2621XM and 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation Version 1.3 June 2, 2004 © Copyright 2004 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Table of Contents 1 INTRODUCTION.................................................................................................................. 3 1.1 PURPOSE ............................................................................................................................. 3 1.2 REFERENCES ....................................................................................................................... 3 1.3 TERMINOLOGY ................................................................................................................... 3 1.4 DOCUMENT ORGANIZATION ............................................................................................... 3 2 THE 2621XM/2651XM ROUTER........................................................................................ 5 2.1 THE 2621XM/2651XM CRYPTOGRAPHIC MODULE ........................................................... 5 2.2 MODULE INTERFACES ......................................................................................................... 6 2.3 ROLES AND SERVICES ......................................................................................................... 8 2.3.1 Crypto Officer Services.................................................................................. 9 2.3.2 User Services .............................................................................................. 10 2.4 PHYSICAL SECURITY ........................................................................................................ 10 2.5 CRYPTOGRAPHIC KEY MANAGEMENT .............................................................................. 12 2.6 SELF-TESTS ...................................................................................................................... 16 3 SECURE OPERATION OF THE CISCO 2621XM/2651XM ROUTER ....................... 18 3.1 INITIAL SETUP .................................................................................................................. 18 3.2 SYSTEM INITIALIZATION AND CONFIGURATION ................................................................ 18 3.3 IPSEC REQUIREMENTS AND CRYPTOGRAPHIC ALGORITHMS ............................................ 19 3.4 PROTOCOLS ...................................................................................................................... 20 3.5 REMOTE ACCESS .............................................................................................................. 20 © Copyright 2004 Cisco Systems, Inc. Page 2 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 Introduction 1.1 Purpose This is the non-proprietary Cryptographic Module Security Policy for the 2621XM and 2651XM Modular Access Routers with AIM-VPN/EP. This security policy describes how the 2621XM and 2651XM routers (Hardware Version: 2621XM, 2651XM; AIM-VPN/EP: Hardware Version 1.0, Board Version B0; Firmware Version: IOS 12.3(3d)) meet the security requirements of FIPS 140-2, and how to operate the 2621XM and 2651XM routers in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the 2621XM and 2651XM routers. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 -- Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/cryptval/. 1.2 References This document deals only with operations and capabilities of the 2621XM and 2651XM routers in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the 2621XM and 2651XM routers and the entire 2600 Series from the following sources: · The Cisco Systems website contains information on the full line of products at www.cisco.com. The 2600 Series product descriptions can be found at: http://www.cisco.com/en/US/products/hw/routers/ps259/index.html · For answers to technical or sales related questions please refer to the contacts listed on the Cisco Systems website at www.cisco.com. · The NIST Validated Modules website (http://csrc.nist.gov/cryptval) contains contact information for answers to technical or sales-related questions for the module 1.3 Terminology In this document, the Cisco 2621XM and 2651XM routers are referred to as the routers, the modules, or the systems. 1.4 Document Organization The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document Finite State Machine Module Software Listing Other supporting documentation as additional references © Copyright 2004 Cisco Systems, Inc. Page 3 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. This document provides an overview of the 2621XM and 2651XM routers and explains the secure configuration and operation of the modules. This introduction section is followed by Section 2, which details the general features and functionality of the 2621XM and 2651XM routers. Section 3 specifically addresses the required configuration for the FIPS-mode of operation. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non- disclosure agreements. For access to these documents, please contact Cisco Systems. © Copyright 2004 Cisco Systems, Inc. Page 4 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 The 2621XM/2651XM Router Branch office networking requirements are dramatically evolving, driven by web and e- commerce applications to enhance productivity and merging the voice and data infrastructure to reduce costs. The Cisco 2621XM and 2651XM routers offer versatility, integration, and security to branch offices. With over 100 Network Modules (NMs) and WAN Interface Cards (WICs), the modular architecture of the Cisco router easily allows interfaces to be upgraded to accommodate network expansion. The Cisco 2621XM and 2651XM provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements. This section describes the general features and functionality provided by the Cisco 2621XM and 2651XM routers. 