Cisco Catalyst 6509 Switch, 7606 and 7609 Routers with VPN Services Module
FIPS 140-2 Non-Proprietary Security Policy
Level 2 Validation
Version 1.5
April 21, 2004

© Copyright 2004 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Table of Contents

1 Introduction ... 3
1.1 Purpose ... 3
1.2 References ... 3
1.3 Terminology ... 3
1.4 Document Organization ... 3
2 The 6509 Switch/7606 and 7609 Routers ... 5
2.1 The 6509/7606/7609 Cryptographic Module ... 5
2.2 Module Interfaces ... 7
2.3 Roles and Services ... 9
2.3.1 Crypto Officer Role ... 10
2.3.2 User Services ... 10
2.4 Physical Security ... 11
2.5 Cryptographic Key Management ... 13
2.6 Self-Tests ... 18
3 Secure Operation of the Cisco 6509 Switch/7606 and 7609 Router ... 20
3.1 Initial Setup ... 20
3.2 System Initialization and Configuration ... 20
3.3 IPSec Requirements and Cryptographic Algorithms ... 21
3.4 Protocols ... 21
3.5 Remote Access ... 21

1 Introduction

1.1 Purpose

This is the non-proprietary Cryptographic Module Security Policy for the Cisco Catalyst 6509 Switch, 7606 and 7609 Routers with VPN Services Module (Hardware Version: 6509, 7606 and 7609; Backplane chassis: Hardware Version 3.0 (6509), 1.0 (7606) and 1.0 (7609); Supervisor Blade: Hardware Version 3.2; VPN Accelerator Blade: Hardware Version 1.2; Firmware Version: 12.2(14)SY3). This security policy describes how the Catalyst 6509 Switch, 7606 and 7609 Routers with VPN Services Module meet the security requirements of FIPS 140-2, and how to operate them in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the Catalyst 6509 Switch, 7606 and 7609 Routers with VPN Services Module.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules.
More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/.

1.2 References

This document deals only with the operations and capabilities of the Catalyst 6509 Switch, 7606 and 7609 Routers in the technical terms of a FIPS 140-2 cryptographic module security policy. More information on the Catalyst 6509 Switch, 7606 and 7609 Routers and on the entire 6500 and 7600 series is available from the following sources:

· The Cisco Systems website contains information on the full line of products at www.cisco.com. The 6500 Series product descriptions can be found at http://www.cisco.com/en/US/products/hw/switches/ps708/index.html. The 7600 Series product descriptions can be found at http://www.cisco.com/en/US/products/hw/routers/ps368/index.html.
· For answers to technical or sales-related questions, please refer to the contacts listed on the Cisco Systems website at www.cisco.com.
· The NIST Validated Modules website (http://csrc.nist.gov/cryptval) contains contact information for answers to technical or sales-related questions about the module.

1.3 Terminology

In this document, the Cisco Catalyst 6509 Switch, 7606 and 7609 Routers with VPN Services Module are referred to as the 6509, 7606 and 7609; the 6509 switch, 7606 router and 7609 router; the routers; the modules; or the systems.

1.4 Document Organization

The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

· Vendor Evidence document
· Finite State Machine
· Module Software Listing
· Other supporting documentation as additional references

This document provides an overview of the Cisco Catalyst 6509 Switch, 7606 and 7609 Routers and explains the secure configuration and operation of the modules.
This introduction is followed by Section 2, which details the general features and functionality of the Catalyst 6509 Switch, 7606 and 7609 Routers. Section 3 specifically addresses the required configuration for the FIPS-approved mode of operation.

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.

2 The 6509 Switch/7606 and 7609 Routers

Branch office networking requirements are evolving rapidly, driven by web and e-commerce applications that enhance productivity and by the merging of voice and data infrastructure to reduce costs. The Cisco Catalyst 6509 Switch, 7606 and 7609 Routers with VPN Services Module offer versatility, integration, and security to branch offices. With numerous Network Modules (NMs) and Service Modules (SMs) available, the modular architecture of the Cisco router allows interfaces to be upgraded easily to accommodate network expansion. The Cisco 6509, 7606 and 7609 provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements as a multi-chip standalone module.

This section describes the general features and functionality provided by the Cisco 6509 switch, 7606 and 7609 routers.

2.1 The 6509/7606/7609 Cryptographic Module
Figure 1 - The 6509 Switch, 7606 and 7609 Routers

The cryptographic boundary is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate an NM or SM; and the inverse of the three-dimensional space within the case that would be occupied by any installed NM or SM which does not perform Approved cryptographic functions, or by any installed power supply module. The cryptographic boundary includes the connection apparatus between the NM/SM and the motherboard/daughterboard that hosts the NM/SM, but it does not include the NM/SM itself unless that NM/SM performs Approved cryptographic functions. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed NMs/SMs that do not perform Approved cryptographic functions and the power supply sub-modules. Currently available Service Modules include a Network Access Module (NAM), a Firewall Module, and a VPN Services Module. All of the functionality discussed in this document is provided by components within this cryptographic boundary.

The modules require that a special opacity shield be installed over the right-hand-side air vents (shown on the right-hand side of the modules in Figure 1) in order to operate in FIPS-approved mode. The shield decreases the effective size of the vent holes, reducing visibility into the cryptographic boundary to FIPS-approved specifications. Detailed installation instructions for the shield are provided in the documentation that accompanies the shield in the FIPS kit. (The 7609 chassis does not use an opacity shield; see the label placement instructions in Section 2.4.)

The Cisco 6509 Switch, 7606 and 7609 Routers incorporate a single VPN Services Module cryptographic accelerator card. The VPN Services Module is installed in an NM/SM slot.
Cisco IOS features such as tunneling, data encryption, and termination of remote access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocol (L2TP) make the Cisco 6509, 7606 and 7609 with VPN Services Module an ideal platform for building virtual private networks or outsourced dial solutions. The modules' RISC-based processor provides the power needed for the dynamic requirements of the remote branch office.

2.2 Module Interfaces

The interfaces for the routers are located on the front panel as shown in Figure 2.

Figure 2 - 6509, 7606 and 7609 Physical Interfaces

The Cisco Catalyst 6509 Switch, 7606 and 7609 Routers feature console ports, fixed Ethernet interfaces, nine Cisco Network/Service Module slots on the 6509 and 7609, and six Network/Service Module slots on the 7606. Network modules support a variety of LAN and WAN connectivity interfaces, for example Ethernet, ATM, serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity. An NM/SM is inserted into one of the NM/SM slots, which are located on the front panel of all three platforms. NMs/SMs interface directly with the processor; apart from the VPN Services Module, they cannot perform cryptographic functions and serve only as data input and data output physical interfaces.

The router has two Ethernet uplink ports. The module also has an RJ-45 connector for a console terminal for local system access. The Ethernet ports have Link LEDs. Power is supplied to the module from the power supply sub-module via the backplane.

Figure 2 shows the LEDs located on the 6509, 7606 and 7609; they are described in Table 1 below.

Supervisor 2 Module LEDs

STATUS
  Green   All diagnostics pass. The module is operational (normal initialization sequence).
  Orange  The module is booting or running diagnostics (normal initialization sequence); or an over-temperature condition has occurred (a minor temperature threshold has been exceeded during environmental monitoring).
  Red     The diagnostic test failed. The module is not operational because a fault occurred during the initialization sequence; or an over-temperature condition has occurred (a major temperature threshold has been exceeded during environmental monitoring).

SYSTEM [1]
  Green   All chassis environmental monitors are reporting OK.
  Orange  The power supply has failed or the power supply fan has failed; incompatible power supplies are installed; the redundant clock has failed; or one VTT [2] module has failed or the VTT module temperature minor threshold has been exceeded [3].
  Red     Two VTT modules have failed or the VTT module temperature major threshold has been exceeded; or the supervisor engine temperature major threshold has been exceeded.

ACTIVE
  Green   The supervisor engine is operational and active.
  Orange  The supervisor engine is in standby mode.

PWR MGMT [1]
  Green   Sufficient power is available for all modules.
  Orange  Sufficient power is not available for all modules.

SWITCH LOAD
  If the switch is operational, the switch load meter indicates (as an approximate percentage) the current traffic load over the backplane.

PCMCIA
  The PCMCIA LED is lit when no Flash PC card is in the slot, and it goes off when you insert a Flash PC card.

LINK
  Green            The port is operational.
  Orange           The link has been disabled by software.
  Flashing orange  The link is bad and has been disabled due to a hardware failure.
  Off              No signal is detected.

VPN Services Module LEDs

STATUS
  Green   All non-FIPS-related diagnostic tests pass. The module is operational. [4]
  Red     A diagnostic test other than an individual port test failed.
  Orange  Indicates one of three conditions: the module is running through its boot and self-test diagnostic sequence; the module is disabled; or the module is in the shutdown state.
  Off     The module power is off.

[1] The SYSTEM and PWR MGMT LED indications on a redundant supervisor engine are synchronized to the active supervisor engine.
[2] VTT = voltage termination module. The VTT module terminates signals on the Catalyst switching bus.
[3] If no redundant supervisor engine is installed and there is a VTT module minor or major over-temperature condition, the system shuts down.
[4] Execute the command "show crypto eli" to determine whether the FIPS-related self-tests passed.

Table 1 - 6509, 7606 and 7609 LEDs and Descriptions

All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following table:

FIPS 140-2 Logical Interface   Router Physical Interface
Data Input Interface           Ethernet ports; Network/Service Module interface; console port; Compact Flash slot
Data Output Interface          Ethernet ports; Network/Service Module interface; console port; Compact Flash slot
Control Input Interface        Ethernet ports; Network/Service Module interface; console port; reset button
Status Output Interface        Ethernet ports; Network/Service Module interface; STATUS LED (Supervisor 2); SYSTEM LED; ACTIVE LED; PWR MGMT LED; PCMCIA LED; SWITCH LOAD LED; network port LINK LEDs; STATUS LED (VPN Services Module); console port
Power Interface                Backplane

Table 2 - FIPS 140-2 Logical Interfaces

2.3 Roles and Services

Authentication is role-based. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while Users exercise only the basic User services. Both roles are authenticated by providing a valid username and password.
The configuration of the encryption and decryption functionality is performed only by the Crypto Officer after authentication to the Crypto Officer role by providing a valid Crypto Officer username and password. Once the Crypto Officer has configured the encryption and decryption functionality, the User can use it after authentication to the User role by providing a valid User username and password. The Crypto Officer can also use the encryption and decryption functionality after authentication to the Crypto Officer role. The module supports RADIUS and TACACS+ for authentication, and they are used in FIPS mode. A complete description of all the management and configuration capabilities of the Cisco Catalyst 6509 Switch, 7606 and 7609 Routers can be found in the Performing Basic System Management manual and in the online help for the router.

The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 alphanumeric characters in length. See Section 3, Secure Operation of the Cisco 6509 Switch, 7606 and 7609 Router, for more information. If only the integers 0-9 are used without repetition for an 8-digit PIN, the probability of randomly guessing the correct sequence is 1 in 1,814,400 (the number of ordered selections of 8 distinct digits from 10). Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence.

2.3.1 Crypto Officer Role

During initial configuration of the router, the Crypto Officer password (the "enable" password) is defined. A Crypto Officer may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for the configuration and maintenance of the router.
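The password rule and the guessing figures stated in Section 2.3 above can be checked with the following script. It is an added illustration and not part of the Cisco policy or of Cisco IOS; the function names, the assumption that "alphanumeric" means A-Z, a-z and 0-9, and the sample secrets are this example's own.

```python
"""Added example: checking the Section 2.3 password rule and sizing the
guess space.  Not Cisco code; all names here are this example's own."""
import math
import string

MIN_LENGTH = 8
# Assumption: "alphanumeric" in the policy means A-Z, a-z, 0-9 (62 symbols).
ALPHANUMERIC = string.ascii_letters + string.digits
DIGITS = string.digits  # 10 symbols, the PIN case the policy quotes


def meets_policy(secret: str) -> bool:
    """True if the secret satisfies the policy wording for operator
    passwords and RADIUS/TACACS+ shared secrets: at least 8 characters,
    every one of them alphanumeric."""
    return len(secret) >= MIN_LENGTH and all(c in ALPHANUMERIC for c in secret)


def search_space(alphabet_size: int, length: int, repetition: bool) -> int:
    """Number of distinct secrets an attacker would have to try.
    With repetition the space is alphabet_size ** length; without it, it is
    the number of ordered selections of `length` symbols from the alphabet
    (10 symbols, length 8, no repeats gives the policy's 1,814,400)."""
    if repetition:
        return alphabet_size ** length
    return math.perm(alphabet_size, length)


def guess_probability(alphabet_size: int, length: int, repetition: bool = True) -> float:
    """Probability that a single random guess is correct."""
    return 1.0 / search_space(alphabet_size, length, repetition)


def guesses_for_probability(alphabet_size: int, length: int, target: float,
                            repetition: bool = True) -> int:
    """Guesses needed before the cumulative chance of success reaches
    `target` (0.5 for a median brute-force effort), rounded up."""
    return math.ceil(target * search_space(alphabet_size, length, repetition))


if __name__ == "__main__":
    # Constructed comparison of the three cases the policy text mentions.
    for label, size, rep in (("digits, no repeats", len(DIGITS), False),
                             ("digits, repeats allowed", len(DIGITS), True),
                             ("alphanumeric, repeats allowed", len(ALPHANUMERIC), True)):
        n = search_space(size, MIN_LENGTH, rep)
        print(f"{label:32s} {n:>20,d} secrets  (1 in {n:,d} per guess)")
    # Constructed sample secrets for the policy check.
    print("Abc12345 ->", meets_policy("Abc12345"))   # True
    print("abc1234  ->", meets_policy("abc1234"))    # False: only 7 characters
    print("abcd-123 ->", meets_policy("abcd-123"))   # False: '-' is not alphanumeric
```

The policy's 1 in 1,814,400 figure counts only PINs with no repeated digit; if repeats are allowed, an 8-digit PIN has 10^8 possibilities, and an 8-character secret drawn from the 62 alphanumeric characters has about 2.2 x 10^14, which is the basis for the statement that alphanumeric secrets are far harder to guess. A secret that fails `meets_policy` would not satisfy the minimum the policy sets, regardless of how it was generated.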
The Crypto Officer services consist of the following:

· Configure the router: define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.
· Define Rules and Filters: create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
· Status Functions: view the router configuration, routing tables, and active sessions; use SNMP Gets to view MIB II statistics, health, temperature, memory status, voltage, and packet statistics; review accounting logs; and view physical interface status.
· Manage the router: log off users, shut down or reload the router, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations.
· Set Encryption/Bypass: set up the configuration tables for IP tunneling. Set the keys and algorithms to be used for each IP range, or allow plaintext packets to be sent from specified IP addresses.
· Change Port Adapters: insert and remove adapters in a port adapter slot.

2.3.2 User Services

A User enters the system by accessing the console port with a terminal program. The IOS prompts the User for their password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:

· Status Functions: view the state of interfaces, the state of layer 2 protocols, and the version of IOS currently running
· Network Functions: connect to other network devices (via outgoing telnet or PPP) and initiate diagnostic network services (e.g., ping, mtrace)
· Terminal Functions: adjust the terminal session (e.g., lock the terminal, adjust flow control)
· Directory Services: display the directory of files kept in flash memory

2.4 Physical Security

The router is entirely encased by a thick steel chassis. Nine NM slots are provided on the 6509 and 7609, and six NM slots are provided on the 7606. On-board LAN connectors and console connectors are provided on the routers, and the power cable connection and a power switch are provided on the power supply of each model. The individual modules (or "blades") that comprise the router may be removed to allow access to the internal components of each blade.

Any NM/SM slot which is not populated with an NM/SM must be populated with an appropriate slot cover in order to operate in a FIPS compliant mode. The slot covers are included with each router, and additional covers may be ordered from Cisco. The same procedure described below for applying tamper evidence labels to NMs/SMs must also be followed to apply tamper evidence labels to the slot covers.

Once the router has been configured to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper-evidence labels as follows:

1. Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C.
2. Place a label on the router as shown in Figure 3. The tamper evidence label should be placed so that one half of the label covers the front of the fan-bank module and the other half covers the left side of the router. Any attempt to remove the fan-bank will leave tamper evidence.
3. Place labels on the router as shown in Figure 3. For each Supervisor 2 module, VPN Services Module, network module, or network module cover installed in the router, place a tamper evidence label so that one half of the label covers the right side of the Supervisor 2 module, VPN Services Module, network module, or network module cover and the other half covers the right side of the router. Any attempt to remove a network module will leave tamper evidence.
4. Place labels on the router as shown in Figure 3. For each Supervisor 2 module installed in the router, place a tamper evidence label so that one half of the label covers the Compact Flash slot and the other half covers the Supervisor 2 module. Any attempt to install or remove a Compact Flash card will leave tamper evidence.
5. Place labels on the router as shown in Figure 3. For each Supervisor 2 module installed in the router, place a tamper evidence label so that one half of the label covers an installed Supervisor 2 Network Interface module and the other half covers the Supervisor 2 module. Any attempt to remove a Supervisor 2 Network Interface module will leave tamper evidence.
6. Place labels on the router as shown in Figure 3. For each Supervisor 2 module installed in the router that has an unpopulated Network Interface port, place a tamper evidence label so that it completely covers the unpopulated Network Interface port opening. Any attempt to install a Network Interface port will leave tamper evidence.
7. Place labels on the router as shown in Figure 3. For each power supply or power supply cover installed in the router, place a tamper evidence label so that one half of the label covers the enclosure and the other half covers the front of the power supply or power supply cover. Any attempt to install or remove a power supply will leave tamper evidence.
8. Place labels on the router as shown in Figure 3. Four labels should be applied to the Opacity Shield on the right side of the chassis as follows: one label placed so that one half covers the top of the Opacity Shield and the other half covers the top of the chassis; one label placed so that one half covers the left side of the Opacity Shield and the other half covers the front of the chassis; one label placed so that one half covers the right side of the Opacity Shield and the other half covers the rear of the chassis; and, for the 6509 only, one label placed so that one half covers the bottom of the Opacity Shield and the other half covers the right side of the chassis, or, for the 7606 only, one label placed so that one half covers the bottom of the Opacity Shield and the other half covers the bottom of the chassis. The 7609 does not have an opacity shield, so this step does not apply to it.
9. The labels completely cure within five minutes.

Figure 3 - 6509, 7606 and 7609 Tamper Evidence Label Placement

The tamper evidence seals are produced from a special thin-gauge vinyl with self-adhesive backing. Any attempt to open the router, remove Network Modules, or remove the front faceplate will damage the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper evidence seals have non-repeated serial numbers, they may be inspected for damage and compared against the record of applied serial numbers to verify that the module has not been tampered with. Tamper evidence seals can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, and slices. The word "OPEN" may appear if the label was peeled back.
2.5 Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. All keys are also protected by the password protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE).

The modules contain the VPN Services Module, a cryptographic accelerator card which provides DES (56-bit) (only for legacy systems) and 3DES (168-bit) IPSec encryption, MD5 and SHA-1 hashing, and hardware support for RSA signature generation.

The module supports the following critical security parameters (CSPs); the storage location of each is given in parentheses:

CSP 1 (DRAM, plaintext): The seed key for the X9.31 PRNG. This key is stored in DRAM and updated periodically after the generation of 400 bytes; hence, it is zeroized periodically. The operator can also turn off the router to zeroize this key.
CSP 2 (DRAM, plaintext): The private exponent used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated.
CSP 3 (DRAM, plaintext): The shared secret within the IKE exchange. Zeroized when the IKE session is terminated.
CSP 4 (DRAM, plaintext): Same as CSP 3.
CSP 5 (DRAM, plaintext): Same as CSP 3.
CSP 6 (DRAM, plaintext): Same as CSP 3.
CSP 7 (DRAM, plaintext): The IKE session encrypt key. Zeroized when the IKE session is terminated.
CSP 8 (DRAM, plaintext): The IKE session authentication key. Zeroized when the IKE session is terminated.
CSP 9 (NVRAM, plaintext): The RSA private key. The "crypto key zeroize" command zeroizes this key.
CSP 10 (NVRAM, plaintext): The key used to generate the IKE SKEYID during preshared-key authentication. The "no crypto isakmp key" command zeroizes it. This key can have two forms, depending on whether the key is associated with the hostname or with the IP address.
CSP 11 (DRAM, plaintext): The key that generates CSPs 3, 4, 5 and 6. This key is zeroized after generating those keys.
CSP 12 (DRAM, plaintext): The RSA public key used to validate signatures within IKE. These keys expire either when the CRL (certificate revocation list) expires or 5 seconds later if no CRL exists. After this expiration and before a new public key structure is created, the key is deleted. This key does not need to be zeroized because it is a public key; however, it is zeroized as described here.
CSP 13 (NVRAM, plaintext): The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash.
CSP 14 (DRAM, plaintext): The IPSec encryption key. Zeroized when the IPSec session is terminated.
CSP 15 (DRAM, plaintext): The IPSec authentication key. Zeroized when the IPSec session is terminated.
CSP 16 (NVRAM): The RSA public key of the CA. "no crypto ca trust