Cisco ISR 4000 series Скачать руководство пользователя страница 24 | Manualshive

Страница: 24 / 66

background image

Cisco ISR 4000 Family Routers Administrator Guidance

Page

24

of

66

o

Source Port

o

Destination Port

Traffic matching is done based on a top-down approach in the access list. The first entry that a
packet matches will be the one applied to it. The VPNGW EP requires that the TOE Access control
lists (ACLs) are to be configured to drop all packet flows as the default rule and that traffic
matching the acl be able to be logged. The drop all default rule can be achieved by including an
ACL rule to drop all packets as the last rule in the ACL configuration. The logging of matching
traffic is done by appending the key word “log-input” per the command reference at the end of the
acl statements, as done below.

A privileged authorized administrator may manipulate the ACLs using the commands ip inspect,
access-list, crypto map, and access-group as described

[8]

.

Access lists must be configured on the TOE to meet the requirements of the VPN Gateway
Extended Package.

Note: These access lists must be integrated with the defined security policy for your TOE router.
Enabling just these access lists with no permits will result in traffic being dropped. Ensure that
your access list entries are inserted above the default deny acl.

In this example, we are assuming that interface GigabitEthernet0/0 is the external interface, and is
assigned an IP address of 10.200.1.1. Interface GigabitEthernet0/1 is the internal interface and is
assigned an IP address of 10.100.1.1.

If remote administration is required, ssh has to be explicitly allowed through either the internal or
external interfaces.

TOE-common-criteria#

configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

TOE-common-criteria(config)#

access-list 199 permit tcp host 10.200.0.1 host

10.200.0.1 eq 22 log-input

To log connections to the Certificate Authority, implement the following acl:.

TOE-common-criteria(config)#

access-list 100 permit ip any host [IP of CA] log-

input

TOE-common-criteria(config)#

access-list 199 permit ip any host [IP of CA] log-

input

To close ports that don’t need to be open and may introduce additional vulnerabilities, implement
the following acl:.

TOE-common-criteria(config)#

access-list 100 deny 132 any any log-input

TOE-common-criteria(config)#

access-list 199 deny 132 any any log-input

To explicitly create the default deny acl for traffic with no other match, implement the following
acl:

TOE-common-criteria(config)#

access-list 100 deny any any log-input

TOE-common-criteria(config)#

access-list 199 deny any any log-input

«
...
22
23
24
25
26
...
»

Содержание ISR 4000 series

Страница 1: ...Cisco Integrated Services Routers ISR 4000 Family CC Configuration Guide Version 0 2 May 22 2017 ...

Страница 2: ...1 Options to be chosen during the initial setup of the ISR 4000 Family Routers 14 3 2 2 Saving Configuration 15 3 2 3 Enabling FIPS Mode 15 3 2 4 Administrator Configuration and Credentials 15 3 2 5 Session Termination 16 3 2 6 User Lockout 16 3 3 Network Protocols and Cryptographic Settings 17 3 3 1 Remote Administration Protocols 17 3 3 2 Authentication Server Protocols 19 3 3 3 Logging Configur...

Страница 3: ... Traversal 35 4 6 4 X 509 Certificates 35 4 6 5 Information Flow Policies 40 4 7 Product Updates 40 Configure Reference Identifier 40 5 Security Relevant Events 43 5 1 Deleting Audit Records 57 6 Network Services and Protocols 59 7 Modes of Operation 62 8 Security Measures for the Operational Environment 64 9 Obtaining Documentation and Submitting a Service Request 65 9 1 Documentation Feedback 65...

Страница 4: ...ntation 7 Table 3 IT Environment Components 9 Table 4 Excluded Functionality 10 Table 5 TOE External Identification 11 Table 6 Evaluated Software Images 13 Table 7 General Auditable Events 44 Table 8 Auditable Administrative Events 53 Table 9 Protocols and Services 59 Table 10 Operational Environment Security Measures 64 ...