2.1 The 2621XM/2651XM Cryptographic Module Figure 1 - The 2621XM/2651XM Router The 2621XM and 2651XM Routers are multiple-chip standalone cryptographic modules. The cryptographic boundary is defined as encompassing the "top," "front," "left," "right," and "bottom" surfaces of the case; all portions of the "backplane" of the case which are not designed to accommodate a WIC or Network Module; and the inverse of the three-dimensional space within the case that would be occupied by an installed WIC or Network Module. The cryptographic boundary includes the connection apparatus between the WIC or Network Module and the motherboard/daughterboard that hosts the WIC or Network Module, but the boundary does not include the WIC or Network Module itself. In other words, the cryptographic boundary encompasses all hardware components within the case of the device except any installed modular WICs or Network Modules. All of the functionality discussed in this document is provided by components within this cryptographic boundary. The Cisco 2621XM and 2651XM routers incorporate an AIM-VPN/EP cryptographic accelerator card. The AIM-VPN/EP is located inside the module chassis, and is installed directly on the motherboard. Cisco IOS features such as tunneling, data encryption, and termination of Remote Access WANs via IPSec, Layer 2 Forwarding (L2F) and Layer 2 Tunneling Protocols (L2TP) make the Cisco 2600 an ideal platform for building virtual private networks or outsourced dial solutions. Cisco 2600`s RISC-based processor provides the power needed for the dynamic requirements of the © Copyright 2004 Cisco Systems, Inc. Page 5 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. remote branch office, achieving wire speed Ethernet to Ethernet routing with up to 30 thousand packets per second (Kpps) throughput capacity for the 2621XM, and 40 Kpps for the 2651XM. 2.2 Module Interfaces The interfaces for the router are located on the rear panel as shown in Figure 2. Figure 2 ­ Physical Interfaces The Cisco 2621XM and 2651XM routers feature a console port, an auxiliary port, dual fixed LAN interfaces, a Network Module slot, and two WIC slots. LAN support includes single and dual Ethernet options; 10/100 Mbps auto-sensing Ethernet; mixed Token-Ring and Ethernet; and single Token Ring chassis versions. WAN interface cards support a variety of serial, ISDN BRI, and integrated CSU/DSU options for primary and backup WAN connectivity. Available Network Modules support multi-service voice/data/fax integration, departmental dial concentration, and high-density serial options All Cisco 2600 series routers include an auxiliary port supporting 115Kbps Dial-On-Demand Routing, ideal for back-up WAN connectivity. When a Network Module is inserted, it fits into an adapter called the Network Module expansion bus. The expansion bus interacts with the PCI bridge in the same way that the fixed LAN ports do; therefore, no critical security parameters pass through the Network Module (just as they don't pass through the LAN ports). Network modules do not perform any cryptographic functions. WICs are similar to Network Modules in that they greatly increase the router's flexibility. A WIC is inserted into one of two slots, which are located above the fixed LAN ports. WICs interface directly with the processor. They do not interface with the cryptographic card; therefore no security parameters will pass through them. WICs cannot perform cryptographic functions; they only serve as a data input and data output physical interface. The physical interfaces include a power plug for the power supply and a power switch. The router has two Fast Ethernet (10/100 RJ-45) connectors for data transfers in and out. The module also has two other RJ-45 connectors on the back panel for a console terminal for local system access and an auxiliary port for remote system access or dial backup using a modem. The © Copyright 2004 Cisco Systems, Inc. Page 6 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 10/100Base-T LAN ports have Link/Activity, 10/100Mbps, and half/full duplex LEDs. Figure 3 shows the LEDs located on the rear panel with descriptions detailed in Table 1: Figure 3 ­ Rear Panel LEDs LED Indication Description LINK Green An Ethernet link has been established Off No Ethernet link established FDX Green The interface is transmitting data in full-duplex mode Off When off, the interface is transmitting data in half-duplex mode 100 Mbps Green The speed of the interface is 100 Mbps Off The speed of the interface is 10 Mbps or no link is established Table 1 ­ Rear Panel LEDs and Descriptions Figure 4 shows the front panel LEDs, which provide overall status of the router's operation. The front panel displays whether or not the router is booted, if the redundant power is (successfully) attached and operational, and overall activity/link status. Figure 4 ­ Front Panel LEDs The following table provides more detailed information conveyed by the