Cisco Cat3K ST 6 June 2012 Cisco Catalyst Switches (3560-X and 3750-X) Security Target Revision 1.
Table of Contents
1 SECURITY TARGET INTRODUCTION
1.1 ST and TOE Reference
1.2 Acronyms and Abbreviations
1.3 TOE Overview
1.
5.5.2 Security Assurance Requirements Rationale
5.6 Assurance Measures
6 TOE Summary Specification
6.1 TOE Security Functional Requirement Measures
6.2
7
List of Tables
TABLE 1 ST AND TOE IDENTIFICATION
TABLE 2 ACRONYMS
TABLE 3 IT ENVIRONMENT COMPONENTS
TABLE 4 TOE ASSUMPTIONS
DOCUMENT INTRODUCTION

Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134

This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Cisco Catalyst Switches (3560-X and 3750-X) running IOS 15.0(1)SE2.
1 SECURITY TARGET INTRODUCTION

The Security Target contains the following sections:
• Security Target Introduction [Section 1]
• Conformance Claims [Section 2]
• Security Problem Definition [Section 3]
• Security Objectives [Section 4]
• IT Security Requirements [Section 5]
• TOE Summary Specification [Section 6]
• Rationale [Section 7]

The structure and content of this ST comply with the requirements specified in the Common Criteria (CC), Part 1, Annex A, and Part 3, Chapte
Acronyms / Abbreviations | Definition
DH | Diffie-Hellman
EAL | Evaluation Assurance Level
EEPROM | Electrically erasable programmable read-only memory, specifically the memory in the switch where the Cisco IOS is stored.
PIM-SM |
PP |
PRNG |
PVLAN |
RADIUS |
1.3 TOE Overview

The TOE is the Cisco Catalyst Switches (3560-X and 3750-X) running IOS 15.0(1)SE2 (hereinafter referred to as Catalyst Switches). The TOE is a purpose-built switching and routing platform with OSI Layer 2 and Layer 3 traffic filtering capabilities.

1.3.1 TOE Product Type

The Cisco Catalyst Switches are a switching and routing platform used to construct IP networks by interconnecting multiple smaller networks or network segments.
o Type A for Storage, all Cisco supported USB flash drives
o Type mini-B as console port in the front
• Non-volatile read-only memory (ROM) is used to store the bootstrap program and power-on diagnostic programs
• Non-volatile random-access memory (NVRAM) is used to store switch configuration parameters used to initialize the system at start-up
• Physical network interfaces (minimally two) (e.g. RJ45 serial and standard 10/100 Ethernet ports).
The following figure provides a visual depiction of an example TOE deployment.

1.6 Physical Scope of the TOE

The TOE is a hardware and software solution that makes up the following switch models: Cisco Catalyst 3560-X and 3750-X running Cisco IOS 15.0(1)SE2. The network on which they reside is part of the environment.
called a license file, is examined by Cisco IOS Software when the switch is powered on. Based on the license’s type, Cisco IOS Software activates the appropriate feature set. License types can be changed, or upgraded, to activate a different feature set. For detailed information about Software Activation, visit http://www.cisco.com/go/sa.
Feature Set
Models: WS-C3560-X48PFS/Standalone
Total 10/100/1000 Ethernet Ports: 48 PoE+
Default AC Power Supply: 1100W
Available PoE Power: 800W

The Cisco Catalyst 3750-X Series Configurations
Front and back view

Feature Set: LAN Base, IP Base
Models: WS-C3750X24T-L WS-C3750X48T-L WS-C3750X24P-L WS-C3750X48P-L WS-C3750X48PF-L WS-C3750X24T-S WS-C3750X48T-S WS-C3750X24P-S WS-C3750X48P-S WS-C3750X48PF-S WS-C3750X-
Total 10/100/1000 Ethernet Ports: 24
Default AC Power Supply
Feature Set: IP Services
Models: 12S-S WS-C3750X24S-S WS-C3750X12S-E WS-C3750X24S-E WS-C3750X24T-E WS-C3750X48T-E WS-C3750X24P-E WS-C3750X48P-E WS-C3750X48PF-E
Total 10/100/1000 Ethernet Ports, Default AC Power Supply, Available PoE Power: 24 GE SFP 350W - 12 GE SFP 350W - 715W 435W 1100W 800W 24 GE SFP 24 48 24 48 48

StackPower Connector

StackPower can be deployed in either power sharing mode or redundancy mode.
1.7 Logical Scope of the TOE

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.

1. Security audit
2. Cryptographic support
3. User data protection
4. Identification and authentication
5. Secure Management
6. Protection of the TSF
7. TOE access

These features are described in more detail in the subsections below.

1.7.
1.7.3 Traffic Filtering and Switching (VLAN Processing and ACLs)

VLANs control whether Ethernet frames are passed through the switch interfaces based on the VLAN tag information in the frame header. IP ACLs or ICMP ACLs control whether routed IP packets are forwarded or blocked at Layer 3 TOE interfaces (interfaces that have been configured with IP addresses).
1.7.4 Identification and authentication

The TOE performs authentication, using Cisco IOS platform authentication mechanisms, to authenticate access to user EXEC and privileged EXEC command modes. All users wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services. Once a user attempts to access the management functionality of the TOE (via EXEC mode), the TOE prompts the user for a user name and password.
All of these management functions are restricted to the authorized administrator of the TOE. The TOE switch platform maintains administrative privilege level and non-administrative access. Non-administrative access is granted to authenticated neighbor routers for the ability to receive updated routing tables per the information flow rules. There is no other access or functions associated with non-administrative access.
1.7.7 TOE Access

The TOE can terminate inactive sessions after a time period configurable by an authorized administrator. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session. The TOE can also display a Security Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.

1.
not interfere with the enforcement of the security policies as defined in the Security Target.
• TrustSec - is only relevant to this ST to a limited degree, for RADIUS KeyWrap, which is being represented with other cryptographic methods. This feature is disabled by default and should remain disabled in the evaluated configuration. Not including this feature does not interfere with the enforcement of the security policies as defined in the Security Target.
2 CONFORMANCE CLAIMS

2.1 Common Criteria Conformance Claim

The ST and the TOE it describes are conformant with the following CC specifications:
• Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Version 3.1, Revision 3, July 2009
  o Part 2 Extended
• Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Version 3.
3 SECURITY PROBLEM DEFINITION

This section describes the security environment in which the TOE is intended to be used. This document identifies assumptions as A.assumption with “assumption” specifying a unique name. Threats are identified as T.threat with “threat” specifying a unique name.

3.1 Assumptions

The specific conditions listed in the following subsections are assumed to exist in the TOE’s environment.
Threat | Threat Definition
T.NOAUTH | An unauthorized person may attempt to bypass the security of the TOE so as to access and use security functions and/or non-security functions provided by the TOE to disrupt operations of the TOE.
T.NOMGT | The administrator is not able to manage the security functions of the TOE, resulting in the potential for the TOE configuration to compromise security objectives and policies.
T.UNAUTH_MGT_ACCESS |
T.TIME |
T.USER_DATA_REUSE |

3.3
4 SECURITY OBJECTIVES

This Chapter identifies the security objectives of the TOE and the IT Environment. The security objectives identify the responsibilities of the TOE and the TOE’s IT environment in meeting the security needs.

• This document identifies objectives of the TOE as O.objective with objective specifying a unique name. Objectives that apply to the IT environment are designated as OE.objective with objective specifying a unique name.

4.1
TOE Objective | TOE Security Objective Definition
O.TIME | The TOE will provide a reliable time stamp for its own use.
O.DISPLAY_BANNER | The TOE will display an advisory warning regarding use of the TOE.
O.RESIDUAL_INFORMATION_CLEARING | The TOE will ensure that any data contained in a protected resource is not available when the resource is reallocated.

4.2 Security Objectives for the Environment

All of the assumptions stated in Section 3.
5 SECURITY REQUIREMENTS

This section identifies the Security Functional Requirements for the TOE. The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, dated: July 2009 and all international interpretations.

5.
Functional Component
FAU_SAR.1: Audit review
FAU_STG.1: Protected audit trail storage
FCS: Cryptographic support
FCS_CKM.1(1): Cryptographic key generation - RSA
FCS_CKM.1(2): Cryptographic key generation - AES
FCS_CKM.4: Cryptographic key zeroization
FCS_COP.1(1): Cryptographic operation (for RSA encryption/decryption)
FCS_COP.1(2): Cryptographic operation (for AES encryption/decryption)
FCS_COP.1(3): Cryptographic operation (for RNG)
FCS_COP.
Functional Component
FPT_TST_EXT.1: TSF testing
FTA: TOE Access
FTA_SSL.3: TSF-initiated termination
FTA_TAB.1: Default TOE Access Banners

5.2.1 Security audit (FAU)

5.2.1.1 FAU_GEN.1: Audit data generation

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [not specified] level of audit specified in Table 10; and
c) [no additional events].
FAU_GEN.1.
Requirement | Auditable Events | Additional Audit Record Contents
FDP_IFC.1(1),(2),(3) | None |
FDP_IFF.1(1) | None |
FDP_IFF.1(2) | All decisions on requests for information flow | None.
FDP_IFF.1(3) | IP packet flows denied by VACL | None
FIA_UAU.2 | All use of the authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address).
FIA_UAU.5 | All use of the authentication mechanism. | Origin of the attempt (e.g., IP address).
FIA_UID.
5.2.1.3 FAU_SAR.1 Audit review

FAU_SAR.1.1 The TSF shall provide [privileged administrator, and semiprivileged administrator with appropriate privileges] with the capability to read [all TOE audit trail data] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

5.2.1.4 FAU_STG.1 Protected audit trail storage

FAU_STG.1.
[RSA] and cryptographic key sizes [1024-bits and 2048-bits] that meet the following: [none].

5.2.2.5 FCS_COP.1(2): Cryptographic operation (for AES encryption/decryption)

FCS_COP.1.
FCS_SSH_EXT.1.5 The TSF shall ensure that, as described in RFC 4253, packets greater than 35,000 bytes in an SSH transport connection are dropped.
FCS_SSH_EXT.1.6 The TSF shall ensure that the SSH transport implementation uses the following encryption algorithms AES-CBC-128, AES-CBC-256.
FCS_SSH_EXT.1.7 The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [no other public key algorithms,] as its public key algorithm(s).
FCS_SSH_EXT.1.
• CLI Commands
  o Privilege Level – The privilege level that an Authenticated Administrator must be assigned in order to execute command(s)
  o Password (if password has been set for a command or command set)].
FDP_ACF.1.2
FDP_ACF.1.3
FDP_ACF.1.4
FDP_IFF.1.2(1) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
• if the source and destination Layer 2 ports are configured to be in the same VLAN or
• the frames have been permitted into the VLAN through traffic flow controls enforced at Layer 3 as defined in FDP_IFF.1(2)].
FDP_IFF.1.3(1) The TSF shall enforce the [none].
FDP_IFF.1.
5.2.3.5 FDP_IFC.1(2) Subset Information Flow Control - ACL

FDP_IFC.1.1(2) The TSF shall enforce the [ACL SFP] on: [
a) Controlled subjects: Layer 3 interfaces (i.e. any interface configured with an IP address including physical copper or fiber ports, or any virtual sub-interface, or Layer 3 VLAN interface);
b) Controlled information: IP packets
c) Operation: forward or drop the packets].

5.2.3.6 FDP_IFF.1(2) Simple Security Attributes - ACL

FDP_IFF.1.
which in turn correlates to the TOE interface that received the packet;
• and the destination IP address in the information (packet), correlates to connected network in the routing table].
FDP_IFF.1.3(2) The TSF shall enforce the [none].
FDP_IFF.1.4(2) The TSF shall explicitly authorize an information flow based on the following rules: [none].
a) security attributes of controlled subjects:
• VLAN ID
• VLAN access-map containing one or more map sequences each with a match clause and an action clause
b) security attributes of controlled information:
• Ethernet frame header attributes (when MAC ACLs are specified in a match clause)
  o source MAC address identified within the packet;
  o destination MAC address identified in the packet;
  o EtherType (e.g.
VACLs (but can be checked via ACLs defined in FDP_IFF.1(2))].
FDP_IFF.1.5(3) The TSF shall explicitly deny an information flow based on the following rules: [the source MAC address is explicitly denied in a specified VLAN through use of the ‘mac-address-table static’ command with the keyword ‘drop’].

5.2.3.9 FDP_RIP.2: Full residual information protection

FDP_RIP.2.
5.2.4.4 FIA_UAU.7: Protected authentication feedback

FIA_UAU.7.1 The TSF shall provide only [no feedback, nor any locally visible representation of the user-entered password] to the user while the authentication is in progress.

5.2.4.5 FIA_UID.2 User identification before any action

FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

5.2.5 Security management (FMT)

5.2.5.1 FMT_MOF.
5.2.5.4 FMT_MSA.3(2) Static Attribute Initialization (Access Control)

FMT_MSA.3.1(2) The TSF shall enforce the [PRIVAC SFP], to provide [restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2(2) The TSF shall allow the [privileged administrator] to specify alternative initial values to override the default values when an object or information is created.

5.2.5.5 FMT_MTD.1: Management of TSF data

FMT_MTD.1.
5.2.6 Protection of the TSF (FPT)

5.2.6.1 FPT_RPL.1: Replay detection

FPT_RPL.1.1 The TSF shall detect replay for the following entities: [network packets terminated at the TOE].
FPT_RPL.1.2 The TSF shall perform [reject the data] when replay is detected.

5.2.6.2 FPT_STM.1: Reliable time stamps

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

5.2.6.3 FPT_TST_EXT.1: TSF testing

FPT_TST_EXT.1.
B. Family – The extended SFRs included in this ST are part of several SFR families
C. Component – The extended SFRs are not hierarchical to any other components, though they may have identifiers terminating on other than “1”. The dependencies for each extended component are identified in the TOE SFR Dependencies section of this ST below.
D.
SFR | Dependency | Rationale
FAU_STG.1 | FAU_GEN.1 | Met by FAU_GEN.1
FCS_CKM.1(2) | FCS_CKM.2 or FCS_COP.1; FCS_CKM.4 | Met by FCS_COP.1(2); Met by FCS_CKM.4
FCS_CKM.1(1) | FCS_CKM.2 or FCS_COP.1; FCS_CKM.4 | Met by FCS_COP.1(1); Met by FCS_CKM.4
FCS_CKM.4 | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Met by FCS_CKM.1
FCS_COP.1(1) | FDP_ITC.1 or 2 or FCS_CKM.1; FCS_CKM.4 | Met by FCS_CKM.1(1) and FCS_CKM.4
FCS_COP.1(2) | FDP_ITC.1 or 2 or FCS_CKM.1; FCS_CKM.4 | Met by FCS_CKM.1 and FCS_CKM.
SFR | Dependency | Rationale
FIA_UAU.5 | No dependencies | N/A
FIA_UAU.7 | FIA_UAU.1 | Met by FIA_UAU.2
FIA_UID.2 | No dependencies | N/A
FMT_MOF.1 | FMT_SMF.1; FMT_SMR.1 | Met by FMT_SMF.1 and FMT_SMR.1
FMT_MSA.2 | FDP_ACC.1; FDP_IFC.1; FMT_MSA.1; FMT_SMR.1 | Met by FDP_ACC.2; FDP_IFC.1(1),(2),(3); FMT_SMR.1; See rationale below regarding FMT_MSA.1
FMT_MSA.3(1)(2) | FMT_MSA.1; FMT_SMR.1 | Met by FMT_SMR.1; See rationale below regarding FMT_MSA.1
FMT_MTD.1 | FMT_SMF.1; FMT_SMR.1 | Met by FMT_SMF.
Assurance Class | Components | Components Description
DEVELOPMENT | ADV_ARC.1, ADV_FSP.2, ADV_TDS.1 |
GUIDANCE DOCUMENTS | AGD_OPE.1, AGD_PRE.1 |
LIFE CYCLE SUPPORT | ALC_CMC.2, ALC_CMS.2, ALC_DEL.1, ALC_DVS.1, ALC_FLR.2 |
TESTS | ATE_COV.1, ATE_FUN.1, ATE_IND.2 |
VULNERABILITY ASSESSMENT | AVA_VAN.
Component | How requirement will be met
ADV_FSP.2 | The functional specification describes the external interfaces of the TOE; such as the means for a user to invoke a service and the corresponding response of those services.
ADV_TDS.1 |
AGD_OPE.1 |
AGD_PRE.1 |
ALC_CMC.2 |
ALC_CMS.2 |
ALC_DEL.1 |
ALC_DVS.1 |
ALC_FLR.2 |
ATE_COV.1 |
ATE_FUN.1 |
ATE_IND.2 |
AVA_VAN.2 |
6 TOE SUMMARY SPECIFICATION

6.1 TOE Security Functional Requirement Measures

This section identifies and describes how the Security Functional Requirements identified above are met by the TOE.

Table 14: How TOE SFRs are Met

TOE SFRs | How the SFR is Met
FAU_GEN.1 | The TOE generates an audit record whenever an audited event occurs.
The administrator can set the level of the audit records to be displayed on the console or sent to the syslog server. For instance, all emergency, alert, critical, error, and warning messages can be sent to the console, alerting the administrator that some action needs to be taken, as these types of messages mean that the functionality of the switch is affected.
packet
00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet
00:10:11:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
00:15:33:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 2009 packets

This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0 0.0.0.255 and denies all UDP packets.

Switch(config)# ip access-list extended ext1
Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.
authentication, and the username attempting to authenticate will be included in the log record. Any use of the authentication mechanism. Events will be generated for attempted identification/ authentication, and the username attempting to authenticate will be included in the log record, along with the origin or source of the attempt.
FCS_CKM.1(1), FCS_COP.1(1) | The TOE generates RSA key establishment schemes conformant with FIPS 186-3. RSA keys are used for encryption and decryption of keying material in SSHv2 used for remote administration of the TOE. (Refer to FIPS 140-2 certificate # 1657)
FCS_CKM.
FDP_IFC.1(1), FDP_IFF.1(1) | VLAN – A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but can group end stations even if they are not physically located on the same LAN segment.
The TOE controls the flow of Ethernet traffic by matching VLAN tag information contained in the Ethernet frame headers against a set of rules specified by the authorized administrator in the VLAN flow control policies. VLANs enforce separation of traffic that terminates at the TOE, as well as traffic flowing through the TOE.
isolated host ports that belong to the secondary VLANs associated with the primary VLAN.
• Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports.
upstream from the hosts toward the promiscuous ports and the gateway.
• Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. Multiple community VLANs can be configured in a PVLAN.

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs.
primary VLAN.
Step 5 | exit | Return to global configuration mode.
Step 6 | vlan vlan-id | (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be an isolated VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094.
Step 7 | private-vlan isolated | Designate the VLAN as an isolated VLAN.
Step 8 | exit | Return to global configuration mode.
• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.
• The secondary_vlan_list parameter can contain multiple community VLAN IDs but only one isolated VLAN ID.
• Enter a secondary_vlan_list, or use the add keyword with a secondary_vlan_list to associate secondary VLANs with a primary VLAN.
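The secondary_vlan_list rules above can be checked before a change is pushed to the switch. The following Python check is an added example, not Cisco's code and not part of the Security Target; the function names and the VLAN-type inventory are assumptions made for illustration, and the VLAN ID range is the one stated in the steps above (2 to 1001 and 1006 to 4094).

```python
import re

# VLAN ID range given in the configuration steps: 2 to 1001 and 1006 to 4094.
VALID_RANGES = ((2, 1001), (1006, 4094))
ITEM_RE = re.compile(r"(\d+)(?:-(\d+))?")

# Constructed sample inventory (assumption): VLAN ID -> private-VLAN type.
SAMPLE_VLAN_TYPES = {
    20: "primary",
    501: "isolated",
    502: "community",
    503: "community",
    505: "isolated",
}


class VlanListError(ValueError):
    """A secondary_vlan_list string breaks one of the syntax rules."""


def in_valid_range(vlan_id):
    """True when the ID falls inside one of the permitted VLAN ID ranges."""
    return any(low <= vlan_id <= high for low, high in VALID_RANGES)


def expand_secondary_vlan_list(text):
    """Expand e.g. '501-503,505' to [501, 502, 503, 505], enforcing syntax."""
    if not text:
        raise VlanListError("list is empty")
    if any(ch.isspace() for ch in text):
        raise VlanListError("list must not contain spaces")
    ids = set()
    for item in text.split(","):
        match = ITEM_RE.fullmatch(item)
        if match is None:
            raise VlanListError(f"malformed item {item!r}")
        first = int(match.group(1))
        last = int(match.group(2)) if match.group(2) else first
        if last < first:
            raise VlanListError(f"descending range {item!r}")
        # Walk the range so a span crossing the 1002-1005 gap is rejected;
        # the loop stops at the first out-of-range ID.
        for vlan_id in range(first, last + 1):
            if not in_valid_range(vlan_id):
                raise VlanListError(
                    f"VLAN {vlan_id} is outside 2-1001 and 1006-4094")
            ids.add(vlan_id)
    return sorted(ids)


def check_association(primary, secondary_list, vlan_types):
    """Return findings for a primary/secondary association (empty = OK)."""
    try:
        secondaries = expand_secondary_vlan_list(secondary_list)
    except VlanListError as exc:
        return [f"syntax: {exc}"]
    findings = []
    if not in_valid_range(primary):
        findings.append(f"primary VLAN {primary} is outside the valid range")
    elif vlan_types.get(primary) != "primary":
        kind = vlan_types.get(primary) or "undefined"
        findings.append(f"VLAN {primary} is {kind}, not primary")
    # Rule: multiple community VLAN IDs are allowed, but only one isolated.
    isolated = [v for v in secondaries if vlan_types.get(v) == "isolated"]
    if len(isolated) > 1:
        findings.append(f"more than one isolated VLAN in list: {isolated}")
    for vlan_id in secondaries:
        kind = vlan_types.get(vlan_id)
        if kind not in ("isolated", "community"):
            findings.append(
                f"VLAN {vlan_id} is {kind or 'undefined'}, "
                "not an isolated or community VLAN")
    return findings


if __name__ == "__main__":
    for candidate in ("501-503", "501, 502", "501,502,505", "1000-1007"):
        result = check_association(20, candidate, SAMPLE_VLAN_TYPES)
        print(candidate, "->", result or "OK")
```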
------- --------- ----------------- -----------------------------------------
20      501       isolated
20      502       community
20      503       community
20      504       non-operational

The following shows how to configure a Layer 2 interface as a PVLAN Host Port.
Switch(config-if)# end
Switch# show interfaces gigabitethernet1/0/22 switchport
Name: Gi1/0/22
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrativ
Command | Purpose
show interfaces status | Displays the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type] | Display the private-VLAN information for the switch or switch stack.
show interface switchport | Display private-VLAN configuration on interfaces.
show interface | Display information about the private-VLAN mapping for VLAN SVIs.
tables are used to determine which egress ACL is applied, the authority to modify the routing tables is restricted to authenticated administrators, and authenticated neighbor routers.
FDP_IFC.1(3), FDP_IFF.1(3) | Unlike regular Cisco IOS ACLs (discussed in FDP_IFF.1(2)) that are configured on Layer 3 interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN.
FDP_RIP.2 |
FIA_UID.2
allowing any TSF mediated actions to be performed. Administrative access to the TOE is facilitated through the TOE’s CLI. The TOE mediates all administrative actions through the CLI. Once a potential administrative user attempts to access the CLI of the TOE through either a directly connected console or remotely through an SSHv2 connection, the TOE prompts the user for a user name and password.
The TOE’s administrative interfaces only permit valid values to be specified within administratively-defined rules for the VLAN SFP, VACL SFP, ACL SFP, and PRIVAC SFP.
FMT_MTD.1 | The TOE provides the ability for authorized administrators to access TOE data, such as audit data, configuration data, security attributes, information flow rules, routing tables, and session thresholds. Each of the predefined and administratively configured privilege level has delete set of permissions that will grant them access to the TOE data, though with some privilege levels, the access is limited.
time threshold.
FDP_ACC.2/FDP_ACF.1 FMT_SMR.1
The TOE switch platform maintains administrative privilege level and non-administrative access. Non-administrative access is granted to authenticated neighbor routers for the ability to receive updated routing tables per the information flow rules. There is no other access or functions associated with non-administrative access.
(such as show ip accounting, show ip aliases, show ip bgp, and so on) will be available at privilege level 5. The privilege command is used to move commands from one privilege level to another in order to create the additional levels of administration. The default configuration permits two types of users to access the CLI. The first type of user is a person who is only allowed to access user EXEC mode.
Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8
show privilege | Displays the privilege level of the current CLI session
Router# show privilege
Current privilege level is 7
clear counters | The clear counters command clears the interface counters. This command has been changed from privilege level 15 to privilege level 7.
session
Router> show privilege
Current privilege level is 1

The term “authorized administrator” is used in this ST to refer to any user that has been assigned to a privilege level that is permitted to perform the relevant action; therefore has the appropriate privileges to perform the requested functions. The privilege level determines the functions the user can perform; hence the authorized administrator with the appropriate privileges.
6.2 TOE Bypass and interference/logical tampering Protection Measures

The TOE consists of a hardware platform in which all operations in the TOE scope are protected from interference and tampering by untrusted subjects. All administration and configuration operations are performed within the physical boundary of the TOE. Also, all TSP enforcement functions must be invoked and succeed prior to functions within the TSC proceeding.
7 RATIONALE

This section describes the rationale for the Security Objectives and Security Functional Requirements as defined within this Security Target.

7.1 Rationale for TOE Security Objectives

[Table: threats and policies (P.ACCESS_BANNER, T.USER_DATA_REUSE, T.UNAUTH_MGT_ACCESS, T.TIME, T.NOMGT, T.NOAUDIT, T.MEDIATE, T.NOAUTH) mapped to TOE objectives (O.ACCESS_CONTROL, O.ADMIN_ROLE, O.AUDIT_GEN, O.AUDIT_VIEW, O.CFG_MANAGE, O.IDAUTH, O.MEDIATE, O.SELFPRO, O.STARTUP_TEST, O.TIME, O.DISPLAY_BANNER, O.]
Table 16: Threat/Organizing Security Policy/TOE and TOE Environment Objectives Rationale

Threat/Organization Security Policy: T.AUDIT_REVIEW, T.AUTHADMIN, T.MEDIATE, T.NOAUDIT, T.NOAUTH, T.NOMGT
Rationale: Actions performed by users may not be known to the administrators due to actions not being recorded locally or remotely in a manner suitable to allow interpretation of the messages. The O.AUDIT_GEN objective requires that the TOE generate audit records. The O.
Threat/Organization Security Policy: T.UNAUTH_MGT_ACCESS, T.TIME, T.USER_DATA_REUSE, P.ACCESS_BANNER
Rationale: O.CFG_MANAGE objective requires that the TOE will provide management tools/applications for the administrator to manage its security functions, reducing the possibility for error. The O.ACCESS_CONTROL objective ensures that only authorized administrators have access to the TOE management functions. The O.

7.2
between the security requirements and the security objectives and the relationship between the threats, policies and IT security objectives. The functional and assurance requirements presented in this Security Target are mutually supportive and their combination meets the stated security objectives.

[Table: environment objectives (OE.AUDIT_REVIEW, OE.NOEVIL, OE.TRAIN_GUIDAN, OE.LOCATE, OE.CONFIDENTIALITY, OE.INTEROPERABILITY, OE.LOWEXP) mapped to T.AUDIT_REVIEW, A.LOWEXP, A.INTEROPERABILITY, A.CONFIDENTIALITY, A.]
Assumption: A.LOCATE, A.CONFIDENTIALITY
Rationale: objective ensures that the authorized administrators are trained to periodically review audit logs to identify sources of concern. The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. The OE.
Table 19: TOE Security Objective to Security Functional Requirements Mappings

[Table: SFRs (FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_STG.1, FCS_CKM.1(1), FCS_CKM.1(2), FCS_CKM.4, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_SSH_EXT.1, FDP_ACC.2, FD_ACF.) mapped to TOE objectives (O.ACCESS_CONTROL, O.ADMIN_ROLE, O.AUDIT_GEN, O.AUDIT_VIEW, O.CFG_MANAGE, O.IDAUTH, O.MEDIATE, O.SELFPRO, O.STARTUP_TEST, O.TIME, O.DISPLAY_BANNER, O.RESIDUAL_INFORMATION_CLEARING)]
[Table 19, continued: SFRs FIA_UAU.5, FIA_UAU.7, FIA_UID.2, FMT_MOF.1, FMT_MSA.2, FMT_MSA.3(1)(2), FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_RPL.1, FPT_STM.1, FPT_TST_EXT.1, FTA_SSL.3, FTA_TAB.1]

Table 20: TOE Security Objective to Security Functional Requirements Rationale

Objective: O.ACCESS_CONTROL, O.ADMIN_ROLE, O.AUDIT_GEN
Rationale: The TOE will restrict access to the TOE Management functions to the Authorized administrators.
Objective: O.AUDIT_VIEW, O.CFG_MANAGE, O.IDAUTH, O.MEDIATE
Rationale: auditable for the TOE [FAU_GEN.1 and FAU_GEN.2]. Timestamps associated with the audit record must be reliable [FPT_STM.1]. The TOE will provide the authorized administrators the capability to review Audit data. Security relevant events must be available for review by authorized administrators [FAU_SAR.1].
Objective: O.SELFPRO, O.STARTUP_TEST, O.TIME, O.DISPLAY_BANNER, O.RESIDUAL_INFORMATION_CLEARING
Rationale: The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions. [FDP_ACC.2/FDP_ACF.