Страница 5: ...Administration Authorization and Accounting AES Advanced Encryption Standard FIPS Federal Information Processing Standards EAL Evaluation Assurance Level HTTPS Hyper Text Transport Protocol Secure IP Internet Protocol NTP Network Time Protocol RADIUS Remote Authentication Dial In User Service SFP Security Function Policy SSHv2 Secure Shell version 2 TCP Transport Control Protocol TOE Target of Eva...

Страница 6: ...Cisco Integrated Services Routers ISR 4000 4321 4331 and 4351 Family This Operational User Guidance with Preparative Procedures addresses the administration of the TOE software and hardware and describes how to install configure and maintain the TOE in the Common Criteria evaluated configuration Administrators of the TOE will be referred to as administrators authorized administrators TOE administr...

Страница 7: ...and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining ISR 4000 operations All security relevant commands to manage t...

Страница 8: ...ios security s1 sec s1 cr book html 9 Public Key Infrastructure Configuration Guide http www cisco com c en us td docs ios xml ios sec_conn_pki configuration xe 16 sec pki xe 16 book html 11 IPsec Data Plane Configuration Guide http www cisco com c en us td docs ios xml ios sec_conn_dplane configuration xe 16 sec ipsec data plane xe 16 book html 12 FlexVPN and Internet Key Exchange Version 2 Confi...

Страница 9: ...the Cisco IOS XE software image Release 16 3 2 In addition the software image is also downloadable from the Cisco web site 1 5 Operational Environment 1 5 1 Supported non TOE Hardware Software Firmware The TOE supports in some cases optionally the following hardware software and firmware in its environment Table 3 IT Environment Components Component Required Usage Purpose Description for TOE perfo...

Страница 10: ...ions with an NTP server in order to synchronize the date and time on the TOE with the NTP server s date and time A solution must be used that supports secure communications with up to a 32 character key Syslog Server Yes This includes any syslog server to which the TOE would transmit syslog messages 1 6 Excluded Functionality The following functionality is excluded from the evaluation Table 4 Excl...

Страница 11: ...of the device Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment If it does not contact the supplier of the equipment Cisco Systems or an authorized Cisco distributor partner Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment Cisco Systems or an authorized Cisco distributor partn...

Страница 12: ...ntaining System Images Digitally Signed Cisco Software The show software authenticity file command allows you to display software authentication related information that includes image credential information key type used for verification signing information and other attributes in the signature envelope for a specific image file The command handler will extract the signature envelope and its fiel...

Страница 13: ...D5 4559bae68571648d40bdcb7c8387b393 SHA 256 14503889e9ebc7b6d869924d72c8062a1452688bd6e280 08bb09f8ebcfd9ff071e9218f4ea1513d3ddb20ba78d471 9fbf26714c3ead9393ad4c5566f9c25b929 4331 isr4300 universalk9 16 03 02 SPA bin MD5 4559bae68571648d40bdcb7c8387b393 SHA 256 14503889e9ebc7b6d869924d72c8062a1452688bd6e280 08bb09f8ebcfd9ff071e9218f4ea1513d3ddb20ba78d471 9fbf26714c3ead9393ad4c5566f9c25b929 4351 is...

Страница 14: ...ny administrator that has successfully authenticated to the switch and has access to the appropriate privileges to perform the requested functions Refer to the IOS Command Reference Guide for available commands associated roles and privilege levels as used in the example above 3 6 8 13 1 Enable Secret The password must adhere to the password complexity requirements as described in the relevant sec...

Страница 15: ...e Router will revert to the last configuration saved 3 2 3 Enabling FIPS Mode The TOE must be run in the FIPS mode of operation The use of the cryptographic engine in any other mode was not evaluated nor tested during the CC evaluation of the TOE This is done by setting the following in the configuration The value of the boot field must be 0x0102 This setting disables break from the console to the...

Страница 16: ...y lines on the box i e 0 4 and time is the period of inactivity after which the session should be terminated Configuration of these settings is limited to the privileged administrator see Section 4 1 The line console setting is not immediately activated for the current session The current console session must be exited When the user logs back in the inactivity timer will be activated for the new s...

Страница 17: ...er 1 Generate RSA key material choose a longer modulus length for more secure keys i e 1024 ex TOE common criteria crypto key generate rsa TOE common criteria How many bits in the modulus 512 2048 RSA keys are generated in pairs one public RSA key and one private RSA key This command is not saved in the router configuration however the RSA keys generated by this command are saved in the private co...

