Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

FIPS 140 - 2 for the Cisco 5921 ESR

730
Views
0
Helpful
5
Comments
fcolumbu
Cisco Employee
‎09-28-2015 03:57 PM
edited on: ‎09-28-2015 ‎03:57 PM

This is a non-proprietary Cryptographic Module Security Policy for the Cisco 5921 ESR

from Cisco Systems, Inc., referred to in this document as the modules, routers, or by their  specific model name. This security policy describes how modules meet the security

requirements of FIPS 140 - 2 and how to run the modules in a FIPS 140 - 2 mode of operation. FIPS 140 - 2 (Federal Information Processing Standards Publication 140 - 2

Security Requirements for Cryptographic Modules) details the U.S. Government requirements for  cryptographic modules. More information about the FIPS 140 -2 standard and validation

program is available on the NIST website at

http://csrc.nist.gov/groups/STM/cmvp/index.html

0 Helpful
Comments
Wray Upchurch
Community Member
‎03-23-2016 07:41 AM
‎03-23-2016 07:41 AM

Glad to see that the 5921 is FIPS validated.  Do you have any instruction on how to implement the Zeroize function both in the IOS and the hardware?

fcolumbu
Cisco Employee
Cisco Employee
‎03-25-2016 11:33 AM
‎03-25-2016 11:33 AM

Hi Wray,

Thank you for your question, I checked with our developers for the context of how the zeroize feature is implemented per FIPS 140. It is as follows:

For the certification purposes, we have tested the Crypto key zeroization for c5921.

This could be done by commands such as "crypto key zeroize".

Regards,

Frank Columbus

Technical Marketing Engineer, Embedded Products

Internet of Things Systems and Software Group

Cisco Systems, Inc.

Wray Upchurch
Community Member
‎03-25-2016 12:43 PM
‎03-25-2016 12:43 PM

Thanks Frank. I thought maybe there was a hardware button that could have been implemented on a serial port. If the government is good with using an IOS command, then that’s good enough for me!

Thanks again.

Wray Upchurch

Manager, Product Management

wray.upchurch@datapath.com<mailto:%20wray.upchurch@datapath.com>

Office: +1 678 597 0423

<http://www.datapath.com/>

2205 Northmont Pkwy, STE 100

Duluth, GA 30096

This email and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains information that is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

fcolumbu
Cisco Employee
Cisco Employee
‎03-25-2016 01:10 PM
‎03-25-2016 01:10 PM

Hi Wray,

Please remember that the 5921 is a software router.

A hardware button on the integrator's custom hardware combined with an application that monitors the button and programmatically logs into the router to issue the "crypto key zeroize" command could be done via a Linux TAP interface.

You could later in your custom app delete the router config file as it is located in the router's home directory, "/opt/cisco/c5921", depending upon how much you want to clear.

Regards,

Frank Columbus

Technical Marketing Engineer, Embedded Products

Internet of Things Systems and Software Group

Cisco Systems, Inc.

Wray Upchurch
Community Member
‎03-25-2016 02:20 PM
‎03-25-2016 02:20 PM

Yep. Fully aware it’s a SW router.

Wray Upchurch

Manager, Product Management

wray.upchurch@datapath.com<mailto:%20wray.upchurch@datapath.com>

Office: +1 678 597 0423

<http://www.datapath.com/>

2205 Northmont Pkwy, STE 100

Duluth, GA 30096

This email and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains information that is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

Latest Contents
NSO System Install webui not openingup
Created by schallagalla on 12-20-2020 12:20 AM
0
0
0
0
Hi, I am trying to do system install NSO 5.2.1.2 on Redhat Server. It was an offline server. so I did installed java and ant rpms manually and installed NSO.  I can do ssh to nso cli, but I can not see ports opening up for webui.  I ha... view more
Unsupported parameters for (cisco.asa.asa_command) module: c...
Created by mervinh16 on 09-24-2020 09:03 AM
0
0
0
0
Hello, I am trying to send a 'show version' command to my Cisco ASA using Ansible, but I am encountering the following errors and I don't know why. The same thing works for my Cisco router though. Below are some details that might be helpful. Ci... view more
JSONRPC run_action method to run live-status command
Created by Raja.Selvaraj on 03-03-2020 12:25 AM
0
0
0
0
Hi, I want to run a jsonrpc command to get the live-status of device hostname. I'm trying the below command but couldn't get succeed. Can any one help me to fix this ? Assume i got logged in and get_trans method ran successfully before exec... view more
How to delete specific node using JNC
Created by ppratikdutta on 09-26-2019 06:27 AM
0
0
0
0
Hi all i am using JNC to manage device . Trying to delete specific node on basis of node value which is key to list . I am trying to use markdelete(Str Path) to delete my node but node able to get correct path for my node with node-name value as getting p... view more
c3560x interface status is inaccurate
Created by jerome.johnson on 07-15-2019 08:11 AM
7
0
7
0
we have a we-c3560x-24p switch with version 12.2 (55) SE5 that was off our network for a few years and we connected it back up to the network but it shows that there are a few devices connected to it but there is only 1 SFP connected in the G1/1.  An... view more
Content for Community-Ad

This widget could not be displayed.