize hen IKE session is teminate. skeyi_ Keye SHA-1 160-bits The IKE key eivation key fo non ISAKMP secuity associations. IKE session encypt key IKE session authentication key Tiple-DES/AES 168- bits/256- bits The IKE session encypt key. DRAM DRAM DRAM DRAM DRAM SHA-1 HMAC 160-bits The IKE session authentication key. DRAM ISAKMP peshae Secet At least eight chaacte s IKE RSA Authentication pivate Key RSA 1024 2048 bits The key use to geneate IKE skeyi uing peshae-key authentication. no cypto isakmp key comman zeoizes it. This key can have to foms base on hethe the key is elate to the hostname o the IP aess. RSA pivate key fo IKE authentication. Geneate o entee like any RSA key, set as IKE RSA Authentication Key ith the cypto keying o ca tust- NVRAM (plaintext o encypte) NVRAM Automatically evey 400 bytes, o tun off the oute. Tun off the oute Automatically afte shae secet geneate. Automatically afte session is teminate Automatically afte IKE session teminate. Automatically afte IKE session teminate. Automatically afte IKE session teminate. Automatically afte IKE session teminate. # no cypto isakmp key # cypto key zeoize sa" 10

IPSec encyption key IPSec authentication key GDOI Key encyption Key (KEK) GDOI Taffic Encyption Key (TEK) GDOI TEK Integity key TLS Seve RSA pivate key TLS pe-maste secet SSL Taffic Keys Configuation encyption key SSH RSA pivate key SSH session key Use passo Enable passo Tiple-DES/AES 168- bits/256- bits point comman. The IPSec encyption key. Zeoize hen IPSec session is teminate. SHA-1 HMAC 160-bits The IPSec authentication key. The zeoization is the same as above. AES (128, 192 an 256 bits) 168- bits/256- bits Tiple-DES/AES 168- bits/256- bits This key is ceate using the GROUPKEY- PULL egistation potocol ith GDOI. It is use potect GDOI ekeying ata. This key is ceate using the GROUPKEY- PULL egistation potocol an upate using the GROUPKEY-PUSH egistation potocol ith GDOI. It is use to encypt ata taffic beteen Get VPN pees HMAC SHA-1 160-bits This key is ceate using the GROUPKEY- PULL egistation potocol an upate using the GROUPKEY-PUSH egistation potocol ith GDOI. It is use to ensue ata taffic integity beteen Get VPN pees. RSA 1024/153 6/2048 Ientity cetificates fo moule itself an also use in TLS negotiations. This CSP is use fo both SSL VPN an SIP Gateay Signaling Ove TLS Tanspot. Shae Secet 384-bits Shae secet ceate using asymmetic cyptogaphy fom hich ne HTTPS session keys can be ceate. This CSP is use fo both SSL VPN an SIP Gateay Signaling Ove TLS Tanspot. Tiple-DES/AES HMAC SHA-1 keys 160- bits/168- bits/256- bits Geneate using the TLS potocol (X9.31RNG + HMAC-SHA1 + eithe Diffie- Hellman o RSA). This CSP is use fo both SSL VPN an SIP Gateay Signaling Ove TLS Tanspot. AES 256-bits The key use to encypt values of the configuation file. This key is zeoize hen the no key config-key is issue. Note that this comman oes not ecypt the configuation file, so zeoize ith cae. DH 168- bits/256- bits Tiple-DES/AES HMAC SHA-1 keys Shae Secet Shae Secet 160- bits/168- bits/256- bits At least eight chaacte s At least eight Shae secet geneate by the Diffie- Hellman Key exchange This is the SSH session key. It is zeoize hen the SSH session is teminate. The passo of the Use ole. This passo is zeoize by oveiting it ith a ne passo. The plaintext passo of the CO ole. This passo is zeoize by oveiting it ith a DRAM DRAM DRAM DRAM DRAM NVRAM (plaintext o encypte) DRAM DRAM NVRAM (plaintext o encypte) DRAM DRAM NVRAM (plaintext o encypte) NVRAM (plaintext o Automatically hen IPSec session teminate. Automatically hen IPSec session teminate. Automatically hen session teminate. Automatically hen session teminate. Automatically hen session teminate. Automatically hen session teminate. Automatically hen session teminate. Automatically hen session teminate. # no key configkey Automatically afte session is teminate Automatically hen SSH session teminate Oveite ith ne passo Oveite ith ne passo 11

