router 2811

Cisco 2811 and Cisco 2821 Integrated Services Routers with AIM-VPN/EPII-Plus
FIPS 140-2 Non Proprietary Security Policy, Level 2 Validation
Version 1.6
September 08, 2008
© Copyright 2007 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Uploaded by marcos-araneda, posted 02-Nov-2015

DESCRIPTION

Attached here are the technical specifications of a Cisco 2811 router, in Spanish.

TRANSCRIPT


Table of Contents

1 INTRODUCTION .... 3
1.1 PURPOSE .... 3
1.2 REFERENCES .... 3
1.3 TERMINOLOGY .... 3
1.4 DOCUMENT ORGANIZATION .... 3
2 CISCO 2811 AND 2821 ROUTERS .... 5
2.1 THE 2811 CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS .... 5
2.2 THE 2821 CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS .... 8
2.3 ROLES AND SERVICES .... 12
2.3.1 User Services .... 12
2.3.2 Crypto Officer Services .... 12
2.3.3 Unauthenticated Services .... 13
2.3.4 Strength of Authentication .... 14
2.4 PHYSICAL SECURITY .... 14
2.5 CRYPTOGRAPHIC KEY MANAGEMENT .... 19
2.6 SELF-TESTS .... 27
2.6.1 Self-tests performed by the IOS image .... 27
2.6.2 Self-tests performed by NetGX Chip .... 27
2.6.3 Self-tests performed by AIM .... 28
3 SECURE OPERATION OF THE CISCO 2811 OR 2821 ROUTER .... 28
3.1 INITIAL SETUP .... 28
3.2 SYSTEM INITIALIZATION AND CONFIGURATION .... 29
3.3 IPSEC REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS .... 29
3.4 PROTOCOLS .... 30
3.5 SSLv3.1/TLS REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS .... 30
3.6 REMOTE ACCESS .... 30


1 Introduction

1.1 Purpose

This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 2811 and 2821 Integrated Services Routers with AIM-VPN/EPII-Plus installed. This security policy describes how the Cisco 2811 and 2821 Integrated Services Routers (Firmware Version: IOS 12.4


and functionality of the router. Section 3 specifically addresses the required configuration for the FIPS-mode of operation.

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.


2 Cisco 2811 and 2821 Routers

Branch office networking requirements are dramatically evolving, driven by web and e-commerce applications to enhance productivity and merging the voice and data infrastructure to reduce costs. The Cisco 2811 and 2821 routers provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements. This section describes the general features and functionality provided by the routers. The following subsections describe the physical characteristics of the routers.

2.1 The 2811 Cryptographic Module Physical Characteristics

Figure 1 - The 2811 router case

The 2811 Router is a multiple-chip standalone cryptographic module. The router has a processing speed of 350 MHz. Depending on configuration, either the installed AIM-VPN/EPII-Plus module, the internal NetGX chip or the IOS software is used for cryptographic operations. The cryptographic boundary of the module is the device's case. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

The interfaces for the router are located on the front and rear panels as shown in Figure 2 and Figure 3, respectively.

Figure 2 - Front Panel Physical Interfaces


Figure 3 - Rear Panel Physical Interfaces

The Cisco 2811 router features a console port, an auxiliary port, two Universal Serial Bus


Name | State | Description
Auxiliary Power | Off | -48V PS and RPS not present
 | Solid Green | -48V PS or RPS present and functional
 | Solid Orange | -48V PS or RPS present and failure detected
Activity | Off | No interrupts or packet transfer occurring
 | Blinking Green | System is servicing interrupts
 | Solid Green | System is actively transferring packets
Compact Flash | Off | No ongoing accesses, eject permitted
 | Solid Green | Device is busy, do not eject

Table 1 - 2811 Front Panel Indicators

Name | State | Description
PVDM1 | Off | PVDM1 not installed
 | Solid Green | PVDM1 installed and initialized
 | Solid Orange | PVDM1 installed and initialized error
PVDM0 | Off | PVDM0 not installed
 | Solid Green | PVDM0 installed and initialized
 | Solid Orange | PVDM0 installed and initialized error
AIM1 | Off | AIM1 not installed
 | Solid Green | AIM1 installed and initialized
 | Solid Orange | AIM1 installed and initialized error
AIM0 | Off | AIM0 not installed
 | Solid Green | AIM0 installed and initialized
 | Solid Orange | AIM0 installed and initialized error

Table 2 - 2811 Rear Panel Indicators

The following table describes the meaning of Ethernet LEDs on the rear panel:

Name | State | Description
Activity | Off | Not receiving packets
 | Solid/Blinking Green | Receiving packets
Duplex | Off | Half-Duplex
 | Solid Green | Full-Duplex
Speed | One Blink Green | 10 Mbps
 | Two Blink Green | 100 Mbps
Link | Off | No link established
 | Solid Green | Ethernet link is established

Table 3 - 2811 Ethernet Indicators

The physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following table:

Router Physical Interface | FIPS 140-2 Logical Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, EM Slot, USB Ports | Data Input Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, EM Slot, USB Ports | Data Output Interface
10/100 Ethernet LAN Ports, HWIC Ports, Power Switch, Console Port, Auxiliary Port, EM Slot | Control Input Interface
10/100 Ethernet LAN Port LEDs, AIM LEDs, PVDM LEDs, Power LED, Activity LEDs, Auxiliary LED, Compact Flash LED, Console Port, Auxiliary Port, USB Ports | Status Output Interface
Main Power Plug, Redundant Power Supply Plug | Power Interface

Table 4 - 2811 FIPS 140-2 Logical Interfaces

The CF card that stores the IOS image is considered an internal memory module, because the IOS image stored in the card may not be modified or upgraded. The card itself must never be removed from the drive. A tamper evident seal will be placed over the card in the drive.

2.2 The 2821 Cryptographic Module Physical Characteristics

Figure 4 - The 2821 router case

The 2821 router is a multiple-chip standalone cryptographic module. The router has a processing speed of 350 MHz. Depending on configuration, either the installed AIM-VPN/EPII-Plus card, the internal NetGX chip or the IOS software is used for cryptographic operations.

The cryptographic boundary of the module is the device's case. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

The interfaces for the router are located on the front and rear panels as shown in Figure 5 and Figure 6, respectively.

Figure 5 - 2821 Front Panel Physical Interfaces

Figure 6 - 2821 Rear Panel Physical Interfaces

The Cisco 2821 router features a console port, an auxiliary port, two Universal Serial Bus


Name | State | Description
 | Off | Power off
 | Blinking Green | ROMMON mode
 | Solid Green | Operating normally
 | Solid Orange | System Error Detected
Auxiliary Power | Off | -48V PS and RPS not present
 | Solid Green | -48V PS or RPS present and functional
 | Solid Orange | -48V PS or RPS present and failure detected
Activity | Off | No interrupts or packet transfer occurring
 | Blinking Green | System is servicing interrupts
 | Solid Green | System is actively transferring packets
Compact Flash | Off | No ongoing accesses, eject permitted
 | Solid Green | Device is busy, do not eject

Table 5 - 2821 Front Panel Indicators

Name | State | Description
PVDM2 | Off | PVDM2 not installed
 | Solid Green | PVDM2 installed and initialized
 | Solid Orange | PVDM2 installed and initialized error
PVDM1 | Off | PVDM1 not installed
 | Solid Green | PVDM1 installed and initialized
 | Solid Orange | PVDM1 installed and initialized error
PVDM0 | Off | PVDM0 not installed
 | Solid Green | PVDM0 installed and initialized
 | Solid Orange | PVDM0 installed and initialized error
AIM1 | Off | AIM1 not installed
 | Solid Green | AIM1 installed and initialized
 | Solid Orange | AIM1 installed and initialized error
AIM0 | Off | AIM0 not installed
 | Solid Green | AIM0 installed and initialized
 | Solid Orange | AIM0 installed and initialized error

Table 6 - 2821 Rear Panel Indicators

The following table describes the meaning of Ethernet LEDs on the front panel:

Name | State | Description
Activity | Off | Not receiving packets
 | Solid/Blinking Green | Receiving packets
Duplex | Off | Half-Duplex
 | Solid Green | Full-Duplex
Speed | One Blink Green | 10 Mbps
 | Two Blink Green | 100 Mbps
Link | Off | No link established
 | Solid Green | Ethernet link is established

Table 7 - 2821 Ethernet Indicators

The physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following table:

Router Physical Interface | FIPS 140-2 Logical Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, EM Slot, VeoM Slot, USB Ports | Data Input Interface
10/100 Ethernet LAN Ports, HWIC Ports, Console Port, Auxiliary Port, EM Slot, VeoM Slot, USB Ports | Data Output Interface
10/100 Ethernet LAN Ports, HWIC Ports, Power Switch, Console Port, Auxiliary Port, EM Slot | Control Input Interface
10/100 Ethernet LAN Port LEDs, AIM LEDs, PVDM LEDs, Power LED, Activity LEDs, Auxiliary LED, Compact Flash LED, Console Port, Auxiliary Port, USB Ports | Status Output Interface
Main Power Plug, Redundant Power Supply Plug | Power Interface

Table 8 - 2821 FIPS 140-2 Logical Interfaces

The CF card that stores the IOS image is considered an internal memory module. The reason is that the IOS image stored in the card cannot be modified or upgraded. The card itself must never be removed from the drive. A tamper evident seal will be placed over the card in the drive.

2.3 Roles and Services

Authentication in Cisco 2811 and 2821 is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module supports RADIUS and TACACS+ for authentication. A complete description of all the management and configuration capabilities of the router can be found in the Performing Basic System Management manual and in the online help for the router.

2.3.1 User Services

Users enter the system by accessing the console port with a terminal program or via an IPSec protected telnet or SSH session to a LAN port. The IOS prompts the User for username and password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:

Status Functions: View state of interfaces and protocols, version of IOS currently running.

Network Functions: Connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services


2.3.2 Crypto Officer Services

Configure the router: Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.

Define Rules and Filters: Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.

View Status Functions: View the router configuration, routing tables, active sessions, use gets to view SNMP MIB statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status.

Manage the router: Log off users, shutdown or reload the router, erase the flash memory, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations.

Set Encryption/Bypass: Set up the configuration tables for IP tunneling. Set preshared keys and algorithms to be used for each IP range or allow plaintext packets to be sent from specified IP address.

Bypass Mode

The routers implement an alternating bypass capability, in which some connections may be cryptographically authenticated and encrypted while others may not. Two independent internal actions are required in order to transition into each bypass state: First, the bypass state must be configured by the Crypto Officer using the "match address <ACL-name>" sub-command under crypto map, which defines what traffic is encrypted. Second, the module must receive a packet that is destined for an IP that is not configured to receive encrypted data. The configuration table uses an error detection code to detect integrity failures, and if an integrity error is detected, the module will enter an error state in which no packets are routed. Therefore, a single error in the configuration table cannot cause plaintext to be transmitted to an IP address for which it should be encrypted.
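The two-action rule and the integrity check described above, as an added Python model (not Cisco IOS code, and not from the original document): the names `CryptoMapEntry`, `BypassTable`, `make_entry`, the ACL name `VPN-TO-HQ`, the sample addresses, and the use of CRC-32 as the error detection code are all assumptions. A packet is encrypted only when some entry's ACL covers its destination, leaves in plaintext only when no entry does, and is dropped as soon as the table no longer matches its stored check value, so a corrupted entry can never turn an "encrypt" decision into "bypass".

```python
# Added illustration of the alternating-bypass decision (constructed model,
# not Cisco IOS code). Class/function names, ACL names and addresses are
# assumptions; CRC-32 stands in for the unnamed error detection code.
import zlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class CryptoMapEntry:
    """One crypto map entry: 'match address <ACL-name>' plus the destination
    networks that ACL permits, i.e. the traffic that must be encrypted."""
    acl_name: str
    networks: tuple


def make_entry(acl_name, *cidrs):
    """Build an entry from CIDR strings (hypothetical helper)."""
    return CryptoMapEntry(acl_name, tuple(ip_network(c) for c in cidrs))


def table_checksum(entries):
    """Error detection code over the whole configuration table."""
    blob = "|".join(
        f"{e.acl_name}:{','.join(str(n) for n in e.networks)}" for e in entries
    )
    return zlib.crc32(blob.encode())


class BypassTable:
    """Configuration table plus the integrity check that guards it."""

    def __init__(self, entries):
        # Action 1: the Crypto Officer configures which traffic is encrypted.
        self.entries = tuple(entries)
        self.stored_crc = table_checksum(self.entries)
        self.error_state = False

    def decide(self, dst_ip):
        """Classify a packet to dst_ip as 'encrypt', 'bypass' or 'drop'.

        Action 2 is the arrival of a packet whose destination is covered by
        no 'match address' ACL; only then does traffic leave in plaintext.
        On an integrity failure the module enters an error state and routes
        nothing, so corruption can never downgrade 'encrypt' to 'bypass'."""
        if self.error_state or table_checksum(self.entries) != self.stored_crc:
            self.error_state = True
            return "drop"
        dst = ip_address(dst_ip)
        for entry in self.entries:
            if any(dst in net for net in entry.networks):
                return "encrypt"
        return "bypass"


def demo():
    """Constructed walk-through; returns decisions before and after corruption."""
    table = BypassTable([make_entry("VPN-TO-HQ", "10.1.0.0/16")])
    before = (table.decide("10.1.2.3"), table.decide("192.0.2.10"))
    # Simulated corruption: the HQ prefix vanishes from the stored table.
    table.entries = (CryptoMapEntry("VPN-TO-HQ", ()),)
    after = (table.decide("10.1.2.3"), table.decide("192.0.2.10"))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(('encrypt', 'bypass'), ('drop', 'drop'))`: with the table intact the HQ destination is encrypted and an unconfigured destination passes in bypass; once the table is corrupted both destinations are dropped rather than the HQ traffic silently falling into bypass.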

2.3.3 Unauthenticated Services

The services available to unauthenticated users are:

- Viewing the status output from the module's LEDs
- Powering the module on and off using the power switch
- Sending packets in bypass


2.3.4 Strength of Authentication

The security policy stipulates that all user passwords must be 8 alphanumeric characters, so the password space is 2.8 trillion possible passwords. The possibility of randomly guessing a password is thus far less than one in one million. To exceed a one in 100,000 probability of a successful random password guess in one minute, an attacker would have to be capable of 28 million password attempts per minute, which far exceeds the operational capabilities of the module to support.

When using RSA based authentication, the RSA key pair has a modulus size of 1024 bit to 2048 bit, thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 1.8x10^21 attempts per minute, which far exceeds the operational capabilities of the modules to support.

When using preshared key based authentication, the security policy stipulates that all preshared keys must be 8 alphanumeric characters, so the key space is 2.8 trillion possible combinations. The possibility of randomly guessing this is thus far less than one in one million. To exceed a one in 100,000 probability of a successful random guess in one minute, an attacker would have to be capable of 28 million attempts per minute, which far exceeds the operational capabilities of the module to support.
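The two FIPS 140-2 thresholds this section applies (a single random attempt succeeding with probability below one in 1,000,000, and all attempts within one minute succeeding with probability below one in 100,000), carried through as an added Python example that is not part of the Cisco document. The function names are assumptions, and the 36-symbol alphanumeric alphabet is inferred from the document's own figure of 2.8 trillion for 8 characters (36^8); the example generalises the check to any secret length and to the 80-bit RSA case.

```python
# Added worked arithmetic for FIPS 140-2 strength of authentication.
# Not part of the Cisco document; function names are assumptions and the
# 36-symbol alphabet is inferred from the document's 36^8 = 2.8 trillion.

ALPHANUMERIC = 36            # 26 letters (case-insensitive) + 10 digits
SINGLE_ATTEMPT_LIMIT = 1e-6  # one random attempt must succeed < 1 in 1,000,000
ONE_MINUTE_LIMIT = 1e-5      # attempts over one minute must succeed < 1 in 100,000


def password_space(length, alphabet=ALPHANUMERIC):
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet ** length


def single_guess_probability(space):
    """Chance that one uniformly random guess is correct."""
    return 1 / space


def attempts_to_exceed_minute_limit(space, limit=ONE_MINUTE_LIMIT):
    """Guesses per minute an attacker would need before the one-minute
    success probability exceeds the FIPS 140-2 limit (the '28 million'
    style figure the section quotes)."""
    return limit * space


def meets_fips_140_2(space, attempts_per_minute):
    """True when both thresholds hold for a module able to process
    attempts_per_minute authentication attempts in one minute."""
    p = single_guess_probability(space)
    return p < SINGLE_ATTEMPT_LIMIT and attempts_per_minute * p < ONE_MINUTE_LIMIT


def report(space, attempts_per_minute):
    """Summarise one authentication mechanism the way the section does."""
    return {
        "space": space,
        "single_guess": single_guess_probability(space),
        "attempts_per_minute_to_exceed": attempts_to_exceed_minute_limit(space),
        "meets_fips_140_2": meets_fips_140_2(space, attempts_per_minute),
    }


if __name__ == "__main__":
    # Constructed module capacity: generously assume 1,000 login attempts/minute.
    capacity = 1_000
    cases = [
        ("8-char alphanumeric password / preshared key", password_space(8)),
        ("RSA at the 80-bit low end of the range", 2 ** 80),
        ("4-char alphanumeric password (too short)", password_space(4)),
    ]
    for label, space in cases:
        r = report(space, capacity)
        print(f"{label}: space={r['space']:.3g} "
              f"single={r['single_guess']:.2e} "
              f"need={r['attempts_per_minute_to_exceed']:.3g}/min "
              f"ok={r['meets_fips_140_2']}")
```

The 4-character case is included deliberately: it passes the single-attempt limit (1/36^4 is just under one in a million) yet fails the one-minute limit at a modest 1,000 attempts per minute, which is why the section argues from both thresholds rather than from the key space alone.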

2.4 Physical Security

The router is entirely encased by a metal, opaque case. The rear of the unit contains HWIC/WIC/VIC connectors, LAN connectors, a CF drive, power connector, console connector, auxiliary connector, USB port, and fast Ethernet connectors. The front of the unit contains the system status and activity LEDs. The top, side, and front portion of the chassis can be removed to allow access to the motherboard, memory, AIM slot, and expansion slots.

The Cisco 2811 and 2821 routers require that a special opacity shield be installed over the side air vents in order to operate in FIPS-approved mode. The shield decreases the surface area of the vent holes, reducing visibility within the cryptographic boundary to FIPS-approved specifications.

Install the opacity plates as specified in the pictures below:


Figure 7 - 2811 - Opacity Shields

Figure 8 - 2821 opacity shield placement

Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows:

For Cisco 2811:


1. Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10 °C.
2. The tamper evidence label should be placed so that one half of the label covers the front panel and the other half covers the enclosure.
3. The tamper evidence label should be placed over the CF card in the slot so that any attempt to remove the card will show signs of tampering.
4. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the port adapter slot.
5. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the rear panel.
6. Place tamper evident labels on the opacity shield as shown in Figure 11.
7. The labels completely cure within five minutes.

Figures 9, 10 and 11 show the additional tamper evidence label placements for the 2811.

Figure 9 - 2811 Tamper Evident Label Placement Back View