Corporate Headquarters: Copyright © 2001. Cisco Systems, Inc. All rights reserved. Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA Cisco 2621 Modular Access Router Security Policy Introduction This is a non-proprietary Cryptographic Module Security Policy for the Cisco 2621 router. This security policy describes how the Cisco 2621 router meets the security requirements of FIPS 140-1, and how to operate the Cisco 2621 router in a secure FIPS 140-1 mode. This policy was prepared as part of the Level 2 FIPS 140-1 certification of the Cisco 2621 router. Note This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the last page. FIPS 140-1 (Federal Information Processing Standards Publication 140-1 - Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-1 standard and validation program is available on the NIST website at the following NIST website: http://csrc.nist.gov/cryptval/ This document contains the following sections: • Introduction, page 1 • Cisco 2621 Modular Access Routers, page 2 • Secure Operation of the Cisco 2621 Router, page 10 • Network Modules and WAN Interface Cards, page 11 • Tables of Supported Cards, page 13 • Obtaining Documentation, page 17 • Obtaining Technical Assistance, page 18 2 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Cisco 2621 Modular Access Routers References This document deals only with operations and capabilities of the Cisco 2621 router in the technical terms of a FIPS 140-1 cryptographic module security policy. More information is available on the Cisco 2621 router and the entire 2600 Series from the following sources: • The Cisco Systems website contains information on the full line of Cisco Systems products. Refer to the following website: www.cisco.com. • The 2600 Series product descriptions can be found at the following website: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis2600/2600hig/2600ovr.htm • For answers to technical or sales related questions, please refer to the contacts listed on the following website: www.cisco.com. Terminology In this document, the Cisco 2621 router is referred to as the router, the module, or the system. Document Organization The Security Policy document is part of the complete FIPS 140-1 Submission Package. In addition to this document, the complete Submission Package contains: • Vendor Evidence document • Finite State Machine • Module Software Listing • Other supporting documentation as additional references This document provides an overview of the Cisco 2621 router and explains the secure configuration and operation of the module. This introduction section is followed by the “Cisco 2621 Modular Access Routers” section on page 2, which details the general features and functionality of the Cisco 2621 router. The “Secure Operation of the Cisco 2621 Router” section on page 10 specifically addresses the required configuration for the FIPS-mode of operation. This Security Policy and other Certification Submission Documentation was produced by Corsec Security, Inc. under contract to Cisco Systems. With the exception of this Non-Proprietary Security Policy, the FIPS 140-1 Certification Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems. Cisco 2621 Modular Access Routers Branch office networking requirements are dramatically evolving, driven by web and e-commerce applications to enhance productivity and converging the voice and data infrastructure to reduce costs. The Cisco 2621 modular multi-service router offers versatility, integration, and security to branch offices. With over 70 network modules and interfaces, the modular architecture of the Cisco router easily 3 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Cisco 2621 Modular Access Routers allows interfaces to be upgraded to accommodate network expansion. The Cisco 2621 provides a scalable, secure, manageable remote access server that meets FIPS 140-1 Level 2 requirements. This section describes the general features and functionality provided by the Cisco 2621 router. The “Secure Operation of the Cisco 2621 Router” section on page 10 provides further details on how the router addresses FIPS 140-1 requirements. The Cisco 2621 Cryptographic Module The metal casing that fully encloses the module establishes the cryptographic boundary for the router, all the functionality discussed in this document is provided by components within the casing. Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocols (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. Cisco 2600`s RISC-based processor provides the power needed for the dynamic requirements of the remote branch office, achieving wire speed Ethernet to Ethernet routing with up to 25 thousand packets per second (Kpps) throughput capacity. Figure 1 shows a Cisco 2621 modular access router. Figure 1 Cisco 2621 Router Module Interfaces The interfaces for the router are located on the rear panel as shown in Figure 2. Figure 2 Physical Interfaces POWER RPS ACTIVITY Cisco 2600SERIES SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2A/S SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2T Cisco 2611 100-240V– 1A 50/60 Hz 47 W W0 AUX CONSOLE ETHERNET 0 ACT LINK ACT ETHERNET 1 LINK W1 10/100BaseT Ethernet 0/0 (RJ-45) 10/100BaseT Ethernet 0/1 (RJ-45) Auxiliary port (RJ-45) Console port (RJ-45) Cisco 2621 14324 4 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Cisco 2621 Modular Access Routers The Cisco 2600 series features single or dual fixed LAN interfaces, a network module slot, two Cisco WAN interface card (WIC) slots, and a new Advanced Integration Module (AIM) slot. LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token-Ring and Ethernet; and single Token Ring chassis versions. WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity, while available network modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options. The AIM slot supports integration of advanced services such as hardware-assisted data compression and encryption. All Cisco 2600 series routers include an auxiliary port supporting 115Kbps Dial On Demand Routing, ideal for back-up WAN connectivity. The physical interfaces include power plug for the power supply and a power switch. The router has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors on the back panel for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem. The 10/100Base-T LAN ports have Link/Activity, 10/100Mbps, and half/full duplex LEDs. Figure 3 shows the LEDs located on the rear panel with descriptions detailed in Table 1: Figure 3 Rear Panel LEDs Figure 4 shows the front panel LEDs, which provide overall status of the router's operation. The front panel displays whether or not the router is booted, if the redundant power is (successfully) attached and operational, and overall activity/link status. 14326 SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2A/S SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2A/S Cisco 2621 W0 W1 AUX CONSOLE 10/100 ETHERNET 0/0 10/100 ETHERNET 0/1 10/100BaseT Ethernet 0/0 (RJ-45) 10/100BaseT Ethernet 0/1 (RJ-45) Auxiliary port (RJ-45) Console port (RJ-45) FDX LED FDX LED Link FDX FDX Link LED 100 Mbps Mbps LED Link Link LED 100 Mbps Mbps LED Table 1 Rear Panel LEDs and Descriptions LED Indication Description LINK Green An Ethernet link has been established Off No Ethernet link established FDX Green The interface is transmitting data in full-duplex mode Off When off, the interface is transmitting data in half-duplex mode 100 Mbps Green The speed of the interface is 100 Mbps Off The speed of the interface is 10 Mbps or no link is established 5 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Cisco 2621 Modular Access Routers Figure 4 Front Panel LEDs The following table provides more detailed information conveyed by the LEDs on the front panel of the router: All of these physical interfaces are separated into the logical interfaces from FIPS as described in the following table: POWER RPS ACTIVITY H11660 Table 2 Front Panel LEDs and Descriptions LED Indication Description Power Green Power is supplied to the router and the router is operational Off The router is not powered on Redundant Power System (RPS) Green RPS is attached and operational Off No RPS is attached Blink RPS is attached, but has a failure Activity Off In the Cisco IOS software, but no network activity Blink (500 ms ON, 500 ms OFF) In ROMMON, no errors Blink (500 ms ON, 500 ms OFF, 2 sec between codes) In ROMMON, error detected Blink (less than 500 ms) In the Cisco IOS software, the blink rate reflects the level of activity 6 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Cisco 2621 Modular Access Routers *The auxiliary port must be disabled in FIPS mode. See the “Secure Operation of the Cisco 2621 Router” section