Cisco 7606 User Manual - Page 27
Initializing and Configuring the System
To initialize and configure the system, the crypto officer must perform the following operations:
• The crypto officer must perform the initial configuration. Cisco IOS Release 12.2(14)SY3 is the
only allowable image; no other image may be loaded.
• The value of the boot field must be 0x0101 (the factory default). This setting disables the break from
the console to the ROM monitor and automatically boots the Cisco IOS image. From the configure
terminal command line, the crypto officer enters the following syntax:
    config-register 0x0101
• The crypto officer must create the enable password for the crypto officer role. The password must
be at least eight characters and is entered when the crypto officer first engages the enable command.
The crypto officer enters the following syntax at the "#" prompt:
    enable secret [PASSWORD]
• The crypto officer must always assign passwords (of at least eight characters) to users.
• Identification and authentication on the console port is required for users. From the configure
terminal command line, the crypto officer enters the following syntax:
    line con 0
    password [PASSWORD]
    login local
• The crypto officer shall only assign users to privilege level 1 (the default).
• The crypto officer shall not assign a command to any privilege level other than its default.
• The crypto officer may configure the module to use RADIUS or TACACS+ for authentication.
Configuring the module to use RADIUS or TACACS+ for authentication is optional. If the module
is configured to use RADIUS or TACACS+, the crypto officer must define RADIUS or TACACS+
shared secret keys that are at least 8 characters long.
• If the crypto officer loads any other Cisco IOS image onto the switch or router, this will put the
switch or router into a non-FIPS mode of operation.
IPsec Requirements and Cryptographic Algorithms
Two types of key management methods are allowed in FIPS mode: Internet Key Exchange (IKE) and
IPsec manually entered keys.
Although the Cisco IOS implementation of IKE allows a number of algorithms, only the following
algorithms are allowed in a FIPS 140-2 configuration:
• ah-sha-hmac
• esp-des
• esp-sha-hmac
• esp-3des
• esp-aes
The following algorithms are not FIPS approved and should be disabled:
• MD-4 and MD-5 for signing
• MD-5 HMAC
OL-6334-01
Secure Operation of the Catalyst 6509 Switch and the Cisco 7606 and Cisco 7609 Routers
Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note
27
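As an added example (not part of the Cisco certification note and not a Cisco tool), the following Python script checks an IOS-style configuration excerpt against the rules from both sections above: config-register 0x0101, an enable secret, a console password with login local, users at privilege level 1 only, no commands moved to another privilege level, RADIUS/TACACS+ shared secrets of at least 8 characters, transform sets restricted to the five approved transforms, and no MD5 hashing in IKE policies. The two sample configurations are constructed, and so is the assumption that the config-register value appears in the text being checked (on a real device it is reported by show version rather than in the running configuration).

```python
"""Audit an IOS-style configuration excerpt against the FIPS operating rules
listed in this certification note (constructed example, not Cisco's tooling)."""
import re

# Transforms the note lists as allowed in a FIPS 140-2 configuration
FIPS_TRANSFORMS = {"ah-sha-hmac", "esp-des", "esp-sha-hmac", "esp-3des", "esp-aes"}
MIN_SECRET_LEN = 8            # minimum length the note requires for passwords/shared secrets
REQUIRED_CONFIG_REGISTER = "0x0101"


def parse_blocks(config):
    """Split config text into (command, [indented sub-lines]) tuples.
    IOS indents sub-mode lines with a single space; '!' lines are comments."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_fips_config(config):
    """Return a list of human-readable findings; an empty list means no deviation found."""
    findings = []
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]

    # Boot field: exactly one config-register line and it must be 0x0101 (assumed to be in the text)
    regs = [c.split()[1] for c in top if c.startswith("config-register ")]
    if regs != [REQUIRED_CONFIG_REGISTER]:
        findings.append(f"config-register must be {REQUIRED_CONFIG_REGISTER}, found {regs or 'none'}")

    # Enable secret for the crypto officer role ('enable password' alone does not satisfy the note)
    if not any(c.startswith("enable secret ") for c in top):
        findings.append("enable secret not configured")

    # Console port: password plus 'login local' under 'line con 0'
    con = [sub for cmd, sub in blocks if cmd == "line con 0"]
    if not con:
        findings.append("line con 0 not configured")
    else:
        if not any(s.startswith("password ") for s in con[0]):
            findings.append("line con 0: password missing")
        if "login local" not in con[0]:
            findings.append("line con 0: 'login local' missing")

    # Users stay at privilege level 1; plaintext (type 0) passwords must have >= 8 characters
    for c in top:
        m = re.match(r"username (\S+)(?: privilege (\d+))?(?: (?:password|secret) (\d) (\S+))?", c)
        if not m:
            continue
        name, priv, ptype, value = m.groups()
        if priv is not None and priv != "1":
            findings.append(f"username {name}: privilege {priv} (only level 1 allowed)")
        if ptype == "0" and len(value) < MIN_SECRET_LEN:
            findings.append(f"username {name}: password shorter than {MIN_SECRET_LEN} characters")

    # No command may be reassigned to a non-default privilege level
    for c in top:
        if c.startswith("privilege "):
            findings.append(f"command privilege level reassigned: '{c}'")

    # RADIUS / TACACS+ shared secrets (optional feature) must have >= 8 characters;
    # only plaintext (no type, or type 0) keys can be measured
    for c in top:
        m = re.match(r"(radius-server|tacacs-server) key(?: (\d))? (\S+)", c)
        if m and m.group(2) in (None, "0") and len(m.group(3)) < MIN_SECRET_LEN:
            findings.append(f"{m.group(1)} key shorter than {MIN_SECRET_LEN} characters")

    # IPsec transform sets: every transform must be one of the approved five
    for c in top:
        if c.startswith("crypto ipsec transform-set "):
            parts = c.split()
            for t in parts[4:]:
                if t not in FIPS_TRANSFORMS:
                    findings.append(f"transform-set {parts[3]}: '{t}' is not a FIPS-approved transform")

    # IKE policies must not use MD5 (MD-5 HMAC is not FIPS approved)
    for cmd, sub in blocks:
        if cmd.startswith("crypto isakmp policy") and "hash md5" in sub:
            findings.append(f"{cmd}: hash md5 is not FIPS approved")
    return findings


# Constructed sample configurations (not from a real device)
COMPLIANT_CONFIG = """\
config-register 0x0101
enable secret 5 <constructed-hash>
username netops password 0 Str0ngPassw0rd
line con 0
 password 0 Cons0lePassw0rd
 login local
crypto isakmp policy 10
 hash sha
 encryption 3des
 authentication pre-share
crypto ipsec transform-set FIPS-SET esp-aes esp-sha-hmac
"""

NONCOMPLIANT_CONFIG = """\
config-register 0x2102
enable password weakpass
username admin privilege 15 password 0 short
privilege exec level 1 show running-config
radius-server key abc
line con 0
 login local
crypto isakmp policy 10
 hash md5
crypto ipsec transform-set OLD-SET esp-des esp-md5-hmac
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(f"== {label} ==")
        for finding in check_fips_config(cfg) or ["no deviations found"]:
            print(" -", finding)
```

The checker only measures what the text can show: a type 7 or type 5 credential cannot be length-checked, so those lines are skipped rather than reported, and the image version rule from the first bullet is left to show version, which the script does not parse.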