Specifications
Cisco Aggregation Services Router (ASR) 901 Series Security Target
Page 16 of 50
Table 7 TOE Provided Cryptography

| Cryptographic Method | Use within the TOE |
| --- | --- |
| Internet Key Exchange | Used to establish initial IPsec session. |
| Secure Shell Establishment | Used to establish initial SSH session. |
| RSA/DSA Signature Services | Used in IPsec session establishment. Used in SSH session establishment. |
| SP 800-90 RBG | Used in IPsec session establishment. Used in SSH session establishment. |
| SHS | Used to provide IPsec traffic integrity verification. Used to provide SSH traffic integrity verification. |
| AES | Used to encrypt IPsec session traffic. Used to encrypt SSH session traffic. |
1.6.1 User Data Protection
The TOE ensures that all information flows from the TOE do not contain residual information
from previous traffic. Packets are padded with zeros. Residual data is never transmitted from
the TOE.
1.6.2 Identification and Authentication
The TOE performs two types of authentication: device-level authentication of the remote device
(VPN peers) and user authentication for the Authorized Administrator of the TOE. Device-level
authentication allows the TOE to establish a secure channel with a trusted peer. The secure
channel is established only after each device authenticates the other. Device-level authentication
is performed via IKE/IPsec mutual authentication. The IKE phase authentication for the IPsec
communication channel between the TOE and authentication server and between the TOE and
syslog server is considered part of the Identification and Authentication security functionality of
the TOE.
The TOE provides authentication services for administrative users to connect to the TOE's secure
CLI administrator interface. The TOE requires Authorized Administrators to authenticate prior
to being granted access to any of the management functionality. The TOE can be configured to
require a minimum password length of 15 characters as well as mandatory password complexity
rules. The TOE provides administrator authentication against a local user database.
Password-based authentication can be performed on the serial console or SSH interfaces. The SSHv2
interface also supports authentication using SSH keys. The TOE optionally supports use of a
RADIUS or TACACS+ AAA server (part of the IT Environment) for authentication of
administrative users attempting to connect to the TOE's CLI.
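As an added illustration that is not part of the Security Target, the following Cisco IOS configuration fragment shows how the administrator-authentication settings this section describes (15-character minimum, complexity rules, local user database, SSHv2 with key authentication, optional TACACS+ AAA) would typically be configured. Availability of each command on the TOE's IOS release is assumed, and all hostnames, addresses, policy names and keys are placeholders.

```cisco
! Constructed example, not from the Security Target or Cisco documentation.
! Assumes an IOS release with the Common Criteria password-policy feature.
aaa new-model
!
! Minimum 15-character passwords plus mandatory complexity
! (at least one upper-case, lower-case, numeric and special character).
security passwords min-length 15
aaa common-criteria policy ST-POLICY
 min-length 15
 upper-case 1
 lower-case 1
 numeric-count 1
 special-case 1
!
! Local user database; the policy is bound to each local administrator account.
username admin privilege 15 common-criteria-policy ST-POLICY secret <placeholder-password>
!
! Optional external AAA server in the IT Environment (TACACS+ shown; RADIUS is analogous).
! Local database is the fallback so the console stays reachable if the server is down.
tacacs server TAC1
 address ipv4 192.0.2.10
 key <placeholder-shared-secret>
aaa group server tacacs+ TAC-GROUP
 server name TAC1
aaa authentication login ADMIN-AUTH group TAC-GROUP local
!
! SSHv2 only; host key is generated in exec mode before enabling SSH:
!   crypto key generate rsa modulus 2048
hostname asr901
ip domain-name example.net
ip ssh version 2
!
! Public-key authentication for the named administrator account.
ip ssh pubkey-chain
 username admin
  key-string
   <placeholder-public-key>
  exit
 exit
!
! Apply the login method to the serial console and the SSH (vty) lines.
line con 0
 login authentication ADMIN-AUTH
line vty 0 4
 transport input ssh
 login authentication ADMIN-AUTH
```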