Specifications

Cisco ISR-800 Security Target
TOE SFRs
How the SFR is Met
384, and SHA-512 with message digest sizes 160, 256, 384 and 512 bits
respectively, as specified in FIPS Pub 180-3 “Secure Hash Standard.”
FCS_COP.1(4)
The TOE provides keyed-hashing message authentication services using
HMAC-SHA-1, SHA-256, SHA-384, and SHA-512 with 160-bit key size and message
digest sizes 160, 256, 384 and 512 bits respectively, as specified in FIPS Pub
198-1, “The Keyed-Hash Message Authentication Code,” and FIPS 180-3,
“Secure Hash Standard.”
FCS_IPSEC_EXT.1
The TOE implements IPsec to provide authentication and encryption services to
prevent unauthorized viewing or modification of data as it travels over the external
network. IPsec provides secure tunnels between two peers, such as two routers. An
authorized administrator defines which packets are considered sensitive and
should be sent through these secure tunnels. When the IPsec peer recognizes a
sensitive packet, the peer sets up the appropriate secure tunnel and sends the
packet through the tunnel to the remote peer. More accurately, these tunnels are
sets of security associations (SAs) that are established between two IPsec peers.
The SAs define the protocols and algorithms to be applied to sensitive packets and
specify the keying material to be used. SAs are unidirectional and are established
per security protocol (AH or ESP). In the evaluated configuration only ESP will
be configured for use.
A crypto map set (the Security Policy Definition) can contain multiple entries,
each with a different access list. The crypto map entries are searched in
sequence: the router attempts to match the packet to the access list (ACL)
specified in that entry. When a packet matches a permit entry in a particular
access list, the method of security in the corresponding crypto map is applied.
If the crypto map entry is tagged as ipsec-isakmp, IPsec is triggered. The
traffic matching the permit ACLs would then flow through the IPsec tunnel and be
classified as “PROTECTED”. Traffic that does not match a permit ACL in the
crypto map, but that is not disallowed by other ACLs on the interface, is
allowed to BYPASS the tunnel. Traffic that does not match a permit ACL and is
also blocked by other non-crypto ACLs on the interface would be DISCARDED.
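An added example (not from the Security Target and not Cisco code) that models the PROTECTED / BYPASS / DISCARDED decision described above, so a policy can be checked for flows that would leave the router unencrypted. The tuple-based ACL format, first-match evaluation with an implicit deny, and the sample addresses are assumptions of this sketch; matching is on source and destination address only.

```python
import ipaddress

def acl_action(acl, src, dst):
    """First-match ACL lookup: return 'permit', 'deny', or None if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None

def classify(crypto_map, interface_acl, src, dst):
    """Return (disposition, crypto map sequence number or None) for one packet."""
    # Crypto map entries are searched in sequence-number order.
    for seq in sorted(crypto_map):
        if acl_action(crypto_map[seq], src, dst) == "permit":
            return "PROTECTED", seq
    # Not selected for IPsec: the other ACLs on the interface decide.
    # Assumption: no interface ACL means nothing is disallowed; an ACL that
    # matches nothing ends in an implicit deny.
    if interface_acl is None or acl_action(interface_acl, src, dst) == "permit":
        return "BYPASS", None
    return "DISCARDED", None

# Constructed sample policy (addresses are illustrative only).
CRYPTO_MAP = {
    10: [("permit", "10.1.1.0/24", "10.2.2.0/24")],
    20: [("deny", "10.1.3.5/32", "10.3.0.0/16"),
         ("permit", "10.1.0.0/16", "10.3.0.0/16")],
}
INTERFACE_ACL = [
    ("deny", "10.1.0.0/16", "10.9.0.0/16"),
    ("permit", "10.1.0.0/16", "0.0.0.0/0"),
]

def audit(flows):
    """Classify each (src, dst) flow against the sample policy."""
    return {f: classify(CRYPTO_MAP, INTERFACE_ACL, *f) for f in flows}

if __name__ == "__main__":
    for flow, result in audit([("10.1.1.7", "10.2.2.9"), ("10.1.3.5", "10.3.0.1"),
                               ("10.1.1.7", "10.9.0.1")]).items():
        print(flow, result)
```

In the sample policy the flow from 10.1.3.5 is excluded from entry 20 by its deny line and then permitted by the broad interface ACL, so it is classified BYPASS and travels in cleartext; this is the kind of gap worth auditing for when reviewing crypto ACLs.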
If there is no SA that IPsec can use to protect this traffic to the peer, IPsec uses
IKE to negotiate with the remote peer to set up the necessary IPsec SAs on behalf
of the data flow. The negotiation uses information specified in the crypto map
entry as well as the data flow information from the specific access list entry.
In addition to tunnel mode, which is the default IPsec mode, the TOE also
supports transport mode, allowing for only the payload of the packet to be
encrypted. If tunnel mode is explicitly specified, the router will request tunnel
mode and will accept only tunnel mode.
The IPsec implementation provides VPN peer-to-peer capabilities. The VPN
peer-to-peer tunnel allows, for example, the TOE and another router to establish
an IPsec tunnel to secure the passing of route tables (user data). Another
peer-to-peer configuration is to set up the TOE with an IPsec tunnel to a VPN
peer to secure the session between the TOE and the syslog server.
IPsec Internet Key Exchange, also called ISAKMP, is the negotiation protocol that