Cisco 7206 VXR Router with ISA Security Policy
Secure Operation of the Cisco 7206 VXR NPE-400 Router
• The crypto officer must create the “enable” password for the crypto officer role. The password must
be at least 8 characters and is entered when the crypto officer first engages the enable command.
The crypto officer enters the following syntax at the “#” prompt:
enable secret [PASSWORD]
• The crypto officer must always assign passwords of at least 8 characters to users. Users connecting
through the console port must be identified and authenticated. From the configure terminal command
line, the crypto officer enters the following syntax:
line con 0
password [PASSWORD]
login local
• The crypto officer shall only assign users to a privilege level 1 (the default).
• The crypto officer shall not assign a command to any privilege level other than its default.
• The PCMCIA Flash memory card slot is not configured in FIPS mode. Its use is restricted via tamper
evidence labels. See the “Physical Security” section for more details.
Non FIPS-Approved Algorithms
• The following algorithms are not FIPS approved and should be disabled:
– RSA for encryption
– MD5 for signing
– AH-SHA-HMAC
– ESP-SHA-HMAC
– HMAC SHA-1
Protocols
• The following network services affect the security data items and must not be configured: NTP,
TACACS+, RADIUS, Kerberos.
• SNMP v3 over a secure IPSec tunnel can be employed for authenticated, secure SNMP Gets and
Sets. Because SNMP v2C authenticates only with a community string, Gets alone are allowed under
SNMP v2C; Sets must not be performed over SNMP v2C.
Remote Access
• Auxiliary terminal lines must be disabled; only the console line may offer a login. The following
configuration disables login services on the auxiliary line:
line aux 0
no exec