25
Cisco 2691 and 3725 Modular Access Routers with AIM-VPN/EP II and Cisco 3745 Modular Access Router with AIM-VPN/HP II FIPS 140-2
OL-6084-01
Secure Operation of the Cisco 2691, 3725, and 3745 Routers
The Cisco 2691 and 3725 Modular Access Routers with AIM-VPN/EP II and the Cisco 3745 Modular
Access Router with AIM-VPN/HP II meet all the Level 2 requirements for FIPS 140-2. Follow the
setting instructions provided below to place the modules in FIPS mode. Operating the routers without
maintaining the following settings will remove the modules from the FIPS approved mode of operation.
Initial Setup
· The Crypto Officer must ensure that the AIM-VPN/EP II or AIM-VPN/HP II cryptographic accelerator card is installed in the module by opening the chassis and visually confirming the presence of the AIM-VPN/EP II or AIM-VPN/HP II.
· section of this document.
· Only a Crypto Officer may add and remove Network Modules. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper evidence labels on the router as described in the "Physical Security" section of this document.
· Only a Crypto Officer may add and remove WAN Interface Cards. When removing the tamper evidence label, the Crypto Officer should remove the entire label from the router and clean the cover of any grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply
document.
· The Crypto Officer must disable IOS Password Recovery by executing the following commands:
    configure terminal
    no service password-recovery
    end
    show version
Note
Once Password Recovery is disabled, administrative access to the module without the password will not be possible.
System Initialization and Configuration
· The Crypto Officer must perform the initial configuration. IOS version 12.3(3d) is the only allowable image; no other image may be loaded.
· The value of the boot field must be 0x0101 (the factory default). This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the "configure terminal" command line, the Crypto Officer enters the following syntax:
    config-register 0x0101
· The Crypto Officer must create the "enable" password for the Crypto Officer role. The password must be at least 8 characters and is entered when the Crypto Officer first engages the "enable" command. The Crypto Officer enters the following syntax at the "#" prompt:
    enable secret [PASSWORD]
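An auditor verifying that a router still meets the settings above can compare the output of "show version" and "show running-config" against the required values. The following checker is an added example written for this page, not part of Cisco's security policy or IOS; the command output it parses is constructed to resemble IOS output and the hashed secret is a placeholder.

```python
import re

# Constructed sample output, modelled on what IOS "show version" prints.
SHOW_VERSION_OK = """\
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3725-IK9O3S-M), Version 12.3(3d), RELEASE SOFTWARE (fc1)
Configuration register is 0x0101
"""
# Same router with a register value that re-enables console break (constructed).
SHOW_VERSION_BAD = SHOW_VERSION_OK.replace("0x0101", "0x2102")

# Constructed running-config excerpts; the secret hash is a placeholder.
RUNNING_CONFIG_OK = """\
version 12.3
no service password-recovery
hostname fips-router
enable secret 5 $1$PLACEHOLDER$notarealhash
"""
# Password recovery is on by default, so its absence from the config is the failure.
RUNNING_CONFIG_BAD = RUNNING_CONFIG_OK.replace("no service password-recovery\n", "")

REQUIRED_IOS = "12.3(3d)"      # only allowable image per the policy
REQUIRED_CONFREG = "0x0101"    # boot field value required by the policy


def check_fips_settings(show_version: str, running_config: str) -> dict:
    """Map each policy-required setting to True (compliant) or False."""
    version = re.search(r"Version\s+([\w.()]+)", show_version)
    confreg = re.search(r"Configuration register is (0x[0-9A-Fa-f]{4})", show_version)
    lines = [line.strip() for line in running_config.splitlines()]
    return {
        "ios_image": version is not None and version.group(1) == REQUIRED_IOS,
        "config_register": confreg is not None and confreg.group(1).lower() == REQUIRED_CONFREG,
        "password_recovery_disabled": "no service password-recovery" in lines,
        # "enable secret" stores a hashed secret; a plain "enable password" does not count.
        "enable_secret_set": any(line.startswith("enable secret ") for line in lines),
    }


def fips_mode_violations(show_version: str, running_config: str) -> list:
    """Return the names of the settings that fail, so the operator knows what to fix."""
    results = check_fips_settings(show_version, running_config)
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    print("compliant:", fips_mode_violations(SHOW_VERSION_OK, RUNNING_CONFIG_OK))
    print("violations:", fips_mode_violations(SHOW_VERSION_BAD, RUNNING_CONFIG_BAD))
```

The minimum 8-character length of the enable password cannot be verified from the stored hash, so that requirement still has to be enforced at the time the Crypto Officer sets it.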