Cisco Aggregation Services Router (ASR) 900 Series Security Target Version 1.
Table of Contents
1 SECURITY TARGET INTRODUCTION
1.1 ST AND TOE REFERENCE
1.2 TOE OVERVIEW
1.2.
5.2.1 Trusted Path/Channels (FTP)
5.3 TOE SFR DEPENDENCIES RATIONALE FOR SFRS FOUND IN NDPP
5.4 SECURITY ASSURANCE REQUIREMENTS
5.4.1 SAR Requirements
List of Tables
TABLE 1: ACRONYMS
TABLE 2 TERMINOLOGY
TABLE 3: ST AND TOE IDENTIFICATION
List of Acronyms
The following acronyms and abbreviations are common and may be used in this Security Target:
Table 1: Acronyms
Acronyms/Abbreviations AAA AES BGP Bridge Domain BSC BTS CC CE CEM CLI CM DH DHCP EAL EFP ENI EtherChannel EVC FIPS GE HA HMAC HTTPS IS-IS IT LAN MEF MSC NDPP NNI NTP OS OSPF Definition Administration, Authorization, and Accounting Advanced Encryption Standard Border Gateway Protocol.
Acronyms/Abbreviations Definition autonomous system). A link-state routing protocol which calculates the shortest path to each node. Protection Profile Radio Access Network Route Switch Processor Quality of Service Small–form-factor pluggable port Secure Hash Standard Secure Shell (version 2) Security Target Transport Control Protocol Time-division multiplexing.
DOCUMENT INTRODUCTION
Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134
This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Aggregation Services Router (ASR) 900 Series.
1 SECURITY TARGET INTRODUCTION
The Security Target contains the following sections:
Security Target Introduction [Section 1]
Conformance Claims [Section 2]
Security Problem Definition [Section 3]
Security Objectives [Section 4]
IT Security Requirements [Section 5]
TOE Summary Specification [Section 6]
Rationale [Section 7]
The structure and content of this ST comply with the requirements specified in the Common Criteria (C
but due to its smaller size, it has four interface module cards and one Route Switch Processor (RSP) card. The RSP card is the centralized card in the system performing the data plane, network timing, and control plane functions for the system. All components support online replacement and field upgrades, with the exception of the RSP card, which requires the system to be brought down for a replacement or upgrade.
1.3 TOE DESCRIPTION
This section provides an overview of the Cisco Aggregation Services Router (ASR) 900 Series Target of Evaluation (TOE). This section also defines the TOE components included in the evaluated configuration of the TOE.
The following figure provides a visual depiction of an example TOE deployment. The TOE boundary is surrounded with a hashed red line.
Up to two DC or two AC or a combination of AC and DC power supply units
One fan tray
o Cisco ASR 903 3-RU modular chassis
Dedicated slots in the chassis that support the following:
Up to six interface modules
Up to two Route Switch Processors (RSP)
Up to two DC power supply units
One fan tray
o Cisco ASR 920 Indoor version includes ASR-920-12CZ-A and ASR-920-12CZ-D models that have fixed ENET interfaces (12 x 1
Figure 2 ASR 902 chassis design
Table 5 ASR 902 chassis References
Label | Component
1 | Interface modules
2 | One RSP unit slot; supports the RSP1A-55, RSP1B-55, RSP2A-64 and RSP2A-128
3 | Fan tray
4 | Redundant power units; two DC power units are shown
Figure 3 ASR 902 chassis design
Table 6 ASR 903 chassis References
Label | Component
1 | Interface modules
2 | Two RSP unit slots; supports the RSP1A-55, RSP1B-55, RSP2A-64 and RSP2A-128
3 | Fan tray
4 | Redu
Figure 4 Front Panel of Cisco ASR-920-12CZ-A Router
Figure 5 Front Panel of Cisco ASR-920-12CZ-D Router
Table 7 ASR 920 (12CZ-A/12CD-D) chassis References
Label | Component
1 | Power Supply 0 (AC or DC)
2 | Power Supply 1 (AC or DC)
3 | Power Supply 0 LED (AC or DC)
4 | Power Supply 1 LED (AC or DC)
5 | RJ-48 slots for BITS (upper slot) and ToD (lower slot)
6 | Management port
7 | Console port (TIA/EIA232F)
8 | Auxiliary Console port
Label 10 11 12 Compo
Figure 7 Front Panel of Cisco ASR-920-4SZ-A Router
Table 8 ASR 920 (4SZ/4SZ-A) chassis References
Label | Component
1 | Power Supply 0 (AC or DC)
2 | Power Supply 1 (AC or DC)
3 | Power Supply 0 LED (AC or DC)
4 | Power Supply 1 LED (AC or DC)
5 | RJ-48 slots for BITS (upper slot) and ToD (lower slot)
6 | Management port
7 | Console port (TIA/EIA232F)
8 | Auxiliary Console port
9 | 2 1GE Copper ports
10 | Four 1G/10G Dual Rate ports
11 | USB C
These features are described in more detail in the subsections below. In addition, the TOE implements all RFCs of the NDPP as necessary to satisfy testing/assurance measures prescribed therein.
