Table Of Contents
Cisco 7140 VPN Router Security Policy
The Cisco 7140 VPN Router Cryptographic Module
Cisco 7140 VPN Router Slot Numbering
Cryptographic Officer Services
Secure Operation of the Cisco 7140 VPN Router
System Initialization and Configuration
Obtaining Technical Assistance
Contacting TAC by Using the Cisco TAC Website
Cisco 7140 VPN Router Security Policy
Introduction
This nonproprietary Cryptographic Module Security Policy describes how Cisco 7140 VPN routers meet the security requirements of the Federal Information Processing Standards (FIPS) 140-1, and how they operate in a secure FIPS 140-1 mode. The policy was prepared as part of the Level 2 FIPS 140-1 certification of Cisco 7140 VPN routers.
Note
This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the last page.
The FIPS 140-1 publication, "Security Requirements for Cryptographic Modules" details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-1 standard and validation program is available at the following National Institute of Standards and Technology (NIST) website:
http://csrc.nist.gov/cryptval/
This document contains the following sections:
•
•
References
This document deals with operations and capabilities of Cisco 7140 VPN routers in the technical terms of a FIPS 140-1 cryptographic module security policy. For more information on Cisco 7140 VPN routers and the entire Cisco 7100 VPN series, check the following sources:
•
www.cisco.com.
•
www.cisco.com/warp/public/cc/pd/rt/7100/
•
www.cisco.com.
Terminology
In this document, the cryptographic module is referred to as the 7140 VPN router, the router, or the system.
Document Organization
The security policy document is part of the complete FIPS 140-1 Submission Package. In addition to this document, the complete submission package contains:
•
•
•
•
This document provides an overview of Cisco 7140 VPN routers and explains the secure configuration and operation of the router. It also explains the general features and functionality of Cisco 7140 VPN routers and addresses the required configuration for the FIPS mode of operation.
Note
Cisco 7140 VPN Routers
Cisco 7140 VPN routers provide superior routing and VPN services performance for the most demanding VPN deployments, as well as dual WAN interfaces and power supplies for increased VPN solution reliability. Cisco 7140 VPN routers integrate key features of VPNs—tunneling, data encryption, security, firewall, advanced bandwidth management, and service-level validation—to deliver self-healing, self-defending site-to-site VPN platforms that better and more cost-effectively accommodate remote-office and extranet connectivity using public data services.
Cisco 7140 VPN routers offer specific hardware configurations and a processing architecture optimized for VPN applications and Customer Premises Equipment (CPE) environments, delivering turnkey VPN solutions for headend locations. Cisco 7140 VPN routers feature integrated LAN interfaces for connectivity to the corporate LAN or VPN termination behind the WAN edge, as well as optional multiport WAN interfaces, providing multihomed connectivity to the VPN cloud. With its MIPS RISC processor, Cisco 7140 VPN routers deliver robust VPN features, such as bandwidth management and firewall, at speeds greater than 90 Mbps, as well as scalable tunneling and encryption services.
Cisco 7140 VPN routers are further customizable through hardware and software options to accommodate diverse network architectures and requirements. An open expansion slot enables LAN/WAN interface customization by utilizing a Cisco 7000 family port adapter. Highly scalable tunneling and encryption is provided by the Integrated Services Module (ISM), which is described later in this document. With scalable support for IPSec, PPTP/MPPE, and L2TP, Cisco 7140 VPN routers provide flexibility in remote access deployment models for enterprises with both remote access and site-to-site VPN requirements. Advanced perimeter security and intrusion detection, key features in a self-defending VPN solution, are also provided on Cisco 7140 VPN routers via the Cisco IOS Firewall Feature Set.
Cisco 7140 VPN routers are available in seven models. Key features common to all models include:
•
•
•
•
•
•
•
•
•
•
•
•
The Cisco 7140 VPN Router Cryptographic Module
The metal casing that fully encloses the router establishes the router's cryptographic boundary. All the functionality discussed in this document is provided by components within the casing. Cisco 7140 VPN routers come equipped with two 280-Watt AC-input power supplies for power-load sharing and redundancy.
Figure 1 shows the front of a Cisco 7140 router.
Figure 1 The Cisco 7140 VPN Router
Router Interfaces and LEDs
This section describes Cisco 7140 VPN router interfaces and LEDs. This section contains the following topics:
•
•
•
Rear Panel Interface LEDs
The interfaces are located on the back of the router. The rear panel LEDs shown in Figure 2 provides an overall status of the router operation.
