Cisco 3640 Modular Access Router Security Policy
78-13835-01
performed conditionally prior to executing IPSec, a software load test for upgrades and the continuous
random number generator test. If any of these self-tests fail, the router will transition into an error state.
Within the error state, all secure data transmission is halted and the router outputs status information
indicating the failure.
Secure Operation of the Cisco 3640 Router
The Cisco 3640 router meets all the Level 2 requirements for FIPS 140-1. Follow the setting instructions
provided below to place the module in FIPS mode. Operating this router without maintaining the
following settings will remove the module from the FIPS approved mode of operation.
Initial Setup
Step 1
The Crypto Officer must apply tamper evidence labels as described in the Physical Security section of
this document. The Crypto Officer must securely store tamper evidence labels before use, and any
tamper evidence labels not used should also be stored securely.
Step 2
Only a Crypto Officer may add and remove network modules. When removing the tamper evidence
label, the Crypto Officer should remove the entire label from the router and clean the cover of any
grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper
Step 3
Only a Crypto Officer may add and remove WAN Interface Cards. When removing the tamper evidence
label, the Crypto Officer should remove the entire label from the router and clean the cover of any
grease, dirt, or oil with an alcohol-based cleaning pad. The Crypto Officer must re-apply tamper
System Initialization and Configuration
Step 1
The Crypto Officer must perform the initial configuration. The IOS version shipped with the router,
version 12.1(5)T, is the only allowable image. No other image may be loaded.
Step 2
The value of the boot field must be 0x0101 (the factory default). This setting disables break from the
console to the ROM monitor and automatically boots the IOS image. From the "configure terminal"
command line, the Crypto Officer enters the following syntax:
config-register 0x0101
Step 3
The Crypto Officer must create the "enable" password for the Crypto Officer role. The password must
be at least 8 characters and is entered when the Crypto Officer first engages the "enable" command. The
Crypto Officer enters the following syntax at the "#" prompt:
enable secret [PASSWORD]
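
The three configuration steps above can be audited from saved "show version" and "show running-config" output. The following Python check is an added example, not part of the Cisco policy; the function name audit, the sample output and the image name in it are constructed for illustration.

```python
import re

REQUIRED_IOS = "12.1(5)T"    # the only allowable image (Step 1)
REQUIRED_CONFREG = 0x0101    # required register value (Step 2)
BREAK_DISABLED = 0x0100      # bit 8: console break to ROM monitor disabled
BOOT_FIELD = 0x000F          # bits 0-3: boot field

# Constructed sample output (not captured from a device); image name is a placeholder.
SAMPLE_VERSION = (
    "IOS (tm) 3600 Software (C3640-EXAMPLE-M), Version 12.1(5)T, RELEASE SOFTWARE\n"
    "Configuration register is 0x101 (will be 0x2142 at next reload)\n")
SAMPLE_CONFIG = "hostname r1\nenable password example123\n"

def audit(show_version, running_config):
    """Return deviations from the System Initialization and Configuration steps."""
    findings = []
    m = re.search(r"Version\s+([^\s,]+)", show_version)
    if not m or m.group(1) != REQUIRED_IOS:
        found = m.group(1) if m else "unknown"
        findings.append(f"IOS image is {found}, not {REQUIRED_IOS}")
    # IOS prints the active value and, if it was changed, the value pending reload.
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", show_version)
    if not m:
        findings.append("configuration register not found")
    else:
        for label, raw in (("active", m.group(1)), ("pending", m.group(2))):
            if raw is None or int(raw, 16) == REQUIRED_CONFREG:
                continue                     # 0x101 and 0x0101 are the same value
            value, why = int(raw, 16), []
            if not value & BREAK_DISABLED:
                why.append("console break to ROM monitor enabled")
            if value & BOOT_FIELD != REQUIRED_CONFREG & BOOT_FIELD:
                why.append(f"boot field is {value & BOOT_FIELD:#x}")
            detail = f" ({'; '.join(why)})" if why else ""
            findings.append(f"{label} config-register {raw} != 0x0101{detail}")
    # The stored secret is hashed, so the 8-character minimum cannot be checked here.
    if not re.search(r"^enable secret \S", running_config, re.MULTILINE):
        findings.append("no 'enable secret' configured")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION, SAMPLE_CONFIG):
        print("FAIL:", finding)
```

The pending-reload value is checked as well as the active one, because a register changed after boot does not take effect until the next reload.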