1.6.1 Security audit
The Cisco Aggregation Services Router (ASR) 900 Series provides extensive auditing capabilities. The TOE generates a comprehensive set of audit logs that identify specific TOE operations.
Algorithm | Cert. #
RSA | 1471
ECDSA | 493
While the algorithm implementations listed in the preceding table were not tested on the exact processor installed within the ASR 900, the algorithm certificates are applicable to the TOE based on the following:
1. The cryptographic implementation which is tested is identical (unchanged) to the cryptographic implementation on the ASR 900s.
2.
1.6.1 User Data Protection
The TOE ensures that all information flows from the TOE do not contain residual information from previous traffic. Packets are padded with zeros. Residual data is never transmitted from the TOE.
1.6.2 Identification and Authentication
The TOE performs two types of authentication: device-level authentication of the remote device (VPN peers) and user authentication for the Authorized Administrator of the TOE.
Administrators can create configurable login banners to be displayed at time of login, and can also define an inactivity timeout for each admin interface to terminate sessions after a set period of inactivity.
1.6.4 Protection of the TSF
The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators.
Telnet
Telnet sends authentication data in the clear. This feature is enabled by default and must be disabled in the evaluated configuration. Including this feature would not meet the security policies as defined in the Security Target. The exclusion of this feature has no effect on the operation of the TOE. Refer to the Guidance documentation for configuration syntax and information.
These services will be disabled by configuration.
2 CONFORMANCE CLAIMS
2.1 Common Criteria Conformance Claim
The TOE and ST are compliant with the Common Criteria (CC) Version 3.1, Revision 4, dated: September 2012. For a listing of Assurance Requirements claimed see section 5.4. The TOE and ST are CC Part 2 extended and CC Part 3 conformant.
2.
2.3.3 Statement of Security Requirements Consistency
The Security Functional Requirements included in the Security Target represent the Security Functional Requirements specified in the NDPPv1.1, for which conformance is claimed verbatim. All concepts covered in the Protection Profile’s Statement of Security Requirements are included in this Security Target.
3 SECURITY PROBLEM DEFINITION
This chapter identifies the following:
Significant assumptions about the TOE’s operational environment.
IT related threats to the organization countered by the TOE.
Environmental threats requiring controls to provide sufficient protection.
Organizational security policies for the TOE as appropriate.
This document identifies assumptions as A.assumption with “assumption” specifying a unique name.
Threat | Threat Definition
T.UNAUTHORIZED_ACCESS | A user may gain unauthorized access to the TOE data and TOE executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to data or TOE resources. A malicious user, process, or external IT entity may misrepresent itself as the TOE to obtain identification and authentication data.
T.
4 SECURITY OBJECTIVES
This Chapter identifies the security objectives of the TOE and the IT Environment. The security objectives identify the responsibilities of the TOE and the TOE’s IT environment in meeting the security needs. This document identifies objectives of the TOE as O.objective with objective specifying a unique name. Objectives that apply to the IT environment are designated as OE.
4.2 Security Objectives for the Environment
All of the assumptions stated in section 3.1 are considered to be security objectives for the environment. The following are the Protection Profile non-IT security objectives, which, in addition to those assumptions, are to be satisfied without imposing technical requirements on the TOE. That is, they will not require the implementation of functions in the TOE hardware and/or software.
5 SECURITY REQUIREMENTS
This section identifies the Security Functional Requirements for the TOE. The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, dated: September 2012 and all international interpretations.
5.
Class Name | Component Identification | Component Name
 | FCS_RBG_EXT.1 | Extended: Cryptographic Operation (Random Bit Generation)
 | FCS_SSH_EXT.1 | Explicit: SSH
FDP: User data protection | FDP_RIP.2 | Full Residual Information Protection
FIA: Identification and authentication | FIA_PMG_EXT.1 | Password Management
 | FIA_PSK_EXT.1 | Extended: Pre-Shared Key Composition
 | FIA_UIA_EXT.1 | User Identification and Authentication
 | FIA_UAU_EXT.
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [information specified in column three of Table 19].
SFR | Auditable Event | Additional Audit Record Contents
FPT_STM.1 | Changes to the time. | The old and new values for the time. Origin of the attempt (e.g., IP address).
FPT_TUD_EXT.1 | Initiation of update. | No additional information.
FPT_TST_EXT.1 | None. | None.
FTA_SSL_EXT.1 | Any attempts at unlocking of an interactive session. | No additional information.
FTA_SSL.3 | The termination of a remote session by the session locking mechanism.
112 bits.
5.2.2.2 FCS_CKM_EXT.4 Cryptographic Key Zeroization
FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys and CSPs when no longer required.
5.2.2.3 FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption)
FCS_COP.1.
FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches anything that is otherwise unmatched, and discards it.
FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using [the cryptographic algorithms AES-CBC-128 (as specified by RFC 3602) together with a Secure Hash Algorithm (SHA)-based HMAC, AES-CBC-256 (as specified by RFC 3602)].
FCS_IPSEC_EXT.1.
FCS_SSH_EXT.1.3 The TSF shall ensure that, as described in RFC 4253, packets greater than [65,535 bytes] bytes in an SSH transport connection are dropped.
FCS_SSH_EXT.1.4 The TSF shall ensure that the SSH transport implementation uses the following encryption algorithms: AES-CBC-128, AES-CBC-256, [no other algorithms].
FCS_SSH_EXT.1.
FIA_PSK_EXT.1.3 The TSF shall condition the text-based pre-shared keys by using [AES] and be able to [accept bit-based pre-shared keys].
5.2.4.3 FIA_UIA_EXT.1 User Identification and Authentication
FIA_UIA_EXT.1.1 The TSF shall allow the following actions prior to requiring the non-TOE entity to initiate the identification and authentication process: Display the warning banner in accordance with FTA_TAB.1; [no other services].
5.2.5.3 FMT_SMR.2 Restrictions on Security Roles
FMT_SMR.2.1 The TSF shall maintain the roles: Authorized Administrator.
FMT_SMR.2.2 The TSF shall be able to associate users with roles.
FMT_SMR.2.3 The TSF shall ensure that the conditions Authorized Administrator role shall be able to administer the TOE locally; Authorized Administrator role shall be able to administer the TOE remotely; are satisfied.
5.2.
5.2.7 TOE Access (FTA)
5.2.7.1 FTA_SSL_EXT.1 TSF-initiated Session Locking
FTA_SSL_EXT.1.1 The TSF shall, for local interactive sessions, [terminate the session] after a Security Administrator-specified time period of inactivity.
5.2.7.2 FTA_SSL.3 TSF-initiated Termination
FTA_SSL.3.1 Refinement: The TSF shall terminate a remote interactive session after a [Security Administrator-configurable time interval of session inactivity].
5.2.1.2 FTP_TRP.1 Trusted Path
FTP_TRP.1.1 Refinement: The TSF shall use [SSH] to provide a trusted communication path between itself and remote administrators that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from disclosure and detection of modification of the communicated data.
FTP_TRP.1.
5.4.2 Security Assurance Requirements Rationale
The Security Assurance Requirements (SARs) in this Security Target represent the SARs identified in the NDPPv1.1. As such, the NDPP SAR rationale is deemed acceptable since the PP itself has been validated.
