Dear Michael, I would like to know how to enable FIPS mode on a Cisco 2911 router running firmware version 15.1(4)M4. Thanks in advance for your reply.
Answer 1
To enter FIPS-approved mode, follow the steps below; see the FIPS 140-2 validation document for this series of Cisco routers.
The formatting here is limited and I am not going to spend an hour fiddling with markdown to make it match, so if you want a more readable version, go to the link. Pages 36-38.
Secure Operation
The Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, and Cisco 2921 Integrated Services Routers (ISRs) meet all the overall Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.
Initial Setup
1. The Crypto Officer must install the FIPS opacity shields as described in this document.
2. The Crypto Officer must apply tamper evidence labels as described in this document.
3. The Crypto Officer must disable IOS Password Recovery by executing the following commands:
configure terminal
no service password-recovery
end
show version
NOTE: Once Password Recovery is disabled, administrative access to the module without the password will not be possible.
System Initialization and Configuration
1. The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots. From the “configure terminal” command line, the Crypto Officer enters the following syntax:
config-register 0x0102
2. The Crypto Officer must create the “enable” password for the Crypto Officer role. Procedurally, the password must be at least 8 characters, including at least one letter and at least one number, and is entered when the Crypto Officer first engages the “enable” command. The Crypto Officer enters the following syntax at the “#” prompt:
enable secret [PASSWORD]
3. The Crypto Officer must always assign passwords (of at least 8 characters, including at least one letter and at least one number) to users. Identification and authentication on the console/auxiliary port is required for Users. From the “configure terminal” command line, the Crypto Officer enters the following syntax:
line con 0
password [PASSWORD]
login local
4. The Crypto Officer may configure the module to use RADIUS or TACACS+ for authentication. Configuring the module to use RADIUS or TACACS+ for authentication is optional. If the module is configured to use RADIUS or TACACS+, the Crypto Officer must define RADIUS or TACACS+ shared secret keys that are at least 8 characters long, including at least one letter and at least one number.
5. Firmware update is not allowed in FIPS mode.
IPSec Requirements and Cryptographic Algorithms
1. The only types of IPSec key management that are allowed in FIPS mode are Internet Key Exchange (IKE) and Group Domain of Interpretation (GDOI).
2. Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:
• ah-sha-hmac
• esp-sha-hmac
• esp-3des
• esp-aes
• esp-aes-192
• esp-aes-256
3. The following algorithms shall not be used:
• MD-5 for signing
• MD-5 HMAC
• DES
Protocols
1. SNMP v3 over a secure IPSec tunnel may be employed for authenticated, secure
SNMP gets and sets. Since SNMP v2C uses community strings for authentication,
only gets are allowed under SNMP v2C.
Remote Access
1. SSH access to the module is allowed in FIPS approved mode of operation, using SSH
v2 and a FIPS approved algorithm.
2. Telnet access to the module is only allowed via a secure IPSec tunnel between the
remote system and the module. The Crypto officer must configure the module so that
any remote connections via telnet are secured through IPSec, using FIPS-approved
algorithms. Note that all users must still authenticate after remote access is granted.
3. HTTPS/TLS management is not allowed in FIPS mode.
Wireless Services
1. Wireless communication with the module is not allowed in FIPS approved mode of operation.
2. By default, the radio interfaces for the module are disabled. These interfaces should not be enabled.
Cisco Unified Border Element (CUBE) TLS Configuration
1. When configuring CUBE TLS connections, the following configuration command
option must be executed to limit the TLS session options to FIPS-approved
algorithms.
crypto signaling [strict-cipher]
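The policy above is a checklist, and on a box that has been in production for a while it is easy to miss a leftover `esp-des` transform-set or an `RW` community string. The script below is an added example, not Cisco's code and not part of the answer: it takes an IOS running-config as plain text (plus the `show version` output, because `config-register` is not printed in the running-config) and reports every setting that conflicts with the rules quoted above. Both sample configurations, the hostnames and the hash strings in them are constructed for illustration. It cannot verify anything the config does not show (opacity shields, tamper labels, firmware updates, or whether a permitted telnet session really sits inside an IPsec tunnel), so those findings are flagged for manual review rather than decided.

```python
import re

# Transforms the policy allows inside "crypto ipsec transform-set".
ALLOWED_TRANSFORMS = {"ah-sha-hmac", "esp-sha-hmac", "esp-3des",
                      "esp-aes", "esp-aes-192", "esp-aes-256"}
# Policy rule for passwords and AAA shared secrets: 8+ chars, a letter and a digit.
PASSWORD_RULE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d).{8,}$")


def blocks(lines):
    """Yield (header, [child lines]) for each IOS config block; children are indented."""
    header, children = None, []
    for line in lines:
        if line.startswith(" ") and header is not None:
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header, children = line.strip(), []
    if header is not None:
        yield header, children


def password_ok(tokens):
    """False only for a cleartext (type 0 or untyped) value that breaks the rule.
    Type 5/8/9 hashes and type 7 obfuscated strings cannot be checked from text."""
    if not tokens:
        return True
    if tokens[0].isdigit():  # leading digit is the IOS encryption type
        return tokens[0] != "0" or bool(PASSWORD_RULE.match(" ".join(tokens[1:])))
    return bool(PASSWORD_RULE.match(" ".join(tokens)))


def audit_fips_config(config, show_version=""):
    """Return a list of findings; an empty list means every checkable rule passed."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    flat = [l.strip() for l in lines]
    findings = []
    if "no service password-recovery" not in flat:
        findings.append("password recovery still enabled")
    if "config-register 0x0102" not in flat and "0x0102" not in show_version:
        findings.append("config-register is not 0x0102")
    if not any(l.startswith("enable secret") for l in flat):
        findings.append("no enable secret")
    if "ip ssh version 2" not in flat:
        findings.append("SSH not pinned to version 2")
    if "ip http secure-server" in flat:
        findings.append("HTTPS/TLS management enabled")
    for l in flat:
        t = l.split()
        if l.startswith("enable secret") and not password_ok(t[2:]):
            findings.append("weak enable secret")
        elif l.startswith("username ") and len(t) >= 4 and t[2] in ("password", "secret"):
            if not password_ok(t[3:]):
                findings.append("weak password for user " + t[1])
        elif l.startswith(("radius-server key", "tacacs-server key")) and not password_ok(t[2:]):
            findings.append("weak AAA shared secret: " + t[0])
        elif l.startswith("crypto ipsec transform-set"):
            bad = sorted(set(t[4:]) - ALLOWED_TRANSFORMS)
            if bad:
                findings.append("transform-set %s uses non-approved %s" % (t[3], bad))
        elif l.startswith("snmp-server community") and "rw" in (x.lower() for x in t):
            findings.append("SNMPv2c write access: " + l)  # only gets are allowed under v2c
    for header, body in blocks(lines):
        if header == "line con 0":
            if "login local" not in body:
                findings.append("console: login local missing")
            pw = [b for b in body if b.startswith("password")]
            if not pw:
                findings.append("console: no password")
            elif not password_ok(pw[0].split()[1:]):
                findings.append("console: weak password")
        elif header.startswith("line vty"):
            for b in body:
                if b.startswith("transport input") and ("telnet" in b or b.endswith(" all")):
                    findings.append(header + ": telnet allowed; confirm it is confined to an IPsec tunnel")
        elif header.startswith("crypto isakmp policy"):
            if any(b in ("hash md5", "encr des", "encryption des") for b in body):
                findings.append(header + ": DES or MD5 in IKE policy")
        elif header.startswith("interface Dot11Radio") and "shutdown" not in body:
            findings.append(header + ": wireless radio enabled")
    return findings


# Constructed sample: a 2911 config that follows the quoted policy.
CONFIG_GOOD = """version 15.1
no service password-recovery
hostname r2911-fips
!
enable secret 5 $1$abcd$constructedhash
username crypto-officer secret 5 $1$efgh$constructedhash
no ip http server
no ip http secure-server
ip ssh version 2
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto ipsec transform-set FIPS esp-aes-256 esp-sha-hmac
 mode tunnel
snmp-server community r0community RO
line con 0
 password 0 C0ns0le-pw1
 login local
line vty 0 4
 login local
 transport input ssh
end
"""

# Constructed sample: a typical pre-hardening config with several violations.
CONFIG_BAD = """version 15.1
hostname r2911-legacy
!
enable secret 5 $1$abcd$constructedhash
username admin password 0 admin1
ip http secure-server
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
crypto ipsec transform-set LEGACY esp-des esp-md5-hmac
snmp-server community private RW
radius-server key 0 short1
interface Dot11Radio0
 no ip address
line con 0
 login local
line vty 0 4
 password 7 0822455D0A16
 transport input telnet ssh
end
"""

if __name__ == "__main__":
    for name, cfg, ver in (("good", CONFIG_GOOD, "Configuration register is 0x0102"),
                           ("bad", CONFIG_BAD, "Configuration register is 0x2102")):
        print(name, audit_fips_config(cfg, ver) or ["OK"])
```

Feed it the output of `show running-config` and `show version` copied from the console. A clean run on the compliant sample returns no findings; the legacy sample produces twelve, including the DES/MD5 IKE policy, the `esp-des`/`esp-md5-hmac` transform-set, the writable v2c community and the enabled `Dot11Radio0` interface. Hashed secrets (type 5/8/9) are accepted as unverifiable rather than passed, so the 8-character rule must still be enforced when the secret is first set.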