LEDs on the front panel of the router: LED Indication Description Power Green Power is supplied to the router and the router is operational Off The router is not powered on RPS* Green RPS is attached and operational Off No RPS is attached Blink RPS is attached, but has a failure Activity Off In the Cisco IOS software, but no network activity © Copyright 2004 Cisco Systems, Inc. Page 7 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. LED Indication Description Blink (500 ms ON, 500 ms In ROMMON, no errors OFF) Blink (500 ms ON, 500 ms In ROMMON, error detected OFF, 2 sec between codes) Blink (less than 500 ms) In the Cisco IOS software, the blink rate reflects the level of activity Table 2 ­ Front Panel LEDs and Descriptions * RPS = Redundant Power System All of these physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following table: Router Physical Interface FIPS 140-2 Logical Interface 10/100BASE-TX LAN Port Data Input Interface WIC Interface Network Module Interface Console Port Auxiliary Port 10/100BASE-TX LAN Port Data Output Interface WIC Interface Network Module Interface Console Port Auxiliary Port 10/100BASE-TX LAN Port Control Input Interface WIC Interface Network Module Interface Power Switch Console Port Auxiliary Port 10/100BASE-TX LAN Port Status Output Interface WIC Interface Network Module Interface LAN Port LEDs 10/100BASE-TX LAN Port LEDs Power LED Redundant Power LED Activity LED Console Port Auxiliary Port Power Plug Power Interface Table 3 ­ FIPS 140-2 Logical Interfaces 2.3 Roles and Services Authentication is role-based. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. Both roles are authenticated by providing a valid username and password. The configuration of the encryption and decryption functionality is performed only by the Crypto Officer after authentication to the Crypto Officer role by providing © Copyright 2004 Cisco Systems, Inc. Page 8 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. a valid Crypto Officer username and password. Once the Crypto Officer configured the encryption and decryption functionality, the User can use this functionality after authentication to the User role by providing a valid User username and password. The Crypto Officer can also use the encryption and decryption functionality after authentication to the Crypto Officer role. The module supports RADIUS and TACACS+ for authentication and they are used in the FIPS mode. A complete description of all the management and configuration capabilities of the Cisco 2621XM and 2651XM Routers can be found in the Performing Basic System Management manual and in the online help for the router. The User and Crypto Officer passwords and the RADIUS/TACACS+ shared secrets must each be at least 8 alphanumeric characters in length. See Section 3, Secure Operation of the Cisco 2621XM/2651XM Router, for more information. If only integers 0-9 are used without repetition for an 8 digit PIN, the probability of randomly guessing the correct sequence is 1 in 1,814,400. Including the rest of the alphanumeric characters drastically decreases the odds of guessing the correct sequence. 2.3.1 Crypto Officer Services During initial configuration of the router, the Crypto Officer password (the "enable" password) is defined. A Crypto Officer may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following: · Configure the router: define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information. · Define Rules and Filters: create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. · Status Functions: view the router configuration, routing tables, active sessions, use Gets to view SNMP MIB II statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status · Manage the router: log off users, shutdown or reload the outer, manually back up router configurations, view complete configurations, manager user rights, and restore router configurations. · Set Encryption/Bypass: set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range or allow plaintext packets to be set from specified IP address. · Change Network Modules: insert and remove modules in the Network Module slot as described in Section 3.1, Number 3 of this document. · Change WAN Interface Cards: insert and remove WICs as described in Section 3.1, Number 4 of this document. © Copyright 2004 Cisco Systems, Inc. Page 9 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2.3.2 User Services A User enters the system by accessing the console port with a terminal program. The IOS prompts the User for their password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following: · Status Functions: view state of interfaces, state of layer 2 protocols, version of IOS currently running · Network Functions: connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services (i.e., ping, mtrace) · Terminal Functions: adjust the terminal session (e.g., lock the terminal, adjust flow control) · Directory Services: display directory of files kept in flash memory 2.4 Physical Security The router is entirely encased by a thick steel chassis. The rear of the unit provides 1 Network Module slot, 2 WIC slots, on-board LAN connectors, Console/Auxiliary connectors, the power cable connection and a power switch. The top portion of the chassis may be removed (see Figure 5) to allow access to the motherboard, memory, and expansion slots. Figure 5 ­ Chassis Removal Any NM or WIC slot, which is not populated with a NM or WIC, must be populated with an appropriate slot cover in order to operate in a FIPS compliant mode. The slot covers are included with each router, and additional covers may be ordered from Cisco. The same procedure mentioned below to apply tamper evidence labels for NMs and WICs must also be followed to apply tamper evidence labels for the slot covers. Once the router has been configured in to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized tamper- evidence labels as follows: 1. Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C. © Copyright 2004 Cisco Systems, Inc. Page 10 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2. Place the first label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the tamper evidence label covers the enclosure and the other half covers the side of the router. Any attempt to remove the enclosure will leave tamper evidence. 3. Place the second label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the tamper evidence label covers the enclosure and the other half covers the side of the router. Any attempt to remove the enclosure will leave tamper evidence. 4. Place the third label on the router as shown in Figure 6. The tamper evidence label should be placed so that the one half of the label covers the enclosure and the other half covers the Network Module slot. Any attempt to remove a Network Module will leave tamper evidence. 5. Place the fourth label on the router as shown in Figure 6. The tamper evidence label should be placed so that the half of the label covers the enclosure and the other half covers the WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. 6. Place the fifth label on the router as shown in Figure 6. The tamper evidence label should be placed so that one half of the label covers the enclosure and the other half covers the WAN interface card slot. Any attempt to remove a WAN interface card will leave tamper evidence. 7. The labels completely cure within five minutes. Figure 6 ­ Tamper Evidence Label Placement The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to open the router, remove Network Modules or WIC cards, or the front faceplate will damage the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper evidence seals have non-repeated serial numbers, they may be inspected for damage and compared against the applied serial numbers to verify that the module has not © Copyright 2004 Cisco Systems, Inc. Page 11 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. been tampered. Tamper evidence seals can also be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, and slices. The word "OPEN" may appear if the label was peeled back. 2.5 Cryptographic Key Management The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. All keys are also protected by the password-protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE). The modules contain a cryptographic accelerator card (the AIM-VPN/EP), which provides DES (56-bit) (only for legacy systems) and 3DES (168-bit) IPSec encryption at up to 15Mbps, MD5 and SHA-1 hashing, and has hardware support for DH and RSA key generation. The module supports the following critical security parameters (CSPs): CSP # Description Storage Name 1 CSP 1 This is the seed key for X9.31 PRNG. This key is DRAM stored in DRAM and updated periodically after the (plaintext) generation of 400 bites; hence, it is zeroized periodically. Also, the operator can turn off the router to zeroize this key. 2 CSP 2 The private exponent used in Diffie-Hellman (DH) DRAM exchange. Zeroized after DH shared secret has been (plaintext) generated. 3 CSP 3 The shared secret within IKE exchange. Zeroized when DRAM IKE session is terminated. (plaintext) 4 CSP 4 Same as above DRAM (plaintext) 5 CSP 5 Same as above DRAM (plaintext) 6 CSP 6 Same as above DRAM (plaintext) 7 CSP 7 The IKE session encrypt key. The zeroization is the DRAM same as above. (plaintext) 8 CSP 8 The IKE session authentication key. The zeroization is DRAM the same as above. (plaintext) 9 CSP 9 The RSA private key. "crypto key zeroize" command NVRAM zeroizes this key. (plaintext) 10 CSP 10 The key used to generate IKE skeyid during preshared- NVRAM key authentication. "no crypto isakmp key" command (plaintext) zeroizes it. This key can have two forms based on whether the key is related to the hostname or the IP address. © Copyright 2004 Cisco Systems, Inc. Page 12 of 21 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 11 CSP 11 This key generates keys 3, 4, 5 and 6. This key is DRAM zeroized after generating those keys. (plaintext) 12 CSP 12 The RSA public key used to validate signatures within DRAM IKE. These keys are expired either when CRL (plaintext) (certificate revocation list) expires or 5 secs after if no CRL exists. After above expiration happens and before a new public key structure is created this key is deleted. This key does not need to be zeroized because it is a public key; however, it is zeroized as mentioned here. 13 CSP 13 The fixed key used in Cisco vendor ID generation. This NVRAM key is embedded in the module binary image and can (plaintext) be deleted by erasing the Flash. 14 CSP 14 The IPSec encryption key. Zeroized when IPSec DRAM session is terminated. (plaintext) 15 CSP 15 The IPSec authentication key. The zeroization is the DRAM same as above. (plaintext) 16 CSP 16 The RSA public key of the CA. "no crypto ca trust NVRAM