Roles and Services

The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 alphanumeric characters in length. See the “Secure Operation” section on page 16 for more information. If only the digits 0-9 are used, without repetition, for an 8-digit PIN, there are 10!/2! = 1,814,400 possible sequences, so the probability of randomly guessing the correct one is 1 in 1,814,400. Allowing the rest of the alphanumeric characters drastically lowers the odds of guessing the correct sequence.
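The following Python is an added example, not part of the Security Policy and not Cisco code. It reproduces the 1 in 1,814,400 figure above, shows how the space grows when the full alphanumeric set is allowed (the case-sensitive 62-character set used here is an assumption; the policy only says "alphanumeric"), and checks a candidate secret against the minimum-length and character-set requirement.

```python
import math
import string

# The policy says "at least 8 alphanumeric characters". Treating that as the
# case-sensitive set [A-Za-z0-9] is an assumption of this example.
ALNUM = string.ascii_letters + string.digits
MIN_LEN = 8


def meets_policy(secret: str) -> bool:
    """True if secret is at least MIN_LEN characters drawn only from ALNUM."""
    return len(secret) >= MIN_LEN and all(c in ALNUM for c in secret)


def keyspace(alphabet_size: int, length: int, repetition: bool = True) -> int:
    """Number of distinct secrets of the given length over the alphabet.

    repetition=False counts ordered selections without reuse, which is the
    case the policy text describes: 10 digits, 8 positions, no digit repeated,
    giving 10P8 = 10!/2! = 1,814,400.
    """
    if repetition:
        return alphabet_size ** length
    if length > alphabet_size:
        return 0
    return math.perm(alphabet_size, length)


def guess_probability(alphabet_size: int, length: int, repetition: bool = True) -> float:
    """Probability that a single uniformly random guess is correct."""
    return 1.0 / keyspace(alphabet_size, length, repetition)


if __name__ == "__main__":
    pin_space = keyspace(10, 8, repetition=False)
    alnum_space = keyspace(len(ALNUM), 8)
    print(f"8-digit PIN, no repeated digit: 1 in {pin_space:,}")
    print(f"8-char alphanumeric (62 symbols): 1 in {alnum_space:,}")
    print(f"ratio: {alnum_space // pin_space:,}x larger")
    for candidate in ("Tr0ub4dor", "short1", "has space1"):
        print(candidate, "->", "ok" if meets_policy(candidate) else "rejected")
```

The ratio printed by the last block is the quantitative form of the policy's "drastically decreases the odds" remark; the check function is the kind of gate an operator would put in front of a password-provisioning script so that a secret violating the FIPS-mode requirement is never pushed to the router.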

Crypto Officer Role

During initial configuration of the router, the Crypto Officer password (the “enable” password) is defined. A Crypto Officer assigns permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers.

The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following:

Configures the Router: Defines network interfaces and settings, creates command aliases, sets the protocols the router will support, enables interfaces and network services, sets system date and time, and loads authentication information.

Defines Rules and Filters: Creates packet filters that are applied to User data streams on each interface. Each filter consists of a set of rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.

Status Functions: Views the router configuration, routing tables, active sessions; views SNMP MIB II statistics, health, temperature, memory status, voltage, packet statistics; reviews accounting logs, and views physical interface status.

Manages the Router: Logs off users, shuts down or reloads the router, manually backs up router configurations, views complete configurations, manages user rights, and restores router configurations.

Sets Encryption/Bypass: Sets up the configuration tables for IP tunneling; sets the keys and algorithms to be used for each IP range, or allows plaintext packets to be sent from specified IP addresses.

Changes Port Adapters: Inserts and removes adapters in a port adapter slot.
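As an added illustration of the filter semantics in the "Defines Rules and Filters" service above (this is example code, not the Security Policy's or IOS's own implementation), the following Python models a stateless interface filter: rules are evaluated in order, the first match decides, and a packet that matches no rule is denied. The packet fields, the ACK/RST test used for "TCP connection establishment", and the sample rule set are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    direction: str = "in"               # "in" or "out", relative to the interface
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str = "ip"                   # "ip" matches any protocol ID
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    direction: Optional[str] = None
    established: bool = False           # match only TCP segments of an already-open session

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.established:
            # Stateless "established" test: the segment carries ACK or RST.
            # This is the well-known weakness of such rules: nothing checks that a
            # permitted SYN ever preceded it, so a sender can simply set the ACK bit.
            if pkt.proto != "tcp" or not (pkt.tcp_flags & {"ACK", "RST"}):
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample filter for an Internet-facing interface protecting 10.0.0.0/24.
SAMPLE_FILTER = [
    Rule("permit", "tcp", dst="10.0.0.5/32", dport=443, direction="in"),          # public HTTPS server
    Rule("permit", "tcp", dst="10.0.0.0/24", direction="in", established=True),  # replies to inside-initiated sessions
    Rule("permit", "icmp", src="192.0.2.0/24", dst="10.0.0.0/24", direction="in"),  # ping only from the management net
    Rule("permit", direction="out"),                                             # everything leaving is allowed
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.9", "10.0.0.5", 40000, 443, "in", frozenset({"SYN"})),
        Packet("tcp", "198.51.100.9", "10.0.0.5", 40000, 22, "in", frozenset({"SYN"})),
        Packet("tcp", "198.51.100.9", "10.0.0.10", 80, 50000, "in", frozenset({"ACK"})),
        Packet("icmp", "198.51.100.9", "10.0.0.1", direction="in"),
    ]
    for p in samples:
        print(p.proto, p.src, "->", p.dst, p.dport, sorted(p.tcp_flags), "=>", evaluate(SAMPLE_FILTER, p))
```

The order of the rules matters: a broad "permit ... established" placed before a narrower deny would let the deny never fire. The comment inside the established check is the caveat a reviewer should raise whenever a filter relies on TCP flag bits rather than on connection state.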

User Role

A User enters the system by accessing the console port with a terminal program. The IOS prompts the User for their password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:

Status Functions: Views the state of interfaces, the state of layer 2 protocols, and the version of IOS currently running.

Network Functions: Connects to other network devices (via outgoing telnet or PPP) and initiates diagnostic network services (e.g., ping, mtrace).

Terminal Functions: Adjusts the terminal session (e.g., locks the terminal, adjusts flow control).

Directory Services: Displays the directory of files kept in flash memory.

FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM
OL-3959-01