System information

Cisco Cat3K ST 6 June 2012
TOE SFRs How the SFR is Met
The TOE’s administrative interfaces only permit valid values to be specified
within administratively-defined rules for the VLAN SFP, VACL SFP, ACL SFP,
and PRIVAC SFP. For the VLAN SFP, the administrative interfaces ensure that
the administrator will only be able to associate valid (configured) VLANs with
valid (configured) Layer 2 (switch port) interfaces. For the VACL SFP, the
interfaces ensure that the administrator will only be able to associate valid
(configured) VACLs, which are then applied to packets that traverse the VLANs,
whether bridged within a VLAN or routed into or out of a VLAN. For the ACL
SFP, the administrative interfaces ensure that the administrator will only be
able to associate a single outbound ACL and/or a single inbound ACL on any
one Layer 3 interface. Further, the administrative interface ensures that only
valid value formats are permitted for security-relevant information and subject
attributes in ACLs, including valid IP address formats, masks, protocol
identifiers, and port numbers.
For the PRIVAC SFP, the TOE ensures that only valid privilege levels and
associated commands are assigned. Once commands have been assigned to
privilege levels, any administrator at that privilege level is restricted to
executing the command’s options/keywords to the extent that those
options/keywords have been explicitly defined for that privilege level.
FMT_MSA.3(1) The default TOE VLAN SFP, VACL SFP, and ACL SFP are permissive within
the TOE. The flow control policies must be administratively configured to be
restrictive. When no VLANs or PVLANs have been explicitly created by the
administrator and applied to ports, the ports are configured in a single default
VLAN and thus traffic is allowed to flow among the ports. When no ACLs
have been explicitly created and applied to interfaces, IP traffic is allowed to
flow between subnets as defined in the routing table.
The TOE only permits authorized administrators to specify the flow control
policy rules used to enforce each SFP, and only through the administrative interface.
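The IOS configuration fragment below is an added illustration, not text from the Security Target and not a Cisco-supplied configuration. It shows the restrictive flow-control configuration that the valid-values row and FMT_MSA.3(1) describe: an explicit VLAN-to-port association for the VLAN SFP, a VACL filtering traffic on VLAN 10 for the VACL SFP, and one inbound plus one outbound router ACL bound to a single Layer 3 interface for the ACL SFP. The interface names, VLAN numbers, addresses, ports and ACL/map names are assumed for the example.

```cisco
! Added example; interface names, VLAN numbers, addresses and ACL names are illustrative.
! Before any of this is configured, every switch port belongs to the default
! VLAN 1 and no ACLs are bound, so the VLAN, VACL and ACL SFPs are permissive.

! --- VLAN SFP: create the VLAN explicitly and associate it with a Layer 2 port,
!     so the port is no longer left in the default VLAN.
vlan 10
 name SERVERS
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
! --- VACL SFP: the access map references a configured ACL by name. It applies
!     to frames bridged within VLAN 10 and to packets routed into or out of it.
ip access-list extended VACL-TELNET
 permit tcp any any eq 23
!
vlan access-map SERVERS-MAP 10
 match ip address VACL-TELNET
 action drop
vlan access-map SERVERS-MAP 20
 action forward
!
vlan filter SERVERS-MAP vlan-list 10
!
! --- ACL SFP: one inbound and one outbound ACL per Layer 3 interface. The
!     parser accepts only well-formed addresses, wildcard masks, protocol
!     identifiers and port numbers in these entries.
ip access-list extended SERVERS-IN
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.5 eq 443
 deny   ip any any
!
ip access-list extended SERVERS-OUT
 permit tcp host 10.0.20.5 eq 443 10.0.10.0 0.0.0.255
 deny   ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group SERVERS-IN in
 ip access-group SERVERS-OUT out
```

Because only one ACL may be bound per direction on a Layer 3 interface, entering a second `ip access-group ... in` on Vlan10 replaces SERVERS-IN rather than adding a second inbound filter. `show vlan filter`, `show vlan access-map` and `show ip interface Vlan10` confirm which map and ACLs are actually bound; until they are, traffic between subnets flows as the routing table allows, which is the permissive default FMT_MSA.3(1) describes.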
FMT_MSA.3(2) The TOE PRIVAC SFP is restrictive by default: every account is created
with the default privilege level 1. Once authenticated, an administrator can
temporarily “enable” a different privilege level (such as level 15, or a custom
privilege level 2-14) during their CLI session, provided the administrator
supplies the correct password for that privilege level. A privileged
administrator can override these default restrictive settings in two ways: 1)
assign a non-default privilege level (a level other than level 1) to any
administrator’s account; and/or 2) add non-default commands to the set of
commands available at privilege level 1.
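The fragment below is an added example, not text from the Security Target and not a Cisco-supplied configuration. It illustrates the PRIVAC SFP behaviour described in the valid-values row and in FMT_MSA.3(2): a level-specific enable secret, a custom level populated only with explicitly assigned commands, an account given a non-default level (override 1), and a command moved down to level 1 (override 2). The account name, level number, command set and secret placeholders are assumed.

```cisco
! Added example; the level number, command set, account name and secrets are
! illustrative. Default state: all accounts are level 1, and a session can only
! rise to another level by presenting that level's enable secret.
enable secret level 15 <level-15-secret>
enable secret level 7 <level-7-secret>
!
! Custom level 7: only the commands assigned here are available at that level.
! Assigning "show ip route" also makes the parent keywords "show" and "show ip"
! usable at level 7, but no other "show" subcommands.
privilege exec level 7 show ip route
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 description
privilege interface level 7 shutdown
!
! Override 1: a non-default privilege level assigned to an account at login.
username netops privilege 7 secret <netops-secret>
!
! Override 2: a non-default command added to the level 1 command set, widening
! what every unmodified default account can run.
privilege exec level 1 show ip interface brief
!
! Session view of the default restrictive state (constructed transcript):
!   Switch> show privilege
!   Current privilege level is 1
!   Switch> enable 7
!   Password: <level-7-secret>
!   Switch# show privilege
!   Current privilege level is 7
```

`enable 7` succeeds only because an `enable secret level 7` is configured; with no level-specific secret, the session cannot be raised to that level. Re-running `show privilege` after each `enable` is the quickest way to confirm which set of commands the current session is actually restricted to.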