Specifications
© Copyright 2007 Cisco Systems, Inc. Page 10 of 26
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
and algorithms to be used for each IP range or allow plaintext
packets to be sent from a specified IP address.
Bypass Mode
The routers implement an alternating bypass capability, in which some connections may be
cryptographically authenticated and encrypted while others may not. Two independent internal
actions are required in order to transition into each bypass state: First, the bypass state must be
configured by the Crypto Officer using the “match address <ACL-name>” sub-command under the
crypto map which defines what traffic is encrypted. Second, the module must receive a packet
that is destined for an IP that is not configured to receive encrypted data. The configuration table
uses an error detection code to detect integrity failures, and if an integrity error is detected, the
module will enter an error state in which no packets are routed. Therefore, a single error in the
configuration table cannot cause plaintext to be transmitted to an IP address for which it should
be encrypted.
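A small model of the fail-closed bypass decision described above, added here as an illustration and not code from the Cisco security policy or the router firmware; the class names, the ACL prefixes and the use of CRC32 as the error-detection code are assumptions.

```python
import ipaddress
import zlib

# Constructed model: traffic whose destination matches a crypto-map ACL is
# encrypted, other traffic is passed in bypass, and any integrity failure on
# the configuration table puts the module into an error state that routes
# nothing (fail closed), so a corrupted entry can never leak plaintext.

ENCRYPT, BYPASS, DROP = "encrypt", "bypass", "drop"


class ConfigTable:
    """'match address' prefixes guarded by an error-detection code (CRC32 assumed)."""

    def __init__(self, encrypted_prefixes):
        self.entries = list(encrypted_prefixes)   # e.g. ["10.1.0.0/16"]
        self.edc = self._checksum()               # recorded when configured

    def _checksum(self):
        return zlib.crc32("\n".join(self.entries).encode())

    def intact(self):
        return self._checksum() == self.edc


class BypassRouter:
    def __init__(self, table):
        self.table = table
        self.error_state = False

    def route(self, dst_ip):
        # Two independent actions precede any bypass: the Crypto Officer
        # configured the table, and a packet for an unlisted destination
        # arrived. The table is re-verified before the decision is made.
        if self.error_state or not self.table.intact():
            self.error_state = True               # latch: no packets routed
            return DROP
        dst = ipaddress.ip_address(dst_ip)
        if any(dst in ipaddress.ip_network(p) for p in self.table.entries):
            return ENCRYPT
        return BYPASS
```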
2.2.3 Unauthenticated Services
The services available to unauthenticated users are:
• Viewing the status output from the module’s LEDs
• Powering the module on and off using the power switch
• Sending packets in bypass
2.2.4 Strength of Authentication
The security policy stipulates that all user passwords must be 8 alphanumeric characters, so the
password space is 2.8 trillion possible passwords. The possibility of randomly guessing a
password is thus far less than one in one million. To exceed a one in 100,000 probability of a
successful random password guess in one minute, an attacker would have to be capable of 28
million password attempts per minute, which far exceeds the operational capabilities of the
module to support.
When using RSA based authentication, the RSA key pair has a modulus size of 1024 to 2048 bits,
thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an
attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger
than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability
of a successful random key guess in one minute, an attacker would have to be capable of
approximately 1.8x10^21 attempts per minute, which far exceeds the operational capabilities of
the modules to support.
When using preshared key based authentication, the security policy stipulates that all preshared
keys must be 8 alphanumeric characters, so the key space is 2.8 trillion possible combinations.
The possibility of randomly guessing this is thus far less than one in one million. To exceed a
one in 100,000 probability of a successful random guess in one minute, an attacker would have
to be capable of 28 million attempts per minute, which far exceeds the operational capabilities of
the module to support.