on page 10. In addition to the built-in interfaces, the router also has approximately 70 network modules that can optionally be placed in an available slot. These networks modules have many embodiments, including multiple Ethernet, token ring, and modem cards to handle frame relay, ATM, and ISDN connections. See the “Network Modules and WAN Interface Cards” section on page 11 for a more detailed description of network modules and how they apply to the FIPS certification. Roles and Services There are two main roles in the router (as required by FIPS 140-1) that operators may assume: Crypto Officer role and User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. Crypto Officer Services During initial configuration of the router a Crypto Officer or Administrator password is defined and all management services are available from this role. The Administrator connects to the router through the console port via terminal program. An administrator of the router may assign permission to access the Administrator role to additional accounts, thereby creating additional administrators. At the highest level, Crypto Officer services include the following: Table 3 FIPS 140-1 Logical Interfaces Router Physical Interface FIPS 140-1 Logical Interface 10/100BASE-TX LAN Port WAN Interface Network Module Interface Console Port Auxiliary Port* Data Input Interface 10/100BASE-TX LAN Port WAN Interface Network Module Interface Console Port Auxiliary Port* Data Output Interface Power Switch Console Port Auxiliary Port* Control Input Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs Power LED Redundant Power LED Activity LED Console Port Auxiliary Port* Status Output Interface Power Plug Power Interface 7 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Cisco 2621 Modular Access Routers • Configure the router: define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, load authentication information, etc. • Define Rules and Filters: create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. • Status Functions: view the router configuration, routing tables, active sessions, use Gets to view SNMP MIB II statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status • Manage the router: log off users, shutdown or reload the router, manually back up router configurations, view complete configurations, manager user rights, restore router configurations, etc. • Set Encryption/Bypass: set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range or allow plaintext packets to be set from specified IP address. • Change Network Modules: insert and remove modules in the network module slot as described in the “Physical Security” section on page 7 of this document. • Change WAN Interface Cards: insert and remove modules in the network module slot as described in “Physical Security” section on page 7 of this document. A complete description of all the management and configuration capabilities of the Cisco 2621 router can be found in the Performing Basic System Management manual and in the online help for the router. User Services A User enters the system by accessing the console port with a terminal program. The IOS prompts the User for their password. If it matches the plaintext password stored in IOS memory, the User is allowed entry to the IOS executive program. The services available to the User role include: At the highest level, User services include the following: • Status Functions: view state of interfaces, state of layer 2 protocols, version of IOS currently running • Network Functions: connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services (i.e., ping, mtrace) • Terminal Functions: adjust the terminal session (e.g., lock the terminal, adjust flow control) • Directory Services: display directory of files kept in flash memory Physical Security The router is entirely encased by a thick steel chassis. The rear of the unit provides 1 Network Module slot, 2 WIC slots, on-board LAN connectors, Console/Auxiliary connectors, the power cable connection and a power switch. The top portion of the chassis may be removed (see Figure 5) to allow access to the motherboard, memory, expansion slots and Advanced Interface Module. 8 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Cisco 2621 Modular Access Routers Figure 5 Chassis Removal Once the router has been configured in to meet FIPS 140-1 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows: Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The ambient air must be above 10ºC, otherwise the labels may not properly cure.. Step 2 Place the first label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the tamper evidence label covers the enclosure and the other half covers the side of the router. Any attempt to remove the enclosure will leave tamper evidence. Step 3 Place the second label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the tamper evidence label covers the enclosure and the other half covers the side of the router. Any attempt to remove the enclosure will leave tamper evidence. Step 4 Place the third label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the label covers the enclosure and the other half covers the Network Module slot. Any attempt to remove a network module will leave tamper evidence. Step 5 Place the fourth label on the router as shown in Figure 6. The tamper evidence label should be placed so that the half of the label covers the enclosure and the other half covers the WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Step 6 Place the fifth label on the router as shown in Figure 6. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Step 7 The labels completely cure within five minutes. 35392 POWER RPS ACTIVITY Cisco 2600SERIES 9 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Cisco 2621 Modular Access Routers Figure 6 Tamper-Evident Labels The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to open the router, remove network modules or WIC cards, or the front faceplate will damage the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper evidence labels have non-repeated serial numbers, the labels may be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered. Tamper evidence labels can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, and slices. The word "Opened" may appear if the label was peeled back. Cryptographic Key Management The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. Keys are also password protected and can be zeroized by the Crypto Officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE). The Cisco 2621 router supports the following FIPS-approved algorithms: DES. 3DES, and SHA-1. These algorithms received certification numbers 74, 17, and 26 respectively. The Cisco 2621 router contains a cryptographic accelerator card, which provides DES (56-bit) and 3DES (168-bit) IPSec encryption at up to 32Mbps (3DES, 96Mbps DES), MD5 and SHA-1 hashing, and has hardware support for DH, RSA, and DSA key generation. Self-Tests In order to prevent any secure data being released, it is important to test the cryptographic components of a security module to insure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. The self-test run at power-up includes a cryptographic known answer tests (KAT) on the FIPS-approved cryptographic algorithms (DES, 3DES), on the message digest (SHA-1) and on Diffie-Hellman algorithm. Also performed at startup are software integrity test using an EDC, and a set of Statistical Random Number Generator (RNG) tests. The following tests are also run periodically or conditionally: a Bypass Mode test performed conditionally prior to executing IPSec, a software load test for upgrades and the continuous random number generator test. If any of these self-tests fail, the router will transition into an error state. Within the error state, all secure data transmission is halted and the router outputs status information indicating the failure. 62125 SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2A/S SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2T Cisco 2611 100-240V– 1A 50/60 Hz 47 W W0 AUX CONSOLE ETHERNET 0 ACT LINK ACT ETHERNET 1 LINK W1 POWER RPS ACTIVITY Cisco 2600SERIES 10 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Secure Operation of the Cisco 2621 Router Secure Operation of the Cisco 2621 Router The Cisco 2621 router meets all the Level 2 requirements for FIPS 140-1. Follow the setting instructions provided below to place the module in FIPS mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation. Initial Setup Step 1 The Crypto Officer must apply tamper evidence labels as described in the “Physical Security” section on page 7 of this document. The Crypto Officer must securely store tamper evidence labels before use, and any tamper evidence labels not used should also be stored securely. Step 2 Only a Crypto Officer may add and remove network modules. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper evidence labels on the router as described in the “Physical Security” section on page 7 Step 3 Only a Crypto Officer may add and remove WAN Interface Cards. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper evidence labels on the router as described in the “Physical Security” section on page 7. System Initialization and Configuration Step 1 The Crypto Officer must perform the initial configuration. The IOS version shipped with the router, version 12.1(5)T, is the only allowable image. No other image may be loaded. Step 2 The value of the boot field must be 0x0101 (the factory default). This setting disables break from the console to the ROM monitor and automatically and boots the IOS image. From the "configure terminal" command line, the Crypto Officer enters the following syntax: config-register 0x0101 Step 3 The Crypto Officer must create the "enable" password for the Crypto Officer role. The password must be at least 8 characters and is entered when the Crypto Officer first engages the "enable" command. The Crypto Officer enters the following syntax at the "#" prompt: enable secret [PASSWORD] Step 4 The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication of the console port is required for Users. From the "configure terminal" command line, the Crypto Officer enters the following syntax: line con 0 password [PASSWORD] login local Step 5 The Crypto Officer shall only assign users to a privilege level 1 (the default). Step 6 The Crypto Officer shall not assign a command to any privilege level other than its default. 11 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Network Modules and WAN Interface Cards Non-FIPS Approved Algorithms The following algorithms are not FIPS approved and should be disabled: • RSA for encryption • MD-4 and MD-5 for signing • ah-sha-hmac • esp-sha-hmac • HMAC SHA-1 Protocols The following network services affect the security data items and must not be configured: NTP, TACACS+, RADIUS, Kerberos. SNMP v3 over a secure IPSec tunnel may be employed for authenticated, secure SNMP gets and sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under SNMP v2C. Remote Access Auxiliary terminal services must be disabled, except for the console. The following configuration disables login services on the auxiliary console line. line aux 0 no exec Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto officer must configure the module so that any remote connections via telnet are secured through IPSec. Network Modules and WAN Interface Cards With over 70 modular interface options, the Cisco 2621 provides solutions for data, voice, video, hybrid dial access, virtual private networks (VPNs), and multi-protocol data routing. The high-performance, modular architecture protects customers' investment in network technology and integrates the functions of several devices into a single, manageable solution. Each network module and WAN Interface Card (WIC) meets FIPS 140-1 requirements for physical interfaces. They are classified as data input interfaces and data output interfaces. Network modules and WICs are an external interface, similar to the 100Base-T LAN ports. They expand the router's physical interfaces with multi-port ATM modules, multi-port Ethernet modules, high-speed serial interfaces, etc. A list all network modules and WICs is included with this document (the “Tables of Supported Cards” section on page 13). 12 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Network Modules and WAN Interface Cards Network Modules When a network module is inserted, it fits into an adapter called the network module expansion bus. The expansion bus interacts with the PCI bridge in the same way that the fixed LAN ports do; therefore, no critical security parameters pass through the network module (just as they don't pass through the LAN ports). The Advanced Interface Module (AIM) socket, which contains the cryptographic accelerator card, interacts with only the PCI bridge. There is no direct interaction between the AIM socket and the network module expansion bus, just as there is no interaction between the fixed AIM socket and the fixed LAN ports. Furthermore, network modules do not perform any cryptographic functions. The Cisco 2621 block diagram clearly depicts the distinction between the network module slot and the AIM socket. The block diagram for the crypto card clearly delineates that the network modules and network module expansion bus have no direct interaction with the crypto card. Therefore, no security parameters pass through the network module expansion bus to the crypto card or vice versa. The expansion bus for the network module card is inside the cryptographic boundary, but it services only the network modules (physical interfaces) and has no effect on the cryptographic processing of the module. If the expansion bus were at the router's cryptographic boundary (as opposed to being inside the boundary), the same principles would apply. While the cryptographic boundary is drawn at the router case, adding and removing network modules will not compromise the security of the router. As described in the “Roles and Services” section on page 6, only a Crypto Officer may replace a network module. If someone other than the Crypto Officer attempts to change a network module, the stickers over the network module slot will indicate tamper evidence. Thus, only valid network modules will be used and only the proper authority may change them. The “Physical Security” section on page 7 provides instructions to change network modules in a FIPS-approved manner. WAN Interface Cards WICs are similar to network modules in that they greatly increase the router's flexibility. The WICs are inserted into one of two slots, which are located above the fixed LAN ports. WICs interface directly with the processor. They do not interface with the cryptographic card; therefore no security parameters will pass through them. WICs cannot perform cryptographic functions; they only serve as a data input and data output physical interface. Please refer to the block diagrams for further reference. Only the Crypto Officer may change WICs, and they must follow the same guidelines for changing network modules (see the “Physical Security” section on page 7). Console Port Additionally, the console port does not directly interface with the network modules, the WICs, or the AIM socket; therefore, no critical security parameters will be passed over the network modules, WICs, or cryptographic processing card from the terminal. Conclusion Network modules and WAN Interface Cards do not affect the cryptographic processing of the router, nor are they privy to any security parameters contained in the router's cryptographic card. The following table describes the input data types and output data types of network modules and WICs: 13 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Tables of Supported Cards No critical security parameters are passed though either of these interfaces. These interfaces do not perform any cryptographic functions, and "hot swapping" these interfaces by the Crypto Officer as described in the “Initial Setup” section on page 10 does not compromise the security of the router. Tables of Supported Cards Network Modules Supported Network Module and WAN Interface Card Input Data type Output Data type Plaintext data that is to be encrypted from the local area network Plaintext data that has been decrypted by the module Encrypted input from the remote modules (Wide Area Network) Ciphertext data that has been encrypted by the module Internet Key Exchange information from the remote module Internet Key Exchange information from the module Status information Cisco 2600 Series Supported Network Modules Part Number 1-Port DS3 ATM Network Module NM-1A-T3 1-Port DS3 ATM Network Module NM-1A-T3= 1-Port E3 ATM Network Module NM-1A-E3 1-Port E3 ATM Network Module NM-1A-E3= 16 port Asynchronous Module NM-16A= 16 port Asynchronous Module NM-16A 32 port Asynchronous Module NM-32A 32 port Asynchronous Module NM-32A= 4-Port Async/Sync Serial Network Module NM-4A/S 4-Port Async/Sync Serial Network Module NM-4A/S= 4-Port ISDN-BRI Network Module NM-4B-S/T 4-Port ISDN-BRI Network Module NM-4B-S/T= 4-Port ISDN-BRI with NT-1 Network Module NM-4B-U 4-Port ISDN-BRI with NT-1 Network Module NM-4B-U= 8-Port Async/Sync Serial Network Module NM-8A/S 8-Port Async/Sync Serial Network Module NM-8A/S= 8-Port ISDN-BRI Network Module NM-8B-S/T 14 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Tables of