Cisco Aggregation Services Router (ASR) 901 Series Security Target Version 1.
Table of Contents
1 SECURITY TARGET INTRODUCTION
1.1 ST AND TOE REFERENCE
1.2 TOE OVERVIEW
1.2.
5.2.1 Trusted Path/Channels (FTP)
5.3 TOE SFR DEPENDENCIES RATIONALE FOR SFRS FOUND IN NDPP
5.4 SECURITY ASSURANCE REQUIREMENTS
5.4.1 SAR Requirements
List of Tables
TABLE 1: ACRONYMS
TABLE 2 TERMINOLOGY
TABLE 3: ST AND TOE IDENTIFICATION
List of Acronyms
The following acronyms and abbreviations are common and may be used in this Security Target:
Table 1: Acronyms
Acronyms/Abbreviations AAA AES BGP Bridge Domain BSC BTS CC CE CEM CLI CM DH DHCP EAL EFP ENI EtherChannel EVC FIPS GE HA HMAC HTTPS IS-IS IT LAN MEF MSC NDPP NNI NTP OS OSPF
Definition Administration, Authorization, and Accounting Advanced Encryption Standard Border Gateway Protocol.
Acronyms/Abbreviations Definition autonomous system). A link-state routing protocol which calculates the shortest path to each node. Protection Profile Radio Access Network Small-form-factor pluggable port Secure Hash Standard Secure Shell (version 2) Security Target Transport Control Protocol Time-division multiplexing.
DOCUMENT INTRODUCTION
Prepared By: Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA 95134
This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Aggregation Services Router (ASR) 901 Series.
1 SECURITY TARGET INTRODUCTION
The Security Target contains the following sections:
o Security Target Introduction [Section 1]
o Conformance Claims [Section 2]
o Security Problem Definition [Section 3]
o Security Objectives [Section 4]
o IT Security Requirements [Section 5]
o TOE Summary Specification [Section 6]
o Rationale [Section 7]
The structure and content of this ST comply with the requirements specified in the Common Criteria (C
The TOE consists of any one of a number of hardware models as listed above in Table 3: ST and TOE Identification, each running the same version of IOS software. The ASR 901 Series chassis provides power, cooling, and backplane for the Ethernet interfaces and Small Form-Factor Pluggable (SFP) and enhanced SFP (SFP+) optics modules, as defined in Table 3 in Section 1.1.
1.3 TOE DESCRIPTION
This section provides an overview of the Cisco Aggregation Services Router (ASR) 901 Series Target of Evaluation (TOE). This section also defines the TOE components included in the evaluated configuration of the TOE.
[Figure 1: TOE Example Deployment. Diagram labels: TOE Boundary; Network 1; VPN Peer; Management Workstation; ASR 901 Series Routers; NTP Server; Network 3; Network 2; AAA Server; VPN Peer; Syslog Server]
The previous figure includes the following:
Examples of TOE Models (models listed in order of diagram)
o Cisco ASR 901-12C-FT-D and ASR 901-4C-FT-D Routers
o Cisco ASR 901-12C-F-D and ASR 901-4C-F-D Routers
o Cisco ASR 901-6CZ-FT-D Router
o Ci
NOTE: While the previous figure includes the available TOE devices and several non-TOE IT environment devices, the TOE is only the ASR 901 device with the Cisco IOS software. Only one TOE device is required in an evaluated configuration.
1.5 Physical Scope of the TOE
The TOE is a hardware and software solution that makes up the router models shown in the figures below.
The network on which the TOE resides is considered part of the environment. The software is pre-installed and is comprised of the Cisco IOS software image Release IOS 15.5(1)S1. In addition, the software image is also downloadable from the Cisco web site. A login id and password are required to download the software image.
Power supplies: 2 power supplies (DC only); module redundancy: 1:1; 1 power supply (AC only)
Software: Cisco IOS 15.5(1)S1
1.6 Logical Scope of the TOE
The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.
1. 2. 3. 4. 5. 6. 7. 8.
additional information of the event and its success and/or failure. The TOE does not have an interface to modify audit records, though there is an interface available for the authorized administrator to clear audit data stored locally on the TOE.
1.6.2 Cryptographic support
The TOE provides cryptography in support of other Cisco Aggregation Services Router (ASR) 901 Series security functionality.
Table 7 TOE Provided Cryptography
Cryptographic Method | Use within the TOE
Internet Key Exchange | Used to establish initial IPsec session.
Secure Shell Establishment | Used to establish initial SSH session.
RSA/DSA Signature Services | Used in IPsec session establishment. Used in SSH session establishment.
SP 800-90 RBG | Used in IPsec session establishment. Used in SSH session establishment.
1.6.3 Security Management
The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure SSHv2 session or via a local console connection.
1.6.5 TOE Access
The TOE can terminate inactive sessions after an Authorized Administrator configurable time period. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session. The TOE can also display an Authorized Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.
1.6.
2 CONFORMANCE CLAIMS
2.1 Common Criteria Conformance Claim
The TOE and ST are compliant with the Common Criteria (CC) Version 3.1, Revision 4, dated: September 2012. For a listing of Assurance Requirements claimed see section 5.4. The TOE and ST are CC Part 2 extended and CC Part 3 conformant.
2.
2.3.3 Statement of Security Requirements Consistency
The Security Functional Requirements included in the Security Target represent the Security Functional Requirements specified in the NDPPv1.1, for which conformance is claimed verbatim. All concepts covered in the Protection Profile’s Statement of Security Requirements are included in this Security Target.
3 SECURITY PROBLEM DEFINITION
This chapter identifies the following:
o Significant assumptions about the TOE’s operational environment.
o IT related threats to the organization countered by the TOE.
o Environmental threats requiring controls to provide sufficient protection.
o Organizational security policies for the TOE as appropriate.
This document identifies assumptions as A.assumption with “assumption” specifying a unique name.
Threat | Threat Definition
T.UNAUTHORIZED_ACCESS | A user may gain unauthorized access to the TOE data and TOE executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to data or TOE resources. A malicious user, process, or external IT entity may misrepresent itself as the TOE to obtain identification and authentication data.
T.
4 SECURITY OBJECTIVES
This Chapter identifies the security objectives of the TOE and the IT Environment. The security objectives identify the responsibilities of the TOE and the TOE’s IT environment in meeting the security needs. This document identifies objectives of the TOE as O.objective with objective specifying a unique name. Objectives that apply to the IT environment are designated as OE.
4.2 Security Objectives for the Environment
All of the assumptions stated in section 3.1 are considered to be security objectives for the environment. The following are the Protection Profile non-IT security objectives, which, in addition to those assumptions, are to be satisfied without imposing technical requirements on the TOE. That is, they will not require the implementation of functions in the TOE hardware and/or software.
5 SECURITY REQUIREMENTS
This section identifies the Security Functional Requirements for the TOE. The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, dated: September 2012 and all international interpretations.
5.
Class Name | Component Identification | Component Name
 | FCS_RBG_EXT.1 | Extended: Cryptographic Operation (Random Bit Generation)
 | FCS_SSH_EXT.1 | Explicit: SSH
FDP: User data protection | FDP_RIP.2 | Full Residual Information Protection
FIA: Identification and authentication | FIA_PMG_EXT.1 | Password Management
 | FIA_PSK_EXT.1 | Extended: Pre-Shared Key Composition
 | FIA_UIA_EXT.1 | User Identification and Authentication
 | FIA_UAU_EXT.
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [information specified in column three of Table 16].
SFR | Auditable Event | Additional Audit Record Contents
FPT_STM.1 | Changes to the time. | The old and new values for the time. Origin of the attempt (e.g., IP address).
FPT_TUD_EXT.1 | Initiation of update. | No additional information.
FPT_TST_EXT.1 | None. | None.
FTA_SSL_EXT.1 | Any attempts at unlocking of an interactive session. | No additional information.
FTA_SSL.3 | The termination of a remote session by the session locking mechanism.
112 bits.
5.2.2.2 FCS_CKM_EXT.4 Cryptographic Key Zeroization
FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys and CSPs when no longer required.
5.2.2.3 FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption)
FCS_COP.1.
FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches anything that is otherwise unmatched, and discards it.
FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using [the cryptographic algorithms AES-CBC-128 (as specified by RFC 3602) together with a Secure Hash Algorithm (SHA)-based HMAC, AES-CBC-256 (as specified by RFC 3602)].
FCS_IPSEC_EXT.1.
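The SPD rule in FCS_IPSEC_EXT.1.3, as an added example (not code from this ST or from Cisco IOS): an ordered first-match lookup plus a check that the table ends in a catch-all discard entry. The entry layout, sample addresses and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Actions an SPD entry can select. */
typedef enum { SPD_PROTECT, SPD_BYPASS, SPD_DISCARD } spd_action;

/* One selector (hypothetical layout): host-order IPv4 addresses,
 * a mask of 0 matches any address, proto 0 matches any protocol. */
typedef struct {
    uint32_t src, src_mask;
    uint32_t dst, dst_mask;
    uint8_t  proto;
    spd_action action;
} spd_entry;

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample policy; the last row is the nominal final entry. */
static const spd_entry sample_spd[] = {
    /* UDP from the router to the syslog collector is sent through ESP */
    { IP4(10,0,0,1), 0xFFFFFFFFu, IP4(10,0,9,5), 0xFFFFFFFFu, 17, SPD_PROTECT },
    /* OSPF hellos on the local /24 are sent in the clear */
    { IP4(10,0,0,0), 0xFFFFFF00u, IP4(224,0,0,5), 0xFFFFFFFFu, 89, SPD_BYPASS },
    /* anything otherwise unmatched is discarded */
    { 0, 0, 0, 0, 0, SPD_DISCARD },
};
#define SAMPLE_SPD_LEN (sizeof sample_spd / sizeof sample_spd[0])

static int entry_matches(const spd_entry *e, uint32_t src, uint32_t dst, uint8_t proto)
{
    return (src & e->src_mask) == (e->src & e->src_mask) &&
           (dst & e->dst_mask) == (e->dst & e->dst_mask) &&
           (e->proto == 0 || e->proto == proto);
}

/* Configuration check: 1 only if the last entry matches everything and discards. */
int spd_has_final_discard(const spd_entry *spd, size_t n)
{
    if (n == 0) return 0;
    const spd_entry *last = &spd[n - 1];
    return last->src_mask == 0 && last->dst_mask == 0 &&
           last->proto == 0 && last->action == SPD_DISCARD;
}

/* First match wins; a table missing its final entry still fails closed. */
spd_action spd_lookup(const spd_entry *spd, size_t n,
                      uint32_t src, uint32_t dst, uint8_t proto)
{
    for (size_t i = 0; i < n; i++)
        if (entry_matches(&spd[i], src, dst, proto))
            return spd[i].action;
    return SPD_DISCARD;
}

int main(void)
{
    printf("final discard: %d\n", spd_has_final_discard(sample_spd, SAMPLE_SPD_LEN));
    printf("unmatched TCP action: %d\n", spd_lookup(sample_spd, SAMPLE_SPD_LEN,
           IP4(10,0,0,7), IP4(192,0,2,10), 6));
    return 0;
}
```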
FCS_SSH_EXT.1.3 The TSF shall ensure that, as described in RFC 4253, packets greater than [65,535 bytes] in an SSH transport connection are dropped.
FCS_SSH_EXT.1.4 The TSF shall ensure that the SSH transport implementation uses the following encryption algorithms: AES-CBC-128, AES-CBC-256, [no other algorithms].
FCS_SSH_EXT.1.
FIA_PSK_EXT.1.3 The TSF shall condition the text-based pre-shared keys by using [AES] and be able to [accept bit-based pre-shared keys].
5.2.4.3 FIA_UIA_EXT.1 User Identification and Authentication
FIA_UIA_EXT.1.1 The TSF shall allow the following actions prior to requiring the non-TOE entity to initiate the identification and authentication process: Display the warning banner in accordance with FTA_TAB.1; [no other services].
5.2.5.3 FMT_SMR.2 Restrictions on Security Roles
FMT_SMR.2.1 The TSF shall maintain the roles: Authorized Administrator.
FMT_SMR.2.2 The TSF shall be able to associate users with roles.
FMT_SMR.2.3 The TSF shall ensure that the conditions Authorized Administrator role shall be able to administer the TOE locally; Authorized Administrator role shall be able to administer the TOE remotely; are satisfied.
5.2.
5.2.7 TOE Access (FTA)
5.2.7.1 FTA_SSL_EXT.1 TSF-initiated Session Locking
FTA_SSL_EXT.1.1 The TSF shall, for local interactive sessions, [terminate the session] after a Security Administrator-specified time period of inactivity.
5.2.7.2 FTA_SSL.3 TSF-initiated Termination
FTA_SSL.3.1 Refinement: The TSF shall terminate a remote interactive session after a [Security Administrator-configurable time interval of session inactivity].
5.2.1.2 FTP_TRP.1 Trusted Path
FTP_TRP.1.1 Refinement: The TSF shall use [SSH] to provide a trusted communication path between itself and remote administrators that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from disclosure and detection of modification of the communicated data.
FTP_TRP.1.
5.4.2 Security Assurance Requirements Rationale
The Security Assurance Requirements (SARs) in this Security Target represent the SARs identified in the NDPPv1.1. As such, the NDPP SAR rationale is deemed acceptable since the PP itself has been validated.
5.5 Assurance Measures
The TOE satisfies the identified assurance requirements. This section identifies the Assurance Measures applied by Cisco to satisfy the assurance requirements.
6 TOE SUMMARY SPECIFICATION
6.1 TOE Security Functional Requirement Measures
This chapter identifies and describes how the Security Functional Requirements identified above are met by the TOE.
Table 19 How TOE SFRs Measures
TOE SFRs | How the SFR is Met
FAU_GEN.1 | The TOE generates an audit record whenever an audited event occurs.
TOE SFRs | How the SFR is Met
functionality of the switch is affected. All notifications and information type messages can be sent to the syslog server, whereas message is only for information; switch functionality is not affected. To configure the TOE to send audit records to a syslog server, the ‘set logging server’ command is used. A maximum of three syslog servers can be configured.
TOE SFRs | How the SFR is Met
Changes to the time. | Changes to the time are logged, including the old and new values for the time along with the origin of the attempt.
Updates | An audit record will be generated on the initiation of updates (software/firmware).
Failure to establish and/or establishment/failure of an IPsec session | Attempts to establish an IPsec session or the failure of an established IPsec is logged.
TOE SFRs | How the SFR is Met
discovers it can no longer communicate with its configured syslog server, and will transmit the buffer contents when connectivity to the syslog server is restored. This buffer store is separate from the local logging buffer, which could be set to a different level of logging than what is to be sent via syslog.
TOE SFRs | How the SFR is Met
services using AES-CBC-128 and AES-CBC-256 together with HMAC-SHA1. The TOE uses IPsec to secure communications with the remote syslog server, with AAA servers (RADIUS and TACACS+) for remote authentication if configured and with NTP servers if configured.
TOE SFRs | How the SFR is Met
o The TOE supports configuration lifetimes of both Phase 1 SAs and Phase 2 SAs
o The TOE supports Diffie-Hellman Group 14 (2048-bit keys)
o Peer authentication uses rDSA (RSA), and can be configured to use pre-shared keys. Pre-shared keys include a combination of upper and lower case letters, numbers, and special characters and can be 22 characters or longer.
TOE SFRs | How the SFR is Met
numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”). Minimum password length is settable by the Authorized Administrator, and can be configured for minimum password lengths of 15 characters.
FIA_PSK_EXT.1 | The TOE supports use of IKEv1 (ISAKMP) pre-shared keys for authentication of IPsec tunnels.
How the SFR is Met purposes of this evaluation, the privileged level is equivalent to full administrative access to the CLI, which is the default access for IOS privilege level 15; and the semi-privileged level equates to any privilege level that has a subset of the privileges assigned to level 15. Privilege levels 0 and 1 are defined by default and are customizable, while levels 2-14 are undefined by default and are also customizable.
TOE SFRs FPT_APW_EXT.2 How the SFR is Met encrypt all locally defined user passwords. In this manner, the TOE ensures that plaintext user passwords will not be disclosed even to administrators. The command is the password encryption aes command used in global configuration mode. The TOE can also be configured to not display configured keys as part of configuration files using the ‘hidekeys’ command.
TOE SFRs | How the SFR is Met
FTA_SSL_EXT.1 and FTA_SSL.3 | An Authorized Administrator can configure maximum inactivity times individually for both local and remote administrative sessions through the use of the “session-timeout” setting applied to the console and virtual terminal (vty) lines. The configuration of the vty lines sets the configuration for the remote console access.
1 ANNEX A: KEY ZEROIZATION
1.1 Key Zeroization
The following table describes the key zeroization referenced by FCS_CKM_EXT.4 provided by the TOE.
Table 20: TOE Key Zeroization
Name | Description | Zeroization
Diffie-Hellman Shared Secret | The value is zeroized after it has been given back to the consuming operation. The value is overwritten by 0’s. This key is stored in DRAM. | Automatically after completion of DH exchange.
Name Description Zeroization
skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0’s. This key is stored in DRAM.
ISAKMP preshared The function calls the free operation with the poisoning mechanism that overwrites the value with 0x0d. This key is stored in DRAM.
Name | Description | Zeroization
User Password | This is a Variable 15+ character password that is used to authenticate local users. The password is stored in NVRAM. | Zeroized by overwriting with new password
Enable Password (if used) | This is a Variable 15+ character password that is used to authenticate local users at a higher privilege level. The password is stored in NVRAM.
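The two overwrite patterns Table 20 names, 0's for zeroization and 0x0d for the poisoning free, as an added example that is not Cisco's implementation. The fixed slot arena, its sizes and all function names are assumptions chosen so the overwritten bytes stay inspectable after release.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE   32      /* bytes per key slot (assumed) */
#define SLOT_COUNT  4       /* number of slots (assumed) */
#define POISON_BYTE 0x0d    /* poison value named in Table 20 */

/* Static arena standing in for DRAM key storage; reading heap memory
 * after free() would be undefined, so the example avoids malloc. */
static uint8_t arena[SLOT_COUNT][SLOT_SIZE];
static uint8_t in_use[SLOT_COUNT];

static int valid(int slot) { return slot >= 0 && slot < SLOT_COUNT; }

/* Write through a volatile pointer so the compiler cannot remove the
 * store as dead code, which a plain memset before release may allow. */
static void wipe(void *p, uint8_t value, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = value;
}

/* Copy a key into the first free slot; returns its index or -1. */
int key_store(const uint8_t *key, size_t len)
{
    if (len > SLOT_SIZE) return -1;
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!in_use[i]) {
            memcpy(arena[i], key, len);
            in_use[i] = 1;
            return i;
        }
    }
    return -1;
}

/* Zeroization: overwrite the whole slot with 0's, slot stays allocated. */
void key_zeroize(int slot)
{
    if (valid(slot)) wipe(arena[slot], 0x00, SLOT_SIZE);
}

/* Poisoning free: overwrite with 0x0d, then hand the slot back. */
void key_release(int slot)
{
    if (!valid(slot)) return;
    wipe(arena[slot], POISON_BYTE, SLOT_SIZE);
    in_use[slot] = 0;
}

/* Audit helper: 1 if every byte of the slot equals `value`. */
int slot_filled_with(int slot, uint8_t value)
{
    if (!valid(slot)) return 0;
    for (size_t i = 0; i < SLOT_SIZE; i++)
        if (arena[slot][i] != value) return 0;
    return 1;
}

int main(void)
{
    const uint8_t psk[8] = { 'e','x','a','m','p','l','e','!' }; /* constructed key */
    int s = key_store(psk, sizeof psk);
    key_release(s);
    printf("slot %d poisoned: %d\n", s, slot_filled_with(s, POISON_BYTE));
    return 0;
}
```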
2 ANNEX B: REFERENCES
The following documentation was used to prepare this ST:
Table 21: References
Identifier | Description
[CC_PART1] | Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated September 2012, version 3.