Страница 18: ...SH client to support message authentication Only the following MACs are allowed and None for MAC is not allowed a hmac sha1 b hmac sha1 96 peer ssh l cisco m hmac sha1 160 1 1 1 1 peer ssh l cisco m hmac sha1 96 1 1 1 1 9 To verify the proper encryption algorithms are used for established connections use the show ssh sessions command TOE common criteria show ssh sessions Note To disconnect SSH ses...

Страница 19: ...be enabled TOE common criteria config archive TOE common criteria config no logging console TOE common criteria config archive log config TOE common criteria config archive log cfg logging enable TOE common criteria config archive log cfg hidekeys TOE common criteria config archive log cfg notify syslog TOE common criteria config archive log cfg exit TOE common criteria config archive exit 2 Add y...

Страница 20: ...he more critical the message Specifying a level causes messages at that severity level and numerically lower levels to be stored in the router s history table To change the number of syslog messages stored in the router s history table use the logging history size global configuration command The range of messages that can be stored is 1 500 When the history table is full that is it contains the m...

Страница 21: ...at is part of the IPsec Tools on many Linux systems strongSwan Openswan and FreeS WAN Following are sample instructions to configure the TOE to support an IPsec tunnel with aes encryption with 10 10 10 101 as the IPsec peer IP on the syslog server 10 10 10 110 and 30 0 0 1 as the local TOE IPs and the syslog server running on 40 0 0 1 a separate interface on the syslog server TOE common criteria c...

Страница 22: ...IPsec peer 10 1 1 7 and 11 1 1 6 as the local IPs and the syslog server on the 12 1 1 0 28 subnet TOE common criteria configure terminal TOE common criteria config crypto isakmp policy 1 TOE common criteria config isakmp encryption aes TOE common criteria config isakmp authentication pre share TOE common criteria config isakmp group 14 TOE common criteria config isakmp lifetime 28800 TOE common cr...

Страница 23: ... set Configuration The Network Device PP VPN Gateway Extended Package VPNGW EP contains requirements for the TOE basic packet filtering Packet filtering is able to be done on many protocols by the TOE including but not limited to although the evaluation only covers IPv4 IPv6 TCP and UDP IPv4 RFC 791 IPv6 RFC 2460 TCP RFC 793 UDP RFC 768 IKEv1 RFCs 2407 2408 2409 RFC 4109 IKEv2 RFC 5996 IPsec ESP R...

Страница 24: ... your access list entries are inserted above the default deny acl In this example we are assuming that interface GigabitEthernet0 0 is the external interface and is assigned an IP address of 10 200 1 1 Interface GigabitEthernet0 1 is the internal interface and is assigned an IP address of 10 100 1 1 If remote administration is required ssh has to be explicitly allowed through either the internal o...

Страница 25: ...reation of packet filtering and VPN information flow policies is given in Section 4 6 4 below 3 3 7 Routing Protocols The routing protocols are used to maintain routing tables The routing tables can also be configured and maintained manually Refer to the applicable sections in 3 Configuration Fundamentals for configuration of the routing protocols 3 3 8 MACSEC and MKA Configuration The detailed st...

Страница 26: ...are defined by default while levels 2 14 are undefined by default Levels 0 14 can be set to include any of the commands available to the level 15 administrator and are considered the semi privileged administrator for purposes of this evaluation The privilege level determines the functions the user can perform hence the authorized administrator with the appropriate privileges To establish a usernam...

Страница 27: ...for s Note The aaa password restriction command can only be used after the aaa new model command is configured 8 Under Reference Guides Command References Security and VPN See manual Cisco IOS Security Command Reference Commands A to C The following configuration steps are optional but recommended for good password complexity The below items are recommended but are not enforced by the TOE 1 Does n...

Страница 28: ... a Cisco router encrypted password Encrypted password that is copied from another router configuration Use of enable passwords are not necessary so all administrative passwords can be stored as SHA 256 if enable passwords are not used Note Cisco no longer recommends that the enable password command be used to configure a password for privileged EXEC mode The password that is entered with the enabl...

Страница 29: ...onfigured to use any of the following authentication methods Remote authentication RADIUS Refer to Authentication Server Protocols elsewhere in this document for more details Local authentication password or SSH public key authentication Note this should only be configured for local fallback if the remote authentication server is not available X 509v3 certificates Refer to X 509 Certificates in Se...

Страница 30: ... 4 protocol and port The access lists used for IPsec are only used to determine the traffic that needs to be protected by IPsec not the traffic that should be blocked or permitted through the interface Separate access lists define blocking and permitting at the interface A crypto map set can contain multiple entries each with a different access list The crypto map entries are searched in a sequenc...

Страница 31: ...tion with the peer so both sides must specify the same transform set Note If a transform set definition is changed during operation that the change is not applied to existing security associations but is used in subsequent negotiations to establish new SAs If you want the new settings to take effect sooner you can clear all or part of the SA database by using the clear crypto sa command The follow...

Страница 32: ...p aggressive mode disable ensures all IKEv1 Phase 1 exchanges will be handled in the default main mode TOE common criteria config isakmp exit 4 6 1 2 IKEv2 Transform Sets An Internet Key Exchange version 2 IKEv2 proposal is a set of transforms used in the negotiation of IKEv2 SA as part of the IKE_SA_INIT exchange An IKEv2 proposal is regarded as complete only when it has at least an encryption al...

Страница 33: ...ation TOE common criteria config crypto ikev2 keyring keyring 1 TOE common criteria config ikev2 keyring peer peer1 TOE common criteria config ikev2 keyring peer address 0 0 0 0 0 0 0 0 TOE common criteria config ikev2 keyring peer pre shared key xyz key This section creates a keyring to hold the pre shared keys referenced in the steps above In IKEv2 these pre shared keys are specific to the peer ...

Страница 34: ... 1 1 and 4 6 1 2 above If AES CBC 128 was selected there for use with IKE encryption then only AES CBC 128 or AES GCM 128 may be selected here TOE common criteria config crypto mode tunnel This configures tunnel mode for IPsec Tunnel is the default but by explicitly specifying tunnel mode the router will request tunnel mode and will accept only tunnel mode TOE common criteria config crypto mode tr...

Страница 35: ...ec router endpoints config terminal crypto ipsec nat transparency spi matching end 4 6 4 X 509 Certificates The TOE may be configured by the privileged administrators to use X 509v3 certificates to authenticate IPsec peers RSA certificates are supported Creation of these certificates and loading them on the TOE is covered in 9 and a portion of the TOE configuration for use of these certificates fo...

Страница 36: ... IP TOE common criteria configure terminal TOE common criteria config crypto isakmp policy 1 TOE common criteria config isakmp encryption aes TOE common criteria config isakmp authentication pre share TOE common criteria config isakmp group 14 TOE common criteria config isakmp lifetime 86400 TOE common criteria config crypto isakmp key insert 22 character preshared key address 10 10 10 101 TOE com...

Страница 37: ...ootflash slot disk USB flash or USB token During run time an authorized administrator can specify what active local storage device will be used to store certificates For more detailed information see 9 How to Specify a Local Storage Location for Certificates The summary steps for storing certificates locally to the TOE are as follows 1 Enter configure terminal mode 2 TOE common criteria configure ...

Страница 38: ...ither per client certificate or per group of client certificates by the match certificate override ocsp command The match certificate override ocsp command overrides the client certificate AIA field or the ocsp urlcommand setting if a client certificate is successfully matched to a certificate map during the revocation check 4 6 4 7 Configuring Certificate Chain Validation Perform this task to con...

Страница 39: ... ecdsa sig If an invalid certificate is loaded authentication will not succeed 4 6 4 9 Deleting Certificates If the need arises certificates that are saved on the router can be deleted The router saves its own certificates and the certificate of the CA To delete the router s certificate from the router s configuration the following commands can be used in global configuration mode Router show cryp...

Страница 40: ...ithin crypto maps for IPsec and the filter tunnel command for SSL VPN The criteria used in matching traffic in all of these access lists includes the source and destination address and optionally the Layer 4 protocol and port The TOE enforces information flow policies on network packets that are receive by TOE interfaces and leave the TOE through other TOE interfaces When network packets are recei...

Страница 41: ...only for name fields nc Does not contain valid only for name fields lt Less than valid only for date fields ge Greater than or equal valid only for date fields match value Specifies the name or date to test with the logical operator assigned by match criteria Step3 ca certificate map exit Exits ca certificate map mode Step4 For IKEv1 crypto isakmp profile ikev1 profile1 match certificate label For...

Страница 42: ... 4000 Family Routers Administrator Guidance Page 42 of 66 ca certificate map subject name co c US ca certificate map exit config crypto isakmp profile ike1 profile match cert match certificate cert map match all ...

Страница 43: ...ive Events includes auditable events for administrator actions Note In Table 7 if Embedded Event Manager is used as outlined in Section 3 3 4 that HA_EM 6 LOG logs will be created for each command executed in addition to the PARSER 5 CFGLOG_LOGGEDCMD syslog The TOE generates an audit record whenever an audited event occurs The types of events that cause audit records to be generated include crypto...

Страница 44: ...ryption passed Nov 19 13 55 59 CRYPTO 6 SELF_TEST_RESULT Self test info SHA hashing passed Nov 19 13 55 59 CRYPTO 6 SELF_TEST_RESULT Self test info AES encryption decryption passed Table 7 General Auditable Events Requirement Auditable Events Additional Audit Record Contents Sample Record FCS_MACSEC_EX T 1 Session establishment Secure Channel Identifier SCI Session Establishment Mar 15 2016 12 49 ...

Страница 45: ... current Latest AN KN 0 1 Old AN KN 0 1 for RxSCI f4cf e298 ccb8 000a AuditSessionID CKN 10000000000000000000000000000000 00000000000000000000000000000000 FCS_IPSEC_EXT 1 Failure to establish an IPsec SA Session establishment with peer Reason for failure Entire packet contents of packets transmitted rec eived during session establishment Initiation of IPSEC session outbound Jun 20 07 42 26 823 ISA...

Страница 46: ...g ISAKMP transform 1 against priority 1 policy Jun 20 07 42 26 827 ISAKMP encryption AES CBC Jun 20 07 42 26 827 ISAKMP keylength of 128 Jun 20 07 42 26 827 ISAKMP hash SHA Jun 20 07 42 26 827 ISAKMP default group 14 Jun 20 07 42 26 827 ISAKMP auth pre share Jun 20 07 42 26 843 ISAKMP 0 received packet from 100 1 1 5 dport 500 sport 500 Global R MM_SA_SETUP Jun 20 07 42 26 843 ISAKMP 0 Input IKE_M...

Страница 47: ...0 255 255 255 0 256 0 remote_proxy 12 1 1 0 255 255 255 0 256 0 Jun 19 21 10 37 575 ISAKMP 2034 purging node 506111676 Jun 19 21 10 39 615 ISAKMP 2034 purging node 22679511 Jun 20 04 46 14 789 IPSEC lifetime_expiry SA lifetime threshold reached expiring in 1412 seconds Failure to establish an IPSEC session outbound initiated Jun 19 11 12 33 905 CRYPTO 5 IKMP_AG_MODE_DISABLED Unable to initiate or ...

Страница 48: ...om 1 1 1 1 tty 0 for user cisco using crypto cipher aes256 cbc hmac hmac sha1 96 closed FIA_UIA_EXT 1 All use of the identification and authentication mechanism Provided user identity origin of the attempt e g IP address See Audit events in FIA_UAU_EXT 2 FIA_UAU_EXT 2 All use of the authentication mechanism Origin of the attempt e g IP address Login as an administrative user at the console Usernam...

