Cisco 2811 Security Policy - Page 12


© Copyright 2007 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Router Physical Interface        FIPS 140-2 Logical Interface
Main Power Plug                  Power Interface
Redundant Power Supply Plug      Power Interface
Table 8 – 2821 FIPS 140-2 Logical Interfaces
The CF card that stores the IOS image is considered an internal memory module, because the IOS
image stored on the card cannot be modified or upgraded. The card itself must never be removed
from the drive; a tamper-evident seal is placed over the card in the drive.
2.3 Roles and Services
Authentication in Cisco 2811 and 2821 is role-based. There are two main roles in the router that
operators can assume: the Crypto Officer role and the User role. The administrator of the router
assumes the Crypto Officer role in order to configure and maintain the router using Crypto
Officer services, while the Users exercise only the basic User services. The module supports
RADIUS and TACACS+ for authentication. A complete description of all the management and
configuration capabilities of the router can be found in the Performing Basic System Management
manual and in the online help for the router.
2.3.1 User Services
Users enter the system by accessing the console port with a terminal program or via an
IPSec-protected telnet or SSH session to a LAN port. The IOS prompts the User for a username and
password. If the password is correct, the User is allowed entry to the IOS executive program.
The services available to the User role consist of the following:
Status Functions      View state of interfaces and protocols, version of IOS currently running.
Network Functions     Connect to other network devices through outgoing telnet, PPP, etc. and
                      initiate diagnostic network services (e.g., ping, mtrace).
Terminal Functions    Adjust the terminal session (e.g., lock the terminal, adjust flow control).
Directory Services    Display directory of files kept in flash memory.
SSL-TLS/VPN           Negotiation and encrypted data transport via SSL/TLS.
EASY VPN              Negotiation and encrypted data transport via EASY VPN.
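The following IOS configuration is an added illustration of sections 2.3 and 2.3.1 (it is not part of the Security Policy or of Cisco's published configuration): it separates the User role (privilege 1) from the Crypto Officer role (the "enable" secret / privilege 15), authenticates logins against TACACS+ with a local fallback, and accepts LAN-side management only over SSH. The server address, key and secrets are placeholders, and the `tacacs-server host` form is the classic IOS syntax.

```cisco
! Added example, not from the Cisco 2811/2821 Security Policy.
! Section 2.3: two roles, with the "enable" secret defining the
! Crypto Officer role. Section 2.3.1: console or SSH access, a
! username/password prompt, RADIUS or TACACS+ as the authenticator.
! 192.0.2.10 and every PLACEHOLDER-* value are made up for this example.
!
! Turn on AAA so that console and VTY logins use the method lists below.
aaa new-model
!
! Login: ask the TACACS+ server first, fall back to the local username
! database if the server is unreachable. For RADIUS use "group radius".
aaa authentication login default group tacacs+ local
!
! The "enable" password gates the Crypto Officer role (privileged EXEC).
! Check it against TACACS+, else against the locally stored enable secret.
aaa authentication enable default group tacacs+ enable
!
tacacs-server host 192.0.2.10 key PLACEHOLDER-TACACS-KEY
!
! Crypto Officer password, stored hashed ("secret"), never as a
! reversible "enable password".
enable secret PLACEHOLDER-CO-SECRET
!
! User role account: privilege 1 gives the user EXEC services listed in
! section 2.3.1 (status, telnet/ping/mtrace, terminal and directory
! functions) but no access to configuration mode.
username user1 privilege 1 secret PLACEHOLDER-USER-SECRET
!
! A second Crypto Officer, created by granting privilege 15 as
! section 2.3.2 describes.
username co2 privilege 15 secret PLACEHOLDER-CO2-SECRET
!
! SSH for the LAN-side management path. The RSA key is generated once
! in configuration mode and does not appear in the running config.
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
line console 0
 login authentication default
!
! Only SSH is accepted on the VTY lines here; the policy also permits
! telnet when it is carried inside an IPsec tunnel.
line vty 0 4
 login authentication default
 transport input ssh
```

With this in place, "show privilege" after login reports level 1 for user1 and level 15 after a successful "enable", which is the observable boundary between the two roles the policy defines.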
2.3.2 Crypto Officer Services
During initial configuration of the router, the Crypto Officer password (the "enable" password) is
defined. A Crypto Officer can assign permission to access the Crypto Officer role to additional
accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for
the configuration and maintenance of the router. The Crypto Officer services consist of the
following: