Cisco 3640 Modular Access Router Security Policy
78-13835-01
Step 4
The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and
authentication on the console port is required for Users. From the "configure terminal" command line,
the Crypto Officer enters the following syntax:
line con 0
password [PASSWORD]
login local
Step 5
The Crypto Officer shall only assign users to a privilege level 1 (the default).
Step 6
The Crypto Officer shall not assign a command to any privilege level other than its default.
Step 7
The PCMCIA Flash memory card slot is not configured in FIPS mode. Its use is restricted via tamper
Non-FIPS Approved Algorithms
The following algorithms are not FIPS approved and should be disabled:
· RSA for encryption
· MD-4 and MD-5 for signing
· ah-sha-hmac
· esp-sha-hmac
· HMAC SHA-1
Protocols
The following network services affect the security data items and must not be configured: NTP,
TACACS+, RADIUS, Kerberos.
SNMP v3 over a secure IPSec tunnel may be employed for authenticated, secure SNMP gets and sets.
Since SNMP v2C authenticates only by community string, only gets are allowed under SNMP v2C; no
read-write (RW) community string may be configured.
Remote Access
Auxiliary terminal services must be disabled; only the console line may offer a login. The following
configuration disables the EXEC (login) process on the auxiliary line:
line aux 0
no exec
Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and
the module. The Crypto Officer must configure the module so that any remote connections via Telnet are
secured through IPSec.
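The configuration rules in Steps 4 through 6, the Protocols section and the Remote Access section above are all visible in a saved running-config, so they can be audited mechanically. The following script is an added example written for this page; it is not part of the Cisco security policy and not a Cisco tool. It parses an IOS-style configuration into global commands and per-mode sub-command blocks and reports each deviation from the policy: a console line without a password and "login local", a cleartext password shorter than 8 characters, a user at a privilege level other than 1, a "privilege ... level" command that moves a command off its default level, any NTP/TACACS+/RADIUS/Kerberos service, an SNMP read-write community, and an auxiliary line whose EXEC is still enabled. The two sample configurations embedded in the script are constructed for the example; the hostnames, usernames, passwords and addresses are made up.

```python
import re

# Constructed sample configs for this example (not from the policy document);
# usernames, passwords and addresses are made up.
NONCOMPLIANT_CONFIG = """\
username admin privilege 15 password 0 letmein
privilege exec level 1 show running-config
ntp server 192.0.2.10
snmp-server community public RO
snmp-server community private RW
line con 0
 password 0 cisco
 login local
line aux 0
 exec
"""

COMPLIANT_CONFIG = """\
username operator password 0 operator-pass-2003
snmp-server community public RO
line con 0
 password 0 console-pass-2003
 login local
line aux 0
 no exec
"""

# Network services the policy says must not be configured.
FORBIDDEN_SERVICES = re.compile(r"^(ntp|tacacs-server|radius-server|kerberos)\b")


def parse_blocks(config):
    """Split an IOS config into (global commands, {mode header: [sub-commands]}).
    IOS indents the sub-commands of a mode such as 'line con 0' by one space."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        blocks.setdefault(current, [])
        global_cmds.append(current)
    return global_cmds, blocks


def password_too_short(cmd, where, minimum=8):
    """Finding if CMD sets a cleartext (type 0 or untyped) password under MINIMUM chars.
    Type 5/7 strings are hashes or encodings, not the password, so they are skipped."""
    m = re.search(r"\bpassword(?:\s+(\d))?\s+(\S+)$", cmd)
    if m and m.group(1) in (None, "0") and len(m.group(2)) < minimum:
        return f"{where}: password shorter than {minimum} characters"
    return None


def audit_config(config):
    """Return the list of policy findings; an empty list means the config complies."""
    findings = []
    global_cmds, blocks = parse_blocks(config)

    # Step 4: the console line must authenticate against the local user database.
    con = blocks.get("line con 0", [])
    if not any(c.startswith("password") for c in con):
        findings.append("line con 0: missing 'password'")
    if "login local" not in con:
        findings.append("line con 0: missing 'login local'")

    for cmd in global_cmds:
        f = password_too_short(cmd, " ".join(cmd.split()[:2]))
        if f:
            findings.append(f)
        # Step 5: users stay at privilege level 1 (the default).
        m = re.match(r"username\s+(\S+)\s+privilege\s+(\d+)", cmd)
        if m and m.group(2) != "1":
            findings.append(f"username {m.group(1)}: privilege level {m.group(2)} (must be 1)")
        # Step 6: 'privilege <mode> level N <command>' moves a command off its default level.
        if cmd.startswith("privilege "):
            findings.append(f"{cmd}: command reassigned to a non-default privilege level")
        # Protocols: NTP, TACACS+, RADIUS and Kerberos must not be configured.
        if FORBIDDEN_SERVICES.match(cmd):
            findings.append(f"{cmd}: forbidden service configured")
        # SNMP v2c authenticates only by community string, so read-write is not allowed.
        m = re.match(r"snmp-server community\s+(\S+)\s+RW\b", cmd, re.IGNORECASE)
        if m:
            findings.append(f"snmp-server community {m.group(1)}: read-write access (gets only)")

    # Remote Access: the EXEC on the auxiliary line must be disabled.
    if "no exec" not in blocks.get("line aux 0", []):
        findings.append("line aux 0: missing 'no exec'")

    # Step 4 again, for passwords set under 'line' modes.
    for header, body in blocks.items():
        if header.startswith("line "):
            for sub in body:
                f = password_too_short(sub, header)
                if f:
                    findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in audit_config(NONCOMPLIANT_CONFIG):
        print(finding)
```

Run it against the output of "show running-config" saved to a file. Two policy points are deliberately not checked here: whether Telnet sessions actually arrive through an IPSec tunnel is a property of the crypto map and interface configuration rather than of the vty lines, and the length of a type 5 or type 7 password cannot be judged from its stored form, so only cleartext passwords are measured.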
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.