Supported Cards 8-Port ISDN-BRI Network Module NM-8B-S/T= 8-Port ISDN-BRI with NT-1 Network Module NM-8B-U 8-Port ISDN-BRI with NT-1 Network Module NM-8B-U= 1-Port Channelized T1/ISDN-PRI Network Module NM-1CT1 1-Port Channelized T1/ISDN-PRI Network Module NM-1CT1= 1-Port Channelized T1/ISDN-PRI with CSU Network Module NM-1CT1-CSU 1-Port Channelized T1/ISDN-PRI with CSU Network Module NM-1CT1-CSU= 2-Port Channelized T1/ISDN-PRI Network Module NM-2CT1 2-Port Channelized T1/ISDN-PRI Network Module NM-2CT1= 2-Port Channelized T1/ISDN-PRI with CSU Network Module NM-2CT1-CSU 2-Port Channelized T1/ISDN-PRI with CSU Network Module NM-2CT1-CSU= 1-Port Channelized E1/ISDN-PRI Balanced Network Module NM-1CE1B 1-Port Channelized E1/ISDN-PRI Balanced Network Module NM-1CE1B= 1-Port Channelized E1/ISDN-PRI Unbalanced Network Module NM-1CE1U 1-Port Channelized E1/ISDN-PRI Unbalanced Network Module NM-1CE1U= 2-Port Channelized E1/ISDN-PRI Balanced Network Module NM-2CE1B 2-Port Channelized E1/ISDN-PRI Balanced Network Module NM-2CE1B= 2-Port Channelized E1/ISDN-PRI Unbalanced Network Module NM-2CE1U 2-Port Channelized E1/ISDN-PRI Unbalanced Network Module NM-2CE1U= 4-Port Ethernet Network Module NM-4E 4-Port Ethernet Network Module NM-4E= 4-port E1 ATM Network Module with IMA NM-4E1-IMA 4-port E1 ATM Network Module with IMA NM-4E1-IMA= 4-port T1 ATM Network Module with IMA NM-4T1-IMA= 4-port T1 ATM Network Module with IMA NM-4T1-IMA 1-Port Ethernet Network Module NM-1E 1-Port Ethernet Network Module NM-1E= One port ATM 25Mbps network module NM-1ATM-25 Single port ATM 25 Network Module for 3600 series(spare) NM-1ATM-25= 8Port Analog Modem Network Module NM-8AM 8-port E1 ATM Network Module with IMA NM-8E1-IMA 8-port E1 ATM Network Module with IMA NM-8E1-IMA= 8-port T1 ATM Network Module with IMA NM-8T1-IMA 8-port T1 ATM Network Module with IMA NM-8T1-IMA= 16 Port Analog Modem Network Module NM-16AM 16 Port Analog Modem Network Module Spare NM-16AM= Blank Network Module Panel NM-BLANK-PANEL= Cisco 2600 Series Supported Network Modules Part Number 15 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Tables of Supported Cards Voice/Fax Network Modules Supported Voice/Fax Interface Card for Voice/Fax Modules Supported Single-Port 24 Channel T1 Voice/Fax Network Module NM-HDV-1T1-24 Single-Port 24 Channel T1 Voice/Fax Network Module NM-HDV-1T1-24= Single-Port 24 Enhanced Channel T1 Voice/Fax Network Module NM-HDV-1T1-24E Single-Port 24 Enhanced Channel T1 Voice/Fax Network Module NM-HDV-1T1-24E= Dual-Port 48 Channel T1 Voice/Fax Network Module NM-HDV-2T1-48 Dual-Port 48 Channel T1 Voice/Fax Network Module NM-HDV-2T1-48= 2 WAN Card Slot Network Module(no LAN) NM-2W 2 WAN Card Slot Network Module(no LAN) NM-2W= Single-Port 30 Channel E1 Voice/Fax Network Module NM-HDV-1E1-30 Single-Port 30 Channel E1 Voice/Fax Network Module NM-HDV-1E1-30= Single-Port 30 Enhanced Channel E1 Voice/Fax Network Module NM-HDV-1E1-30E Single-Port 30 Enhanced Channel E1 Voice/Fax Network Module NM-HDV-1E1-30E= Dual-Port 60 Channel E1 Voice/Fax Network Module NM-HDV-2E1-60 Dual-Port 60 Channel E1 Voice/Fax Network Module NM-HDV-2E1-60= Cisco 2600 Voice/Fax Network Modules Part Number One-slot Voice/fax Network Module NM-1V One-Slot Voice/fax Network Module-Spare NM-1V= Two-Slot Voice/fax Network Module NM-2V Two-Slot Voice/fax Network Module-Spare NM-2V= Cisco 2600 Voice/Fax Interface Card for Voice/Fax Modules Part Number Two-port Voice Interface Card - FXS VIC-2FXS Two-port Voice Interface Card - FXS-Spare VIC-2FXS= Two-port Voice Interface Card - FXO VIC-2FXO Two-port Voice Interface Card - FXO-Spare VIC-2FXO= Two-port Voice Interface Card - E&M VIC-2E/M Two-port Voice Interface Card - E&M-Spare VIC-2E/M= Two-port Voice Interface Card - FXO (for Europe) VIC-2FXO-EU Two-port Voice Interface Card - FXO (for Europe) VIC-2FXO-EU= Two-port Voice Interface Card - FXO (for Australia) VIC-2FXO-M3 Cisco 2600 Series Supported Network Modules Part Number 16 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Tables of Supported Cards Multiflex Voice / WAN interface Cards Supported WAN Interface Cards Supported Two-port Voice Interface Card - FXO (for Australia) VIC-2FXO-M3= Two-port Voice Interface Card - BRI (Terminal) VIC-2BRI-S/T-TE Two-port Voice Interface Card - BRI (Terminal) VIC-2BRI-S/T-TE= Cisco 2600 Multiflex Voice / WAN interface Cards Part Number 1-Port RJ-48 Multiflex Trunk - E1 VWIC-1MFT-E1 1-Port RJ-48 Multiflex Trunk - E1 VWIC-1MFT-E1= 2-Port RJ-48 Multiflex Trunk - E1 VWIC-2MFT-E1= 2-Port RJ-48 Multiflex Trunk - E1 With Drop and Insert VWIC-2MFT-E1-DI 2-Port RJ-48 Multiflex Trunk - E1 With Drop and Insert VWIC-2MFT-E1-DI= 1-Port RJ-48 Multiflex Trunk - T1 VWIC-1MFT-T1 1-Port RJ-48 Multiflex Trunk - T1 VWIC-1MFT-T1= 2-Port RJ-48 Multiflex Trunk - T1 With Drop and Insert VWIC-2MFT-T1-DI 2-Port RJ-48 Multiflex Trunk - T1 With Drop and Insert VWIC-2MFT-T1-DI= 2-Port RJ-48 Multiflex Trunk - T1 VWIC-2MFT-T1 2-Port RJ-48 Multiflex Trunk - T1 VWIC-2MFT-T1= Cisco 2600 Series Supported WAN Interface Cards Part Number 1-Port Serial WAN interface card WIC-1T 1-Port Serial WAN interface card WIC-1T= 1-port 4-WIRE 56/64 KBPS WAN interface card WIC-1DSU-56K4 1-Port 4-Wire 56Kbps DSU/CSU WAN Interface card WIC-1DSU-56K4= 1-Port ISDN WAN interface card(dial and leased line) WIC-1B-S/T 1-Port ISDN WAN interface card(dial and leased line) WIC-1B-S/T= 1-Port ISDN withNT-1WAN interface card(dial and leased line) WIC-1B-U 1-Port ISDN with NT-1 WAN Interface card dial and leasedline WIC-1B-U= 1-Port T1/Fractional T1 DSU/CSU WAN interface card WIC-1DSU-T1 1-Port T1/Fractional T1 DSU/CSU WAN interface card WIC-1DSU-T1= Blank WAN interface card panel WIC-BLANK-PANEL= 2-Port Serial WAN interface card WIC-2T Cisco 2600 Voice/Fax Interface Card for Voice/Fax Modules Part Number 17 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Obtaining Documentation Obtaining Documentation The following sections provide sources for obtaining documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following sites: • http://www.cisco.com • http://www-china.cisco.com • http://www-europe.cisco.com Documentation CD-ROM Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription. Ordering Documentation Cisco documentation is available in the following ways: • Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl • Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387). Documentation Feedback If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. You can e-mail your comments to bug-doc@cisco.com. 2-Port Serial WAN interface card spare WIC-2T= 2-Port Async/Sync Serial WAN interface card WIC-2A/S 2-Port Async/Sync Serial WAN interface card spare WIC-2A/S= Cisco 2600 Series Supported WAN Interface Cards Part Number 18 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Obtaining Technical Assistance To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address: Attn Document Resource Connection Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments. Obtaining Technical Assistance Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website. Cisco.com Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available. Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco. To access Cisco.com, go to the following website: http://www.cisco.com Technical Assistance Center The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract. Contacting TAC by Using the Cisco TAC Website If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http://www.cisco.com/tac 19 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Obtaining Technical Assistance P3 and P4 level problems are defined as follows: • P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue. • P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration. In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.cisco.com/register/ If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website: http://www.cisco.com/tac/caseopen Contacting TAC by Telephone If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml P1 and P2 level problems are defined as follows: • P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available. • P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available. This document is to be used in conjunction with the documents listed in the “References” section. AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. By printing or making a copy of this document, the user agrees to use this information for product evaluation purposes only. Sale of this information in whole or in part is not authorized by Cisco Systems. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0106R) Copyright © 1999, Cisco Systems, Inc. All rights reserved. 