
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM

OL-3959-01

If the Crypto Officer loads any IOS image onto the router, this will put the router into a non-FIPS
mode of operation.

IPSec Requirements and Cryptographic Algorithms

Two key management methods are allowed in FIPS mode: Internet Key Exchange (IKE) and IPSec
manually entered keys.

Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms
are allowed in a FIPS 140-2 configuration:

ah-sha-hmac

esp-des

esp-sha-hmac

esp-3des

esp-aes

The following algorithms are not FIPS approved and should be disabled:

MD-4 and MD-5 for signing

MD-5 HMAC
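As an added example (not part of the security policy), a small Python check that reads a constructed IOS configuration excerpt and flags transform-set entries outside the list above, as well as ISAKMP policies that select an MD-5 hash; the configuration lines, set names and the function name are assumptions.

```python
"""Audit IOS transform-set and ISAKMP policy lines against the FIPS-approved
transform list quoted in this security policy. Sample config is constructed."""
import re

# Transforms the security policy allows in a FIPS 140-2 configuration.
FIPS_TRANSFORMS = {"ah-sha-hmac", "esp-des", "esp-sha-hmac", "esp-3des", "esp-aes"}
# IKE hash algorithms the policy says must be disabled (MD-4 and MD-5).
DISALLOWED_HASHES = {"md4", "md5"}

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+)((?:\s+\S+)+)$")
ISAKMP_RE = re.compile(r"^crypto isakmp policy (\d+)$")

# Constructed excerpt: one clean and one legacy policy / transform-set each.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto ipsec transform-set FIPS-OK esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set LEGACY esp-des esp-md5-hmac
 mode tunnel
"""

def audit_config(config):
    """Return one finding per non-FIPS transform or IKE hash; empty list means clean."""
    findings = []
    policy = None  # number of the isakmp policy block currently being read
    for raw in config.splitlines():
        line = raw.rstrip()
        m = TRANSFORM_RE.match(line)
        if m:
            name, transforms = m.group(1), m.group(2).split()
            for t in transforms:
                if t not in FIPS_TRANSFORMS:
                    findings.append(f"transform-set {name}: {t} is not FIPS-approved")
            policy = None
            continue
        m = ISAKMP_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        if policy is not None and line.startswith(" "):
            # Indented lines belong to the current isakmp policy block.
            parts = line.split()
            if len(parts) == 2 and parts[0] == "hash" and parts[1] in DISALLOWED_HASHES:
                findings.append(f"isakmp policy {policy}: hash {parts[1]} must be disabled")
        elif policy is not None:
            policy = None  # any non-indented line ends the policy block
    return findings
```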

Protocols

All SNMP operations must be performed within a secure IPSec tunnel.

Remote Access

Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system
and the module. The Crypto Officer must configure the module so that any remote connections via
Telnet are secured through IPSec.

SSH access to the module is only allowed if SSH is configured to use a FIPS-approved algorithm.
The Crypto Officer must configure the module so that SSH uses only FIPS-approved algorithms.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm