21
Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy
OL-8663-01
Cisco 2811 and Cisco 2821 Routers
Self-Tests
In order to prevent any secure data from being released, it is important to test the cryptographic
components of a security module to insure all components are functioning correctly. The router includes
an array of self-tests that are run during startup and periodically during operations. All self-tests are
implemented by the software. An example of self-tests run at power-up is a cryptographic known answer
test (KAT) on each of the FIPS-approved cryptographic algorithms and on the Diffie-Hellman algorithm.
Examples of tests performed at startup are a software integrity test using an EDC, and a set of Statistical
Random Number Generator (RNG) tests. Examples of tests run periodically or conditionally include: a
bypass mode test performed conditionally prior to executing IPSec, and a continuous random number
generator test. If any of the self-tests fail, the router transitions into an error state. In the error state, all
secure data transmission is halted and the router outputs status information indicating the failure.
Examples of the errors that cause the system to transition to an error state:
• IOS image integrity checksum failed
• Microprocessor overheats and burns out
• Known answer test failed
• NVRAM module malfunction.
• Temperature high warning
Self-tests performed by the IOS image
IOS Self Tests:
• POST tests
–
AES Known Answer Test
–
Software/firmware test
–
Power up bypass test
–
RNG Known Answer Test
–
Diffie Hellman test
–
HMAC-SHA-1 Known Answer Test
–
SHA-1 Known Answer Test
–
DES Known Answer Test
–
3DES Known Answer Test
• Conditional tests
–
Conditional bypass test
–
Continuous random number generation test
Self-tests performed by NetGX
NetGX Tests:
• POST tests
–
AES Known Answer Test
–
DES Known Answer Test
To Next Page
Loading...
Need help?
General
Weight and Dimensions
