Cisco 7606 Gebruikershandleiding - Pagina 27
Blader online of download pdf Gebruikershandleiding voor {categorie_naam} Cisco 7606. Cisco 7606 28 pagina's. User guide
Ook voor Cisco 7606: Brochure (8 pagina's)
Initializing and Configuring the System
To initialize and configure the system, the crypto officer must perform the following operations:
•
•
•
•
•
•
•
•
•
IPsec Requirements and Cryptographic Algorithms
Two types of key management method are allowed in FIPS mode: Internet Key Exchange (IKE) and
IPsec manually entered keys.
Although the Cisco IOS implementation of IKE allows a number of algorithms, only the following
algorithms are allowed in a FIPS 140-2 configuration:
•
•
•
•
•
The following algorithms are not FIPS approved and should be disabled:
•
•
OL-6334-01
Secure Operation of the Catalyst 6509 Switch and the Cisco 7606 and Cisco 7609 Routers
The crypto officer must perform the initial configuration. Cisco IOS Release 12.2(14)SY3 is the
only allowable image; no other image may be loaded.
The value of the boot field must be 0x0101 (the factory default). This setting disables the break from
the console to the ROM monitor and automatically boots the Cisco IOS image. From the configure
terminal command line, the crypto officer enters the following syntax:
config-register 0x0101
The crypto officer must create the enable password for the crypto officer role. The password must
be at least eight characters and is entered when the crypto officer first engages the enable command.
The crypto officer enters the following syntax at the "#" prompt:
enable secret [PASSWORD]
The crypto officer must always assign passwords (of at least eight characters) to users.
Identification and authentication on the console port is required for users. From the configure
terminal command line, the crypto officer enters the following syntax:
line con 0
password [PASSWORD]
login local
The crypto officer shall only assign users to a privilege level 1 (the default).
The crypto officer shall not assign a command to any privilege level other than its default.
The crypto officer may configure the module to use RADIUS or TACACS+ for authentication.
Configuring the module to use RADIUS or TACACS+ for authentication is optional. If the module
is configured to use RADIUS or TACACS+, the Crypto-Officer must define RADIUS or TACACS+
shared secret keys that are at least 8 characters long.
If the crypto officer loads any Cisco IOS image onto the switch or router, this will put the switch or
router into a non-FIPS mode of operation.
ah-sha-hmac
esp-des
esp-sha-hmac
esp-3des
esp-aes
MD-4 and MD-5 for signing
MD-5 HMAC
Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note
27