Name: Cisco 2811
Brand: Cisco
Rating: 5 (1 reviews)

To Next Page

To Previous Page

Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy

OL-8663-01

Cisco 2811 and Cisco 2821 Routers

The routers support the following FIPS 140-2 approved algorithm implementations:

• Software (IOS) implementations

–

AES

–

DES (for legacy use only) (transitional phase only – valid until May 19th, 2007)

–

3DES

–

SHA-1

–

HMAC-SHA-1

–

X9.31 PRNG

• Onboard hardware implementations

–

AES

–

DES (for legacy use only) (transitional phase only – valid until May 19th, 2007)

–

3DES

–

SHA-1

–

HMAC-SHA-1

The router is in the approved mode of operation only when FIPS 140-2 approved algorithms are used

(except DH which is allowed in the approved mode for key establishment despite being non-approved).

The following are not FIPS 140-2 approved algorithms: RC4, MD5, HMAC-MD5, RSA and DH.

Note: The module supports DH key sizes of 1024 and 1536 bits. Therefore, DH provides 80-bit and

96-bit of encryption strength per NIST 800-57.

The module supports two types of key management schemes:

• Pre-shared key exchange via electronic key entry. DES/3DES/AES key and HMAC-SHA-1 key are

exchanged and entered electronically.

• Internet Key Exchange method with support for pre-shared keys exchanged and entered

electronically.

–

The pre-shared keys are used with Diffie-Hellman key agreement technique to derive DES,

3DES or AES keys.

–

The pre-shared key is also used to derive HMAC-SHA-1 key.

The module supports commercially available Diffie-Hellman for key establishment. See the Cisco IOS

Reference Guide.

All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected

by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto

Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual

tunnels are directly associated with that specific tunnel only via the IKE protocol.

Key Zeroization:

Each key can be zeroized by sending the “no” command prior to the key function commands. This will

zeroize each key from the DRAM, the running configuration.

“Clear Crypto IPSec SA” will zeroize the IPSec DES/3DES/AES session key (which is derived using

the Diffie-Hellman key agreement technique) from the DRAM. This session key is only available in the

DRAM; therefore this command will completely zeroize this key. The following command will zeroize

the pre-shared keys from the DRAM:

Questions and Answers:

Need help?

Do you have a question about the Cisco 2811 and is the answer not in the manual?

Cisco 2811 Specifications

General

Full duplex	Yes
Networking standards	-
Ethernet LAN data rates	10, 100 Mbit/s
Supports ISDN connection	No
Safety	UL 60950, CAN/CSA C22.2 No. 60950, IEC 60950, EN 60950-1, AS/NZS 60950
Flash memory	128 MB
Internal memory	256 MB
I/O ports	2 x USB\\r 2 x 10/100 Base-T
Ethernet LAN (RJ-45) ports	2
Storage temperature (T-T)	-40 - 70 °C
Firewall security	Cisco IOS
Security algorithms	128-bit AES, 192-bit AES, 256-bit AES, 3DES, DES
Product color	Blue, Stainless steel
Rack capacity	1U