chaacte s ne passo. encypte) Enable secet Shae Secet At least eight chaacte s The ciphetext passo of the CO ole. Hoeve, the algoithm use to encypt this passo is not FIPS appove. Theefoe, this passo is consiee plaintext fo FIPS puposes. This passo is zeoize by oveiting it ith a ne passo. NVRAM (plaintext o encypte) Oveite ith ne passo RADIUS secet Shae Secet At least eight chaacte s The RADIUS shae secet. This shae secet is zeoize by executing the no aius-seve key comman. NVRAM (plaintext o encypte), DRAM # no aius-seve key TACACS+ secet Shae Secet At least eight chaacte s The TACACS+ shae secet. This shae secet is zeoize by executing the no tacacs-seve key comman. NVRAM (plaintext o encypte), DRAM # no tacacs-seve key Table 6: CSP Table The sevices accessing the CSPs, the type of access an hich ole accesses the CSPs ae liste belo. Role/Sevice Use Role Status Function Netok Function Teminal Function Diectoy Sevices Pefom Selftests VPN Function CO Role Configue the moule Define Rules CSP RNG See RNG See Key Diffie Hellman pivate exponent Diffie Hellman Shae Secet Skeyi skeyi_ IKE session encypt key IKE session authentication key ISAKMP peshae IKE RSA Authentication pivate Key IPSec encyption key IPSec authentication key GDOI Key encyption Key (KEK) GDOI Taffic Encyption Key (TEK) GDOI TEK Integity Key Configuation encyption key TLS Seve RSA Pivate Key TLS pe-maste Secet SSL Taffic Key SSH RSA Pivate Key SSH session key Use passo Enable passo Enable secet RADIUS secet TACACS+ secet 12

13 an Filtes Status Functions Manage the moule Set Encyption/ Bypass Pefom Selftests = ea = ite = elete Table 7: Role CSP Access

Cyptogaphic Algoithms Appove Cyptogaphic Algoithms The Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) suppot many iffeent cyptogaphic algoithms. Hoeve, only FIPS appove algoithms may be use hile in the FIPS moe of opeation. The folloing table ientifies the appove algoithms inclue in the Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) fo use in the FIPS moe of opeation. Algoithm IOS Cet. # Feescale Acceleato Cet. # AES #1527 #963, #1536 SHS (SHA-1, SHA256 an SHA 512) #1359 #934 HMAC SHA-1 #891 #538 RNG (ANSI X9.31) #823 N/A Tiple-DES #1010 #758 RSA #743 N/A Table 8: FIPS-Appove Algoithms fo use in FIPS Moe Non-Appove Algoithms The Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) cyptogaphic moule implements the folloing non-appove algoithms: MD5 DES, HMAC-MD5 RC4 The moules suppot the folloing key establishment schemes: Diffie-Hellman (key establishment methoology povies beteen 80 an 112 bits of encyption stength) RSA key tanspot (key establishment methoology povies beteen 80 an 112 bits of encyption stength) Intenet Key Exchange Key Establishment (IKEv1/IKEv2) Goup Domain of Intepetation (GDOI) Self-Tests The moules inclue an aay of self-tests that ae un uing statup an peioically uing opeations to pevent any secue ata fom being elease an to insue all 14

components ae functioning coectly. The moules implement the folloing poe-on self-tests: IOS Knon Anse Tests: AES KAT, SHS KAT, HMAC KAT, Tiple-DES KAT, RNG KAT, RSA KAT Feescale Acceleato Knon Anse Tests: AES KAT, HMAC KAT, Tiple- DES KAT Fimae Integity Test (32-bit CRC) The moules pefom all poe-on self-tests automatically at boot. All poe-on selftests must be passe befoe any opeato can pefom cyptogaphic sevices. The poeon self-tests ae pefome afte the cyptogaphic systems ae initialize but pio any othe opeations; this pevents the moule fom passing any ata uing a poe-on selftest failue. In aition, the moules also povie the folloing conitional self-tests: CRNG test fo the FIPS-appove RNG CRNG tests fo the non-appove RNG RSA PWCT Bypass Test 15

Physical Secuity This moule is a multi-chip stanalone cyptogaphic moule. The FIPS 140-2 level 2 physical secuity equiements fo the moules ae met by the use of opacity shiels coveing the font panels of moules to povie the equie opacity an tampe evient seals to povie the equie tampe evience. The tampe evient labels an opacity shiels shall be installe fo the moule to opeate in a FIPS Appove moe of opeation. The folloing sections illustate the physical secuity povie by the moule. Moule Opacity an Tampe Evience All Citical Secuity Paametes ae stoe an potecte ithin each moule's tampe evient enclosue. The Cypto Office is esponsible fo popely placing all tampe evient labels. The secuity labels ecommene fo FIPS 140-2 compliance ae povie in the FIPS Kit (Pat Numbe CISCO-FIPS-KIT=), Revision -B0. The FIPS kit inclues 15 of the seals, as ell as a ocument etailing the numbe of seals equie pe platfom an placement infomation. Please be aae that the exta tampe evient labels/seals shall be secuely stoe by the Cypto Office. These secuity labels ae vey fagile an cannot be emove ithout clea signs of amage to the labels. The outes also equie that a special opacity shiel be installe ove the sie ai vents in oe to opeate in FIPS-appove moe. The shiel eceases the suface aea of the vent holes, eucing visibility ithin the cyptogaphic bounay to FIPS-appove specifications. These ae obtaine by oeing the appopiate FIPS shiel, as follos: Cisco 2951 ISR: FIPS-SHIELD-2951= Cisco 3925 ISR: FIPS-SHIELD-3900= Cisco 3945 ISR: FIPS-SHIELD-3900= Once the moule has been configue to meet oveall FIPS 140-2 Level 2 equiements, the moule cannot be accesse ithout signs of tampeing. The Cypto Office shoul inspect the tampe evient labels peioically to veify they ae intact an the seial numbes on the applie tampe evient labels match the ecos in the secuity log. The Tampe evient labels shall be applie as shon in the pictues belo, fo the moule to opeate in FIPS moe. Moule Cisco 2951 ISR Cisco 3925 ISR Cisco 3945 ISR Numbe of Tampe Seals 30 (to FIPS Kits (CISCO-FIPS-KIT=) equie) 31 (thee FIPS Kits (CISCO-FIPS-KIT=) equie) 31 (thee FIPS Kits (CISCO-FIPS-KIT=) equie) 16

Install the opacity plates an apply seialize tampe-evience labels as specifie in the pictues belo: Figue 1: Cisco 2951 ISR Font Figue 2: Cisco 2951 ISR Back 17