Figure 2 Rear Panel LEDs
Table 1 provides more detailed information conveyed by the LEDs on the rear panel of the router:
FIPS 140-1 Logical Interfaces
All of these physical interfaces are separated into the logical interfaces from FIPS as described in Table 2:
* Disabled in FIPS mode. See the "Secure Operation of the Cisco 7140 VPN Router" section for more information.
The module also has two other RJ-45 connectors for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem. Additionally, Cisco 7140 VPN routers have different physical interfaces available in the two fixed WAN ports.
Table 3 gives a description of the Cisco 7140 VPN router series and physical interfaces.
Further information about the different WAN options and their respective status indications (such as LED descriptions) can be found in the "Cisco 7100 Series VPN Router Product Overview" at the following website:
http://www.cisco.com/univercd/cc/td/doc/product/core/7100/hwicg/overegr.htm
Cisco 7140 VPN Router Slot Numbering
Slots in Cisco 7140 VPN routers are numbered as follows:
•
•
•
•
•
•
Figure 3 shows the slots in a Cisco 7140 VPN router.
Figure 3 Cisco 7140 Slot Numbering
Roles and Services
There are two main roles in the router (as required by FIPS 140-1) that operators can assume: crypto officer or administrator role and user role. The administrator of the router assumes the crypto officer role in order to configure and maintain the router using crypto officer services, while the users exercise only the basic user services.
This section also contains the following subsections:
•
Cryptographic Officer Services
During initial configuration of the router, a crypto officer password is defined and all management services are available from this role. The crypto officer connects to the router through the console port through terminal program. A router administrator might assign permission to distribute the crypto officer role to additional accounts, thereby creating additional administrators.
At the highest level, crypto officer services include the following:
•
•
•
•
•
•
User Services
A user enters the system by accessing the console port with a terminal program. The IOS prompts the user for their password. If it matches the plaintext password stored in IOS memory, the user is allowed entry to the IOS executive program. At the highest level, user services include the following:
•
•
•
•
Physical Security
The router is entirely encased by a thick steel chassis. The back of the router provides one port adapter slot, one service module slot, on-board LAN connectors, PCMCIA slots, Console/Auxiliary connectors, the power cable connections, and the power switch.
Once the router has been configured to meet FIPS 140-1 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows:
•
•
•
•
•
•
•
Figure 4 shows the tamper evidence label placements.
Figure 4 Tamper Evidence Label Placement
The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to remove port adapters or service modules will damage the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper evidence labels have nonrepeated serial numbers, the labels can be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered with. Tamper evidence labels can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, and slices. The word "Opened" can appear if the label was peeled back.
Note
Cryptographic Key Management
The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. Keys are also password protected and can be zeroized by the crypto officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE). The Cisco 7140 router supports the following FIPS-approved algorithms: DES, 3DES, and SHA-1. These algorithms received certification numbers 74, 17, and 26 respectively.
Self-Tests
In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to insure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. The self-tests run at power-up includes a cryptographic known answer test (KAT) on the FIPS-approved cryptographic algorithms (DES, 3DES), on the message digest (SHA-1), and on the Diffie-Hellman algorithm. Also performed at startup are a software integrity test using an EDC and a set of Statistical Random Number Generator (RNG) tests. The following tests are also run periodically or conditionally: a bypass mode test performed conditionally prior to executing IPSec, a software load test for upgrades, and the continuous random number generator test. If any of these self-tests fail, the router transitions into an error state. Within the error state, all secure data transmission is halted and the router outputs status information indicating the failure.
Secure Operation of the Cisco 7140 VPN Router
Cisco 7140 VPN routers meet all the Level 2 requirements for FIPS 140-1. Follow the setting instructions provided below to place the module in FIPS mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.
Initial Setup
•
•
System Initialization and Configuration
•
•
config-register 0x0101
•
enable secret [password]
•
line con 0
password [password]
login local
•
•
•
Non FIPS-Approved Algorithms
•
–
–
–
–
–
Protocols
•
•
Remote Access
•
line aux 0
no exec
•
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites:
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and can be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
•
http://www.cisco.com/cgi-bin/order/order_root.pl
•
http://www.cisco.com/go/subscription
•
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Attn Document Resource Connection
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-9883We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
Technical Assistance Center
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
Contacting TAC by Using the Cisco TAC Website
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:
P3 and P4 level problems are defined as follows:
•
•
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website:
http://www.cisco.com/register/
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen
Contacting TAC by Telephone
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows:
•
•
AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
By printing or making a copy of this document, the user agrees to use this information for product evaluation purposes only. Sale of this information in whole or in part is not authorized by Cisco Systems.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0110R)
Cisco 7140 VPN Router Security Policy
Copyright © 2001, Cisco Systems, Inc.
All rights reserved.
Guest
