Cisco Systems 7206VXR NPE-400 manual Secure Operation, Initial Setup


Secure Operation

The Cisco 7206VXR NPE-400 router with a single VPN Acceleration Module (VAM) meets all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS mode of operation. Operating this router without maintaining the appropriate settings will remove the module from the FIPS approved mode of operation.

Initial Setup

The Crypto Officer ensures that the VAM cryptographic accelerator card is installed in the module by visually confirming the presence of the VAM in a port adapter slot.

The Crypto Officer must apply tamper evidence labels as described in the “Physical Security” section on page 8 of this document.

Only a Crypto Officer may add and remove port adapters. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper evidence labels on the router as described in the “Physical Security” section on page 8 of this document.

System Initialization and Configuration

The Crypto Officer must perform the initial configuration. The Cisco IOS software version 12.3(3d) is the only allowable image. No other image may be loaded.

The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the configure terminal command line, the Crypto Officer enters the following syntax:

config-register 0x0102

The Crypto Officer must create the “enable” password for the Crypto Officer role. The password must be at least 8 characters and is entered when the Crypto Officer first engages the enable command. The Crypto Officer enters the following syntax at the “#” prompt:

enable secret [PASSWORD]

The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication on the console port is required for Users. From the configure terminal command line, the Crypto Officer enters the following syntax:

line con 0

password [PASSWORD]

login local

The Crypto Officer shall only assign users to a privilege level 1 (the default).

The Crypto Officer shall not assign a command to any privilege level other than its default.

The Crypto Officer may configure the module to use RADIUS or TACACS+ for authentication. Configuring the module to use RADIUS or TACACS+ for authentication is optional. If the module is configured to use RADIUS or TACACS+, the Crypto Officer must define RADIUS or TACACS+ shared secret keys that are at least 8 characters long.
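The settings in this section can be audited after configuration. The following Python script is an added example, not part of Cisco's security policy: it scans a constructed IOS running-config excerpt (with the configuration-register line from show version appended, since the register is not shown in the running config) for deviations from the requirements above. The IOS line formats it matches are assumed from general IOS syntax, and a hashed enable secret or a type-7 encrypted key cannot be length-checked from the config.

```python
import re
from itertools import takewhile

# Constructed sample (not from the page): a running-config excerpt followed by
# the last line of "show version", where IOS reports the configuration register.
SAMPLE = """\
enable secret 5 $1$abcd$placeholderhash
username alice privilege 1 secret 5 $1$efgh$placeholderhash
username bob privilege 15 secret 5 $1$ijkl$placeholderhash
privilege exec level 5 show running-config
radius-server host 192.0.2.10 key short
line con 0
 password 7 094F471A1A0A
 login local
Configuration register is 0x2102
"""

def check_fips_settings(text):
    """Return the deviations from this page's FIPS-mode settings found in text."""
    lines = [l.rstrip() for l in text.splitlines()]
    findings = []
    # Boot field 0x0102: console break disabled, IOS image boots automatically.
    m = re.search(r"(?:config-register|Configuration register is) (0x[0-9A-Fa-f]+)", text)
    if not m or m.group(1).lower() != "0x0102":
        findings.append("config-register is not 0x0102")
    if not any(l.startswith("enable secret ") for l in lines):  # length is hidden once hashed
        findings.append("no enable secret configured")
    for l in lines:
        if l.startswith("username "):  # users: password set, privilege level 1 only
            name = l.split()[1]
            if not re.search(r"\b(password|secret)\b", l):
                findings.append(f"user {name} has no password")
            pm = re.search(r"privilege (\d+)", l)
            if pm and pm.group(1) != "1":
                findings.append(f"user {name} has privilege level {pm.group(1)}")
        elif l.startswith("privilege ") and " level " in l:  # command moved off its default level
            findings.append(f"command privilege reassigned: {l}")
        elif l.startswith(("radius-server host", "tacacs-server host")):
            # Shared secret must be >= 8 chars; a type-7 "key 7 ..." value cannot be measured.
            km = re.search(r"\bkey (?:0 )?(\S+)$", l)
            if km and len(km.group(1)) < 8:
                findings.append(f"AAA shared secret shorter than 8 characters: {l.split()[0]}")
    # Console line: a password plus "login local" (authenticate against local users).
    i = lines.index("line con 0") if "line con 0" in lines else len(lines)
    block = [x.strip() for x in takewhile(lambda s: s.startswith(" "), lines[i + 1:])]
    if not any(b.startswith("password ") for b in block):
        findings.append("console line has no password")
    if "login local" not in block:
        findings.append("console line lacks 'login local'")
    return findings
```

Running it against SAMPLE reports four deviations (boot field, bob's privilege level, the reassigned command level, and the short RADIUS key); an empty list means every setting on this page is in place.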

FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM
OL-3959-01