Figue 3: Cisco 2951 ISR Top 18

Figue 4: Cisco 2951 ISR Bottom Figue 5: Cisco 2951 ISR Right Sie 19

Figue 6: Cisco 2951 ISR Left Sie Figue 7: Cisco 3925 ISR Font 20

Figue 8: Cisco 3925 ISR Back Figue 9: Cisco 3925 ISR Top 21

Figue 10: Cisco 3925 ISR Bottom Figue 11: Cisco 3925 ISR Right Sie 22

Figue 12: Cisco 3925 ISR Left Sie Figue 13: Cisco 3945 ISR Font 23

Figue 14: Cisco 3945 ISR Back Figue 15: Cisco 3945 ISR Top 24

Figue 16: Cisco 3945 ISR Bottom Figue 17: Cisco 3945 ISR Right Sie 25

Figue 18: Cisco 3945 ISR Left Sie 26

Secue Opeation The Cisco 2951, Cisco 3925 an Cisco 3945 Integate Sevices Routes (ISRs) meet all the oveall Level 2 equiements fo FIPS 140-2. Follo the setting instuctions povie belo to place the moule in FIPS-appove moe. Opeating this oute ithout maintaining the folloing settings ill emove the moule fom the FIPS appove moe of opeation. Initial Setup 1. The Cypto Office must install the FIPS opacity shiels as escibe in this ocument. 2. The Cypto Office must apply tampe evience labels as escibe in this ocument. 3. The Cypto Office must isable IOS Passo Recovey by executing the folloing commans: configue teminal no sevice passo-ecovey en sho vesion NOTE: Once Passo Recovey is isable, aministative access to the moule ithout the passo ill not be possible. System Initialization an Configuation 1. The value of the boot fiel must be 0x0102. This setting isables beak fom the console to the ROM monito an automatically boots. Fom the configue teminal comman line, the Cypto Office entes the folloing syntax: config-egiste 0x0102 2. The Cypto Office must ceate the enable passo fo the Cypto Office ole. Poceually, the passo must be at least 8 chaactes, incluing at least one lette an at least one numbe, an is entee hen the Cypto Office fist engages the enable comman. The Cypto Office entes the folloing syntax at the # pompt: enable secet [PASSWORD] 3. The Cypto Office must alays assign passos (of at least 8 chaactes, incluing at least one lette an at least one numbe) to uses. Ientification an authentication on the console/auxiliay pot is equie 27

fo Uses. Fom the configue teminal comman line, the Cypto Office entes the folloing syntax: line con 0 passo [PASSWORD] login local 4. The Cypto Office may configue the moule to use RADIUS o TACACS+ fo authentication. Configuing the moule to use RADIUS o TACACS+ fo authentication is optional. If the moule is configue to use RADIUS o TACACS+, the Cypto-Office must efine RADIUS o TACACS+ shae secet keys that ae at least 8 chaactes long, incluing at least one lette an at least one numbe. 5. Fimae upate is not alloe in FIPS moe. IPSec Requiements an Cyptogaphic Algoithms 1. The only types of IPSec key management that ae alloe in FIPS moe is Intenet Key Exchange (IKE) an Goup Domain of Intepetation (GDOI). 2. Although the IOS implementation of IKE allos a numbe of algoithms, only the folloing algoithms ae alloe in a FIPS 140-2 configuation: ah-sha-hmac esp-sha-hmac esp-3es esp-aes esp-aes-192 esp-aes-256 3. The folloing algoithms shall not be use: MD-5 fo signing MD-5 HMAC DES Potocols 1. SNMP v3 ove a secue IPSec tunnel may be employe fo authenticate, secue SNMP gets an sets. Since SNMP v2c uses community stings fo authentication, only gets ae alloe une SNMP v2c. 28

Remote Access 1. SSH access to the moule is alloe in FIPS appove moe of opeation, using SSH v2 an a FIPS appove algoithm. 2. Telnet access to the moule is only alloe via a secue IPSec tunnel beteen the emote system an the moule. The Cypto office must configue the moule so that any emote connections via telnet ae secue though IPSec, using FIPS-appove algoithms. Note that all uses must still authenticate afte emote access is gante. 3. HTTPS/TLS management is not alloe in FIPS moe Cisco Unifie Boe Element (CUBE) TLS Configuation 1. When configuing CUBE TLS connections, the folloing configuation comman option must be execute to limit the TLS session options to FIPS-appove algoithms. cypto signaling [stict-ciphe] Ientifying Opeation in an Appove Moe The folloing activities ae equie to veify that that the moule is opeating in an Appove moe of opeation. 1. Veify that the tampe evience labels an FIPS opacity shiels have been popely place on the moule base on the instuctions specifie in the Physical Secuity an Secue Opeation sections of this ocument. 2. Veify that the length of Use an Cypto Office passos an all shae secets ae at least eight (8) chaactes long, inclue at least one lette, an inclue at least one numbe chaacte, as specifie in the Secue Opeation section of this ocument. 3. Issue the folloing commans: 'sho cypto ipsec sa', 'sho cypto isakmp policy', an sho sip-ua connections tcp tls etail. Veify that only FIPS appove algoithms ae use. 29

