router 2811
DESCRIPTION
Here I attach the technical specifications of a Cisco 2811 router, in Spanish.
TRANSCRIPT
5/18/2018 Router 2811
1/31
Cisco 2811 and Cisco 2821
Integrated Services Routers
with AIM-VPN/EPII-Plus
FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation
Version 1.6
September 08, 2008
Copyright 2007 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Table of Contents
1 INTRODUCTION ............ 3
1.1 PURPOSE ............ 3
1.2 REFERENCES ............ 3
1.3 TERMINOLOGY ............ 3
1.4 DOCUMENT ORGANIZATION ............ 3
2 CISCO 2811 AND 2821 ROUTERS ............ 5
2.1 THE 2811 CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS ............ 5
2.2 THE 2821 CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS ............ 8
2.3 ROLES AND SERVICES ............ 12
2.3.1 User Services ............ 12
2.3.2 Crypto Officer Services ............ 12
2.3.3 Unauthenticated Services ............ 13
2.3.4 Strength of Authentication ............ 14
2.4 PHYSICAL SECURITY ............ 14
2.5 CRYPTOGRAPHIC KEY MANAGEMENT ............ 19
2.6 SELF-TESTS ............ 27
2.6.1 Self-tests performed by the IOS image ............ 28
2.6.2 Self-tests performed by NetGX Chip ............ 28
2.6.3 Self-tests performed by AIM ............ 29
3 SECURE OPERATION OF THE CISCO 2811 OR 2821 ROUTER ............ 28
3.1 INITIAL SETUP ............ 28
3.2 SYSTEM INITIALIZATION AND CONFIGURATION ............ 29
3.3 IPSEC REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS ............ 29
3.4 PROTOCOLS ............ 30
3.5 SSLV3.1/TLS REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS ............ 30
3.6 REMOTE ACCESS ............ 30
1 Introduction
1.1 Purpose
This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 2811 and 2821 Integrated Services Routers with AIM-VPN/EPII-Plus installed. This security policy describes how the Cisco 2811 and 2821 Integrated Services Routers (Firmware Version: IOS 12.4
and functionality of the router. Section 3 specifically addresses the required configuration for the FIPS-mode of operation.
With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.
2 Cisco 2811 and 2821 Routers
Branch office networking requirements are dramatically evolving, driven by web and e-commerce applications to enhance productivity and merging the voice and data infrastructure to reduce costs. The Cisco 2811 and 2821 routers provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements. This section describes the general features and functionality provided by the routers. The following subsections describe the physical characteristics of the routers.
2.1 The 2811 Cryptographic Module Physical Characteristics
Figure 1 - The 2811 router case
The 2811 Router is a multiple-chip standalone cryptographic module. The router has a processing speed of 350MHz. Depending on configuration, the installed AIM-VPN/EPII-Plus module, the internal NetGX chip or the IOS software is used for cryptographic operations. The cryptographic boundary of the module is the device's case. All of the functionality discussed in this document is provided by components within this cryptographic boundary. The interface for the router is located on the front and rear panels as shown in Figure 2 and Figure 3, respectively.
Figure 2 - Front Panel Physical Interfaces
Figure 3 - Rear Panel Physical Interfaces
The Cisco 2811 router features a console port, an auxiliary port, two Universal Serial Bus
Auxiliary Power | Off / Solid Green / Solid Orange | -48V PS and RPS not present / -48V PS or RPS present and functional / -48V PS or RPS present and failure detected
Activity | Off / Blinking Green / Solid Green | No interrupts or packet transfer occurring / System is servicing interrupts / System is actively transferring packets
Compact Flash | Off / Solid Green | No ongoing accesses, eject permitted / Device is busy, do not eject
Table 1 - 2811 Front Panel Indicators
Name | State | Description
PVDM1 | Off / Solid Green / Solid Orange | PVDM1 not installed / PVDM1 installed and initialized / PVDM1 installed and initialized error
PVDM0 | Off / Solid Green / Solid Orange | PVDM0 not installed / PVDM0 installed and initialized / PVDM0 installed and initialized error
AIM1 | Off / Solid Green / Solid Orange | AIM1 not installed / AIM1 installed and initialized / AIM1 installed and initialized error
AIM0 | Off / Solid Green / Solid Orange | AIM0 not installed / AIM0 installed and initialized / AIM0 installed and initialized error
Table 2 - 2811 Rear Panel Indicators
The following table describes the meaning of Ethernet LEDs on the rear panel:
Name | State | Description
Activity | Off / Solid/Blinking Green | Not receiving packets / Receiving packets
Duplex | Off / Solid Green | Half-Duplex / Full-Duplex
Speed | One Blink Green / Two Blink Green | 10 Mbps / 100 Mbps
Link | Off / Solid Green | No link established / Ethernet link is established
Table 3 - 2811 Ethernet Indicators
The physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following table:
Router Physical Interface | FIPS 140-2 Logical Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, EM Slot, USB Ports | Data Input Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, EM Slot, USB Ports | Data Output Interface
10/100 Ethernet LAN Ports, HWIC Ports, Power Switch, Console Port, Auxiliary Port, EM Slot | Control Input Interface
10/100 Ethernet LAN Port LEDs, AIM LEDs, PVDM LEDs, Power LED, Activity LEDs, Auxiliary LED, Compact Flash LED, Console Port, Auxiliary Port, USB Ports | Status Output Interface
Main Power Plug, Redundant Power Supply Plug | Power Interface
Table 4 - 2811 FIPS 140-2 Logical Interfaces
The CF card that stores the IOS image is considered an internal memory module, because the IOS image stored in the card may not be modified or upgraded. The card itself must never be removed from the drive. A tamper evident seal will be placed over the card in the drive.
2.2 The 2821 Cryptographic Module Physical Characteristics
Figure 4 - The 2821 router case
The 2821 router is a multiple-chip standalone cryptographic module. The router has a processing speed of 350MHz. Depending on configuration, either the installed AIM-VPN/EPII-Plus card, the internal NetGX chip or the IOS software is used for cryptographic operations.
The cryptographic boundary of the module is the device's case. All of the functionality discussed in this document is provided by components within this cryptographic boundary. The interfaces for the router are located on the front and rear panels as shown in Figure 5 and Figure 6, respectively.
Figure 5 - 2821 Front Panel Physical Interfaces
Figure 6 - 2821 Rear Panel Physical Interfaces
The Cisco 2821 router features a console port, an auxiliary port, two Universal Serial Bus
Blinking Green / Solid Green / Solid Orange | Power off / ROMMON mode / Operating normally / System Error Detected
Auxiliary Power | Off / Solid Green / Solid Orange | -48V PS and RPS not present / -48V PS or RPS present and functional / -48V PS or RPS present and failure detected
Activity | Off / Blinking Green / Solid Green | No interrupts or packet transfer occurring / System is servicing interrupts / System is actively transferring packets
Compact Flash | Off / Solid Green | No ongoing accesses, eject permitted / Device is busy, do not eject
Table 5 - 2821 Front Panel Indicators
Name | State | Description
PVDM2 | Off / Solid Green / Solid Orange | PVDM2 not installed / PVDM2 installed and initialized / PVDM2 installed and initialized error
PVDM1 | Off / Solid Green / Solid Orange | PVDM1 not installed / PVDM1 installed and initialized / PVDM1 installed and initialized error
PVDM0 | Off / Solid Green / Solid Orange | PVDM0 not installed / PVDM0 installed and initialized / PVDM0 installed and initialized error
AIM1 | Off / Solid Green / Solid Orange | AIM1 not installed / AIM1 installed and initialized / AIM1 installed and initialized error
AIM0 | Off / Solid Green / Solid Orange | AIM0 not installed / AIM0 installed and initialized / AIM0 installed and initialized error
Table 6 - 2821 Rear Panel Indicators
The following table describes the meaning of Ethernet LEDs on the front panel:
Name | State | Description
Activity | Off / Solid/Blinking Green | Not receiving packets / Receiving packets
Duplex | Off / Solid Green | Half-Duplex / Full-Duplex
Speed | One Blink Green / Two Blink Green | 10 Mbps / 100 Mbps
Link | Off / Solid Green | No link established / Ethernet link is established
Table 7 - 2821 Ethernet Indicators
The physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following table:
Router Physical Interface | FIPS 140-2 Logical Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, EM Slot, VeoM Slot, USB Ports | Data Input Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, EM Slot, VeoM Slot, USB Ports | Data Output Interface
10/100 Ethernet LAN Ports, HWIC Ports, Power Switch, Console Port, Auxiliary Port, EM Slot | Control Input Interface
10/100 Ethernet LAN Port LEDs, AIM LEDs, PVDM LEDs, Power LED, Activity LEDs, Auxiliary LED, Compact Flash LED, Console Port, Auxiliary Port, USB Ports | Status Output Interface
Main Power Plug, Redundant Power Supply Plug | Power Interface
Table 8 - 2821 FIPS 140-2 Logical Interfaces
The CF card that stores the IOS image is considered an internal memory module. The reason is that the IOS image stored in the card cannot be modified or upgraded. The card itself must never be removed from the drive. A tamper evident seal will be placed over the card in the drive.
2.3 Roles and Services
Authentication in the Cisco 2811 and 2821 is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module supports RADIUS and TACACS+ for authentication. A complete description of all the management and configuration capabilities of the router can be found in the Performing Basic System Management manual and in the online help for the router.
2.3.1. User Services
Users enter the system by accessing the console port with a terminal program or via an IPSec protected telnet or SSH session to a LAN port. The IOS prompts the User for username and password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:
Status Functions | View state of interfaces and protocols, version of IOS currently running.
Network Functions | Connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services
Configure the router | Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.
Define Rules and Filters | Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
View Status Functions | View the router configuration, routing tables, active sessions, use gets to view SNMP MIB statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status.
Manage the router | Log off users, shutdown or reload the router, erase the flash memory, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations.
Set Encryption/Bypass | Set up the configuration tables for IP tunneling. Set preshared keys and algorithms to be used for each IP range or allow plaintext packets to be sent from specified IP address.
Bypass Mode | The routers implement an alternating bypass capability, in which some connections may be cryptographically authenticated and encrypted while others may not. Two independent internal actions are required in order to transition into each bypass state: First, the bypass state must be configured by the Crypto Officer using the "match address <ACL-name>" sub-command under crypto map, which defines what traffic is encrypted. Second, the module must receive a packet that is destined for an IP that is not configured to receive encrypted data. The configuration table uses an error detection code to detect integrity failures, and if an integrity error is detected, the module will enter an error state in which no packets are routed. Therefore, a single error in the configuration table cannot cause plaintext to be transmitted to an IP address for which it should be encrypted.
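The two-action bypass transition and the integrity check on the configuration table can be modelled as a small state machine. The Python below is an added illustration, not Cisco's code; it assumes CRC-32 as the error detection code (the policy does not name one), and the ACL name, prefixes and hosts are constructed examples.

```python
import ipaddress
import zlib
from dataclasses import dataclass

# Added model of the alternating-bypass logic described in the policy.
# Assumption: the error detection code over the configuration table is
# CRC-32 (the policy does not say which code is used). ACL name, prefixes
# and hosts below are constructed examples, not values from the policy.


@dataclass
class CryptoMapTable:
    """Configuration table: ACL name -> destination networks to encrypt."""
    entries: dict
    checksum: int = 0

    def _edc(self) -> int:
        canonical = ";".join(
            f"{name}={','.join(nets)}" for name, nets in sorted(self.entries.items())
        )
        return zlib.crc32(canonical.encode())

    def seal(self) -> int:
        """Action 1: the Crypto Officer commits 'match address <ACL-name>'."""
        self.checksum = self._edc()
        return self.checksum

    def intact(self) -> bool:
        return self._edc() == self.checksum


class Module:
    def __init__(self, table: CryptoMapTable):
        self.table = table
        self.state = "normal"

    def route(self, dst_ip: str) -> str:
        """Return 'encrypted', 'bypass' or 'dropped' for a packet to dst_ip."""
        if self.state == "error" or not self.table.intact():
            self.state = "error"  # integrity failure: no packets are routed
            return "dropped"
        dst = ipaddress.ip_address(dst_ip)
        for nets in self.table.entries.values():
            if any(dst in ipaddress.ip_network(n) for n in nets):
                return "encrypted"  # destination matched the crypto ACL
        # Action 2: packet for an IP not configured for encryption -> bypass
        return "bypass"


def demo():
    table = CryptoMapTable({"VPN-ACL": ["10.1.0.0/16"]})
    table.seal()
    module = Module(table)
    normal = (module.route("10.1.2.3"), module.route("192.0.2.9"))
    # A single corrupted entry (e.g. a bit flip in stored configuration)
    table.entries["VPN-ACL"] = ["10.2.0.0/16"]
    corrupted = module.route("10.1.2.3")
    table.seal()  # in this model the error state is sticky even after re-sealing
    return normal, corrupted, module.route("192.0.2.9"), module.state


if __name__ == "__main__":
    print(demo())
```

The corrupted table makes the module drop the packet that would otherwise have been encrypted, rather than sending it in plaintext.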
2.3.3 Unauthenticated Services
The services available to unauthenticated users are:
Viewing the status output from the module's LEDs
Powering the module on and off using the power switch
Sending packets in bypass
2.3.4 Strength of Authentication
The security policy stipulates that all user passwords must be alphanumeric characters, so the password space is 2.8 trillion possible passwords. The possibility of randomly guessing a password is thus far less than one in one million. To exceed a one in 100,000 probability of a successful random password guess in one minute, an attacker would have to be capable of 28 million password attempts per minute, which far exceeds the operational capabilities of the module to support.
When using RSA based authentication, the RSA key pair has a modulus size of 1024 bit to 2048 bit, thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 1.8x10^21 attempts per minute, which far exceeds the operational capabilities of the modules to support.
When using preshared key based authentication, the security policy stipulates that all preshared keys must be alphanumeric characters, so the key space is 2.8 trillion possible combinations. The possibility of randomly guessing this is thus far less than one in one million. To exceed a one in 100,000 probability of a successful random guess in one minute, an attacker would have to be capable of 28 million attempts per minute, which far exceeds the operational capabilities of the module to support.
2.4 Physical Security
The router is entirely encased by a metal, opaque case. The rear of the unit contains HWIC/WIC/VIC connectors, LAN connectors, a CF drive, power connector, console connector, auxiliary connector, USB port, and fast Ethernet connectors. The front of the unit contains the system status and activity LEDs. The top, side, and front portion of the chassis can be removed to allow access to the motherboard, memory, AIM slot, and expansion slots.
The Cisco 2811 and 2821 routers require that a special opacity shield be installed over the side air vents in order to operate in FIPS-approved mode. The shield decreases the surface area of the vent holes, reducing visibility within the cryptographic boundary to FIPS-approved specifications.
Install the opacity plates as specified in the pictures below:
Figure 7 - 2811 Opacity Shields
Figure 8 - 2821 opacity shield placement
Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows:
For Cisco 2811:
1. Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10 C.
2. The tamper evidence label should be placed so that one half of the label covers the front panel and the other half covers the enclosure.
3. The tamper evidence label should be placed over the CF card in the slot so that any attempt to remove the card will show signs of tampering.
4. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot.
5. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the rear panel.
6. Place tamper evident labels on the opacity shield as shown in Figure 11.
7. The labels completely cure within five minutes.
Figures 9, 10 and 11 show the additional tamper evidence label placements for the 2811.
Figure 9 - 2811 Tamper Evident Label Placement Back View