Xformers Security Policy 1941 2901 2911 2921

Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs)

Hardware versions: 1905[1][2], 1921[1][2], 1941[1][2], 2901[1][3], 2911[1][4], 2921[1][5], FIPS Kit (CISCO-FIPS-KIT), Revision -B0[1], ISR: FIPS-SHIELD-1900 [2], FIPS-SHIELD-2901 [3], FIPS-SHIELD-2911 [4] and FIPS-SHIELD-2921 [5]

Firmware versions: 15.1(2)T2A and 15.1(2)T3

FIPS 140-2 Non-Proprietary Security Policy
Overall Level 2 (Sections 3 and 10 Level 3) Validation

Version 0.12
July 2011

Contents

Introduction ........................................................ 3
References .......................................................... 3
FIPS 140-2 Submission Package ....................................... 3
Module Description .................................................. 4
Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs) ... 4
Module Validation Level ............................................. 4
Cryptographic Boundary .............................................. 6
Cryptographic Module Ports and Interfaces ........................... 6
Roles, Services, and Authentication ................................. 10
User Services ....................................................... 10
Cryptographic Officer Services ...................................... 11
Unauthenticated User Services ....................................... 11
Cryptographic Key/CSP Management .................................... 12
Cryptographic Algorithms ............................................ 16
Approved Cryptographic Algorithms ................................... 16
Non-Approved Algorithms ............................................. 16
Self-Tests .......................................................... 17
Physical Security ................................................... 18
Module Opacity and Tamper Evidence .................................. 18
Secure Operation .................................................... 36
Initial Setup ....................................................... 36
System Initialization and Configuration ............................. 36
IPSec Requirements and Cryptographic Algorithms ..................... 37
Protocols ........................................................... 37
Remote Access ....................................................... 38
Wireless Services ................................................... 38
Cisco Unified Border Element (CUBE) TLS Configuration ............... 38
Related Documentation ............................................... 39
Obtaining Documentation ............................................. 39
Cisco.com ........................................................... 39
Product Documentation DVD ........................................... 39
Ordering Documentation .............................................. 40
Documentation Feedback .............................................. 40
Cisco Product Security Overview ..................................... 40
Reporting Security Problems in Cisco Products ....................... 41
Obtaining Technical Assistance ...................................... 41
Cisco Technical Support & Documentation Website ..................... 41
Submitting a Service Request ........................................ 42
Definitions of Service Request Severity ............................. 42
Obtaining Additional Publications and Information ................... 43
Definition List ..................................................... 44

Introduction

This is a non-proprietary Cryptographic Module Security Policy for the Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs) from Cisco Systems, Inc. (Hardware Versions: 1905[1][2], 1921[1][2], 1941[1][2], 2901[1][3], 2911[1][4], 2921[1][5], FIPS Kit (CISCO-FIPS-KIT), Revision -B0[1], ISR: FIPS-SHIELD-1900 [2], FIPS-SHIELD-2901 [3], FIPS-SHIELD-2911 [4] and FIPS-SHIELD-2921 [5]; Firmware Versions: IOS 15.1(2)T2A and 15.1(2)T3), referred to in this document as the modules, routers, or by their specific model name. This security policy describes how the modules meet the security requirements of FIPS 140-2 and how to run the modules in a FIPS 140-2 mode of operation.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and

References

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:

- The Cisco Systems website (http://www.cisco.com) contains information on the full line of products from Cisco Systems.
- The NIST Cryptographic Module Validation Program website (http://csrc.nist.gov/groups/STM/cmvp/index.html) contains contact information for answers to technical or sales-related questions for the module.

FIPS 140-2 Submission Package

The security policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the submission package includes:

- Vendor Evidence
- Finite State Machine
- Other supporting documentation as additional references

With the exception of this non-proprietary security policy, the FIPS 140-2 validation documentation is proprietary to Cisco Systems, Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems, Inc. See the “Obtaining Technical Assistance” section for more information.

Module Description

Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs)

The Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs) are routing platforms that provide VPN functionality as well as SIP Gateway Signaling over TLS Transport. The Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs) provide connectivity and security services in a single, secure device. These routers offer broadband speeds and simplified management to small businesses, enterprise small branches and teleworkers.

In support of the routing capabilities, the Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs) provide IPSec, GetVPN (GDOI), and SSL v3.1 connection capabilities for VPN enabled clients connecting through the Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs).