Relate Documentation This ocument eals only ith opeations an capabilities of the secuity appliances in the technical tems of a FIPS 140-2 cyptogaphic evice secuity policy. Moe infomation is available on the secuity appliances fom the souces liste in this section an fom the folloing souce: The NIST Cyptogaphic Moule Valiation Pogam ebsite (http://csc.nist.gov/goups/stm/cmvp/inex.html) contains contact infomation fo anses to technical o sales-elate questions fo the secuity appliances. Obtaining Documentation Cisco ocumentation an aitional liteatue ae available on Cisco.com. Cisco also povies seveal ays to obtain technical assistance an othe technical esouces. These sections explain ho to obtain technical infomation fom Cisco Systems. Cisco.com You can access the most cuent Cisco ocumentation at this URL: http://.cisco.com/techsuppot You can access the Cisco ebsite at this URL: http://.cisco.com You can access intenational Cisco ebsites at this URL: http://.cisco.com/public/counties_languages.shtml Pouct Documentation DVD Cisco ocumentation an aitional liteatue ae available in the Pouct Documentation DVD package, hich may have shippe ith you pouct. The Pouct Documentation DVD is upate egulaly an may be moe cuent than pinte ocumentation. The Pouct Documentation DVD is a compehensive libay of technical pouct ocumentation on potable meia. The DVD enables you to access multiple vesions of haae an softae installation, configuation, an comman guies fo Cisco poucts an to vie technical ocumentation in HTML. With the DVD, you have access to the same ocumentation that is foun on the Cisco ebsite ithout being connecte to the Intenet. Cetain poucts also have.pf vesions of the ocumentation available. The Pouct Documentation DVD is available as a single unit o as a subsciption. Registee Cisco.com uses (Cisco iect customes) can oe a Pouct Documentation DVD (pouct numbe DOC-DOCDVD=) fom Cisco Maketplace at this URL: http://.cisco.com/go/maketplace/ 30

Oeing Documentation Beginning June 30, 2005, egistee Cisco.com uses may oe Cisco ocumentation at the Pouct Documentation Stoe in the Cisco Maketplace at this URL: http://.cisco.com/go/maketplace/ Nonegistee Cisco.com uses can oe technical ocumentation fom 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the Unite States an Canaa, o elsehee by calling 011 408 519-5055. You can also oe ocumentation by e-mail at tech-oc-stoe-mkpl@extenal.cisco.com o by fax at 1 408 519-5001 in the Unite States an Canaa, o elsehee at 011 408 519-5001. Documentation Feeback You can ate an povie feeback about Cisco technical ocuments by completing the online feeback fom that appeas ith the technical ocuments on Cisco.com. You can sen comments about Cisco ocumentation to bug-oc@cisco.com. You can submit comments by using the esponse ca (if pesent) behin the font cove of you ocument o by iting to the folloing aess: Cisco Systems Attn: Custome Document Oeing 170 West Tasman Dive San Jose, CA 95134-9883 We appeciate you comments. Cisco Pouct Secuity Ovevie Cisco povies a fee online Secuity Vulneability Policy potal at this URL: http://.cisco.com/en/us/poucts/poucts_secuity_vulneability_policy.html Fom this site, you can pefom these tasks: Repot secuity vulneabilities in Cisco poucts. Obtain assistance ith secuity incients that involve Cisco poucts. Registe to eceive secuity infomation fom Cisco. A cuent list of secuity avisoies an notices fo Cisco poucts is available at this URL: http://.cisco.com/go/psit If you pefe to see avisoies an notices as they ae upate in eal time, you can access a Pouct Secuity Incient Response Team Really Simple Synication (PSIRT RSS) fee fom this URL: http://.cisco.com/en/us/poucts/poucts_psit_ss_fee.html 31