20 Cisco 2621 Modular Access Router Security Policy 78-13695-01 Obtaining Technical Assistance Corporate Headquarters: Copyright © 2001. Cisco Systems, Inc. All rights reserved. Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA Cisco 2651 Modular Access Router Security Policy Introduction This is a non-proprietary Cryptographic Module Security Policy for the Cisco 2651 router. This security policy describes how the Cisco 2651 router meets the security requirements of FIPS 140-1, and how to operate the Cisco 2651 router in a secure FIPS 140-1 mode. This policy was prepared as part of the Level 2 FIPS 140-1 certification of the Cisco 2651 router. Note This document may be copied in its entirety and without modification. All copies must include the copyright notice and statements on the last page. FIPS 140-1 (Federal Information Processing Standards Publication 140-1 - Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-1 standard and validation program is available on the NIST website at the following NIST website: http://csrc.nist.gov/cryptval/ This document contains the following sections: • Introduction, page 1 • Cisco 2651 Modular Access Routers, page 2 • Secure Operation of the Cisco 2651 Router, page 10 • Network Modules and WAN Interface Cards, page 11 • Tables of Supported Cards, page 13 • Obtaining Documentation, page 17 • Obtaining Technical Assistance, page 18 2 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Cisco 2651 Modular Access Routers References This document deals only with operations and capabilities of the Cisco 2651 router in the technical terms of a FIPS 140-1 cryptographic module security policy. More information is available on the Cisco 2651 router and the entire 2600 Series from the following sources: • The Cisco Systems website contains information on the full line of Cisco Systems products. Refer to the following website: www.cisco.com. • The 2600 Series product descriptions can be found at the following website: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis2600/2600hig/2600ovr.htm • For answers to technical or sales related questions, please refer to the contacts listed on the following website: www.cisco.com. Terminology In this document, the Cisco 2651 router is referred to as the router, the module, or the system. Document Organization The Security Policy document is part of the complete FIPS 140-1 Submission Package. In addition to this document, the complete Submission Package contains: • Vendor Evidence document • Finite State Machine • Module Software Listing • Other supporting documentation as additional references This document provides an overview of the Cisco 2651 router and explains the secure configuration and operation of the module. This introduction section is followed by the “Cisco 2651 Modular Access Routers” section on page 2, which details the general features and functionality of the Cisco 2651 router. The “Secure Operation of the Cisco 2651 Router” section on page 10 specifically addresses the required configuration for the FIPS-mode of operation. This Security Policy and other Certification Submission Documentation was produced by Corsec Security, Inc. under contract to Cisco Systems. With the exception of this Non-Proprietary Security Policy, the FIPS 140-1 Certification Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems. Cisco 2651 Modular Access Routers Branch office networking requirements are dramatically evolving, driven by web and e-commerce applications to enhance productivity and converging the voice and data infrastructure to reduce costs. The Cisco 2651 modular multi-service router offers versatility, integration, and security to branch offices. With over 70 network modules and interfaces, the modular architecture of the Cisco router easily 3 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Cisco 2651 Modular Access Routers allows interfaces to be upgraded to accommodate network expansion. The Cisco 2651 provides a scalable, secure, manageable remote access server that meets FIPS 140-1 Level 2 requirements. This section describes the general features and functionality provided by the Cisco 2651 router. “Secure Operation of the Cisco 2651 Router” section on page 10 provides further details on how the router addresses FIPS 140-1 requirements. The Cisco 2651 Cryptographic Module The metal casing that fully encloses the module establishes the cryptographic boundary for the router, all the functionality discussed in this document is provided by components within the casing. Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocols (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. Cisco 2600`s RISC-based processor provides the power needed for the dynamic requirements of the remote branch office, achieving wire speed Ethernet to Ethernet routing with up to 25 thousand packets per second (Kpps) throughput capacity. Figure 1 shows a Cisco 2651 modular access router. Figure 1 Cisco 2651 Router Module Interfaces The interfaces for the router are located on the rear panel as shown in Figure 2. Figure 2 Physical Interfaces POWER RPS ACTIVITY Cisco 2600SERIES SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2A/S SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2T Cisco 2651 100-240V– 1A 50/60 Hz 47 W W0 AUX CONSOLE ETHERNET 0 ACT LINK ACT ETHERNET 1 LINK W1 10/100BaseT Ethernet 0/0 (RJ-45) 10/100BaseT Ethernet 0/1 (RJ-45) Auxiliary port (RJ-45) Console port (RJ-45) Cisco 2651 31618 4 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Cisco 2651 Modular Access Routers The Cisco 2600 series features single or dual fixed LAN interfaces, a network module slot, two Cisco WAN interface card (WIC) slots, and a new Advanced Integration Module (AIM) slot. LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token-Ring and Ethernet; and single Token Ring chassis versions. WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity, while available network modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options. The AIM slot supports integration of advanced services such as hardware-assisted data compression and encryption. All Cisco 2600 series routers include an auxiliary port supporting 115Kbps Dial On Demand Routing, ideal for back-up WAN connectivity. The physical interfaces include power plug for the power supply and a power switch. The router has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors on the back panel for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem. The 10/100Base-T LAN ports have Link/Activity, 10/100Mbps, and half/full duplex LEDs. Figure 3 shows the LEDs located on the rear panel with descriptions detailed in Table 1: Figure 3 Rear Panel LEDs Figure 4 shows the front panel LEDs, which provide overall status of the router's operation. The front panel displays whether or not the router is booted, if the redundant power is (successfully) attached and operational, and overall activity/link status. 31620 SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2A/S SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2A/S Cisco 2651 W0 W1 AUX CONSOLE 10/100 ETHERNET 0/0 10/100 ETHERNET 0/1 10/100BaseT Ethernet 0/0 (RJ-45) 10/100BaseT Ethernet 0/1 (RJ-45) Auxiliary port (RJ-45) Console port (RJ-45) FDX LED FDX LED Link FDX FDX Link LED 100 Mbps Mbps LED Link Link LED 100 Mbps Mbps LED Table 1 Rear Panel LEDs and Descriptions LED Indication Description LINK Green An Ethernet link has been established Off No Ethernet link established FDX Green The interface is transmitting data in full-duplex mode Off When off, the interface is transmitting data in half-duplex mode 100 Mbps Green The speed of the interface is 100 Mbps Off The speed of the interface is 10 Mbps or no link is established 5 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Cisco 2651 Modular Access Routers Figure 4 Front Panel LEDs The following table provides more detailed information conveyed by the LEDs on the front panel of the router: All of these physical interfaces are separated into the logical interfaces from FIPS as described in the following table: POWER RPS ACTIVITY H11660 Table 2 Front Panel LEDs and Descriptions LED Indication Description Power Green Power is supplied to the router and the router is operational Off The router is not powered on Redundant Power System (RPS) Green RPS is attached and operational Off No RPS is attached Blink RPS is attached, but has a failure Activity Off In the Cisco IOS software, but no network activity Blink (500 ms ON, 500 ms OFF) In ROMMON, no errors Blink (500 ms ON, 500 ms OFF, 2 sec between codes) In ROMMON, error detected Blink (less than 500 ms) In the Cisco IOS software, the blink rate reflects the level of activity 6 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Cisco 2651 Modular Access Routers *The auxiliary port must be disabled in FIPS mode. See the “Secure Operation of the Cisco 2651 Router” section on page 10. In addition to the built-in interfaces, the router also has approximately 70 network modules that can optionally be placed in an available slot. These networks modules have many embodiments, including multiple Ethernet, token ring, and modem cards to handle frame relay, ATM, and ISDN connections. See the “Network Modules and WAN Interface Cards” section on page 11 for a more detailed description of network modules and how they apply to the FIPS certification. Roles and Services There are two main roles in the router (as required by FIPS 140-1) that operators may assume: Crypto Officer role and User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. Crypto Officer Services During initial configuration of the router a Crypto Officer or Administrator password is defined and all management services are available from this role. The Administrator connects to the router through the console port via terminal program. An administrator of the router may assign permission to access the Administrator role to additional accounts, thereby creating additional administrators. Table 3 FIPS 140-1 Logical Interfaces Router Physical Interface FIPS 140-1 Logical Interface 10/100BASE-TX LAN Port WAN Interface Network Module Interface Console Port Auxiliary Port* Data Input Interface 10/100BASE-TX LAN Port WAN Interface Network Module Interface Console Port Auxiliary Port* Data Output Interface Power Switch Console Port Auxiliary Port* Control Input Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs Power LED Redundant Power LED Activity LED Console Port Auxiliary Port* Status Output Interface Power Plug Power Interface 7 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Cisco 2651 Modular Access Routers At the highest level, Crypto Officer services include the following: • Configure the router: define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, load authentication information, etc. • Define Rules and Filters: create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. • Status Functions: view the router configuration, routing tables, active sessions, use Gets to view SNMP MIB II statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status • Manage the router: log off users, shutdown or reload the router, manually back up router configurations, view complete configurations, manager user rights, restore router configurations, etc. • Set Encryption/Bypass: set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range or allow plaintext packets to be set from specified IP address. • Change Network Modules: insert and remove modules in the network module slot as described in the “Physical Security” section on page 7 of this document. • Change WAN Interface Cards: insert and remove modules in the network module slot as described in the “Physical Security” section on page 7 of this document. A complete description of all the management and configuration capabilities of the Cisco 2651 router can be found in the Performing Basic System Management manual and in the online help for the router. User Services A User enters the system by accessing the console port with a terminal program. The IOS prompts the User for their password. If it matches the plaintext password stored in IOS memory, the User is allowed entry to the IOS executive program. The services available to the User role include: At the highest level, User services include the following: • Status Functions: view state of interfaces, state of layer 2 protocols, version of IOS currently running • Network Functions: connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services (i.e., ping, mtrace) • Terminal Functions: adjust the terminal session (e.g., lock the terminal, adjust flow control) • Directory Services: display directory of files kept in flash memory Physical Security The router is entirely encased by a thick steel chassis. The rear of the unit provides 1 Network Module slot, 2 WIC slots, on-board LAN connectors, Console/Auxiliary connectors, the power cable connection and a power switch. The top portion of the chassis may be removed (see Figure 5) to allow access to the motherboard, memory, expansion slots and Advanced Interface Module. 8 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Cisco 2651 Modular Access Routers Figure 5 Chassis Removal Once the router has been configured in to meet FIPS 140-1 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows: Step 1 Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10(C. Step 2 Place the first label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the tamper evidence label covers the enclosure and the other half covers the side of the router. Any attempt to remove the enclosure will leave tamper evidence. Step 3 Place the second label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the tamper evidence label covers the enclosure and the other half covers the side of the router. Any attempt to remove the enclosure will leave tamper evidence. Step 4 Place the third label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the label covers the enclosure and the other half covers the Network Module slot. Any attempt to remove a network module will leave tamper evidence. Step 5 Place the fourth label on the router as shown in Figure 6. The tamper evidence label should be placed so that the half of the label covers the enclosure and the other half covers the WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Step 6 Place the fifth label on the router as shown in Figure 6. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. Step 7 The labels completely cure within five minutes. 35392 POWER RPS ACTIVITY Cisco 2600SERIES 9 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Cisco 2651 Modular Access Routers Figure 6 Tamper-Evident Labels The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to open the router, remove network modules or WIC cards, or the front faceplate will damage the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper evidence labels have non-repeated serial numbers, the labels may be inspected for damage and compared against the applied serial numbers to verify that the module has not been tampered. Tamper evidence labels can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, and slices. The word "Opened" may appear if the label was peeled back. Cryptographic Key Management The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. Keys are also password protected and can be zeroized by the Crypto Officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE). The Cisco 2651router contains a cryptographic accelerator card, which provides DES (56-bit) and 3DES (168-bit) IPSec encryption at up to 32Mbps (3DES, 96Mbps DES), MD5 and SHA-1 hashing, and has hardware support for DH, RSA, and DSA key generation. Self-Tests In order to prevent any secure data being released, it is important to test the cryptographic components of a security module to insure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. The self-test run at power-up includes a cryptographic known answer tests (KAT) on the FIPS-approved cryptographic algorithms (DES, 3DES), on the message digest (SHA-1) and on Diffie-Hellman algorithm. Also performed at startup are software integrity test using an EDC, and a set of Statistical Random Number Generator (RNG) tests. The following tests are also run periodically or conditionally: a Bypass Mode test performed conditionally prior to executing IPSec, a software load test for upgrades and the continuous random number generator test. If any of these self-tests fail, the router will transition into an error state. Within the error state, all secure data transmission is halted and the router outputs status information indicating the failure. 62125 SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2A/S SEE MANUAL BEFORE INSTALLATION SERIAL 1 SERIAL 0 CONN CONN WIC 2T Cisco 2611 100-240V– 1A 50/60 Hz 47 W W0 AUX CONSOLE ETHERNET 0 ACT LINK ACT ETHERNET 1 LINK W1 POWER RPS ACTIVITY Cisco 2600SERIES 10 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Secure Operation of the Cisco 2651 Router Secure Operation of the Cisco 2651 Router The Cisco 2651 router meets all the Level 2 requirements for FIPS 140-1. Follow the setting instructions provided below to place the module in FIPS mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation. Initial Setup Step 1 The Crypto Officer must apply tamper evidence labels as described in the “Physical Security” section on page 7 of this document. The Crypto Officer must securely store tamper evidence labels before use, and any tamper evidence labels not used should also be stored securely. Step 2 Only a Crypto Officer may add and remove network modules. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper evidence labels on the router as described inthe “Physical Security” section on page 7 Step 3 Only a Crypto Officer may add and remove WAN Interface Cards. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper evidence labels on the router as described in the “Physical Security” section on page 7. System Initialization and Configuration Step 1 The Crypto Officer must perform the initial configuration. The IOS version shipped with the router, version 12.1(5)T, is the only allowable image. No other image may be loaded. Step 2 The value of the boot field must be 0x0101 (the factory default). This setting disables break from the console to the ROM monitor and automatically and boots the IOS image. From the "configure terminal" command line, the Crypto Officer enters the following syntax: config-register 0x0101 Step 3 The Crypto Officer must create the "enable" password for the Crypto Officer role. The password must be at least 8 characters and is entered when the Crypto Officer first engages the "enable" command. The Crypto Officer enters the following syntax at the "#" prompt: enable secret [PASSWORD] Step 4 The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication of the console port is required for Users. From the "configure terminal" command line, the Crypto Officer enters the following syntax: line con 0 password [PASSWORD] login local Step 5 The Crypto Officer shall only assign users to a privilege level 1 (the default). Step 6 The Crypto Officer shall not assign a command to any privilege level other than its default. 11 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Network Modules and WAN Interface Cards Non-FIPS Approved Algorithms The following algorithms are not FIPS approved and should be disabled: • RSA for encryption • MD-4 and MD-5 for signing • ah-sha-hmac • esp-sha-hmac • HMAC SHA-1 Protocols The following network services affect the security data items and must not be configured: NTP, TACACS+, RADIUS, Kerberos. SNMP v3 over a secure IPSec tunnel may be employed for authenticated, secure SNMP gets and sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under SNMP v2C. Remote Access Auxiliary terminal services must be disabled, except for the console. The following configuration disables login services on the auxiliary console line. line aux 0 no exec Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto officer must configure the module so that any remote connections via telnet are secured through IPSec. Network Modules and WAN Interface Cards With over 70 modular interface options, the Cisco 2651 provides solutions for data, voice, video, hybrid dial access, virtual private networks (VPNs), and multi-protocol data routing. The high-performance, modular architecture protects customers' investment in network technology and integrates the functions of several devices into a single, manageable solution. Each network module and WAN Interface Card (WIC) meets FIPS 140-1 requirements for physical interfaces. They are classified as data input interfaces and data output interfaces. Network modules and WICs are an external interface, similar to the 100Base-T LAN ports. They expand the router's physical interfaces with multi-port ATM modules, multi-port Ethernet modules, high-speed serial interfaces, etc. A list all network modules and WICs is included with this document (See the “Tables of Supported Cards” section on page 13). 12 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Network Modules and WAN Interface Cards Network Modules When a network module is inserted, it fits into an adapter called the network module expansion bus. The expansion bus interacts with the PCI bridge in the same way that the fixed LAN ports do; therefore, no critical security parameters pass through the network module (just as they don't pass through the LAN ports). The Advanced Interface Module (AIM) socket, which contains the cryptographic accelerator card, interacts with only the PCI bridge. There is no direct interaction between the AIM socket and the network module expansion bus, just as there is no interaction between the fixed AIM socket and the fixed LAN ports. Furthermore, network modules do not perform any cryptographic functions. The Cisco 2651 block diagram clearly depicts the distinction between the network module slot and the AIM socket. The block diagram for the crypto card clearly delineates that the network modules and network module expansion bus have no direct interaction with the crypto card. Therefore, no security parameters pass through the network module expansion bus to the crypto card or vice versa. The expansion bus for the network module card is inside the cryptographic boundary, but it services only the network modules (physical interfaces) and has no effect on the cryptographic processing of the module. If the expansion bus were at the router's cryptographic boundary (as opposed to being inside the boundary), the same principles would apply. While the cryptographic boundary is drawn at the router case, adding and removing network modules will not compromise the security of the router. As described in the “Roles and Services” section on page 6, only a Crypto Officer may replace a network module. If someone other than the Crypto Officer attempts to change a network module, the stickers over the network module slot will indicate tamper evidence. Thus, only valid network modules will be used and only the proper authority may change them. The “Physical Security” section on page 7 provides instructions to change network modules in a FIPS-approved manner. WAN Interface Cards WICs are similar to network modules in that they greatly increase the router's flexibility. The WICs are inserted into one of two slots, which are located above the fixed LAN ports. WICs interface directly with the processor. They do not interface with the cryptographic card; therefore no security parameters will pass through them. WICs cannot perform cryptographic functions; they only serve as a data input and data output physical interface. Please refer to the block diagrams for further reference. Only the Crypto Officer may change WICs, and they must follow the same guidelines for changing network modules (see the “Physical Security” section on page 7). Console Port Additionally, the console port does not directly interface with the network modules, the WICs, or the AIM socket; therefore, no critical security parameters will be passed over the network modules, WICs, or cryptographic processing card from the terminal. Conclusion Network modules and WAN Interface Cards do not affect the cryptographic processing of the router, nor are they privy to any security parameters contained in the router's cryptographic card. The following table describes the input data types and output data types of network modules and WICs: 13 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Tables of Supported Cards No critical security parameters are passed though either of these interfaces. These interfaces do not perform any cryptographic functions, and "hot swapping" these interfaces by the Crypto Officer as described in the “Initial Setup” section on page 10 does not compromise the security of the router. Tables of Supported Cards Network Modules Supported Network Module and WAN Interface Card Input Data type Output Data type Plaintext data that is to be encrypted from the local area network Plaintext data that has been decrypted by the module Encrypted input from the remote modules (Wide Area Network) Ciphertext data that has been encrypted by the module Internet Key Exchange information from the remote module Internet Key Exchange information from the module Status information Cisco 2600 Series Supported Network Modules Part Number 1-Port DS3 ATM Network Module NM-1A-T3 1-Port DS3 ATM Network Module NM-1A-T3= 1-Port E3 ATM Network Module NM-1A-E3 1-Port E3 ATM Network Module NM-1A-E3= 16 port Asynchronous Module NM-16A= 16 port Asynchronous Module NM-16A 32 port Asynchronous Module NM-32A 32 port Asynchronous Module NM-32A= 4-Port Async/Sync Serial Network Module NM-4A/S 4-Port Async/Sync Serial Network Module NM-4A/S= 4-Port ISDN-BRI Network Module NM-4B-S/T 4-Port ISDN-BRI Network Module NM-4B-S/T= 4-Port ISDN-BRI with NT-1 Network Module NM-4B-U 4-Port ISDN-BRI with NT-1 Network Module NM-4B-U= 8-Port Async/Sync Serial Network Module NM-8A/S 8-Port Async/Sync Serial Network Module NM-8A/S= 8-Port ISDN-BRI Network Module NM-8B-S/T 14 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Tables of Supported Cards 8-Port ISDN-BRI Network Module NM-8B-S/T= 8-Port ISDN-BRI with NT-1 Network Module NM-8B-U 8-Port ISDN-BRI with NT-1 Network Module NM-8B-U= 1-Port Channelized T1/ISDN-PRI Network Module NM-1CT1 1-Port Channelized T1/ISDN-PRI Network Module NM-1CT1= 1-Port Channelized T1/ISDN-PRI with CSU Network Module NM-1CT1-CSU 1-Port Channelized T1/ISDN-PRI with CSU Network Module NM-1CT1-CSU= 2-Port Channelized T1/ISDN-PRI Network Module NM-2CT1 2-Port Channelized T1/ISDN-PRI Network Module NM-2CT1= 2-Port Channelized T1/ISDN-PRI with CSU Network Module NM-2CT1-CSU 2-Port Channelized T1/ISDN-PRI with CSU Network Module NM-2CT1-CSU= 1-Port Channelized E1/ISDN-PRI Balanced Network Module NM-1CE1B 1-Port Channelized E1/ISDN-PRI Balanced Network Module NM-1CE1B= 1-Port Channelized E1/ISDN-PRI Unbalanced Network Module NM-1CE1U 1-Port Channelized E1/ISDN-PRI Unbalanced Network Module NM-1CE1U= 2-Port Channelized E1/ISDN-PRI Balanced Network Module NM-2CE1B 2-Port Channelized E1/ISDN-PRI Balanced Network Module NM-2CE1B= 2-Port Channelized E1/ISDN-PRI Unbalanced Network Module NM-2CE1U 2-Port Channelized E1/ISDN-PRI Unbalanced Network Module NM-2CE1U= 4-Port Ethernet Network Module NM-4E 4-Port Ethernet Network Module NM-4E= 4-port E1 ATM Network Module with IMA NM-4E1-IMA 4-port E1 ATM Network Module with IMA NM-4E1-IMA= 4-port T1 ATM Network Module with IMA NM-4T1-IMA= 4-port T1 ATM Network Module with IMA NM-4T1-IMA 1-Port Ethernet Network Module NM-1E 1-Port Ethernet Network Module NM-1E= One port ATM 25Mbps network module NM-1ATM-25 Single port ATM 25 Network Module for 3600 series(spare) NM-1ATM-25= 8Port Analog Modem Network Module NM-8AM 8-port E1 ATM Network Module with IMA NM-8E1-IMA 8-port E1 ATM Network Module with IMA NM-8E1-IMA= 8-port T1 ATM Network Module with IMA NM-8T1-IMA 8-port T1 ATM Network Module with IMA NM-8T1-IMA= 16 Port Analog Modem Network Module NM-16AM 16 Port Analog Modem Network Module Spare NM-16AM= Blank Network Module Panel NM-BLANK-PANEL= Cisco 2600 Series Supported Network Modules Part Number 15 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Tables of Supported Cards Voice/Fax Network Modules Supported Voice/Fax Interface Card for Voice/Fax Modules Supported Single-Port 24 Channel T1 Voice/Fax Network Module NM-HDV-1T1-24 Single-Port 24 Channel T1 Voice/Fax Network Module NM-HDV-1T1-24= Single-Port 24 Enhanced Channel T1 Voice/Fax Network Module NM-HDV-1T1-24E Single-Port 24 Enhanced Channel T1 Voice/Fax Network Module NM-HDV-1T1-24E= Dual-Port 48 Channel T1 Voice/Fax Network Module NM-HDV-2T1-48 Dual-Port 48 Channel T1 Voice/Fax Network Module NM-HDV-2T1-48= 2 WAN Card Slot Network Module(no LAN) NM-2W 2 WAN Card Slot Network Module(no LAN) NM-2W= Single-Port 30 Channel E1 Voice/Fax Network Module NM-HDV-1E1-30 Single-Port 30 Channel E1 Voice/Fax Network Module NM-HDV-1E1-30= Single-Port 30 Enhanced Channel E1 Voice/Fax Network Module NM-HDV-1E1-30E Single-Port 30 Enhanced Channel E1 Voice/Fax Network Module NM-HDV-1E1-30E= Dual-Port 60 Channel E1 Voice/Fax Network Module NM-HDV-2E1-60 Dual-Port 60 Channel E1 Voice/Fax Network Module NM-HDV-2E1-60= Cisco 2600 Voice/Fax Network Modules Part Number One-slot Voice/fax Network Module NM-1V One-Slot Voice/fax Network Module-Spare NM-1V= Two-Slot Voice/fax Network Module NM-2V Two-Slot Voice/fax Network Module-Spare NM-2V= Cisco 2600 Voice/Fax Interface Card for Voice/Fax Modules Part Number Two-port Voice Interface Card - FXS VIC-2FXS Two-port Voice Interface Card - FXS-Spare VIC-2FXS= Two-port Voice Interface Card - FXO VIC-2FXO Two-port Voice Interface Card - FXO-Spare VIC-2FXO= Two-port Voice Interface Card - E&M VIC-2E/M Two-port Voice Interface Card - E&M-Spare VIC-2E/M= Two-port Voice Interface Card - FXO (for Europe) VIC-2FXO-EU Two-port Voice Interface Card - FXO (for Europe) VIC-2FXO-EU= Two-port Voice Interface Card - FXO (for Australia) VIC-2FXO-M3 Cisco 2600 Series Supported Network Modules Part Number 16 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Tables of Supported Cards Multiflex Voice / WAN interface Cards Supported WAN Interface Cards Supported Two-port Voice Interface Card - FXO (for Australia) VIC-2FXO-M3= Two-port Voice Interface Card - BRI (Terminal) VIC-2BRI-S/T-TE Two-port Voice Interface Card - BRI (Terminal) VIC-2BRI-S/T-TE= Cisco 2600 Multiflex Voice / WAN interface Cards Part Number 1-Port RJ-48 Multiflex Trunk - E1 VWIC-1MFT-E1 1-Port RJ-48 Multiflex Trunk - E1 VWIC-1MFT-E1= 2-Port RJ-48 Multiflex Trunk - E1 VWIC-2MFT-E1= 2-Port RJ-48 Multiflex Trunk - E1 With Drop and Insert VWIC-2MFT-E1-DI 2-Port RJ-48 Multiflex Trunk - E1 With Drop and Insert VWIC-2MFT-E1-DI= 1-Port RJ-48 Multiflex Trunk - T1 VWIC-1MFT-T1 1-Port RJ-48 Multiflex Trunk - T1 VWIC-1MFT-T1= 2-Port RJ-48 Multiflex Trunk - T1 With Drop and Insert VWIC-2MFT-T1-DI 2-Port RJ-48 Multiflex Trunk - T1 With Drop and Insert VWIC-2MFT-T1-DI= 2-Port RJ-48 Multiflex Trunk - T1 VWIC-2MFT-T1 2-Port RJ-48 Multiflex Trunk - T1 VWIC-2MFT-T1= Cisco 2600 Series Supported WAN Interface Cards Part Number 1-Port Serial WAN interface card WIC-1T 1-Port Serial WAN interface card WIC-1T= 1-port 4-WIRE 56/64 KBPS WAN interface card WIC-1DSU-56K4 1-Port 4-Wire 56Kbps DSU/CSU WAN Interface card WIC-1DSU-56K4= 1-Port ISDN WAN interface card(dial and leased line) WIC-1B-S/T 1-Port ISDN WAN interface card(dial and leased line) WIC-1B-S/T= 1-Port ISDN withNT-1WAN interface card(dial and leased line) WIC-1B-U 1-Port ISDN with NT-1 WAN Interface card dial and leasedline WIC-1B-U= 1-Port T1/Fractional T1 DSU/CSU WAN interface card WIC-1DSU-T1 1-Port T1/Fractional T1 DSU/CSU WAN interface card WIC-1DSU-T1= Blank WAN interface card panel WIC-BLANK-PANEL= 2-Port Serial WAN interface card WIC-2T Cisco 2600 Voice/Fax Interface Card for Voice/Fax Modules Part Number 17 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Obtaining Documentation Obtaining Documentation The following sections provide sources for obtaining documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following sites: • http://www.cisco.com • http://www-china.cisco.com • http://www-europe.cisco.com Documentation CD-ROM Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription. Ordering Documentation Cisco documentation is available in the following ways: • Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl • Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387). Documentation Feedback If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. You can e-mail your comments to bug-doc@cisco.com. 2-Port Serial WAN interface card spare WIC-2T= 2-Port Async/Sync Serial WAN interface card WIC-2A/S 2-Port Async/Sync Serial WAN interface card spare WIC-2A/S= Cisco 2600 Series Supported WAN Interface Cards Part Number 18 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Obtaining Technical Assistance To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address: Attn Document Resource Connection Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments. Obtaining Technical Assistance Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website. Cisco.com Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available. Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco. To access Cisco.com, go to the following website: http://www.cisco.com Technical Assistance Center The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract. Contacting TAC by Using the Cisco TAC Website If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http://www.cisco.com/tac 19 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Obtaining Technical Assistance P3 and P4 level problems are defined as follows: • P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue. • P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration. In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.cisco.com/register/ If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website: http://www.cisco.com/tac/caseopen Contacting TAC by Telephone If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml P1 and P2 level problems are defined as follows: • P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available. • P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available. This document is to be used in conjunction with the documents listed in the “References” section. AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. By printing or making a copy of this document, the user agrees to use this information for product evaluation purposes only. Sale of this information in whole or in part is not authorized by Cisco Systems. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0106R) Copyright © 1999, Cisco Systems, Inc. All rights reserved. 20 Cisco 2651 Modular Access Router Security Policy 78-13697-01 Obtaining Technical Assistance