The tested platforms consist of the following components:

- Cisco 1905 ISR
- Cisco 1921 ISR
- Cisco 1941 ISR
- Cisco 2901 ISR
- Cisco 2911 ISR
- Cisco 2921 ISR

Model          | Firmware
---------------|--------------------------
Cisco 1905 ISR | 15.1(2)T2A and 15.1(2)T3
Cisco 1921 ISR | 15.1(2)T2A and 15.1(2)T3
Cisco 1941 ISR | 15.1(2)T2A and 15.1(2)T3
Cisco 2901 ISR | 15.1(2)T2A and 15.1(2)T3
Cisco 2911 ISR | 15.1(2)T2A and 15.1(2)T3
Cisco 2921 ISR | 15.1(2)T2A and 15.1(2)T3

Table 1: Module Hardware Configurations

Module Validation Level

The following table lists the level of validation for each area in the FIPS PUB 140-2.

No.     | Area Title                                                   | Level
--------|--------------------------------------------------------------|------
1       | Cryptographic Module Specification                           | 2
2       | Cryptographic Module Ports and Interfaces                    | 2
3       | Roles, Services, and Authentication                          | 3
4       | Finite State Model                                           | 2
5       | Physical Security                                            | 2
6       | Operational Environment                                      | N/A
7       | Cryptographic Key Management                                 | 2
8       | Electromagnetic Interference/Electromagnetic Compatibility   | 2
9       | Self-Tests                                                   | 2
10      | Design Assurance                                             | 3
11      | Mitigation of Other Attacks                                  | N/A
Overall | Overall module validation level                              | 2

Table 2: Module Validation Level

Cryptographic Boundary

The cryptographic boundary for the Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs) is defined as the modules’ chassis along with the opacity shields.

Cryptographic Module Ports and Interfaces

Each module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces: data input, data output, control input, and status output. The logical interfaces and their mapping are described in the following tables:

Physical Interfaces | FIPS 140-2 Logical Interfaces
--------------------|------------------------------
EHWIC Slot, 10/100/1000 Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Input Interface
EHWIC Slots, 10/100/1000 Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Output Interface
EHWIC Slots, 10/100/1000 Ports (2), Console Port, USB Console Port, Auxiliary Port, Reset Button, Serial Port | Control Input Interface
Activity LED, System LED, Compact Flash LED (2), RPS Boost LED, Power LED (2), Console Port, Auxiliary Port, USB Console Port, Serial Port | Status Output Interface
Power Plug, PoE Port | Power interface

Table 3: Cisco 1905 ISR Interfaces

Physical Interfaces | FIPS 140-2 Logical Interfaces
--------------------|------------------------------
EHWIC Slots (2), 10/100/1000 Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Input Interface
EHWIC Slots (2), 10/100/1000 Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Output Interface
EHWIC Slots (2), 10/100/1000 Ports (2), Console Port, USB Console Port, Auxiliary Port, Reset Button | Control Input Interface
Activity LED, System LED, Compact Flash LED (2), RPS Boost LED, Power LED (2), Console Port, Auxiliary Port, USB Console Port | Status Output Interface
Power Plug, PoE Port | Power interface

Table 4: Cisco 1921 ISR Interfaces

Physical Interfaces | FIPS 140-2 Logical Interfaces
--------------------|------------------------------
EHWIC Slots (2), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Input Interface
EHWIC Slots (2), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Output Interface
EHWIC Slots (2), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Control Input Interface
Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), Compact Flash LED (2), WLAN LED, RPS Boost LED, Power LED (2), GigE ports (2), Console Port, Auxiliary Port, USB Console Port | Status Output Interface
Power Plug, PoE Port | Power interface

Table 5: Cisco 1941 ISR Interfaces

Physical Interfaces | FIPS 140-2 Logical Interfaces
--------------------|------------------------------
EHWIC Slots (4), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Input Interface
EHWIC Slots (4), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Output Interface
EHWIC Slots (4), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Control Input Interface
Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), Compact Flash LED (2), RPS Boost LED, Power LED (2), GigE ports (2), Console Port, Auxiliary Port, USB Console Port | Status Output Interface
Power Plug, PoE Port | Power interface

Table 6: Cisco 2901 ISR Interfaces

Physical Interfaces | FIPS 140-2 Logical Interfaces
--------------------|------------------------------
EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Input Interface
EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Output Interface
EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Control Input Interface
Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), SM LED, Compact Flash LED (2), RPS Boost LED, Power LED (2), GigE ports (3), Console Port, Auxiliary Port, USB Console Port | Status Output Interface
Power Plug, PoE Port | Power interface

Table 7: Cisco 2911 ISR Interfaces

Physical Interfaces | FIPS 140-2 Logical Interfaces
--------------------|------------------------------
EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Input Interface
EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Output Interface
EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Control Input Interface
Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), SM LED, Compact Flash LED (2), RPS Boost LED, Power LED (2) | Status Output Interface

Title: Microsoft Word - Xformers_Security_Policy_1941_2901_2911_2921.doc Author: wangzhi Created Date: 7/15/2011 12:00:38 PM