Specifications

Cisco Aggregation Services Router (ASR) 901 Series Security Target
1.6.5 TOE Access
The TOE can terminate inactive sessions after an Authorized Administrator-configurable time
period. Once a session has been terminated, the TOE requires the user to re-authenticate to
establish a new session.
The TOE can also display an Authorized Administrator specified banner on the CLI management
interface prior to allowing any administrative access to the TOE.
1.6.6 Trusted path/Channels
The TOE allows trusted paths to be established to itself from remote administrators over SSHv2,
and initiates outbound IPsec tunnels to transmit audit messages to remote syslog servers. In
addition, IPsec is used to secure the session between the TOE and the authentication servers.
The TOE can also establish trusted paths of peer-to-peer IPsec sessions. The peer-to-peer IPsec
sessions can be used for securing the communications between the TOE and authentication
server/syslog server.
1.7 Excluded Functionality
The following functionality is excluded from the evaluation.
Table 8 Excluded Functionality

| Excluded Functionality | Exclusion Rationale |
|---|---|
| Non-FIPS 140-2 mode of operation on the | This mode of operation includes non-FIPS allowed operations. |
| Telnet | Telnet sends authentication data in the clear. This feature is enabled by default and must be disabled in the evaluated configuration. Including this feature would not meet the security policies as defined in the Security Target. The exclusion of this feature has no effect on the operation of the TOE. Refer to the Guidance documentation for configuration syntax and information. |

These services will be disabled by configuration. The exclusion of this functionality does not
affect compliance to the U.S. Government Protection Profile for Security
Requirements for Network Devices Version 1.1 with Security Requirements for Network
Devices Errata #2.
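
The following is an added example, not part of the Security Target or of Cisco's guidance: a small audit script that checks an IOS-style running configuration against the statements in sections 1.6.5, 1.6.6 and Table 8 (inactivity timeout, pre-login banner, SSHv2, Telnet disabled). It assumes the standard IOS commands `exec-timeout`, `transport input`, `banner login`/`banner motd` and `ip ssh version 2`, since the exact syntax required by the Guidance documentation is not given on this page; the function names and the sample configuration are constructed for illustration.

```python
import re
# Constructed sample of an IOS-style running configuration (not from the Security Target).
SAMPLE_CONFIG = """\
hostname asr901-lab
ip ssh version 2
banner login ^CAuthorized administrators only.^C
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 10 0
 transport input ssh
"""

def parse_lines(config):
    """Return {header: [subcommands]} for each 'line ...' block."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any other top-level command closes the block
    return sections

def audit(config):
    """Return sorted findings for the timeout, banner, SSHv2 and Telnet checks."""
    findings = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    if "ip ssh version 2" not in top:
        findings.append("global: SSH not pinned to version 2")
    if not any(re.match(r"banner (login|motd)\b", l) for l in top):
        findings.append("global: no pre-login banner configured")
    for header, cmds in parse_lines(config).items():
        if "exec-timeout 0 0" in cmds:  # 0 0 means sessions never time out
            findings.append(f"{header}: inactivity timeout disabled")
        if header.startswith("line vty"):
            transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
            # Assumption: no 'transport input' line means the default, which Table 8 says allows Telnet.
            if not transport or {"telnet", "all"} & set(transport[-1]):
                findings.append(f"{header}: Telnet not disabled")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```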