Страница 49: ... 5 11 10 18 749 IKEv2 SA ID 1 Sending Packet To 210 1 1 1 500 From 110 1 1 1 500 VRF i0 f0 42442 Feb 5 11 10 18 747 IKEv2 SA ID 1 PKI IKEv2 Getting of cert chain for the trustpoint PASSED 42441 Feb 5 11 10 18 747 IKEv2 SA ID 1 IKEv2 PKI Getting cert chain for the trustpoint rahul 42440 Feb 5 11 10 18 747 IKEv2 SA ID 1 PKI IKEv2 Retrieved trustpoint s rahul 42439 Feb 5 11 10 18 747 IKEv2 SA ID 1 IK...

Страница 50: ...R 5 CFGLOG_LOGGEDCMD User test_admin logged command logging informational FMT_MTD 1 Admi nAct Modification deletion generation import of cryptographic keys None Feb 17 2013 16 37 27 PARSER 5 CFGLOG_LOGGEDCMD User test_admin logged command crypto key zeroize FPF_RUL_EXT 1 Application of rules configured with the log operation Source and destination addresses Source and destination ports Transport L...

Страница 51: ...0000000000000000000 00000000000000000000000000000000 FPT_TUD_EXT 1 Initiation of update result of the update attempt success or failure No additional information Use of the upgrade command Jul 10 11 04 09 179 PARSER 5 CFGLOG_LOGGEDCMD User cisco logged command upgrade Jul 10 11 04 09 179 PARSER 5 CFGLOG_LOGGEDCMD User cisco logged command copy tftp Jul 10 11 04 09 179 PARSER 5 CFGLOG_LOGGEDCMD Use...

Страница 52: ...nation of a remote session by the session locking mechanism No additional information Audit record generated when SSH session is terminated because of idle timeout May 29 2012 15 18 00 UTC SYS 6 TTY_EXPIRE_TIMER exec timer expired tty 0 0 0 0 0 user admin FTA_SSL 4 The termination of an interactive session No additional information Audit record generate when admin logs out of CONSOLE May 17 2011 1...

Страница 53: ...gs Clearing logs Feb 17 2013 16 29 07 PARSER 5 CFGLOG_LOGGEDCMD User test_admin logged command logging enable Feb 17 2013 16 34 02 PARSER 5 CFGLOG_LOGGEDCMD User test_admin logged command logging informational Feb 17 2013 17 05 16 PARSER 5 CFGLOG_LOGGEDCMD User test_admin logged command clear logging FAU_GEN 2 User identity association None N A FAU_STG_EXT 1 External audit trail storage Configurat...

Страница 54: ...raphic signature None N A FCS_COP 1 3 Cryptographic operation for cryptographic hashing None N A FCS_COP 1 4 Cryptographic operation for keyed hash message authentication None N A FCS_RBG_EXT 1 Cryptographic operation random bit generation None N A FCS_IPSEC_EXT 1 1 IPSEC Configuration of IPsec settings including mode security policy IKE version algorithms lifetimes DH group and certificates Feb 1...

Страница 55: ...13 13 12 25 055 PARSER 5 CFGLOG_LOGGEDCMD User cisco logged command security passwords min length 15 FIA_PSK_EXT 1 Pre Shared Key Composition Creation of a pre shared key Feb 15 2013 13 12 25 055 PARSER 5 CFGLOG_LOGGEDCMD User cisco logged command crypto isakmp key FIA_UIA_EXT 1 User identification and authentication Logging into TOE Jan 17 2013 05 05 49 460 SEC_LOGIN 5 LOGIN_SUCCESS Login Success...

Страница 56: ... command username admin 15 FPT_RUL_EXT 1 Packet Filtering Configuring packet filtering rules Feb 15 2013 13 12 25 055 PARSER 5 CFGLOG_LOGGEDCMD User cisco logged command access list 199 deny ip 10 100 0 0 0 0 255 255 any log input FPT_FLS 1 Fail Secure None N A FPT_SKP_EXT 1 Protection of TSF Data for reading of all symmetric keys None N A FPT_APW_EXT 1 Protection of Administrator Passwords None N...

Страница 57: ...SSL 4 User initiated termination Logging out of TOE Feb 15 2013 13 12 25 055 PARSER 5 CFGLOG_LOGGEDCMD User cisco logged command exit FTA_TAB 1 Default TOE access banners Configuring the banner displayed prior to authentication Feb 15 2013 13 12 25 055 PARSER 5 CFGLOG_LOGGEDCMD User cisco logged command banner login d This is a banner d FTP_ITC 1 Inter TSF trusted channel None N A FTP_TRP 1 Truste...

