Specifications

Cisco ISR-800 Security Target
TOE SFRs
How the SFR is Met
screen so that the user password is obscured. For remote session authentication,
the TOE does not echo any characters as they are entered.
FIA_X509_EXT.1
The TOE uses X.509v3 certificates as defined by RFC 5280 to support
authentication for IPsec and SSH connections. Public key infrastructure (PKI)
credentials, such as Rivest, Shamir, and Adleman (RSA) keys and certificates, can
be stored in a specific location on the router, such as NVRAM and flash memory,
or on a USB eToken 64 KB smart card that has the same physical security
measures as the TOE. The certificates themselves provide protection in that they
are digitally signed: if a certificate is modified in any way, it is invalidated,
because the digital signature verification process shows that the certificate has
been tampered with when the hash value no longer matches. The physical security
of the router (A.Physical) protects the router and the certificates from being
tampered with or deleted. In addition, the TOE identification and authentication
security functions prevent an unauthorized user from gaining access to the TOE.
USB tokens provide for secure configuration distribution of the digital
certificates and private keys. RSA operations such as on-token key generation,
signing, and authentication, and the storage of Virtual Private Network (VPN)
credentials for deployment, can be implemented using the USB tokens. Both OCSP
and CRL are configurable and may be used for certificate revocation checking
(the TOE supports use of OCSP only when using RSA certificates and not when
using ECDSA certificates). Checking is also done for the basicConstraints
extension and the cA flag to determine whether they are present and set to TRUE;
if they are not, the certificate is not accepted.
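As an added example that is not part of the Security Target and not Cisco code, the following Go program (standard library crypto/x509 only) builds a constructed root CA, a leaf certificate and a CRL, and then applies the checks described above: the basicConstraints/cA rule, signature verification that rejects a certificate whose bytes have been altered, and a revocation lookup that first verifies the CRL's own signature and freshness. All names, serial numbers and keys are generated at run time for the example; it uses ECDSA keys with a CRL, which is consistent with the ST's note that OCSP is available only for RSA certificates.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const leafCN = "vpn-peer.example.test" // constructed subject name, not a real peer

// Demo holds a constructed root CA, a leaf it issued and a CRL revoking that leaf;
// all of it is generated at run time and none of it is TOE or Cisco material.
type Demo struct {
	CA, Leaf        *x509.Certificate
	LeafDER, CRLDER []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // constructed test data could not be built
	}
	return v
}

// NewDemo builds the CA, the leaf and a CRL that lists the leaf's serial number.
func NewDemo() *Demo {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, // basicConstraints present, cA=TRUE
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	ca := must(x509.ParseCertificate(caDER))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: leafCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: false, // present, but cA=FALSE: end entity
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafPub := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)).Public()
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey))
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leafTmpl.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	return &Demo{CA: ca, Leaf: must(x509.ParseCertificate(leafDER)), LeafDER: leafDER, CRLDER: crlDER}
}

// CanActAsCA is the ST's basicConstraints rule: present with cA=TRUE, or not an issuer.
func CanActAsCA(c *x509.Certificate) bool { return c.BasicConstraintsValid && c.IsCA }

// SignatureValid parses DER and verifies its signature with the issuer's public key.
func SignatureValid(der []byte, issuer *x509.Certificate) bool {
	c, err := x509.ParseCertificate(der)
	return err == nil && c.CheckSignatureFrom(issuer) == nil
}

// TamperedLeaf flips one bit of the subject CN in the leaf DER: the copy still parses,
// but the CA's signature covers the original TBS bytes and no longer verifies.
func TamperedLeaf(d *Demo) []byte {
	bad := append([]byte(nil), d.LeafDER...)
	if i := bytes.Index(bad, []byte(leafCN)); i >= 0 {
		bad[i] ^= 0x01 // 'v' -> 'w', still a valid PrintableString
	}
	return bad
}

// IsRevoked trusts the CRL only if the issuer signed it and it is not past nextUpdate.
func IsRevoked(crlDER []byte, issuer, c *x509.Certificate) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(rl.NextUpdate) {
		return false, errors.New("CRL is stale")
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	d := NewDemo()
	revoked, err := IsRevoked(d.CRLDER, d.CA, d.Leaf)
	fmt.Println("CA issuer:", CanActAsCA(d.CA), "leaf issuer:", CanActAsCA(d.Leaf), "leaf sig:", SignatureValid(d.LeafDER, d.CA))
	fmt.Println("tampered sig:", SignatureValid(TamperedLeaf(d), d.CA), "revoked:", revoked, err)
}
```

Run it with `go run`; the tampered copy is rejected even though only one character of the subject changed, and the leaf is reported revoked. Note that IsRevoked returns an error rather than "not revoked" when the CRL is stale or its signature does not verify: a validator that silently falls back to "not revoked" on a bad CRL defeats the purpose of revocation checking. CheckSignatureFrom also enforces the issuer's cA flag and keyCertSign usage; a full peer validation would additionally check validity period, peer identity and extended key usage (x509.Certificate.Verify).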
FMT_MOF.1
The TOE restricts the ability to enable, disable, determine and modify the
behavior of all of the security functions of the TOE to an authorized administrator
via the CLI. The TOE provides the ability for Authorized Administrators to access
TOE data, such as audit data, configuration data, security attributes, routing tables,
and session thresholds. Each of the predefined and administratively configured
privilege levels has a default set of permissions that grants access to the TOE
data, though with some privilege levels the access is limited. The TOE performs
role-based authorization, using TOE platform authorization mechanisms, to grant
access to the semi-privileged and privileged levels. For the purposes of this
evaluation, the privileged level is equivalent to full administrative access to
the CLI, which is the default access for IOS privilege level 15; the semi-
privileged level equates to any privilege level that has a subset of the privileges
assigned to level 15. Privilege levels 0 and 1 are defined by default and are
customizable, while levels 2-14 are undefined by default and are also
customizable. The term “Authorized Administrator” is used in this ST to refer to
any user who has been assigned to a privilege level that is permitted to perform
the relevant action, and who therefore has the appropriate privileges to perform
the requested functions. Consequently, semi-privileged administrators with only a
subset of privileges can also modify TOE data if they have been granted the
privilege to do so.
FMT_MTD.1
FMT_SMF.1
The TOE provides all the capabilities necessary to securely manage the TOE. The
administrative user can connect to the TOE using the CLI to perform these
functions via SSHv2, a terminal server, or at the local console.
The specific management capabilities available from the TOE include:
Ability to administer the TOE locally and remotely;
Ability to update the TOE, and to verify the updates using digital
signature or published hash capability prior to installing those updates;