5.5 Assurance Measures
The TOE satisfies the identified assurance requirements. This section identifies the Assurance Measures applied by Cisco to satisfy the assurance requirements.
6 TOE SUMMARY SPECIFICATION
6.1 TOE Security Functional Requirement Measures
This chapter identifies and describes how the Security Functional Requirements identified above are met by the TOE.
Table 22 How TOE SFRs Measures
TOE SFRs | How the SFR is Met
FAU_GEN.1 | The TOE generates an audit record whenever an audited event occurs.
functionality of the switch is affected. All notifications and information type messages can be sent to the syslog server, whereas message is only for information; switch functionality is not affected. To configure the TOE to send audit records to a syslog server, the ‘set logging server’ command is used. A maximum of three syslog servers can be configured.
Changes to the time. | Changes to the time are logged, including the old and new values for the time along with the origin of the attempt
Updates | An audit record will be generated on the initiation of updates (software/firmware)
Failure to establish and/or establishment/failure of an IPsec session | Attempts to establish an IPsec session or the failure of an established IPsec is logged.
discovers it can no longer communicate with its configured syslog server, and will transmit the buffer contents when connectivity to the syslog server is restored. This buffer store is separate from the local logging buffer, which could be set to a different level of logging than what is to be sent via syslog.
services using AES-CBC-128 and AES-CBC-256 together with HMAC-SHA1. The TOE uses IPsec to secure communications with the remote syslog server, with AAA servers (RADIUS and TACACS+) for remote authentication if configured and with NTP servers if configured.
The TOE supports configuration lifetimes of both Phase 1 SAs and Phase 2 SAs
The TOE supports Diffie-Hellman Group 14 (2048-bit keys)
Peer authentication uses rDSA (RSA), and can be configured to use pre-shared keys. Pre-shared keys include a combination of upper and lower case letters, numbers, and special characters and can be 22 characters or longer.
numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”). Minimum password length is settable by the Authorized Administrator, and can be configured for minimum password lengths of 15 characters.
FIA_PSK_EXT.1 | The TOE supports use of IKEv1 (ISAKMP) pre-shared keys for authentication of IPsec tunnels.
purposes of this evaluation, the privileged level is equivalent to full administrative access to the CLI, which is the default access for IOS privilege level 15; and the semi-privileged level equates to any privilege level that has a subset of the privileges assigned to level 15. Privilege levels 0 and 1 are defined by default and are customizable, while levels 2-14 are undefined by default and are also customizable.
TOE SFRs FPT_APW_EXT.2 How the SFR is Met encrypt all locally defined user passwords. In this manner, the TOE ensures that plaintext user passwords will not be disclosed even to administrators. The command is the password encryption aes command used in global configuration mode. The TOE can also be configured to not display configured keys as part of configuration files using the ‘hidekeys’ command.
TOE SFRs | How the SFR is Met
FTA_SSL_EXT.1 and FTA_SSL.3 | An Authorized Administrator can configure maximum inactivity times individually for both local and remote administrative sessions through the use of the “session-timeout” setting applied to the console and virtual terminal (vty) lines. The configuration of the vty lines sets the configuration for the remote console access.
1 ANNEX A: KEY ZEROIZATION
1.1 Key Zeroization
The following table describes the key zeroization referenced by FCS_CKM_EXT.4 provided by the TOE.
Table 23: TOE Key Zeroization
Name | Description | Zeroization
Diffie-Hellman Shared Secret | The value is zeroized after it has been given back to the consuming operation. The value is overwritten by 0’s. This key is stored in DRAM. | Automatically after completion of DH exchange.
Name Description Zeroization skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0’s. This key is stored in DRAM. ISAKMP preshared The function calls the free operation with the poisoning mechanism that overwrites the value with 0x0d. This key is stored in DRAM.
Name | Description | Zeroization
User Password | This is a Variable 15+ character password that is used to authenticate local users. The password is stored in NVRAM. | Zeroized by overwriting with new password
Enable Password (if used) | This is a Variable 15+ character password that is used to authenticate local users at a higher privilege level. The password is stored in NVRAM.
2 ANNEX B: REFERENCES
The following documentation was used to prepare this ST:
Table 24: References
Identifier | Description
[CC_PART1] | Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated September 2012, version 3.