Cisco Wireless Local Area Network (WLAN) Access System with Integrated Wireless Intrusion Prevention System (wIPS) Security Target Version: 3.1 August 2013 This document provides the basis for an evaluation of a specific Target of Evaluation (TOE). The evaluated solution is the Cisco Unified Wireless Network (WLAN) & Wireless Intrusion Prevention System (wIPS) release 7.0.240.
Table of Contents (excerpt)
TABLE OF CONTENTS 2
LIST OF TABLES 5
1 SECURITY TARGET INTRODUCTION 5
1.1 ST & TOE IDENTIFICATION
6 SECURITY REQUIREMENTS 39
6.1 TOE SECURITY FUNCTIONAL REQUIREMENTS 40
6.1.1 FAU_GEN.1(1) Audit Data Generation 42
6.1.2 FAU_GEN.2 User Identity Association
6.2.6 FAU_STG.3 Action in case of possible audit data loss 58
6.2.7 FAU_SEL.1(2) Selective Audit 58
6.2.8 FDP_RIP.1(2) Subset Residual Information Protection 58
6.2.9 FIA_AFL.1(2) Remote User Authentication failure handling
List of Tables
Table 1 Acronyms, Abbreviations & Definitions 8
Table 2 Terms & Definitions 11
Table 3 Required Number & Versions
Vendor / Developer: Cisco Systems, Inc.
TOE Identification: Cisco Unified Wireless Network (WLAN) & Wireless Intrusion Prevention System (wIPS) release 7.0.240.0
CC Identification: Common Criteria for Information Technology Security Evaluation, version 3.1, Revision 3, July 2009
Common Criteria Conformance Claim: The ST is compliant with the Common Criteria (CC) version 3.1 Revision 3. The ST is EAL4 Augmented with ALC_FLR.2, Part 2 extended, and Part 3 conformant.
2. The Controller, hereafter referred to as the Controller or the WLC (or WiSM when distinction is necessary between the WLC appliances and the Wireless Services Module):
• Cisco 4400 Series Wireless LAN Controllers
• Cisco 5508 Series Wireless LAN Controllers
• The Wireless Integrated Services Module (WiSM) and WiSM2, hereafter both referred to as the WiSM.
3. The WLAN software. The end user downloads from Cisco.com a WLAN Controller image bundle that includes AP images (images of IOS 12.
[CEM] Common Methodology for Information Technology Security Evaluation - Evaluation Methodology, dated July 2009, version 3.1, Revision 3, CCMB-2009-07-004
[WLANPP] US Government Wireless Local Area Network (WLAN) Access System for Basic Robustness Environments, version 1.1, July 25, 2007 (pp_wlan_as_br_v1.1)
EAP: Extensible Authentication Protocol
EAP-TLS: Extensible Authentication Protocol-Transport Layer Security
EAPOL: EAP over LAN
ECC: Error Correction Coding
FSP: Functional Specification
GUI: Graphical User Interface
HLD: High Level Design
HTTPS: Secure Hypertext Transfer Protocol
IDS: Intrusion Detection System
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
ISE: Cisco Identity Services Engine
IT: Information Technology
LAN: Local Area Network
LD
PEAP: Protected Extensible Authentication Protocol
PEAP (EAP-GTC): PEAP (Extensible Authentication Protocol-Generic Token Card)
PEAP (EAP-MSCHAP V2): PEAP (Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2)
PKI: Public Key Infrastructure
PMK: Pairwise Master Keys
PP: Protection Profile
PSK: Pre-shared key
PSPF: Public Secure Protocol Format
RADIUS: Remote Authentication Dial-In User Service
RF: Radio Frequency
RFID: Radio-Frequency Identification
RSSI: Rec
TSP: TOE Security Policy
Wi-Fi: Wireless Fidelity
WIDS: Wireless Intrusion Detection System
wIPS: Wireless Intrusion Prevention System
WiSM: Wireless Services Module
WLAN: Wireless LAN
WLC: Cisco Wireless LAN Controller
WCS: Cisco Wireless Control System
WPA2: Wi-Fi Protected Access 2
The following terms are used in this Security Target:
Table 2 Terms & Definitions
802.1X: The IEEE 802.1X standard provides a framework for many authentication types and the link layer.
EAP-MSCHAP V2: EAP-MS-CHAP-V2 (Microsoft Challenge-Handshake Authentication Protocol version 2) is a mutual authentication method that supports password-based user or computer authentication. EAP-MS-CHAP-V2 is typically used inside a TLS tunnel created by TTLS or PEAP.
EAP-TLS: EAP-TLS (RFC 2716) stands for Extensible Authentication Protocol-Transport Layer Security. It uses the TLS protocol (RFC 2246) authentication handshaking implementation for 802.1x authentication.
MSE, and syslog server) in the environment for analysis and review, and denial of traffic flow and/or containment of rogue access points and clients consistent with applied wIPS policies. The AP performs analysis of wireless traffic in the course of generating wIPS data – the wIPS event log items represent events sent from the wIPS system to the MSE.
Table 3 Required Number & Versions
Component Name | Required Quantity | Model Number and Versions
AP | One or more | Cisco Aironet 1131 AG Series Access Points; Cisco Aironet 1142AGN Series Access Points; Cisco Aironet 1242 AG Series Access Points; Cisco Aironet 1252 AGN Series Access Points; Cisco Aironet 1262 AGN Series Access Points; Cisco Aironet 15
4400 Controller or 5508 Controller or WiSM or WiSM2 | One or more |
6500 Chassis and Supervisor 720 | One or more (with WiSM or WiSM2 only) |
Cisco ACS or ISE | One or more |
Figure 1 depicts a sample TOE configuration, highlighting the physical boundary. The shaded portions define the components in the physical boundary. The un-shaded portions define the components supplied by the IT Environment.
The physical boundary of the APs includes FIPS Kits that cover the physical interfaces of the APs to make them FIPS compliant. The FIPS Kits are part of the physical boundary of the AP. The FIPS Kits for the APs are the Cisco product number AIRLAP-FIPSKIT. The AP TOE components have an RF interface, an Ethernet interface, and a serial console interface. All three of these interfaces are controlled by the software executing on the AP.
Cisco Aironet 1131 AG Series Access Point The Cisco Aironet 1131 AG Series IEEE 802.11a/b/g Access Point is a fixed-configuration dual-band Access Point. The Cisco 1131 AG Series IEEE 802.11a/b/g Access Point provides two radios, each with diversity antennas that provide omni-directional coverage. The TOE's physical boundary includes the listed Cisco Aironet 1131 AG Series Access Points, which are considered hardware components of the TOE. This module is within the TOE boundary.
Cisco Aironet 1252 AG Series Access Point The Cisco Aironet 1252 AG Series IEEE 802.11a/b/g/n Access Point is a fixed-configuration dual-band Access Point. The Cisco 1252 AG Series IEEE 802.11a/b/g/n Access Point provides two radios, each with diversity antennas that provide omni-directional coverage. The TOE's physical boundary includes the listed Cisco Aironet 1252 AG Series Access Points, which are considered hardware components of the TOE. This module is within the TOE boundary.
Cisco Aironet 1520 AG Series Access Point The Cisco Aironet 1520 AG Series IEEE 802.11a/b/g Access Point is a fixed-configuration dual-band Access Point. The Cisco 1520 AG Series IEEE 802.11a/b/g Access Point provides two radios, each with diversity antennas that provide omni-directional coverage. The Cisco Aironet 1520 AG Series is comprised of two models, the Cisco Aironet 1522 and the Cisco Aironet 1524.
Cisco Aironet 3500 AG Series Access Point The Cisco Aironet 3500 AG Series IEEE 802.11a/b/g/n Access Point is a fixed-configuration dual-band Access Point. The Cisco 3500 AG Series IEEE 802.11a/b/g/n Access Point provides two radios, each with diversity antennas that provide omni-directional coverage. The 3500 series is made up of two models, the Cisco Aironet 3502E and the Cisco Aironet 3502I.
succeeds before allowing any other mediate security function dealing with authentication or accounting to proceed. The Controller interfaces with the APs for management communication. The Controller ensures that the management interface functions are invoked and succeed before allowing any further management functions to be carried out between the Controller and the APs. Controllers enforce protection of audit events being logged by transmitting syslog over TLS to the Syslog server.
Table 5 Cisco Wireless LAN Controllers, Hardware Configuration, and Part Numbers
TOE Configuration | Hardware Configuration | Part Numbers
Cisco 4400 Series Wireless LAN Controller | The Cisco 4400 Wireless LAN Controller is a series of wireless LAN controllers that is available in two models: the 4402 Cisco 4400 Series Wireless LAN Controller and the 4404 Cisco 4400 Series Wireless LAN Controller. |
Catalyst 6500 Wireless Integrated Service Module (WiSM) and WiSM2 The WiSM and WiSM2 are functionally the same as the 4400 or 5500 series Controllers. The WiSM and WiSM2 are hardware modules that plug into a Catalyst 6500 switch chassis. Each WiSM blade supports up to 300 Access Points. The Supervisor 720 provides routing and switching to support network connectivity to the management interface of the WiSM and WiSM2.
functionality that enables a human user to configure and manage TOE components. Management functions include configuration of cryptographic keys, encryption settings, audit settings, authentication credentials, and the use of authentication servers. The SFRs covered by this security function are FMT_MOF.1(1), FMT_MOF.1(2), FMT_MOF.1(3), FMT_MSA.2, FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3), FMT_SMF.1(1), FMT_SMF.1(2), FMT_SMF.1(3), FMT_SMR.1(1), FTA_SSL.3 2.4.
external components such as the time server used for Controller clock updates. The APs and Controllers all use FIPS 140-2 validated cryptomodules; see the TSS for details. The SFRs covered by this security function are FCS_BCM_(EXT).1, FCS_CKM.1(1), FCS_CKM.1(2), FCS_CKM.2, FCS_CKM_(EXT).2, FCS_CKM.4, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_COP_(EXT).1 2.4.
which requires integration with MSE and NCS or WCS, but Adaptive wIPS is beyond the logical scope of this evaluation, so is not discussed further in this ST. 2.5 IT Environment Dependencies The following section defines the IT Environment components relied upon by the TOE and not included in the physical boundary and therefore supplied by the IT Environment. The following section details the IT Environment supplied components and the dependencies on them from TOE components. 2.5.
The Controller can be configured to require the APs to use the Controller’s internal database of wireless user accounts, or to use either ACS or ISE to perform RADIUS authentication, authorization, and accounting of wireless clients that connect to the TOE. When RADIUS is used, the Controller is configured into ACS or ISE as a RADIUS client, which enables APs to pass secure wireless user authentication requests through the Controller to an AAA server. IEEE 802.1X (which is part of IEEE 802.
WCS also provides centralized management for the Wireless Intrusion Prevention (wIPS), forwarding wIPS profiles to the MSE for further distribution. The WCS component is required to maintain a WCS administrator role whose purpose is to configure wIPS and monitor and review wIPS records.
EAP-MD5: Not supported / Supported
EAP-TLS: Supported / Not supported
EAP-MSCHAPv2: Supported / Not supported
EAP-GTC: Supported / Not supported
EAP-FAST: Supported / Not supported
WPA2-PSK: Supported / Not supported
HTTPS: Not supported / Supported
(The headings of the two support columns did not survive extraction.)
2.6.1.1 Controller Functionality Excluded from the Logical Boundary Controller TACACS+ authentication and authorization are not included in the Logical Boundary of the TOE.
2.8 TOE Component Communication Methods The evaluated configuration of the TOE consists of several components that work together to provide the TOE functionality described in this ST.
3) FCS_BCM_(EXT).1.2 was deleted to bring the ST in conformance with current cryptography policy as exemplified in the common management requirements PP (draft).
4) FCS_CKM.1.1(2) changed 128 bit symmetric strength to 2048 bit modulus (to match FCS_COP.1(2)).
5) FCS_COP.1(3) was refined to include support for SHA-1 for compatibility with existing protocols (DTLS/TLS, SNMPv3).
6) FDP_PUD_(EXT).
T.WIRELESS_INTRUSION Rogue APs and malicious wireless clients may attempt to subvert the wireless network. P.WIRELESS_LOCATION_POLICY In concordance with the DOD 8100.2 Wireless LAN Policy, the TOE will support location tracking for all 802.11 devices transmitting within the RF environment. O.
4 Security Problem Definition This section identifies the following: Significant assumptions about the TOE’s operational environment. IT related threats to the organization countered by the TOE. Environmental threats requiring controls to provide sufficient protection. Organizational security policies for the TOE as appropriate. This document identifies assumptions as A.assumption with “assumption” specifying a unique name. Threats are identified as T.
4.2 Threats Table 10 lists the threats addressed by the TOE and the IT Environment. The threats are identical to the threats identified in [WLANPP]. For the threats below, attackers are assumed to be of low attack potential.
Table 9 Threats
Threat Name | Threat Definition
T.ACCIDENTAL_ADMIN_ERROR | An administrator may incorrectly install or configure the TOE resulting in ineffective security mechanisms.
T.
T.UNAUTHORIZED_ACCESS | A user may gain access to services (either on the TOE or by sending data through the TOE) for which they are not authorized according to the TOE security policy.
T.UNAUTH_ADMIN_ACCESS | An unauthorized user or process may gain access to an administrative account.
T.WIRELESS_INTRUSION | Rogue APs and malicious wireless clients may attempt to subvert the wireless network.
T.
P.WIRELESS_LOCATION_POLICY In concordance with the DOD 8100.2 Wireless LAN Policy, the TOE will support location tracking for all 802.11 devices transmitting within the RF environment. 5 Security Objectives This section identifies the security objectives of the TOE and the IT Environment. The security objectives identify the responsibilities of the TOE and the TOE’s IT environment in meeting the security needs. Objectives of the TOE are identified as O.objective with objective specifying a unique name.
O.CRYPTOGRAPHY_VALIDATED The TOE will use NIST FIPS 140-2 validated cryptomodules for cryptographic services implementing NIST-approved security functions and random number generation services used by cryptographic functions. O.DISPLAY_BANNER The TOE will display an advisory warning prior to establishing an administrator session regarding use of the TOE prior to permitting the use of any TOE services that requires authentication. O.
5.2 Security Objectives for the Environment The assumptions identified above are incorporated as security objectives for the environment. They levy additional requirements on the environment, which are largely satisfied through procedural or administrative measures. Table 13 identifies the security objectives for the environment.
Table 12 Security Objectives for the Environment
Name | IT Environment Security Objective
OE.
OE.TOE_NO_BYPASS Wireless clients are configured so that information cannot flow between a wireless client and any other wireless client or host networked to the TOE without passing through the TOE. OE.TIME_STAMPS The TOE IT environment shall provide reliable time stamps and the capability for the administrator to set the time used for these time stamps. OE.
6.1 TOE Security Functional Requirements This section identifies the Security Functional Requirements for the TOE. The TOE Security Functional Requirements that appear in Table 13 are described in more detail in the following subsections.
Table 13 TOE Security Functional Requirements
Functional Component
FAU_GEN.1(1) Audit data generation
FAU_GEN.2(1) User identity association
FAU_SEL.1(1) Selective audit
FCS_BCM_(EXT).1 Extended: Baseline Cryptographic Module
FCS_CKM.
FIA_USB.1(1) User-subject binding (Administrator)
FIA_USB.1(2) User-subject binding (Wireless User)
FMT_MOF.1(1) Management of cryptographic security functions behavior
FMT_MOF.1(2) Management of audit security functions behavior
FMT_MOF.1(3) Management of authentication security functions behavior
FMT_MSA.2 Secure security attributes
FMT_MTD.1(1) Management of Audit pre-selection data
FMT_MTD.1(2) Management of Authentication data (Administrator)
FMT_MTD.
6.1.1 FAU_GEN.1(1) Audit Data Generation FAU_GEN.1.1(1) The TSF shall be able to generate an audit record of the following auditable events: a. Start-up and shutdown of the audit functions; b. All auditable events for the minimum level of audit; and c. [additional auditable events shown in column 2 of Table 14].
Table 14 SFR Auditable Events
Requirement | Auditable Events | Additional Audit Record Contents
FAU_GEN.1(1) | None | None
FAU_GEN.2 | None | None
FAU_SEL.
FIA_AFL.1(1) | The reaching of the threshold for the unsuccessful authentication attempts and the actions (e.g., disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g., re-enabling of a terminal) | None
FIA_ATD.1(1),(2) | None | None
FIA_UAU.1 | Use of the authentication mechanism (success or failure) | User identity - the TOE SHALL NOT record invalid passwords in the audit log.
FIA_UAU_(EXT).
FMT_SMF.1(3) | Use of the (crypto key data) management functions | None
FMT_REV.1 | Unsuccessful revocation of security attributes. | None
FMT_SMR.1(1) | Modifications to the group of users that are part of a role | None
FPT_ITT.1 | The detection of modification of TSF data | None
FPT_STM_(EXT).1 | Changes to the time | None
FPT_TST_(EXT).1 | Execution of the self test | Success or Failure of test
FPT_TST.1(1) | Execution of the self test | Success or Failure of test
FPT_TST.
6.1.2 FAU_GEN.2 User Identity Association FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event. Application note: Actions of Management Users and SNMPv3 Users are identified in audit messages by their username though Management Users are human users, and SNMPv3 Users are remote entities such as NCS, WCS, or MSE servers. 6.1.3 FAU_SEL.1(1) FAU_SEL.1.
6.1.7 FCS_CKM.2 Cryptographic Key Distribution FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method Automated (Electronic) Method that meets the following: a) NIST Special Publication 800-57, "Recommendation for Key Management" Section 8.1.5 b) NIST Special Publication 800-56A, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography" 6.1.8 FCS_CKM_(EXT).
functions Digital Signature Algorithm (DSA) with a key size (modulus) of [2048 bits], RSA Digital Signature Algorithm (rDSA) with a key size (modulus) of [2048 bits] that meets NIST Special Publication 800-57, "Recommendation for Key Management." 6.1.12 FCS_COP.1(3) Cryptographic Operation (Hashing) FCS_COP.1.1(3) The TSF shall perform cryptographic hashing services using the FIPS-approved security function Secure Hash Algorithm and message digest size of 160 bits or 256 bits. 6.1.13 FCS_COP.
6.1.17 FIA_AFL.1(1) Administrator Authentication Failure Handling FIA_AFL.1.1(1) The TSF shall defer authentication of remote administrators to a RADIUS server for the IT Environment to detect when an administrator configurable positive integer within the range [1 to 10] of unsuccessful authentication attempts occur related to remote administrators logging on to the WLAN access system. FIA_AFL.1.
mechanism for administrators and wireless LAN users. Application note: Local authentication mechanisms are used for all authentication of SNMPv3 Users, and optionally for authentication of wireless users. Remote authentication is used for all authentication of Management Users connecting to the SSH CLI or the TLS GUI, and optionally for authentication of wireless users. 6.1.22 FIA_UID.2 User Identification Before any Action FIA_UID.2.
• Crypto: load a key
• Crypto: delete/zeroize a key
• Crypto: set a key lifetime
• Crypto: set the cryptographic algorithm
• Crypto: set the TOE to encrypt or not to encrypt wireless transmissions
• Crypto: execute self tests of TOE hardware and the cryptographic functions
to administrators with read-write permission. 6.1.26 FMT_MOF.1(2) FMT_MOF.1.
6.1.31 FMT_MTD.1(3) FMT_MTD.1.1(3) Management of Authentication Data (User) The TSF shall restrict the ability to modify the user authentication credentials to TOE users. 6.1.32 FMT_SMF.1(1) Specification of Management Functions (Cryptographic Function) FMT_SMF.1.1(1) The TSF shall be capable of performing the following security management functions: query and set the encryption/decryption of network packets (via FCS_COP.1(1)) in conformance with the administrator’s configuration of the TOE. 6.1.
of stored TSF executable code through the use of the TSF-provided cryptographic services. 6.1.39 FPT_TST.1(1) TST Testing (for cryptography) FPT_TST.1.1(1) The TSF shall run a suite of self tests in accordance with FIPS PUB 140-2 and Appendix C of the PP during initial start-up (on power on), at the request of the cryptographic administrator (on demand), under various conditions defined in section 4.9.
6.1.43 FTP_ITC_(EXT).1 Extended: Inter-TSF Trusted Channel FTP_ITC_(EXT).1.1 The TOE shall provide an encrypted communication channel between itself and entities in TOE IT Environment that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. FTP_ITC_(EXT).1.2 The TSF shall permit the TSF, or the IT Environment entities to initiate communication via the trusted channel. FTP_ITC_(EXT).
x. Virtual carrier attack
xi. Authentication-failure attack
xii. Deauthentication broadcast attack
xiii. Deauthentication flood attack
xiv. Disassociation broadcast attack
xv. Disassociation flood attack
xvi. EAPOL-logoff attack
xvii. FATA-jack tool detected
xviii. Premature EAP-failure attack
xix. Premature EAP-success attack
b. Security Penetration Attack Detection including:
i. Airsnarf attack
ii. ChopChop Attack
iii. Day-zero attack by WLAN security anomaly
iv.
Application Note This IPS Data Collection SFR (IPS_SDC) is distinct from the wIPS Analysis SFR (IPS_ANL) in that this SFR lists the wireless network events for which the MSE performs data correlation, analysis, and generation of audit records of detected events based on that analysis. Identity of the data source is used for detection of rogue APs and rogue clients, and to allow correlation to an active list of malicious source addresses.
b) Drop traffic that fails integrity checks described in FDP_PUD_(EXT).1; and/or
c) Drop traffic that fails authentication checks; and/or
d) Drop traffic that matches an entry in the active list of malicious source addresses; and/or
e) Launch a de-authentication attack (rogue containment) against one or more rogue APs and associated clients, and generate an audit record of the rogue containment with the following audit message details: a. date and time of the event; b.
FIA_AFL.1(2) | The reaching of the threshold for the unsuccessful authentication attempts and the actions (e.g., disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g., re-enabling of a terminal) | None
FIA_ATD.1(3) | None | None
FIA_UAU_(EXT).5(2) | Failure to receive a response from the remote authentication server | Identification of the Authentication server that did not reply
FIA_UID.1 | None | None
FMT_MTD.1(4) | Changes to the time data | None
FMT_MTD.
6.2.4 FAU_SAR.3 Selectable Audit Review FAU_SAR.3.1 The TOE IT environment shall provide the ability to perform [searches] of audit data based on event type, date, time, and/or [message contents]. 6.2.5 FAU_STG.1 Protected audit trail storage FAU_STG.1.1 The TOE IT environment shall protect the stored audit records from unauthorized deletion. FAU_STG.1.2 The TOE IT environment shall be able to prevent unauthorized modifications to the audit records in the audit trail. 6.2.6 FAU_STG.
6.2.11 FIA_UAU_(EXT).5(2) Remote authentication mechanisms FIA_UAU_(EXT).5.1(2) The TOE IT Environment shall provide a remote authentication mechanism to provide TOE remote user authentication. FIA_UAU_(EXT).5.2(2) The TOE IT Environment shall authenticate any user’s claimed identity according to the [AAA authentication policies defined on the Controller]. 6.2.12 FIA_UID.1 Timing of identification FIA_UID.1.
FTP_ITC_(EXT).1.3(2) The TOE IT environment shall initiate communication via the trusted channel for [all authentication functions, remote logging, time, [remote configuration from WCS/NCS to Controllers]. 6.2.18 FPT_STM.1 Reliable time stamps FPT_STM.1.1 The TOE IT environment shall be able to provide reliable time and date stamps for the TOE and its own use. 6.
ALC_TAT.1 Well-defined development tools
ASE: Security Target evaluation
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
ATE: Tests
ATE_COV.2 Analysis of coverage
ATE_DPT.2 Testing: security enforcing modules
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment
AVA_VAN.
synchronization.
administrators who have individually authenticated to an external entity prior to triggering an SNMPv3 GET or SET command to be sent from the external entity to an SNMPv3 server. Thus, Controller-generated audit records of actions performed on a Controller by an “SNMPv3 User” are actions performed by an external entity (one instance of WCS or NCS). FAU_SEL.1(1) The Controller supports pre-selection of audit generation based on event type, which are the standard syslog severity levels 0 through 7.
FCS_CKM.1(1) FIPS certificate #1448 (APs 1131, 1142, 1242, 1252, 1262, 3502e and 3502i) FIPS certificate #1888 (AP 1552) FIPS certificate #1909 (WiSM2) FIPS certificate #1875 (WiSM) FIPS certificate #1853 (Controllers 4402, and 4404) FIPS certificate #1829 (Controller 5508) The following values are generated by FIPS 140-2 evaluated cryptographic modules.
For non-volatile memories other than EEPROM and Flash, the zeroization shall be executed by overwriting three or more times using a different alternating data pattern each time. FCS_COP.1(1) AES-128 is used within TLS and DTLS ciphersuites (for CAPWAP, HTTPS, EAP-FAST and EAP-TLS), for AES Key Wrap to distribute 802.11i PMKs, and for encryption of 802.11i keys and traffic. The APs perform FIPS 140-2 validated end-to-end AES-CCMP wireless encryption and decryption between a wireless device and the AP.
through the TOE by providing the ability to enable and disable the encryption policy of the TOE. This encryption policy determines whether the APs and Controllers will encrypt and decrypt communications with wireless clients. After a wireless client has successfully authenticated to the TOE the wireless client can communicate with other wireless clients that have successfully authenticated through the TOE and with other wired clients that operate on the wired network controlled by the TOE.
• EAP-FAST without client certificate: username and password
• EAP-FAST with client certificate: client’s device certificate
• EAP-FAST with EAP-GTC: username and PAC (Protected Access Credential)
• EAP-MSCHAPv2 without client certificate: username and password
• EAP-MSCHAPv2 with client certificate: client’s device certificate
• WPA2-PSK: Passphrase (ASCII or Hex)]
Protected access credentials (PACs) are strong shared secrets that enable the Controller and an EAP-FAST client to authenticate ea
authenticated via RADIUS, and SNMPv3 Users authenticated locally) are required to be successfully identified (via the configured authentication mechanisms) prior to the TOE allowing any TSF-mediated actions other than authentication attempts. Any deferring of authentication decisions (for Controller administrators or wireless users) to a RADIUS server does not interfere with the TOE controlling the sequence of identification, authentication, and access events (e.g.
FMT_MOF.1(3) The Controller administrator is able to configure (enable/disable/define/re-define) authentication servers used by the Controller. The Controller does not enforce account lockout for multiple failed login attempts to the local serial console, and requires that all remote administrative sessions (SSH or TLS) are authenticated to the remote authentication server so that the remote authentication server can enforce lockout of accounts after successive failed login attempts.
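To make the FIA_AFL.1 behaviour concrete (an administrator-configurable threshold of 1 to 10 failures, the account being disabled when it is reached, later restoration, and audit records that carry the user identity but never an invalid password, as Table 14 requires), here is an added Python illustration. It is not Cisco code and not the Controller's or the RADIUS server's implementation; the credential store, the user name, the passwords and the audit record layout are all constructed for the example.

```python
"""Illustrative FIA_AFL.1-style authentication-failure handling (not Cisco code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _derive(password, salt):
    # PBKDF2 so the store never holds plaintext passwords (constructed choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_credential(password):
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


# Constructed credential store with one hypothetical administrator account.
CREDENTIALS = {"admin1": make_credential("correct horse battery staple")}


@dataclass
class AuditRecord:
    event: str      # what happened (use of the mechanism, threshold reached, ...)
    user: str       # claimed identity; a password is never stored here
    detail: str = ""


@dataclass
class FailureHandler:
    threshold: int                              # administrator-configurable, 1..10
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # The SFR bounds the configurable value to the range [1 to 10].
        if not 1 <= self.threshold <= 10:
            raise ValueError("threshold must be in the range 1 to 10")

    def authenticate(self, user, password):
        """Return 'success', 'failure' or 'locked'; emit audit records as it goes."""
        if user in self.locked:
            self.audit.append(AuditRecord("authentication attempt on disabled account", user))
            return "locked"
        cred = CREDENTIALS.get(user)
        ok = cred is not None and hmac.compare_digest(_derive(password, cred[0]), cred[1])
        # Audit the use of the mechanism with outcome and identity only (no password).
        self.audit.append(AuditRecord("use of authentication mechanism", user,
                                      "success" if ok else "failure"))
        if ok:
            self.failures.pop(user, None)   # a success resets the counter
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)           # the action taken: disable the account
            self.audit.append(AuditRecord("failure threshold reached", user,
                                          f"account disabled after {self.threshold} failures"))
        return "failure"

    def restore(self, user):
        """Administrator action: restore the account to its normal state (audited)."""
        self.locked.discard(user)
        self.failures.pop(user, None)
        self.audit.append(AuditRecord("account re-enabled", user))


def audit_mentions(handler, text):
    """True if any audit record carries the given text in any field."""
    return any(text in r.event or text in r.detail or text in r.user for r in handler.audit)
```

The check a reviewer would make against this design is the last function: feed a handful of wrong passwords through `authenticate` and confirm none of them is findable anywhere in the audit trail, while the threshold event and the restoration event are.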
FMT_SMF.1(1) See FMT_MOF.1(1) FMT_SMF.1(2) See FMT_MOF.1(2) FMT_SMF.1(3) See FMT_MOF.1(1) FMT_SMR.1(1) Once the TOE is operational (after APs have been configured to be managed by a Controller), there is only one administrative role in the TOE, which is the administrator. The Controller Administrator is responsible for management and configuration of the Controller and AP TOE components.
configuration or in the TOEs evaluated configuration and is covered with a tamper evident label once the FIPS Kit is installed. Related TOE IT Environment SFRs: FMT_SMR.1(2): There are two administrator roles maintained by the TOE IT Environment in the evaluated configuration, the ACS/ISE Administrator, and the Syslog Administrator.
FPT_STM_(EXT).1 The Controllers each maintain their own hardware clock, which is settable by the Controller administrator. The Controller may be configured to receive automated clock updates via an encrypted and authenticated connection from WCS/NCS. The Controller ensures that each of its managed APs maintains synchronized time with the Controller. Related TOE IT Environment SFRs: FPT_STM.
The 802.1x protocol allows for different authentication methods. The different authentication methods are provided through the use of the Extensible Authentication Protocol (EAP). There are a variety of EAP variants. The authentication methods, and therefore the EAP variants, used by this TOE for authentication are EAP-TLS, EAP-MSCHAPv2, EAP-GTC, and EAP-FAST. The TOE uses a supplicant, authenticator, and authentication server model to perform authentication for wireless users.
IPS_SDC_(EXT).1 The AP analyzes wireless network traffic, performing signature matching checks, data integrity checks, and measuring signal strength to generate wIPS audit records and alerts, and to support location tracking of wireless devices.
IPS_ANL_(EXT).1 The Controller has a Wireless Intrusion Prevention System (wIPS) capability that generates audit records based on wireless networking traffic matching a set of predefined signature rules.
running NetStumbler when a GPS is attached).
IPS_RCT_(EXT).1 The AP component enforces policies received via the WLC component from components external to the TOE including MSE (for signatures) and optionally IDS systems (for lists of malicious source IPs).
7.2 Assurance Measures
The TOE satisfies CC EAL4 assurance requirements augmented with ALC_FLR.2.
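The behaviour described by IPS_SDC_(EXT).1, IPS_ANL_(EXT).1 and IPS_RCT_(EXT).1 (the AP collects frames and their signal strength, traffic matching a predefined signature rule produces a wIPS audit record, and a list of malicious source addresses received from an external IDS via the WLC is enforced) can be illustrated with a small analyzer. The following is an added example written for this page, not Cisco's wIPS code: the frame records, the two rate-based signatures, their threshold values and the blocked address are all constructed, and the product's real signature format is not shown here.

```python
"""Toy wIPS analyzer: rate-based signature matching over 802.11 management
frames plus enforcement of an externally supplied malicious-source list.
Added example, not the TOE's code; all inputs below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float                 # capture time in seconds (constructed)
    subtype: str              # e.g. "deauth", "probe_req", "beacon", "data"
    src: str                  # transmitter MAC address
    bssid: str
    rssi: int                 # measured signal strength in dBm
    src_ip: Optional[str] = None   # only set for data frames carrying IP


@dataclass(frozen=True)
class Signature:
    name: str
    subtype: str
    threshold: int            # frames from one transmitter ...
    window: float             # ... within this many seconds


@dataclass(frozen=True)
class AuditRecord:
    ts: float
    rule: str
    src: str
    detail: str


# Constructed signature set; real wIPS signatures are loaded from the MSE.
SIGNATURES = [
    Signature("deauth-flood", "deauth", threshold=10, window=2.0),
    Signature("probe-flood", "probe_req", threshold=20, window=5.0),
]
# Constructed list; in the TOE this would arrive from an external IDS via the WLC.
BLOCKED_IPS = {"203.0.113.7"}


class WipsAnalyzer:
    def __init__(self, signatures: Iterable[Signature], blocked_ips: Iterable[str]):
        self.signatures = list(signatures)
        self.blocked_ips = set(blocked_ips)
        # sliding window of hit timestamps, keyed by (signature, transmitter)
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.records: List[AuditRecord] = []

    def process(self, frame: Frame) -> List[AuditRecord]:
        """Analyze one frame; return the audit records it produced (if any)."""
        new: List[AuditRecord] = []
        if frame.src_ip in self.blocked_ips:
            new.append(AuditRecord(frame.ts, "blocked-source-ip", frame.src,
                                   f"traffic from listed source {frame.src_ip} dropped"))
        for sig in self.signatures:
            if sig.subtype != frame.subtype:
                continue
            q = self._hits[(sig.name, frame.src)]
            q.append(frame.ts)
            while q and frame.ts - q[0] > sig.window:   # expire old hits
                q.popleft()
            if len(q) >= sig.threshold:
                new.append(AuditRecord(frame.ts, sig.name, frame.src,
                                       f"{len(q)} {sig.subtype} frames in {sig.window}s "
                                       f"(rssi {frame.rssi} dBm)"))
                q.clear()   # one record per burst, not one per frame
        self.records.extend(new)
        return new


def demo() -> List[AuditRecord]:
    """Constructed capture: a deauth burst, a normal beacon, a listed source."""
    az = WipsAnalyzer(SIGNATURES, BLOCKED_IPS)
    frames = [Frame(0.1 * i, "deauth", "02:00:00:00:00:aa", "02:00:00:00:00:01", -60)
              for i in range(12)]
    frames.append(Frame(5.0, "beacon", "02:00:00:00:00:01", "02:00:00:00:00:01", -40))
    frames.append(Frame(6.0, "data", "02:00:00:00:00:bb", "02:00:00:00:00:01", -55,
                        src_ip="203.0.113.7"))
    for f in frames:
        az.process(f)
    return az.records


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The window is tracked per signature and per transmitter, so ten deauthentication frames spread over five seconds produce nothing while ten within two seconds produce exactly one record; the RSSI carried in each record is the value an MSE-style location function would consume.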
ALC_DEL.1 Cisco documents the delivery procedure for the TOE, including the procedure for downloading certain components of the TOE from the Cisco website and how certain components of the TOE are physically delivered to the user. The delivery procedure details how the end user may determine that they have the TOE and that the integrity of the TOE has been maintained. Further, the delivery documentation describes how to acquire the proper license keys to use the TOE components. ALC_DVS.
specified in the WLAN PP, and results in a statement of security objectives that is more restrictive than the statement of security objectives in the WLAN PP. T.ACCIDENTAL_ADMIN_ERROR X X X X X X X T.POOR_TEST X X X X X X T.POOR_IMPLEMENTATION X X X X X X T.RESIDUAL_DATA X T.TSF_COMPROMISE X X X X X X X T.UNATTENDED_SESSION X T.UNAUTHORIZED_ACCESS X X X X X X X X X X X X T.WIRELESS_INTRUSION X T.CLIENT_INSECURE X P.ACCESS_BANNER P.ACCOUNTABILITY P.
OE.CLIENT_PROTECT OE.TOE_NO_BYPASS OE.TOE_ACCESS OE.TIME_STAMPS OE.SELF_PROTECTION OE.RESIDUAL_INFORMATION OE.PROTECT_MGMT_COMMS OE.PHYSICAL OE.NO_GENERAL_PURPOSE OE.NO_EVIL OE.MANAGE OE.AUDIT_REVIEW OE.AUDIT_PROTECTION O.VULNERABILITY_ANALYSIS O.TOE_ACCESS O.TIME_STAMPS O.SELF_PROTECTION O.RESIDUAL_INFORMATION O.PARTIAL_FUNCTIONAL_TESTING O.MEDIATE O.MANAGE O.WIPS_FUNCTIONS O.DOCUMENTED_DESIGN O.DISPLAY_BANNER O.CRYPTOGRAPHY_VALIDATED O.CRYPTOGRAPHY O.CORRECT_TSF_OPERATION O.
T.MASQUERADE O.TOE_ACCESS mitigates this threat by controlling the logical access to the TOE and its resources. By constraining how and when authorized users can access the TOE, and by mandating the type and strength of the authentication mechanism, this objective helps mitigate the possibility of a user attempting to log in and masquerade as an authorized user.
satisfies the security functional requirements. In order to ensure the TOE's design is correctly realized in its implementation, the appropriate level of functional testing of the TOE's security mechanisms must be performed during the evaluation of the TOE. T.RESIDUAL_DATA O.RESIDUAL_INFORMATION; OE.
T.UNAUTHORIZED_ACCESS O.MEDIATE works to mitigate this threat by ensuring that all network packets that flow through the TOE are subject to the information flow policies. O.TOE_ACCESS and OE.TOE_ACCESS The TOE requires authentication prior to gaining access to certain services on or mediated by the TOE. O.SELF_PROTECTION and OE.SELF_PROTECTION The TSF and its environment must ensure that all configured enforcement functions (authentication, access control rules, etc.
P.ACCOUNTABILITY O.AUDIT_GENERATION addresses this policy by providing the administrator with the capability of configuring the audit mechanism to record the actions of a specific user, or review the audit trail based on the identity of the user. Additionally, the administrator’s ID is recorded when any security relevant change is made to the TOE (e.g., access rule modification, start/stop of the audit mechanism, establishment of a trusted channel, etc.). OE.
P.ENCRYPTED_CHANNEL O.CRYPTOGRAPHY and O.CRYPTOGRAPHY_VALIDATED satisfy this policy by requiring the TOE to implement NIST FIPS validated cryptographic services. These services provide confidentiality and integrity protection of user data while in transit for wireless clients that are authorized to join the network. O.MEDIATE allows the TOE administrator to set a policy to encrypt all wireless traffic. OE.
FAU_GEN.1(1) X FAU_GEN.2 X FAU_SEL.1(1) X FCS_BCM_(EXT).1 X X FCS_CKM.1(1),(2) X X FCS_CKM.2 X X FCS_CKM_(EXT).2 X X X FCS_CKM.4 X X X FCS_COP.1(1),(2),(3),(4) X X FCS_COP_(EXT).1 X X FDP_PUD_(EXT).1 X FDP_RIP.1(1) X FIA_AFL.1(1) X FIA_ATD.1(1),(2) X FIA_UAU.1 X X FIA_UAU_(EXT).5(1) X X FIA_UID.2 X X FIA_USB.1(1),(2) X FMT_MOF.1(1),(2),(3) X FMT_MSA.2 X FMT_MTD.1(1),(2),(3) X FMT_SMF.1(1),(2),(3) X FMT_SMR.1(1) X FPT_ITT.1 O.
FPT_STM_(EXT).1 ALC_DEL.1 ALC_FLR.2 AVA_VAN.3 X FTP_ITC_(EXT).1 AGD_OPE.1 X AGD_PRE.1 X X FPT_TST_(EXT).1 X FPT_TST.1(1),(2) X FTA_SSL.3 X FTA_TAB.1 X X X FTP_TRP.1 X IPS_SDC_(EXT).1 X IPS_ANL_(EXT).1 X IPS_RCT_(EXT).1 X ADV_ARC.1 X ADV_FSP.4 X ADV_TDS.3 X ALC_CMC.4 X ALC_CMS.4 X X X ATE_COV.2 X ATE_DPT.2 X ATE_FUN.1 X ATE_IND.2 X X O.VULNERABILITY_ANALYSIS O.TOE_ACCESS O.TIME_STAMPS O.SELF_PROTECTION O.RESIDUAL_INFORMATION O.PARTIAL_FUNCTIONAL_TESTING O.MEDIATE O.
Table 22 TOE Security Functional Requirement to TOE Security Objectives Rationale
Security Objective (TOE): O.ADMIN_GUIDANCE
Security Functional Requirement Rationale: ALC_DEL.1 ensures that the administrator has the ability to begin their TOE installation with a clean (e.g., malicious code has not been inserted once it has left the developer's control) version of the TOE, which is necessary for secure management of the TOE. The AGD_PRE.
O.AUDIT_GENERATION FAU_GEN.1(1) defines the set of events that the TOE must be capable of recording. This requirement ensures that the administrator has the ability to audit any security relevant event that takes place in the TOE. This requirement also defines the information that must be contained in the audit record for each auditable event.
O.CRYPTOGRAPHY Baseline cryptographic services are provided in the TOE by FIPS PUB 140-2 compliant modules implemented in hardware, in software, or in hardware/software combinations [FCS_BCM_(EXT).1]. The cryptographic services offered by this baseline capability are augmented and customized in the TOE to support robustness environments. These TOE services are based primarily upon functional security requirements in the areas of key management and cryptographic operations.
O.MANAGE The FMT requirements are used to satisfy this management objective, as well as other objectives that specify the control of functionality. The rationale for this objective focuses on the administrator's capability to perform management functions in order to control the behavior of security functions. FMT_MOF.1(1), (2) and (3) ensure that the administrator has the ability to manage the cryptographic, audit, and authentication functions. FMT_MSA.
O.RESIDUAL_INFORMATION FDP_RIP.1(1) is used to ensure the contents of resources are not available once the resource is reallocated. For this TOE it is critical that the memory used to build network packets is either cleared or that some buffer management scheme be employed to prevent the contents of a packet being disclosed in a subsequent packet (e.g., if padding is used in the construction of a packet, it must not contain another user's data or TSF data). FCS_CKM_(EXT).
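The buffer-reuse hazard that O.RESIDUAL_INFORMATION and FDP_RIP.1(1) guard against, a short packet whose padding carries bytes left behind by an earlier packet, is shown below next to the cleared variant. This is an added example, not the TOE's code; the header size, the minimum frame length and the scratch buffer are constructed values chosen only to make the leak visible.

```python
"""Residual-information demo: a packet builder that reuses a scratch buffer
leaks an earlier payload into padding unless the padding is cleared.
Added example, not the TOE's code; frame layout and sizes are constructed."""

HEADER_LEN = 14     # constructed link-layer header length
MIN_FRAME = 60      # constructed minimum frame length; shorter bodies are padded
SCRATCH_LEN = 1500  # constructed reusable scratch buffer size


class LeakyBuilder:
    """'Before': writes only header + payload into the reused buffer. Bytes
    between the end of the body and MIN_FRAME are whatever the previous packet
    left there, so a short packet carries another user's data as padding."""

    def __init__(self) -> None:
        self._buf = bytearray(SCRATCH_LEN)

    def build(self, header: bytes, payload: bytes) -> bytes:
        body = header + payload
        self._buf[:len(body)] = body
        return bytes(self._buf[:max(len(body), MIN_FRAME)])


class ClearedBuilder(LeakyBuilder):
    """'After': zero-fills the padding region before the frame is emitted."""

    def build(self, header: bytes, payload: bytes) -> bytes:
        body = header + payload
        self._buf[:len(body)] = body
        pad = max(0, MIN_FRAME - len(body))
        self._buf[len(body):len(body) + pad] = bytes(pad)   # clear residual bytes
        return bytes(self._buf[:max(len(body), MIN_FRAME)])


def padding_of(frame: bytes, body_len: int) -> bytes:
    """Return the padding appended after the body of a frame."""
    return frame[body_len:]


def leaks_previous_data(builder: LeakyBuilder) -> bool:
    """Build a long packet for user A, then a short one for user B, and report
    whether B's padding still contains A's payload."""
    header = b"\x00" * HEADER_LEN
    builder.build(header, b"SECRET-USER-A-DATA" * 5)   # 14 + 90 bytes, no padding
    short_payload = b"hi"
    frame = builder.build(header, short_payload)        # 16-byte body, padded to 60
    return b"SECRET" in padding_of(frame, HEADER_LEN + len(short_payload))


if __name__ == "__main__":
    print("leaky builder leaks:  ", leaks_previous_data(LeakyBuilder()))
    print("cleared builder leaks:", leaks_previous_data(ClearedBuilder()))
```

The same check applies to any buffer that is handed to a new packet without being scrubbed; the padding here is the simplest place the residue becomes observable on the wire.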
O.TOE_ACCESS FIA_UID.2 plays a small role in satisfying this objective by ensuring that every user is identified before the TOE performs any mediated functions. In most cases, the identification cannot be authenticated (e.g., a user attempting to send a data packet through the TOE that does not require authentication).
O.WIPS_FUNCTIONS IPS_SDC_(EXT).1 defines the types of traffic that the AP will be able to collect. IPS_ANL_(EXT).1 defines the set of events that the TOE must be capable of recording. This requirement ensures that the administrator has the ability to audit wIPS security relevant events, matched by signature, that take place in the targeted IT System resources. This requirement also defines the information that must be contained in the wIPS audit record for each auditable event.
FCS_CKM.2: Hierarchical to: No other components. Dependencies: [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4. Satisfied by FCS_CKM.1(1), FCS_CKM.4.
FCS_CKM_(EXT).2: Hierarchical to: N/A. Dependencies: [FDP_ITC.1 or FCS_CKM.1]. Satisfied by FCS_CKM.1(1).
FCS_CKM.4: Hierarchical to: No other components. Dependencies: [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1]. Satisfied by FCS_CKM.1(1), FCS_CKM.1(2).
FCS_COP.1(1): Hierarchical to: N/A. Dependencies: [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4. Satisfied by FCS_CKM.1(1), FCS_CKM.4.
FCS_COP.1(2): Hierarchical to: N/A. Dependencies: [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4. Satisfied by FCS_CKM.
FIA_UAU.1: Hierarchical to: No other components. Dependencies: FIA_UID.1. Satisfied by FIA_UID.2.
FIA_UAU_(EXT).5(1): Hierarchical to: No other components. Dependencies: None. N/A.
FIA_UID.2: Hierarchical to: FIA_UID.1. Dependencies: None. N/A.
FIA_USB.1(1): Hierarchical to: No other components. Dependencies: FIA_ATD.1. Satisfied by FIA_ATD.1(1).
FIA_USB.1(2): Hierarchical to: No other components. Dependencies: FIA_ATD.1. Satisfied by FIA_ATD.1(2).
FMT_MOF.1(1): Hierarchical to: No other components. Dependencies: FMT_SMF.1, FMT_SMR.1. Satisfied by FMT_SMF.1(1), FMT_SMR.1(1).
FMT_MOF.1(2): Hierarchical to: No other components. Dependencies: FMT_SMF.1, FMT_SMR.1. Satisfied by FMT_SMF.1(2), FMT_SMR.1(1).
FMT_MOF.
FMT_SMF.1(3): Hierarchical to: No other components. Dependencies: None. N/A.
FMT_SMR.1(1): Hierarchical to: No other components. Dependencies: FIA_UID.1. Satisfied by FIA_UID.2.
FPT_ITT.1: Hierarchical to: No other components. Dependencies: None. N/A.
FPT_STM_(EXT).1: Hierarchical to: N/A. Dependencies: None. N/A.
FPT_TST_(EXT).1: Hierarchical to: N/A. Dependencies: None. N/A.
FPT_TST.1(1): Hierarchical to: N/A. Dependencies: None. N/A.
FPT_TST.1(2): Hierarchical to: N/A. Dependencies: None. N/A.
FTA_SSL.3: Hierarchical to: No other components. Dependencies: None. N/A.
FTA_TAB.1: Hierarchical to: No other components. Dependencies: None. N/A.
FTP_ITC_(EXT).1: Hierarchical to: N/A. Dependencies: None. N/A.
FTP_TRP.1: Hierarchical to: No other components. Dependencies: None. N/A.
IPS_SDC_(EXT).1: Hierarchical to: N/A. Dependencies: FPT_STM.1. Satisfied FPT_STM.
FMT_MTD.1(2) FMT_SMR.1 FMT_SMF.1 This ST is based on the PP which was validated as acceptable without the inclusion of this dependency.
FMT_MTD.1(2) FMT_SMR.1 FMT_SMF.1 This ST is based on the PP which was validated as acceptable without the inclusion of this dependency.
8.4 Rationale for Extended Requirements and Extended Components Definition
Table 25 presents the rationale for the inclusion of the explicit requirements found in this ST.
mechanism necessary to obtain and enforce an authentication decision from the IT environment. FPT_STM_(EXT).1 Reliable time stamps This requirement was explicitly generated because it requires the TSF to be able to 'obtain' a reliable time stamp, whereas the CC requirement requires the TOE itself to supply the time stamp; the two requirements therefore do not require the same functionality. FPT_TST_(EXT).
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems