Obtaining Documentation

If the Crypto Officer loads any IOS image onto the router, this will put the router into a non-FIPS mode of operation.

IPSec Requirements and Cryptographic Algorithms

There are two key management methods allowed in FIPS mode: Internet Key Exchange (IKE) and manually entered IPSec keys.

Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:

ah-sha-hmac

esp-des

esp-sha-hmac

esp-3des

esp-aes

The following algorithms are not FIPS approved and should be disabled:

MD-4 and MD-5 for signing

MD-5 HMAC
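To audit a running configuration against the two lists above, the following checker (an added example, not part of the Cisco policy) parses `crypto ipsec transform-set` lines from a constructed IOS config and reports any transform that is not on the allowed list. The allowed set is transcribed from this policy as written; the sample config lines and set names are invented for illustration.

```python
import re

# Transforms this policy lists as allowed in a FIPS 140-2 configuration.
# Transcribed as written; the policy predates NIST's later withdrawal of DES.
FIPS_ALLOWED_TRANSFORMS = {
    "ah-sha-hmac", "esp-des", "esp-sha-hmac", "esp-3des", "esp-aes",
}

# Constructed sample of IOS running-config lines (not from the policy document).
SAMPLE_CONFIG = """\
crypto ipsec transform-set FIPS-SET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set LEGACY-SET esp-3des esp-md5-hmac
crypto ipsec transform-set AH-ONLY ah-sha-hmac
crypto ipsec transform-set WEAK ah-md5-hmac esp-des
"""

# Matches "crypto ipsec transform-set <name> <transform> [<transform> ...]".
TRANSFORM_SET_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+)((?:\s+\S+)+)\s*$")


def parse_transform_sets(config_text):
    """Return {set_name: [transforms]} for every transform-set line in the config.

    A purely numeric token (e.g. the "256" in "esp-aes 256") is an AES key
    length, not a transform, so it is dropped rather than flagged.
    """
    sets = {}
    for line in config_text.splitlines():
        m = TRANSFORM_SET_RE.match(line)
        if m:
            sets[m.group(1)] = [t for t in m.group(2).split() if not t.isdigit()]
    return sets


def find_non_fips_transforms(config_text):
    """Map each transform-set name to the transforms that are not on the allowed list.

    Sets that use only allowed transforms are omitted; an empty result means
    every transform-set in the config is FIPS-compliant under this policy.
    """
    findings = {}
    for name, transforms in parse_transform_sets(config_text).items():
        disallowed = [t for t in transforms if t not in FIPS_ALLOWED_TRANSFORMS]
        if disallowed:
            findings[name] = disallowed
    return findings


if __name__ == "__main__":
    for name, bad in find_non_fips_transforms(SAMPLE_CONFIG).items():
        print(f"{name}: not FIPS-approved -> {', '.join(bad)}")
```

On the sample config this flags the two MD5-based HMAC transforms, which is exactly what the "should be disabled" list above calls out.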

Protocols

All SNMP operations must be performed within a secure IPSec tunnel.

Remote Access

Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto Officer must configure the module so that any remote connections via telnet are secured through IPSec.

SSH access to the module is only allowed if SSH is configured to use a FIPS-approved algorithm. The Crypto Officer must configure the module so that SSH uses only FIPS-approved algorithms.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM

 

OL-3959-01
