Cisco Cat4K NDPP ST
11 March 2014
EDCS-1228241
Page 68

TOE SFRs | How the SFR is Met

The TOE implements a NIST-approved AES-CTR Deterministic Random Bit Generator (DRBG), as specified in SP 800-90.

The entropy source used to seed the Deterministic Random Bit Generator (e.g. based on SP 800-90A/B/C) is a random set of bits or bytes that is regularly supplied to the DRBG from the internal Quack (ACT) processor, which produces a minimum of 256 bits of entropy.

All RNG entropy source samplings are continuously health tested by the NIST DRBG as per SP 800-90A before they are used as a seed. Though related to this, the tests are part of the FIPS validation procedures for the DRBG and are part of the NIST validations for FIPS 140-2 for the products. Any initialization or system errors during bring-up or processing of this system cause a reboot as necessary to be FIPS compliant. Finally, the system zeroizes any entropy seeding bytes, which will not be available after the current collection.


FCS_COMM_PROT_EXT.1

The TOE implements SSHv2 and IPsec, either of which can be used to protect communications for remote administration. IPsec is also used to protect communications with external servers (e.g., syslog server, NTP and, if configured, an external authentication server).

FCS_SSH_EXT.1 

The TOE implements SSHv2 (telnet is disabled in the evaluated configuration) in compliance with RFCs 4251, 4252, 4253, and 4254, using the SSH RSA public key algorithm.

SSHv2 sessions are limited to a configurable session timeout period of 120 seconds and a maximum of 3 failed authentication attempts, and will be rekeyed upon request from the SSH client (no more than 2^28 packets). SSH connections will be dropped if the TOE receives a packet larger than 35,000 bytes.

The TOE’s implementation of SSHv2 supports hashing algorithms hmac-sha1, hmac-sha1-96, hmac-md5-96.

The TOE can also be configured to use only one of the identified DH groups for key exchange. The available groups include Diffie-Hellman group 14 (2048 bits) and group 16 (4096 bits).

The network traffic between the remote admin console and the TOE is protected by an encrypted session using AES in CBC mode with key sizes 128 or 256 bits (FIPS 197), supporting both public key-based and password-based authentication
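
The limits in the FCS_SSH_EXT.1 row can be expressed as a small session-policy check. The following is an added example, not Cisco's code or part of the Security Target; the function and class names are hypothetical. It assumes that the 35,000-byte limit applies to the total RFC 4253 binary packet (length field, padding, payload and MAC) and that the first five bytes of each packet are passed in already decrypted.

```python
import struct

# Limits stated in the FCS_SSH_EXT.1 row above.
MAX_PACKET_BYTES = 35_000
REKEY_PACKET_LIMIT = 2 ** 28
MAX_AUTH_FAILURES = 3
# RFC 4253 algorithm names for the ciphers and MACs the row lists,
# with each MAC's tag length in bytes.
ALLOWED_ENC = ("aes128-cbc", "aes256-cbc")
MAC_LEN = {"hmac-sha1": 20, "hmac-sha1-96": 12, "hmac-md5-96": 12}
AES_BLOCK = 16


class PolicyViolation(Exception):
    """Raised when the session must be refused or disconnected."""


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: pick the first client entry the server also supports."""
    for name in client_list:
        if name in server_list:
            return name
    raise PolicyViolation("no algorithm in common with the evaluated configuration")


def total_packet_size(header, mac_len, block=AES_BLOCK):
    """Validate the first 5 plaintext bytes of an SSH binary packet.

    header = uint32 packet_length || byte padding_length (RFC 4253 section 6).
    Returns the total size on the wire, or raises PolicyViolation.
    """
    if len(header) < 5:
        raise ValueError("need packet_length and padding_length")
    packet_length, padding_length = struct.unpack(">IB", header[:5])
    total = 4 + packet_length + mac_len
    # Reject before allocating a buffer for the body.
    if total > MAX_PACKET_BYTES:
        raise PolicyViolation(f"packet of {total} bytes exceeds {MAX_PACKET_BYTES}")
    if (4 + packet_length) % block:
        raise PolicyViolation("length is not a multiple of the cipher block size")
    if padding_length < 4 or packet_length < padding_length + 1:
        raise PolicyViolation("invalid padding length")
    return total


class SshSessionPolicy:
    """Tracks per-session counters for the limits in the row above."""

    def __init__(self, mac_name):
        self.mac_len = MAC_LEN[mac_name]
        self.packets_under_key = 0
        self.auth_failures = 0

    def on_packet(self, header):
        """Accept one packet; return True when a rekey must start now."""
        if self.packets_under_key >= REKEY_PACKET_LIMIT:
            raise PolicyViolation("key used past the rekey limit")
        total_packet_size(header, self.mac_len)
        self.packets_under_key += 1
        return self.packets_under_key >= REKEY_PACKET_LIMIT

    def on_rekey_complete(self):
        self.packets_under_key = 0

    def on_auth_failure(self):
        """Return the attempts left; disconnect on the final failure."""
        self.auth_failures += 1
        if self.auth_failures >= MAX_AUTH_FAILURES:
            raise PolicyViolation("too many failed authentication attempts")
        return MAX_AUTH_FAILURES - self.auth_failures


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    client_ciphers = ["aes128-ctr", "aes256-cbc"]
    print("cipher:", negotiate(client_ciphers, ALLOWED_ENC))
    session = SshSessionPolicy("hmac-sha1")
    ok = struct.pack(">IB", 28, 10)          # 32-byte body plus 20-byte MAC
    print("rekey needed:", session.on_packet(ok))
    oversized = struct.pack(">IB", 34988, 4)  # 35,012 bytes with the MAC
    try:
        session.on_packet(oversized)
    except PolicyViolation as exc:
        print("dropped:", exc)
```

The size check runs on the length field alone, so an oversized packet is rejected before its body is read or buffered.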

Содержание 4503-E - Catalyst Data Bundle Switch

Страница 1: ...Cisco Cat4K NDPP ST 11 March 2014 EDCS 1228241 1 Cisco Catalyst 4500 Series Switches 4503 E 4506 E 4507R E 4510R E 4500X and 4500X F Running IOS XE 3 5 2E Security Target Revision 1 0 11 March 2014 ...

Страница 2: ...4 1 7 1 Security Audit 25 1 7 2 Cryptographic Support 25 1 7 3 User Data Protection 25 1 7 4 Identification and Authentication 26 1 7 5 Security Management 26 1 7 6 Protection of the TSF 27 1 7 7 Resource Utilization 28 1 7 8 TOE Access 28 1 7 9 Trusted Path Channels 28 1 8 Excluded Functionality 28 2 Conformance Claims 30 2 1 Common Criteria Conformance Claim 30 2 2 Protection Profile Conformance...

Страница 3: ... 48 5 2 6 Protection of the TSF FPT 49 5 2 7 FRU Resource Utilization 50 5 2 8 TOE Access FTA 51 5 2 9 Trusted Path Channel FTP 51 5 3 Extended Components Definition 52 5 4 TOE SFR Dependencies Rationale 54 5 5 Security Assurance Requirements 56 5 5 1 SAR Requirements 56 5 5 2 Security Assurance Requirements Rationale 57 5 6 Assurance Measures 57 6 TOE Summary Specification 59 6 1 TOE Security Fun...

Страница 4: ...DENCY RATIONALE FROM NDPP 54 TABLE 18 ASSURANCE MEASURES 56 TABLE 19 ASSURANCE MEASURES 57 TABLE 20 HOW TOE SFRS ARE MET 59 TABLE 21 THREAT OBJECTIVES POLICIES MAPPINGS 81 TABLE 22 THREAT POLICIES TOE OBJECTIVES RATIONALE 82 TABLE 23 ASSUMPTIONS ENVIRONMENT OBJECTIVES MAPPINGS 83 TABLE 24 ASSUMPTIONS THREATS OBJECTIVES RATIONALE 83 TABLE 25 SECURITY OBJECTIVE TO SECURITY REQUIREMENTS MAPPINGS 84 T...

Страница 5: ... Evaluation TOE the Cisco Catalyst 4500 Series Switches 4503 E 4506 E 4507R E 4510R E 4500X and 4500X F running IOS XE 3 5 2E This Security Target ST defines a set of assumptions about the aspects of the environment a list of threats that the product intends to counter a set of security objectives a set of security requirements and the IT security functions provided by the TOE which meet the set o...

Страница 6: ...rsion 1 0 Publication Date 11 March 2014 ST Author Cisco Systems Inc Developer of the TOE Cisco Systems Inc TOE Reference Cisco Catalyst 4500 Series Switches 4503 E 4506 E 4507R E 4510R E 4500X and 4500X F running IOS XE 3 5 2E TOE Hardware Models Cisco Catalyst 4500 Series Switches 4503 E 4506 E 4507R E 4510R E 4500X and 4500X F including one or more Supervisor cards and one or more of the line c...

Страница 7: ...itch where the configuration parameters are stored OS Operating System OSPF Open Shortest Path First An interior gateway protocol routes within a single autonomous system A link state routing protocol which calculates the shortest path to each node Packet A block of data sent over the network transmitting the identities of the sending and receiving stations error control information and message PP...

Страница 8: ...on of IOS XE software The Catalyst 4500 Series Switches chassis provides power cooling and backplane for the Supervisor Engine line cards and service modules SM 1 The Supervisor Engines run the IOS XE software The evaluated configurations consist of the following components e g at least one of the listed chassis at least one supervisor card running IOS XE 3 5 2E software and at least one line card...

Страница 9: ...ng available routes conditions distance and costs to determine the best route for a given packet Routing protocols used by the TOE include BGPv4 EIGRP EIGRPv6 for IPv6 RIPv2 and OSPFv2 BGPv4 EIGRP and EIGRPv6 supports routing updates with IPv6 or IPv4 while RIPv2 and OSPFv2 routing protocol support routing updates for IPv4 only Note the information flow functionality is not included in the scope o...

Страница 10: ...ned security relevant data can only be manipulated via the secured management interface a CLI and provides no general purpose programming capability There are no undocumented interfaces for managing the Catalyst switches All network traffic to the TOE protected internal network passes through Catalyst Switches There are no unmediated traffic flows into or out of the TOE Once network traffic is rec...

Страница 11: ...d to store switch configuration parameters used to initialize the system at start up Physical network interfaces minimally two e g RJ45 serial and standard 10 100 Ethernet ports Some models have a fixed number and or type of interfaces some models have slots that accept additional network interfaces 10 Gigabit Ethernet GE uplinks and supports Power over Ethernet Plus PoE and Universal POEP UPOE Un...

Страница 12: ...n internal network SSHv2 must be used to connect to the switch A syslog server can also be used to store audit records A remote authentication server can also be used for centralized authentication If these servers are used they must be attached to the internal trusted network The internal trusted network is meant to be separated effectively from unauthorized individuals and user traffic one that ...

Страница 13: ...e supervisors and chassis models included in the TOE These line cards and SMs are not security relevant 3 No specific service modules such as the Firewall Blade Wireless Service and Network Analysis being claimed in the evaluated configuration as they require additional license Cisco ASR 1006 PWR STATUS ASR1000 SIP10 PWR STATUS ASR1000 SIP10 PWR STAT STBY ASR1000 ESP20 ACTV PWR STAT STBY ASR1000 E...

Страница 14: ...slots 2 5 5 8 Supervisor engine slots 14 12 25 26 Dedicated supervisor engine slot numbers 1 1 3 and 4 5 and 6 Supervisor engine redundancy No No Yes Yes Supervisor V 10GE 6 E and 7 E Supervisor engines Supervisor 7 E Supervisor 7 E Supervisor 7 E Supervisor 7 E 4 Slot 1 is reserved for supervisor engine only slots 2 and higher are reserved for line cards 5 Slots 3 and 4 are reserved for superviso...

Страница 15: ...ys 2 2 2 2 AC input power Yes Yes Yes Yes DC Input power Yes Yes Yes Yes Integrated Power over Ethernet Yes Yes Yes Yes Minimum number of power supplies 1 1 1 1 Power supplies supported 1000W AC 1400W AC 1300W ACV 2800W ACV 4200W ACV 6000W ACV 1400W DC triple input 1400W DC P 1000W AC 1400W AC 1300W ACV 2800W ACV 4200W ACV 6000W ACV 1400W DC triple input 1400W DC P 1000W AC 1400W AC 1300W ACV 2800...

Страница 16: ... capacity with 250 Mpps of throughput 4 nonblocking 10 Gigabit Ethernet uplinks Small Form Factor Pluggable Plus SFP SFP support on uplinks to offer flexibility for up to 4 Gigabit Ethernet ports 384 ports of nonblocking 10 100 1000 PoEP 30W capabilities on all ports in a line card simultaneously UPOE 60W capabilities on all line card slots Energy Efficient Ethernet IEEE 802 3az 196 ports of nonbl...

Страница 17: ...formation MAC VLAN and TCP Flags and synthetic traffic monitoring with IP service level agreement IP SLA Medianet capabilities to simplify video QoS monitoring and security Energy efficient design with Cisco EnergyWise technology to manage network PoEP and PC Investment protection and reduced total cost of ownership TCO Full backward compatibility with 6 24 and 48 Gbps slot line cards with no perf...

Страница 18: ...igration Scalable routing IPv4 IPv6 and multicast tables Layer 2 tables and access control list ACL and quality of service QoS entries to make use of 8 queues per port and comprehensive security policies per port Infrastructure services Cisco IOS XE Software the modular open application platform for virtualized borderless services Maximum resiliency with redundant components Nonstop Forwarding Sta...

Страница 19: ...EE 802 3af at and Cisco prestandard PoE IEEE 802 3x flow control IEEE 802 1AE and Cisco TrustSec capability in hardware L2 4 Jumbo Frame support up to 9216 bytes Capable of up to 30 W of inline power per port on all ports simultaneously Enterprise and commercial designed to power next generation IP phones wireless base stations video cameras virtual desktop clients and other PoE UPOE devices Campu...

Страница 20: ... Frame support up to 9216 bytes Enterprise and commercial designed for high speed backbone and switch to switch applications Service provider 10GE GE mix aggregation for DSLAM PON mobile data backhaul WS X4712 SFP E is not supported on 4507R E and 4510R E chassis WS X4640 CSFP E 40 modules of Gigabit SFP line card 1000BaseX providing 24 gigabits per slot capacity SFP optional 40 ports with Gigabit...

Страница 21: ...0 Gigabit Ethernet when organizational demands change The uplink module is hot swappable Deployment Options include 32 x 10 Gigabit Ethernet Port switch with optional Small Form Factor Pluggable Plus SFP models 16 x 10 Gigabit Ethernet Port switch with optional Small Form Factor Pluggable Plus SFP models 8 x 10 Gigabit Ethernet SFP removable uplink module Dual redundant AC DC power supply and five...

Страница 22: ...v2 session or via a local console connection The switches are hardware platforms in which all operations in the TOE scope are protected from interference and tampering by untrusted subjects All administration and configuration operations are performed within the physical boundary of the TOE Also all TOE Security Policy TSP enforcement functions must be invoked and succeed prior to functions within...

Страница 23: ...d out of the TOE The physical network interface ports can be located on the supervisor card and or the line cards The network interface is the physical Ethernet interface to the TOE from the internal and external networks Within the scope of the evaluation this interface is used for the following purposes For network traffic entering and leaving the TOE This could be through traffic for example a ...

Страница 24: ...guidance documentation as follows The TOE is a hardware and software solution that uses a combination of chassis supervisor engine and line cards as defined in Section 1 3 1 Table 3 the Cisco Catalyst 4500 Series Switches 4503 E 4506 E 4507R E 4510R E 4500X and 4500X F running IOS XE 3 5 2E on the Supervisor Engine Installation and Configuration guidance for the Common Criteria NDPP Evaluated Cisc...

Страница 25: ...the event and additional information of the event and its success and or failure The TOE does not have an interface to modify audit records though there is an interface available for the authorized administrator to clear audit data stored locally on the TOE 1 7 2 Cryptographic Support The TOE provides cryptography support for secure communications and protection of information when configured in F...

Страница 26: ...ting users attempting to connect to the TOE s CLI Note the remote authentication server is not included within the scope of the TOE evaluated configuration it is considered to be provided by the operational environment The TOE can be configured to display an advisory banner when administrators log in and also to terminate administrator sessions after a configured period of inactivity The TOE also ...

Страница 27: ...tricted to the authorized administrator of the TOE The term authorized administrator is used in this ST to refer to any user account that has been assigned to a privilege level that is permitted to perform the relevant action therefore has the appropriate privileges to perform the requested functions 1 7 6 Protection of the TSF The TOE protects against interference and tampering by untrusted subje...

Страница 28: ...he CLI using SSHv2 with the syslog server and if configured with the NTP server and external authentication server using IPsec 1 8 Excluded Functionality The Cisco IOS contains a collection of features that build on the core components of the system Those features that are not within the scope of the evaluated configuration include Features that must remain disabled in the evaluated configuration ...

Страница 29: ...re to configure IOS Software and switch configuration without user intervention The Smart Install uses dynamic IP address allocation to facilitate installation providing transparent network plug and play This feature is not to be used as it could result in settings configurations that may interfere with the enforcement of the security policies as defined in the Security Target or the TOEs operatio...

Страница 30: ...trict conformance claim as noted below in the PP conformance claim rationale the ST includes all claims as indicated in NDPP and makes no additional claims 2 3 Protection Profile Conformance Claim Rationale 2 3 1 TOE Appropriateness The TOE provides all of the functionality at a level of security commensurate with that identified in the NDPP 2 3 2 TOE Security Problem Definition Conformance The As...

Страница 31: ...ified in the U S Government Protection Profile for Security Requirements for Network Devices for which conformance is claimed verbatim All concepts covered in the Protection Profile s Statement of Security Requirements are included in the Security Target Additionally the Security Assurance Requirements included in the Security Target are identical to the Security Assurance Requirements included in...

Страница 32: ...es Entity Definition Admin Human who administers the TOE Administration tasks include starting the TOE operating the TOE maintaining configuration data and inspection of security audit log files In this Security Target there are several levels of administrators all which are described in Section 6 1 and all considered an Admin Attacker A threat agent trying to undermine the security policy of the ...

Страница 33: ... TSF data The data which is used by the TOE for digital signature handling and encryption decryption purposes Security properties to be maintained by the TOE confidentiality integrity authenticity Ctrl data Secondary asset TSF data The data which is used by the TOE for firmware updates firmware registration and firmware identity checking purposes Security properties to be maintained by the TOE ava...

Страница 34: ...ay deny access to TOE services by exhausting critical resources on the TOE T TSF_FAILURE Security mechanisms of the TOE may fail leading to a compromise of the TSF T UNDETECTED_ACTIONS Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE These actions may remain undetected and thus their effects cannot be effectively mitigated T UNAUTHORIZED...

Страница 35: ...al environment or a combination of the two 3 6 1 OSPs enforced by TOE The following security rules procedures or guidelines are enforced by the TOE Table 12 Organizational Security Policies Policy Name Policy Definition P ACCESS_BANNER The TOE shall display an initial banner describing restrictions of use legal agreements or any other appropriate information to which users consent by accessing the...

Страница 36: ... PROTECTED_COMMUNICATIONS The TOE will provide protected communication channels for administrators other parts of a distributed TOE and authorized IT entities O VERIFIABLE_UPDATES The TOE will provide the capability to help ensure that any updates to the TOE can be verified by the administrator to be unaltered and optionally from a trusted source O SYSTEM_MONITORING The TOE will provide the capabi...

Страница 37: ...ves Table 14 Security Objectives for the Environment Operational Environment Security Objective Operational Environment Security Objective Definition OE NO_GENERAL_PURPOSE There are no general purpose computing capabilities e g compilers or user applications available on the TOE other than those services necessary for the operation administration and support of the TOE OE PHYSICAL Physical securit...

Страница 38: ... iteration is indicated by a number placed at the end of the component For example FDP_IFF 1 1 and FDP_IFF 1 2 indicate that the ST includes two iterations of the FDP_IFF 1 requirement 1 and 2 Refinement allows the addition of details Refinements are indicated using bold for additions and strike through for deletions e g all objects or some big things The Extended SFRs are identified by having a l...

Страница 39: ..._EXT 1 IPSEC FCS_SSH_EXT 1 SSH FDP User data protection FDP_RIP 2 Full residual information protection FIA Identification and authentication FIA_PMG_EXT 1 Password management FIA_UIA_EXT 1 User identification and authentication FIA_UAU_EXT 5 Password based authentication mechanism FIA_UAU 6 Re authenticating FIA_UAU 7 Protected authentication feedback FMT Security management FMT_MTD 1 Management o...

Страница 40: ...path FTP_TRP 1 2 Trusted path 5 2 1 Security audit FAU 5 2 1 1 FAU_GEN 1 Audit data generation FAU_GEN 1 1 The TSF shall be able to generate an audit record of the following auditable events a Start up and shutdown of the audit functions b All auditable events for the basic level of audit and c All administrative actions d Specifically defined auditable events listed in Table 16 FAU_GEN 1 2 The TS...

Страница 41: ...ality No additional information FCS_RBG_EXT 1 Failure of the randomization process No additional information FCS_COMM_PROT_EXT 1 None FCS_IPSEC_EXT 1 Failure to establish an IPsec SA Establishment Termination of an IPsec SA Reason for failure Non TOE endpoint of connection IP address for both successes and failures FCS_SSH_EXT 1 Failure to establish an SSH Session Establishment Termination of an S...

Страница 42: ...ion generated by the tests beyond success or failure FRU_RSA 1 Maximum quota being exceeded Resource identifier FTA_SSL_EXT 1 Any attempts at unlocking of an interactive session No additional information FTA_SSL 3 The termination of a remote session by the session locking mechanism No additional information FTA_TAB 1 None FTP_ITC 1 1 Initiation of the trusted channel Termination of the trusted cha...

Страница 43: ...th the identity of the user that caused the event 5 2 1 2 FAU_STG_EXT 1 External audit trail storage FAU_STG_EXT 1 1 The TSF shall be able to transmit the generated audit data to an external IT entity over a trusted channel defined in FTP_ITC 1 5 2 1 3 FAU_STG_EXT 3 Action in case of loss of audit server connectivity FAU_STG_EXT 3 1 The TSF shall store audit records on the TOE and attempt re estab...

Страница 44: ... 2 3 FCS_COP 1 1 Cryptographic operation for data encryption decryption FCS_COP 1 1 1 The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm AES operating in CBC mode and cryptographic key sizes 128 bits 256 bits and no other key sizes that meets the following FIPS PUB 197 Advanced Encryption Standard AES NIST SP 800 38A NIST SP 800 38D 5 2 2 4 FCS_C...

Страница 45: ...ce with NIST Special Publication 800 90 using CTR_DRBG AES seeded by an entropy source that accumulated entropy from at least one independent TSF hardware based noise source FCS_RBG_EXT 1 2 The deterministic RBG shall be seeded with a minimum of 256 bits of entropy at least equal to the greatest length of the keys and authorization factors that it will generate 5 2 2 8 FCS_COMM_PROT_EXT 1 Communic...

Страница 46: ...tters numbers and special characters that include and Pre shared keys of 22 characters no other lengths 5 2 2 10 FCS_SSH_EXT 1 SSH FCS_SSH_EXT 1 1 The TSF shall implement the SSH protocol that complies with RFCs 4251 4252 4253 and 4254 FCS_SSH_EXT 1 2 The TSF shall ensure that the SSH connection be rekeyed after no more than 228 packets have been transmitted using that key FCS_SSH_EXT 1 3 The TSF ...

Страница 47: ...e unavailable upon the allocation of the resource to all objects 5 2 4 Identification and authentication FIA 5 2 4 1 FIA_PMG_EXT 1 Password management FIA_PMG_EXT 1 1 The TSF shall provide the following password management capabilities for administrative passwords 1 Passwords shall be able to be composed of any combination of upper and lower case letters numbers and special characters that include...

Страница 48: ...eir password is reset by an administrator 5 2 4 4 FIA_UAU 6 Re authenticating FIA_UAU 6 1 The TSF shall re authenticate the user under the conditions when the user changes their password following TSF initiated locking FTA_SSL 5 2 4 5 FIA_UAU 7 Protected authentication feedback FIA_UAU 7 1 The TSF shall provide only obscured feedback to the user while the authentication is in progress at the local...

Страница 49: ...strator No other roles FMT_SMR 1 2 The TSF shall be able to associate users with roles 5 2 6 Protection of the TSF FPT 5 2 6 1 FPT_ITT 1 1 Basic Internal TSF Data Transfer Protection Disclosure FPT_ITT 1 1 1 Refinement The TSF shall protect TSF data from disclosure when it is transmitted between separate parts of the TOE through the use of the TSF provided cryptographic services FCS_IPSEC_EXT 1 IP...

Страница 50: ... 1 The TSF shall provide security administrators the ability to query the current version of the TOE firmware software FPT_TUD_EXT 1 2 The TSF shall provide security administrators the ability to initiate updates to the TOE firmware software FPT_TUD_EXT 1 3 The TSF shall provide a means to verify firmware software updates to the TOE using a published hash prior to installing those updates 5 2 6 8 ...

Страница 51: ...ure FTP_ITC 1 1 1 The TSF shall use IPSec to provide a trusted communication channel between itself and authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure FTP_ITC 1 2 1 The TSF shall permit the TSF or the authorized IT entities to initiate communication via the ...

Страница 52: ...SSH as specified in FCS_SSH_EXT 1 to access the CLI that is logically distinct from other communication paths and provides assured identification of its end points and detection of modification of the communicated data FTP_TRP 1 2 2 The TSF shall permit remote administrators to initiate communication via the trusted path FTP_TRP 1 3 2 Refinement The TSF shall require the use of the trusted path fo...

Страница 53: ... from NDPP where it is defined as a requirement to export audit records outside the TOE FAU_STG_EXT 3 This SFR was taken from NDPP where it is defined as a requirement to detect and take a defined action when an external audit server becomes inaccessible FCS_CKM_EXT 4 This SFR was taken from NDPP where it is defined as a requirement for immediate zeroization when keys and CSPs are no longer requir...

Страница 54: ... ST Author has corrected by including the EXT qualifier FPT_PTD_EXT 2 This SFR was taken from NDPP as FPT_PTD 1 2 where it is defined as a requirement specifically disallowing access to identified TSF data Note in the NDPP this SFR is not represented as an Extended Requirement with the inclusion of the EXT qualifier However this SFR is not represented in the Part 2 CC as such the ST Author has cor...

Страница 55: ...CS_CKM 4 Met by FCS_CKM 1 and Met by FCS_CKM_EXT 4 FCS_COP 1 3 FDP_ITC 1 or 2 or FCS_CKM 1 FCS_CKM 4 Met by FCS_CKM 1 and Met by FCS_CKM_EXT 4 FCS_COP 1 4 FDP_ITC 1 or 2 or FCS_CKM 1 FCS_CKM 4 Met by FCS_CKM 1 and Met by FCS_CKM_EXT 4 FCS_RBG_EXT 1 No dependencies N A FCS_COMM_PROT_EXT 1 FCS_HTTPS_EXT 1 or FCS_IPSEC_EXT 1 or FCS_SSH_EXT 1 or FCS_TLS_EXT 1 Met by FCS_IPSEC_EXT 1 and FCS_SSH_EXT 1 F...

Страница 56: ...pendencies N A FTP_TRP 1 1 No dependencies N A FTP_TRP 1 2 No dependencies N A 5 5 Security Assurance Requirements 5 5 1 SAR Requirements The TOE assurance requirements for this ST are taken directly from the NDPP which are derived from Common Criteria Version 3 1 Revision 3 The assurance requirements are summarized in the table below as identified in the NDPP Section 4 3 The ST does not include a...

Страница 57: ...ents The table below lists the details Table 19 Assurance Measures Component How requirement will be met ADV_FSP 1 The functional specification describes the external interfaces of the TOE such as the means for a user to invoke a service and the corresponding response of those services The description includes the interface s that enforces a security functional requirement the interface s that sup...

Страница 58: ...ponents of the TOE in the evaluated configuration ALC_CMC 1 The Configuration Management CM document s describes how the consumer end user of the TOE can identify the evaluated TOE Target of Evaluation The CM document s identifies the configuration items how those configuration items are uniquely identified and the adequacy of the procedures that are used to control and track changes that are made...

Страница 59: ...unctionality is audited The audit trail consist of the individual audit records one audit record for each event that occurred The audit record can contain up to 80 characters and a percent sign which follows the time stamp information As noted above the information includes at least all of the required information Additional information can be configured and included if desired Refer to the Guidan...

Страница 60: ...ifications and information type message can be sent to the syslog server whereas message is only for information switch functionality is not affected To configure the TOE to send audit records to a syslog server the set logging server command is used A maximum of three syslog servers can be configured Refer to the Guidance document for complete guidance and command syntax The audit records are tra...

Страница 61: ...th the origin or source of the attempt Changes to the time Changes to the time are logged Updates software An audit record will be generated on the initiation of updates software firmware Failure to establish and or establishment failure of an SSH and IPsec session Attempts to establish an SSH and IPsec session or the failure of an established SSH and or IPsec is logged Resources quotas are exceed...

Страница 62: ...chemes conformant to NIST SP 800 56B The TOE is also compliant to ANSI X9 80 3 January 2000 Prime Number Generation Primality Testing and Primality Certificates using random integers with deterministic tests Furthermore the TOE does not implement elliptic curve based key establishment schemes FCS_CKM_EXT 4 9 The TOE meets all requirements specified in FIPS 140 2 for destruction of keys and Critica...

Страница 63: ... on Method10 General Keys CSPs User Password Passwo rd Variable 8 characters Used to authenticate local users NVRA M plainte xt Zeroized by overwriti ng with new password Enable Password Passwo rd Variable 8 characters Used to authenticate local users at a higher privilege level NVRA M plainte xt Zeroized by overwriti ng with new password RADIUS secret Shared Secret Variable 8 characters The RADIU...

Страница 64: ...4096 bits The private exponent used in Diffie Hellman DH exchange DRAM plainte xt Zeroized upon completio n of DH exchange Overwritt en with 0x00 Diffie Hellman Shared Secret DH 1024 4096 bits This is the shared secret agreed upon as part of DH exchange DRAM plainte xt0 Automati cally after completio n of DH exchange Overwritt en with 0x00 SSH SSH RSA private key RSA 1024 1536 2048 bits modulus SS...

Страница 65: ... plainte xt Automati cally when session terminate d TLS session key Triple DES A ES 168 bits 256 bits This is the TLS session key DRAM plainte xt Automati cally when session terminate d MacSec MACsec Security Associati on Key SAK AES GCM 128 256 bits Used for creating Security Associations SA for encrypting decr ypting the MACSec traffic in the MACSec hardware MACse c PHY plainte xt Automati cally...

Страница 66: ...sed to protect traffic over stacking ports DRAM plainte xt Upon bringing down the stack IKE session encrypt key This structure contains all of the SA items including the skeyid skeyid_d IKE Session Encryption Key and IKE Session Authentication Key All values overwritten by 0 s 0x00 automatically after IKE session terminated IKE session authentication key This structure contains all of the SA items...

Страница 67: ... for authentication of routing updates RIPv2 uses MD5 for authentication of routing updates as defined in Section 2 4 of RFC 2453 OSPFv2 uses MD5 for authentication of routing updates as defined in Appendix D of RFC 2328 OSPF version 2 Routing tables for IPv4 and IPv6 can be created and maintained manually using static routes configured by the administrator Use of routing protocols in IPv4 or IPv6...

Страница 68: ...2 and IPsec either of which can be used to protect communications for remote administration IPsec is also used to protect communications with external servers e g syslog server NTP and if configured an external authentication server FCS_SSH_EXT 1 The TOE implements SSHv2 telnet is disabled in the evaluated configuration in compliance with RFCs 4251 4252 4253 and 4254 using SSH RSA public key algor...

Страница 69: ...ciation SA between IPsec peers that is also used to manage IPsec connections including The negotiation of mutually acceptable IPsec options between peers The establishment of additional Security Associations to protect packets flows using ESP and The agreement of secure bulk data encryption AES 128 and 256 bit keys for use with ESP After the two peers agree upon a policy the security parameters of...

Страница 70: ...TOE do not contain residual information from previous packets Packets that are not the required length use zeros for padding Residual data is never transmitted from the TOE Once packet handling is completed its content is overwritten before memory buffer which previously contained the packet is reused This applies to both data plane traffic and administrative session traffic FIA_PMG_EXT 1 The TOE ...

Страница 71: ...or remote authentication via a RADIUS or TACACS server as defined in the authentication policy for interactive human users Neighbor routers are authenticated only to passwords stored locally The policy for interactive human users Administrators can be authenticated to the local user database or have redirection to a remote authentication server Interfaces can be configured to try one or more remot...

Page 72: ...me level of access to the TOE data, though with some privilege levels the access is limited. The TOE performs role-based authorization, using TOE platform authorization mechanisms, to grant access to the semi-privileged and privileged roles. The term "authorized administrator" is used in this ST to refer to any user which has been assigned to a privilege level that is permitted to perform the relevant ac...

Page 73: ...verify the updates are valid. FMT_SMR.1 The TOE switch platform maintains administrative privilege level and non-administrative access. Non-administrative access is granted to authenticated neighbor routers for the ability to receive updated routing tables per the information flow rules. There is no other access or functions associated with non-administrative access. The administrative privilege level...

Page 74: ...up of commands, the all keyword is used. When a group of commands is set to a privilege level using the all keyword, all commands which match the beginning string are enabled for that level, and all commands which are available in submodes of that command are enabled for that level. For example, if the show ip keywords is set to level 5, show and ip will be changed to level 5 and all the options that fol...

Page 75: ...evel level password Configures a new enable secret password for privilege level 7 Router config enable secret level 7 Zy72sKj Step 4 privilege exec level level command string Changes the privilege level of the clear counters command from privilege level 15 to privilege level 7 Router config privilege exec level 7 clear counters Step 5 privilege exec all level level command string Changes the privi...

Page 76: ...t changed from privilege level 15 to privilege level 7 Router clear ip route Invalid input detected at marker Router Step 5 reload in time The reload command causes the networking device to reboot Router reload in 10 Reload scheduled in 10 minutes by console Proceed with reload confirm Router SHUTDOWN in 0 10 00 02 59 50 SYS 5 SCHEDULED_RELOAD Reload requested for 23 08 30 PST Sun Mar 20 Step 6 re...

Page 77: ...he configuration, the TOE may be configured to use the cryptographic services as described in the FCS SFRs to secure the connection and protect the transmitted data. FPT_PTD_EXT 1 and FPT_PTD_EXT 2 The TOE includes a Master Passphrase feature that can be used to configure the TOE to encrypt all locally defined user passwords. In this manner, the TOE ensures that plaintext user passwords will not be d...

Page 78: ...ts during initial start-up to verify its correct operation. If any of the tests fail, the security administrator will have to log into the CLI to determine which test failed and why. If the tests pass successfully, the login prompt is displayed and the administrator will be able to login and administer the TOE. Refer to the FIPS Security Policy for available options and management of the cryptographic ...

Page 79: ...TSC proceeding. The TOE has been designed so that all locally maintained TSF data can only be manipulated via the secured management interface, the CLI interface. There are no undocumented interfaces for managing the product. All sub-components included in the TOE rely on the main chassis for power, memory management, and access control. In order to access any portion of the TOE, the Identification and Au...

Page 80: ... plane allows the ability to manage network elements. There is no opportunity for unaccounted traffic flows to flow into or out of the TOE. This design, combined with the fact that only an administrative user with the appropriate role may access the TOE security functions, provides a distinct protected domain for the TOE that is logically protected from interference and is not bypassable. ...

Page 81: ...sented in Sections 2 and 3 of the NDPP 7 1 Rationale for TOE Security Objectives Table 21 Threat Objectives Policies Mappings T UNAUTHORIZED_ACCESS T UNAUTHORIZED_UPDATE T ADMIN_ERROR T UNDETECTED_ACTIONS T RESOURCE_EXHAUSTION T USER_DATA_REUSE T TSF_FAILURE P ACCESS BANNER O PROTECTED_COMMUNICATIONS X X O VERIFIABLE_UPDATES X O SYSTEM_MONITORING X O DISPLAY_BANNER X O TOE_ADMINISTRATION X O RESID...

Page 82: ...ss the Organization Security Policy P.ACCESS_BANNER to ensure an advisory notice and consent warning message regarding unauthorized use of the TOE is displayed before the session is established. O.TOE_ADMINISTRATION This security objective is necessary to counter the T.ADMIN_ERROR that ensures actions performed on the TOE are logged so that indications of a failure or compromise of a TOE security m...

Page 83: ...PURPOSE OE PHYSICAL OE TRUSTED_ADMIN A NO_GENERAL_PURPOSE X A PHYSICAL X A TRUSTED_ADMIN X Table 24 Assumptions Threats Objectives Rationale Environment Objective Rationale OE.NO_GENERAL_PURPOSE This security objective is necessary to address the assumption A.NO_GENERAL_PURPOSE by ensuring there are no general purpose computing capabilities (e.g., the ability to execute arbitrary code or application...

Page 84: ...he security objectives and the relationship between the threats, policies and IT security objectives. The functional and assurance requirements presented in this Security Target are mutually supportive and their combination meets the stated security objectives. Table 25 Security Objective to Security Requirements Mappings O PROTECTED_COMMUNICATIONS O VERIFIABLE_UPDATES O SYSTEM_MONITORING O DISPLAY_B...

Page 85: ..._CLEARING O RESOURCE_AVAILABILITY O SESSION_LOCK O TSF_SELF_TEST FCS_RBG_EXT 1 X FCS_COMM_PROT_EXT 1 X FCS_IPSEC_EXT 1 X FCS_SSH_EXT 1 X FDP_RIP 2 X FIA_PMG_EXT 1 X FIA_UIA_EXT 1 X FIA_UAU_EXT 5 X FIA_UAU 6 X FIA_UAU 7 X FMT_MTD 1 X FMT_SMF 1 X FMT_SMR 1 X FPT_ITT 1 1 X FPT_ITT 1 2 X FPT_PTD_EXT 1 1 X X FPT_PTD_EXT 1 2 X X FPT_RPL 1 X FPT_STM 1 X FPT_TUD_EXT 1 X FPT_TST_EXT 1 X ...

Page 86: ...ionale Security Functional Requirements Drawn from Security Requirements for NDPP O PROTECTED_COMMUNICATIONS The SFRs FAU_STG_EXT 3 FCS_CKM 1 FCS_CKM_EXT 4 FCS_COP 1 1 FCS_COP 1 2 FCS_COP 1 3 FCS_COP 1 4 FCS_RBG_EXT 1 FCS_COMM_PROT_EXT 1 FCS_IPSEC_EXT 1 FCS_SSH_EXT 1 FPT_ITT 1 1 FPT_ITT 1 2 FPT_PTD 1 1 FPT_PTD 1 2 FPT_RPL 1 FTP_ITC 1 1 FTP_ITC 1 2 FTP_TRP 1 1 FTP_TRP 1 2 meet this objective by en...

Page 87: ...MINISTRATION The SFRs FIA_UIA_EXT 1 FIA_UAU_EXT 5 FIA_UAU 6 FIA_UAU 7 FMT_MTD 1 FMT_SMF 1 FMT_SFR 1 FPT_PTD 1 1 FTA_SSL_EXT 1 FTA_SSL 3 meet this objective by ensuring the TOE supports a password-based authentication mechanism with password complexity enforcement such as strong passwords, password life-time constraints, providing current password when changing the password, obscured password feedback...

Page 88: ...eria for Information Technology Security Evaluation Part 2: Security functional components, dated July 2009, version 3.1, Revision 3. CC_PART3 Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, dated July 2009, version 3.1, Revision 3. CEM Common Methodology for Information Technology Security Evaluation Evaluation Methodology, dated July 2009, version 3.1 Re...
