System information

Cisco Cat3K ST 6 June 2012
17
All of these management functions are restricted to the authorized administrator of the
TOE.
The TOE switch platform maintains administrative privilege levels and non-administrative
access. Non-administrative access is granted to authenticated neighbor routers so that they
can receive updated routing tables according to the information flow rules; no other
access or function is associated with non-administrative access. The administrative
privilege levels are:
- Administrators assigned to privilege levels 0 and 1. Privilege levels 0 and 1 are
defined by default and are customizable. These levels have a very limited scope: access
to basic CLI commands such as login, showing running system information, turning
privileged commands on or off, and logout.
- Semi-privileged administrators, equivalent to any privilege level that has a subset of
the privileges assigned to level 15, i.e. levels 2 to 14. These levels are undefined by
default and are customizable. The custom level privileges are explained in the example
below.
- Privileged administrators, equivalent to full administrative access to the CLI, which
is the default access for IOS privilege level 15.
The term “authorized administrator” is used in this ST to refer to any user who has been
assigned to a privilege level that is permitted to perform the relevant action, and who
therefore has the appropriate privileges to perform the requested functions.
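As an added illustration of the three tiers above (this is not the ST's own example, and the level number, command set, usernames and secrets are placeholders chosen for the example), the following IOS configuration defines a semi-privileged level 5 that can observe the switch but not configure it, alongside the default level 1 and level 15 accounts:

```cisco
! Added illustration, not the ST's own example. Usernames and secrets
! are placeholders; level 5 and its command set are assumptions.
!
! Level 15 (privileged administrator) is the IOS default and needs no
! definition. Level 5 is undefined by default and becomes a
! semi-privileged level only once commands are assigned to it.
! A level inherits every command available to the levels below it,
! so these commands become reachable from levels 5 through 15.
privilege exec level 5 show running-config
privilege exec level 5 show ip route
privilege exec level 5 show logging
privilege exec level 5 ping
privilege exec level 5 clear counters
!
! Secret required to reach level 5 with "enable 5" from a lower level
enable secret level 5 Level5-Placeholder
!
! A user bound to level 5 lands at that level directly after login
username netops privilege 5 secret NetOps-Placeholder
!
! A default level-1 user: login, logout, basic show commands only
username readonly privilege 1 secret ReadOnly-Placeholder
!
! Full access, the default level 15
username admin privilege 15 secret Admin-Placeholder
!
! Make the local user database enforce the assigned level at login
aaa new-model
aaa authentication login default local
aaa authorization exec default local
```

Two practitioner checks: after logging in as netops, `show privilege` should report level 5, and `show running-config` at a reduced level displays only the parts of the configuration that level is authorized for. The example deliberately does not move `configure terminal` to level 5; once a semi-privileged level can enter configuration mode, every configuration command later assigned to that level (including the `privilege` command itself) becomes a path to widening its own access, so configuration commands should be left at level 15 unless a specific subset is intended.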
1.7.6 Protection of the TSF
The TOE protects against interference and tampering by untrusted subjects by
implementing identification, authentication and access controls that limit configuration to
authorized administrators. Additionally, Cisco IOS is not a general-purpose operating
system, and access to Cisco IOS memory space is restricted to Cisco IOS functions.
The TOE provides secure transmission when TSF data is transmitted between separate
parts of the TOE, using encrypted sessions for remote administration (via SSHv2).
Separate VLANs are used to ensure that routing protocol communications between the TOE
and neighbor routers, including routing table updates and neighbor router authentication,
are logically isolated from traffic on other VLANs.
The TOE is also able to detect replay of information and/or operations. Replay detection
applies to network packets that are terminated at the TOE, such as trusted
communications from administrators to the TOE and from IT entities (e.g., an
authentication server) to the TOE. If replay is detected, the packets are discarded.
In addition, the TOE internally maintains the date and time, which is used as the time
stamp applied to TOE-generated audit records. Alternatively, an NTP server can be used to
synchronize the date and time. Finally, the TOE performs self-tests to verify correct
operation of the switch itself and of the cryptographic module.
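As an added worked configuration (not the ST's own, and not part of the evaluated configuration guidance), the following fragment shows how the TSF-protection measures of this section are expressed on an IOS switch: SSHv2-only remote administration, a dedicated VLAN carrying authenticated routing-protocol traffic, authenticated NTP as the time source, and timestamped audit records. The addresses, VLAN number, key values and the choice of OSPF as the routing protocol are assumptions made for the example; the ST names no particular protocol.

```cisco
! Added illustration, not the ST's own configuration. Addresses, VLAN
! number, key values and the use of OSPF are assumptions.
!
! --- Remote administration: SSHv2 only, local authentication ---
hostname cat3k-core
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret Admin-Placeholder
line vty 0 4
 transport input ssh
 login local
!
! --- Routing-protocol traffic on its own VLAN ---
ip routing
vlan 200
 name ROUTING-PEERS
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 OspfNeighbor-Placeholder
interface GigabitEthernet1/0/1
 description uplink to neighbor router (VLAN 200 only)
 switchport mode access
 switchport access vlan 200
router ospf 1
 area 0 authentication message-digest
 network 192.0.2.0 0.0.0.255 area 0
!
! --- Authenticated NTP as the time source for audit time stamps ---
ntp authenticate
ntp authentication-key 1 md5 NtpKey-Placeholder
ntp trusted-key 1
ntp server 192.0.2.10 key 1
!
! --- Time-stamped audit records, also sent to a remote collector ---
service timestamps log datetime msec localtime show-timezone
logging host 192.0.2.20
```

Checks that correspond to the claims in this section: `show ip ssh` confirms that only version 2 is enabled; `show ip ospf neighbor` shows the adjacency forming only on Vlan200, and a neighbor with the wrong key never reaches FULL; `show ntp status` and `show ntp associations detail` confirm the clock is synchronized to the authenticated server (an unauthenticated or wrong-key server is listed but never selected); and `show logging` shows records carrying the synchronized time stamp. Placing the neighbor link on an access port restricted to VLAN 200 is what keeps routing updates and neighbor authentication off the VLANs that carry user traffic.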