Страница 58: ...Cisco ISR 4000 Family Routers Administrator Guidance Page 58 of 66 TOE common criteria ...

Страница 59: ...sec connections Use of AH in addition to ESP is optional Protocol is not considered part of the evaluation DHCP Dynamic Host Configuration Protocol Yes Yes Yes Yes No restrictions Protocol is not considered part of the evaluation DNS Domain Name Service Yes Yes No n a No restrictions Protocol is not considered part of the evaluation ESP Encapsulating Security Payload part of IPsec Yes Yes Yes Yes ...

Страница 60: ...ory Access Protocol Yes Over IPsec No n a Use LDAP over SSL instead Protocol is not considered part of the evaluation LDAP over SSL LDAP over Secure Sockets Layer Yes Over TLS No n a If used for authentication of TOE administrators configure LDAP to be tunneled over IPsec Protocol is not considered part of the evaluation NTP Network Time Protocol Yes Yes No n a Any configuration Use of key based a...

Страница 61: ...ation Note The table above does not include the types of protocols and services listed here OSI Layer 2 protocols such as CDP VLAN protocols like 802 11q Ethernet encapsulation protocols like PPPoE etc The certified configuration places no restrictions on the use of these protocols however evaluation of these protocols was beyond the scope of the Common Criteria product evaluation Follow best prac...

Страница 62: ...e router is in this mode no network traffic is routed between the network interfaces In this state the router may be configured to upload a new boot image from a specified TFTP server perform configuration tasks and run various debugging commands It should be noted that while no administrator password is required to enter ROM monitor mode physical access to the router is required therefore the rou...

Страница 63: ...tart the TOE to perform POST and determine if normal operation can be resumed If the problem persists contact Cisco Technical Assistance via http www cisco com techsupport or 1 800 553 2447 If necessary return the TOE to Cisco under guidance of Cisco Technical Assistance ...

Страница 64: ...ompilers or user applications available on the TOE other than those services necessary for the operation administration and support of the TOE Administrators will make sure there are no general purpose computing capabilities e g compilers or user applications available on the TOE OE PHYSICAL Physical security commensurate with the value of the TOE and the data it contains is provided by the enviro...

Страница 65: ...n the World Wide Web at the following sites http www cisco com http www china cisco com http www europe cisco com 9 1 Documentation Feedback If you are reading Cisco product documentation on the World Wide Web you can submit technical comments electronically Click Feedback in the toolbar and select Documentation After you complete the form click Submit to send it to Cisco You can e mail your comme...

Страница 66: ...vity Through Cisco com you can find information about Cisco and our networking solutions services and programs In addition you can resolve technical issues with online technical support download and test software packages and order Cisco learning materials and merchandise Valuable online skill assessment training and certification programs are also available Customers and partners can self registe...

Отзывы:

Нет отзывов

Похожие инструкции для ISR 4000 series

Бренд: IBM Страницы: 72

Бренд: D-Link Страницы: 38

Бренд: D-Link Страницы: 8

Бренд: D-Link Страницы: 22

Бренд: D-Link Страницы: 20

Бренд: D-Link Страницы: 2

Бренд: D-Link Страницы: 16

Бренд: D-Link Страницы: 12

DIR-615 - Wireless N Router

Бренд: D-Link Страницы: 13

Бренд: D-Link Страницы: 124

Web Smart DES-1210-28P

Бренд: D-Link Страницы: 6

2Voice + 4SW VoIP Router DVG-1402S

Бренд: D-Link Страницы: 57

xStack Storage DSN-4000 Series

Бренд: D-Link Страницы: 23

Express EtherNetwork DI-604

Бренд: D-Link Страницы: 7

xStack Storage DSN-4000 Series

Бренд: D-Link Страницы: 97

SharePort DIR-825

Бренд: D-Link Страницы: 2

Amplifi DIR-645

Бренд: D-Link Страницы: 28

Бренд: Cisco MERAKI Страницы: 4

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды