
Cisco ISR 4000 Family Routers Administrator Guidance, Page 34 of 66

Note: The configuration above is not a complete IKEv2 configuration; additional settings will be needed. See [18] Configuring Internet Key Exchange Version 2 (IKEv2) for additional information on IKEv2 configuration.

 

4.6.2 IPsec Transforms and Lifetimes

Regardless of the IKE version selected, the TOE must be configured with the proper transform for IPsec ESP encryption and integrity as well as IPsec lifetimes.

TOE-common-criteria(config)# crypto ipsec transform-set example esp-aes 128 esp-sha-hmac

Note that this configures IPsec ESP to use HMAC-SHA-1 and AES-CBC-128. To change this to the other allowed algorithms, the following options can replace 'esp-aes 128' in the command above:

Encryption Algorithm    Command
AES-CBC-256             esp-aes 256
AES-GCM-128             esp-gcm 128
AES-GCM-256             esp-gcm 256

Note: The size of the key selected here must be less than or equal to the key size selected for the IKE encryption setting in 4.6.1.1 and 4.6.1.2 above. If AES-CBC-128 was selected there for use with IKE encryption, then only AES-CBC-128 or AES-GCM-128 may be selected here.

TOE-common-criteria(config-crypto)# mode tunnel

This configures tunnel mode for IPsec. Tunnel is the default, but by explicitly specifying tunnel mode, the router will request tunnel mode and will accept only tunnel mode.

 

TOE-common-criteria(config-crypto)# mode transport

This configures transport mode for IPsec.

 

TOE-common-criteria(config)# crypto ipsec security-association lifetime seconds 28800

The default time value for Phase 1 SAs is 24 hours. The default time value for Phase 2 SAs is 1 hour. There is no configuration required for these since the defaults are acceptable; however, to change the setting to 8 hours as claimed in the Security Target, the crypto ipsec security-association lifetime command can be used as specified above.

TOE-common-criteria(config)# crypto ipsec security-association lifetime kilobytes 100000

This configures a lifetime of 100 MB of traffic for Phase 2 SAs. The default amount for this setting is 2560 KB, which is the minimum configurable value for this command. The maximum configurable value for this command is 4 GB.
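The rules this section states (an ESP key no larger than the IKE key, an integrity transform for AES-CBC, the 2560 KB to 4 GB kilobyte range, and the 8-hour lifetime claimed in the Security Target) can be checked mechanically before a configuration is applied. The checker below is an added example, not Cisco tooling; the two configuration samples are constructed, and the reading of a bare IKEv1 "encryption aes" as 128-bit is an assumption of the example.

```python
"""Check an IOS IPsec transform-set and SA-lifetime configuration against the rules
this section states. Added example, not Cisco tooling; samples are constructed."""
import re

# Transforms the section allows, with the AES key size each one uses.
ALLOWED_ESP_ENCRYPTION = {
    "esp-aes 128": 128, "esp-aes 256": 256,
    "esp-gcm 128": 128, "esp-gcm 256": 256,
}
MIN_LIFETIME_KB = 2560                 # default and minimum, per the section
MAX_LIFETIME_KB = 4 * 1024 * 1024      # "4 GB" as stated in the section, in KB
ST_LIFETIME_SECONDS = 28800            # 8 hours, as claimed in the Security Target


def parse_config(text):
    """Pull the fields the checks need out of IOS configuration lines."""
    cfg = {"esp_encryption": None, "esp_integrity": None, "mode": None,
           "lifetime_seconds": None, "lifetime_kb": None, "ike_key_bits": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set \S+ (esp-\S+(?: \d+)?)(?: (esp-\S+))?", line)
        if m:
            cfg["esp_encryption"], cfg["esp_integrity"] = m.group(1), m.group(2)
        elif re.match(r"mode (tunnel|transport)$", line):
            cfg["mode"] = line.split()[1]
        elif line.startswith("crypto ipsec security-association lifetime seconds "):
            cfg["lifetime_seconds"] = int(line.split()[-1])
        elif line.startswith("crypto ipsec security-association lifetime kilobytes "):
            cfg["lifetime_kb"] = int(line.split()[-1])
        else:
            # IKEv1 policy ("encryption aes 256"; a bare "encryption aes" is taken as
            # 128-bit, an assumption of this example) or IKEv2 proposal
            # ("encryption aes-cbc-256"); the first algorithm on the line is used.
            m = re.match(r"encryption aes(?:-(?:cbc|gcm))?(?:[ -](\d+))?(?:\s|$)", line)
            if m:
                cfg["ike_key_bits"] = int(m.group(1) or 128)
    return cfg


def check_config(text):
    """Return the list of rule violations; an empty list means the settings pass."""
    cfg = parse_config(text)
    findings = []
    enc = cfg["esp_encryption"]
    if enc not in ALLOWED_ESP_ENCRYPTION:
        findings.append("ESP encryption %r is not an allowed transform" % enc)
    else:
        esp_bits = ALLOWED_ESP_ENCRYPTION[enc]
        if cfg["ike_key_bits"] is not None and esp_bits > cfg["ike_key_bits"]:
            findings.append("ESP key size %d exceeds IKE key size %d"
                            % (esp_bits, cfg["ike_key_bits"]))
        if enc.startswith("esp-aes") and cfg["esp_integrity"] is None:
            findings.append("AES-CBC transform set has no integrity transform (esp-sha-hmac)")
    secs = cfg["lifetime_seconds"]
    if secs is not None and secs > ST_LIFETIME_SECONDS:
        findings.append("SA lifetime %d s exceeds the %d s claimed in the Security Target"
                        % (secs, ST_LIFETIME_SECONDS))
    kb = cfg["lifetime_kb"]
    if kb is not None and not MIN_LIFETIME_KB <= kb <= MAX_LIFETIME_KB:
        findings.append("SA lifetime %d KB is outside %d..%d KB"
                        % (kb, MIN_LIFETIME_KB, MAX_LIFETIME_KB))
    return findings


# Constructed sample: IKE AES-256, ESP AES-GCM-256, tunnel mode, 8 h and 100 MB lifetimes.
SAMPLE_GOOD = """\
crypto isakmp policy 1
 encryption aes 256
crypto ipsec transform-set example esp-gcm 256
 mode tunnel
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 100000
"""
# Constructed sample: 128-bit IKE with 256-bit ESP, a 24 h lifetime, and a
# kilobyte lifetime below the 2560 KB minimum (three violations).
SAMPLE_BAD = """\
crypto isakmp policy 1
 encryption aes
crypto ipsec transform-set example esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 1024
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_config(sample) or "OK")
```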
