Cisco 1721 and Cisco 1760 Modular Access Routers with MOD1700-VPN FIPS 140-2 Non-Proprietary Security Policy
78-16315-01
Secure Operation of the Cisco 1721/1760 Router
The Cisco 1721 and 1760 Modular Access Routers with MOD1700-VPN meet all the Level 2
requirements for FIPS 140-2. Follow the instructions below to place the module in FIPS
mode. Operating this router without maintaining the following settings removes the module
from the FIPS approved mode of operation.
Initial Setup
· The Crypto Officer must ensure that the MOD1700-VPN cryptographic accelerator card is installed
in the module by opening the chassis and visually confirming the presence of the MOD1700-VPN.
Please refer to the Cisco publication Installing the Virtual Private Network Module in a Cisco 1700
Series Router for detailed instructions on chassis disassembly and reassembly, and MOD1700-VPN
identification. This document may be accessed on the web at:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/1700/1700cnts/interclr.pdf
·
section of this document.
· Only a Crypto Officer may add and remove WAN Interface Cards. When removing the tamper
evidence label, the Crypto Officer should remove the entire label from the router and clean the cover
of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply
document.
·
· The Crypto Officer must disable IOS Password Recovery by executing the following commands:
configure terminal
no service password-recovery
end
show version
Note
Once Password Recovery is disabled, administrative access to the module without the
password will not be possible.
System Initialization and Configuration
· The Crypto Officer must perform the initial configuration. IOS version 12.3(3d) is the only
allowable image; no other image may be loaded.
· The value of the boot field must be 0x0101 (the factory default). This setting disables break from
the console to the ROM monitor and automatically boots the IOS image. From the "configure terminal"
command line, the Crypto Officer enters the following syntax:
config-register 0x0101
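An added example, not part of the Cisco policy: a Python check that audits saved router output against the three settings above (image 12.3(3d), configuration register 0x0101, password recovery disabled). The function name audit is hypothetical, the sample text is constructed rather than captured from a router, and the code assumes the usual IOS wording of the "show version" lines and that the running configuration lists "no service password-recovery" verbatim.

```python
import re

REQUIRED_VERSION = "12.3(3d)"   # the only allowable image per the policy
REQUIRED_CONFREG = 0x0101       # required configuration register value

# Constructed sample text, not captured from a real router.
SAMPLE_SHOW_VERSION = """\
IOS (tm) C1700 Software (SAMPLE-IMAGE), Version 12.3(3d), RELEASE SOFTWARE (fc1)
Configuration register is 0x2102 (will be 0x0101 at next reload)
"""
SAMPLE_RUNNING_CONFIG = """\
version 12.3
no service password-recovery
hostname example-router
"""

def audit(show_version, running_config):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # First "Version x" token in the output is taken as the running image.
    m = re.search(r"\bVersion\s+([^,\s]+)", show_version)
    if not m:
        findings.append("IOS version not found in show version output")
    elif m.group(1) != REQUIRED_VERSION:
        findings.append(f"IOS version {m.group(1)} is not {REQUIRED_VERSION}")

    # A changed register only takes effect after a reload, so read both values.
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", show_version)
    if not m:
        findings.append("configuration register not found")
    else:
        active = int(m.group(1), 16)
        pending = int(m.group(2), 16) if m.group(2) else None
        if active != REQUIRED_CONFREG:
            note = " (0x0101 pending, reload required)" if pending == REQUIRED_CONFREG else ""
            findings.append(f"active configuration register is {active:#06x}{note}")
        elif pending not in (None, REQUIRED_CONFREG):
            findings.append(f"configuration register will change to {pending:#06x} at next reload")

    # The command must appear as its own line in the running configuration.
    lines = [line.strip() for line in running_config.splitlines()]
    if "no service password-recovery" not in lines:
        findings.append("password recovery is not disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG) or ["compliant"]:
        print(finding)
```

The constructed sample shows the case where config-register 0x0101 has been entered but the router has not yet reloaded, so the old value is still active.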