Manualshelf

Specifications

ManualsBrandsCisco ManualsComputer equipmentASR 900 Series
11121314151617181920
Cisco Aggregation Services Router (ASR) 900 Series Security Target
Page 19 of 52
Administrators can create configurable login banners to be displayed at time of login, and can
also define an inactivity timeout for each admin interface to terminate sessions after a set period
of inactivity.
1.6.4 Protection of the TSF
The TOE protects against interference and tampering by untrusted subjects by implementing
identification, authentication, and access controls to limit configuration to Authorized
Administrators. The TOE prevents reading of cryptographic keys and passwords. Additionally
Cisco IOS is not a general-purpose operating system and access to Cisco IOS memory space is
restricted to only Cisco IOS functions.
The TOE internally maintains the date and time. This date and time is used as the timestamp that
is applied to audit records generated by the TOE. Administrators can update the TOE’s clock
manually, or can configure the TOE to use NTP to synchronize the TOE’s clock with an external
time source. Finally, the TOE performs testing to verify correct operation of the switch itself and
that of the cryptographic module.
The TOE is able to verify any software updates prior to the software updates being installed on
the TOE to avoid the installation of Authorized Administrator software.
1.6.5 TOE Access
The TOE can terminate inactive sessions after an Authorized Administrator configurable time-
period. Once a session has been terminated the TOE requires the user to re-authenticate to
establish a new session.
The TOE can also display an Authorized Administrator specified banner on the CLI management
interface prior to allowing any administrative access to the TOE.
1.6.6 Trusted path/Channels
The TOE allows trusted paths to be established to itself from remote administrators over SSHv2,
and initiates outbound IPsec tunnels to transmit audit messages to remote syslog servers. In
addition, IPsec is used to secure the session between the TOE and the authentication servers.
The TOE can also establish trusted paths of peer-to-peer IPsec sessions. The peer-to-peer IPsec
sessions can be used for securing the communications between the TOE and authentication
server/syslog server.
1.7 Excluded Functionality
The following functionality is excluded from the evaluation.
Table 11 Excluded Functionality
Excluded Functionality
Exclusion Rationale
Non-FIPS 140-2 mode of
operation on the
This mode of operation includes non-FIPS allowed operations.