Repoting Secuity Poblems in Cisco Poucts Cisco is committe to eliveing secue poucts. We test ou poucts intenally befoe e elease them, an e stive to coect all vulneabilities quickly. If you think that you might have ientifie a vulneability in a Cisco pouct, contact PSIRT: Emegencies secuity-alet@cisco.com An emegency is eithe a conition in hich a system is une active attack o a conition fo hich a sevee an ugent secuity vulneability shoul be epote. All othe conitions ae consiee nonemegencies. Nonemegencies psit@cisco.com In an emegency, you can also each PSIRT by telephone: 1 877 228-7302 1 408 525-6532 Tip We encouage you to use Petty Goo Pivacy (PGP) o a compatible pouct to encypt any sensitive infomation that you sen to Cisco. PSIRT can ok fom encypte infomation that is compatible ith PGP vesions 2.x though 8.x. Neve use a evoke o an expie encyption key. The coect public key to use in you coesponence ith PSIRT is the one linke in the Contact Summay section of the Secuity Vulneability Policy page at this URL: http://.cisco.com/en/us/poucts/poucts_secuity_vulneability_policy.html The link on this page has the cuent PGP key ID in use. Obtaining Technical Assistance Cisco Technical Suppot povies 24-hou-a-ay aa-inning technical assistance. The Cisco Technical Suppot & Documentation ebsite on Cisco.com featues extensive online suppot esouces. In aition, if you have a vali Cisco sevice contact, Cisco Technical Assistance Cente (TAC) enginees povie telephone suppot. If you o not have a vali Cisco sevice contact, contact you eselle. Cisco Technical Suppot & Documentation Website The Cisco Technical Suppot & Documentation ebsite povies online ocuments an tools fo toubleshooting an esolving technical issues ith Cisco poucts an technologies. The ebsite is available 24 hous a ay, at this URL: http://.cisco.com/techsuppot Access to all tools on the Cisco Technical Suppot & Documentation ebsite equies a Cisco.com use ID an passo. If you have a vali sevice contact but o not have a use ID o passo, you can egiste at this URL: http://tools.cisco.com/rpf/egiste/egiste.o Note 32

Use the Cisco Pouct Ientification (CPI) tool to locate you pouct seial numbe befoe submitting a eb o phone equest fo sevice. You can access the CPI tool fom the Cisco Technical Suppot & Documentation ebsite by clicking the Tools & Resouces link une Documentation & Tools. Choose Cisco Pouct Ientification Tool fom the Alphabetical Inex op-on list, o click the Cisco Pouct Ientification Tool link une Alets & RMAs. The CPI tool offes thee seach options: by pouct ID o moel name; by tee vie; o fo cetain poucts, by copying an pasting sho comman output. Seach esults sho an illustation of you pouct ith the seial numbe label location highlighte. Locate the seial numbe label on you pouct an eco the infomation befoe placing a sevice call. Submitting a Sevice Request Using the online TAC Sevice Request Tool is the fastest ay to open S3 an S4 sevice equests. (S3 an S4 sevice equests ae those in hich you netok is minimally impaie o fo hich you equie pouct infomation.) Afte you escibe you situation, the TAC Sevice Request Tool povies ecommene solutions. If you issue is not esolve using the ecommene esouces, you sevice equest is assigne to a Cisco enginee. The TAC Sevice Request Tool is locate at this URL: http://.cisco.com/techsuppot/seviceequest Fo S1 o S2 sevice equests o if you o not have Intenet access, contact the Cisco TAC by telephone. (S1 o S2 sevice equests ae those in hich you pouction netok is on o seveely egae.) Cisco enginees ae assigne immeiately to S1 an S2 sevice equests to help keep you business opeations unning smoothly. To open a sevice equest by telephone, use one of the folloing numbes: Asia-Pacific: +61 2 8446 7411 (Austalia: 1 800 805 227)EMEA: +32 2 704 55 55USA: 1 800 553-2447 Fo a complete list of Cisco TAC contacts, go to this URL: http://.cisco.com/techsuppot/contacts Definitions of Sevice Request Seveity To ensue that all sevice equests ae epote in a stana fomat, Cisco has establishe seveity efinitions. Seveity 1 (S1) You netok is on, o thee is a citical impact to you business opeations. You an Cisco ill commit all necessay esouces aoun the clock to esolve the situation. Seveity 2 (S2) Opeation of an existing netok is seveely egae, o significant aspects of you business opeation ae negatively affecte by inaequate pefomance of Cisco poucts. You an Cisco ill commit full-time esouces uing nomal business hous to esolve the situation. Seveity 3 (S3) Opeational pefomance of you netok is impaie, but most business opeations emain functional. You an Cisco ill commit esouces uing nomal business hous to estoe sevice to satisfactoy levels. 33

Seveity 4 (S4) You equie infomation o assistance ith Cisco pouct capabilities, installation, o configuation. Thee is little o no effect on you business opeations. Obtaining Aitional Publications an Infomation Infomation about Cisco poucts, technologies, an netok solutions is available fom vaious online an pinte souces. Cisco Maketplace povies a vaiety of Cisco books, efeence guies, ocumentation, an logo mechanise. Visit Cisco Maketplace, the company stoe, at this URL: http://.cisco.com/go/maketplace/ Cisco Pess publishes a ie ange of geneal netoking, taining an cetification titles. Both ne an expeience uses ill benefit fom these publications. Fo cuent Cisco Pess titles an othe infomation, go to Cisco Pess at this URL: http://.ciscopess.com Packet magazine is the Cisco Systems technical use magazine fo maximizing Intenet an netoking investments. Each quate, Packet elives coveage of the latest inusty tens, technology beakthoughs, an Cisco poucts an solutions, as ell as netok eployment an toubleshooting tips, configuation examples, custome case stuies, cetification an taining infomation, an links to scoes of in-epth online esouces. You can access Packet magazine at this URL: http://.cisco.com/packet iq Magazine is the quately publication fom Cisco Systems esigne to help going companies lean ho they can use technology to incease evenue, steamline thei business, an expan sevices. The publication ientifies the challenges facing these companies an the technologies to help solve them, using eal-ol case stuies an business stategies to help eaes make soun technology investment ecisions. You can access iq Magazine at this URL: http://.cisco.com/go/iqmagazine o vie the igital eition at this URL: http://ciscoiq.texteity.com/ciscoiq/sample/ Intenet Potocol Jounal is a quately jounal publishe by Cisco Systems fo engineeing pofessionals involve in esigning, eveloping, an opeating public an pivate intenets an intanets. You can access the Intenet Potocol Jounal at this URL: http://.cisco.com/ipj Netoking poucts offee by Cisco Systems, as ell as custome suppot sevices, can be obtaine at this URL: 34

http://.cisco.com/en/us/poucts/inex.html Netoking Pofessionals Connection is an inteactive ebsite fo netoking pofessionals to shae questions, suggestions, an infomation about netoking poucts an technologies ith Cisco expets an othe netoking pofessionals. Join a iscussion at this URL: http://.cisco.com/iscuss/netoking Wol-class netoking taining is available fom Cisco. You can vie cuent offeings at this URL: http://.cisco.com/en/us/leaning/inex.html Definition List AES Avance Encyption Stana CMVP Cyptogaphic Moule Valiation Pogam CSEC Communications Secuity Establishment Canaa CSP Citical Secuity Paamete FIPS Feeal Infomation Pocessing Stana HMAC Hash Message Authentication Coe HTTP Hype Text Tansfe Potocol KAT Knon Anse Test LED Light Emitting Dioe MAC Message Authentication Coe NIST National Institute of Stanas an Technology NVRAM Non-Volatile Ranom Access Memoy RAM Ranom Access Memoy RNG Ranom Numbe Geneato RSA Rivest Shami an Aleman metho fo asymmetic encyption SHA Secue Hash Algoithm TDES Tiple Data Encyption Stana 35