Secure Operation of the Cisco 7206 VXR
•The crypto officer must create the “enable” password for the crypto officer role. The password must be at least 8 characters and is entered when the crypto officer first engages the enable command. The crypto officer enters the following syntax at the “#” prompt:
enable secret [PASSWORD]
•The crypto officer must always assign passwords (of at least 8 characters) to users. Users connecting through the console port must be identified and authenticated. From the configure terminal command line, the crypto officer enters the following syntax:
line con 0
password [PASSWORD]
login local
•The crypto officer shall only assign users to a privilege level 1 (the default).
•The crypto officer shall not assign a command to any privilege level other than its default.
•The PCMCIA Flash memory card slot is not configured in FIPS mode. Its use is restricted via tamper evidence labels. See the “Physical Security” section for more details.
Non FIPS-Approved Algorithms
•The following algorithms are not FIPS approved and should be disabled:
–RSA for encryption
–
–
–
–HMAC
Protocols
•The following network services affect the security data items and must not be configured: NTP, TACACS+, RADIUS, Kerberos.
•SNMP v3 over a secure IPSec tunnel can be employed for authenticated, secure SNMP Gets and Sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under SNMP v2C.
Remote Access
•Auxiliary terminal services must be disabled, except for the console. The following configuration disables login services on the auxiliary console line.
line aux 0
no exec
Cisco 7206 VXR Router with ISA Security Policy