Compliant Product - Cisco 5940 Series Embedded Services Router
Certificate Date: 05 July 2011
Validation Report Number: CCEVS-VR-VID10429-2011
Product Type: Router
Conformance Claim: EAL2 Augmented with ALC_FLR.2
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is the Cisco 5940 Series Embedded Services Router. The following models were evaluated:
- conduction cooled processor module
- air cooled processor module
All models comprising the TOE provide the same security functionality. They differ only in the number cooling mechanism and external ports.
The Cisco 5940 Series Embedded Services Router is a router platform that provides connectivity and security services onto a single, secure device. In support of the routing capabilities, the Cisco 5940 Series Embedded Services Router provides IPSec connection capabilities for VPN enabled clients connecting through the Cisco 5940 Series Embedded Services Router. The Cisco 5940 Series Embedded Services Router is also compatible with the GET VPN (using GDOI).
The Cisco 5940 Series Embedded Services Router also supports firewall capabilities consistent with the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments. The Cisco 5940 Series Embedded Services Router is a 3U (cPCI) router module solution for protecting the network. The firewall capabilities provided by the TOE are provided via a stateful packet filtering firewall. A stateful packet filtering firewall controls the flow of IP traffic by matching information contained in the headers of connection-oriented or connection-less IP packets against a set of rules specified by the authorized administrator for firewalls. This header information includes source and destination host (IP) addresses, source and destination port numbers, and the transport service application protocol (TSAP) held within the data field of the IP packet. Depending upon the rule and the results of the match, the firewall either passes or drops the packet. The stateful firewall remembers the state of the connection from information gleaned from prior packets flowing on the connection and uses it to regulate current packets. The packet will be denied if the security policy is violated.
In addition to IP header information, the TOE mediates information flows on the basis of other information, such as the direction (incoming or outgoing) of the packet on any given firewall network interface. For connection-oriented transport services, the firewall either permits connections and subsequent packets for the connection or denies the connection and subsequent packets associated with the connection.
The TOE also includes on the 5940 Series Embedded Services Router modules a network-based Intrusion Prevention System that monitors traffic in real-time. It can analyze both the header and content of each packet. The TOE uses a rule-based expert system to interrogate the packet information to determine the type of attack, be it simple or complex.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco 5940 Series Embedded Services Router TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ALC_FLR.2. The product, when delivered configured as identified in Cisco 5940 Series Embedded Services Router Common Criteria Operational User Guidance and Preparative Procedures document, satisfies all of the security functional requirements stated in the Cisco 5940 Series Embedded Services Router Security Target (Version .07). The project underwent one Validation Oversight Panel (VOR) panel review. The evaluation was completed in June 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-10429-2011, dated June 2011) prepared by CCEVS.
The logical boundaries of Cisco 5940 Series Embedded Services Router TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.
Identification and Authentication – The TOE performs two types of authentication: device-level authentication of the remote device (VPN peers) and user authentication for the administrators of the TOE. Device-level authentication allows the TOE to establish a secure channel with a trusted peer. The secure channel is established only after each device authenticates itself. Device-level authentication is performed via IKE/IPSec mutual authentication. The TOE provides authentication services for all administrators wishing to connect to the TOEs secure CLI administrative interface. The TOE requires all administrators to authenticate prior to being granted access to any of the management functionality. The TOE facilitates single-use authentication for all administrators and external IT entities attempting to connect to the TOE by invoking an external RADIUS AAA (IT environment) to provide single-use authentication. The TOE provides single use authentication to external IT entities through the use of IKE/IPSec mutual authentication.
Security Management - The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure SSH session, via terminal server (such as a Cisco 2811), or via a local console connection. The TOE provides the ability to securely manage all TOE administrators; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE (including settings for an NTP server, if used as the timestamp source); TOE configuration backup and recovery, and the information flow control policies enforced by the TOE. The TOE supports two separate administrative roles that make up the authorized administrator: non-privileged Administrator and privileged Administrator.
Firewall Information Flow Control, VPN, and/or VLAN - The Cisco 5940 Series Embedded Services Router mediate information flows through the TOE for unauthenticated information flows. The Information Control functionality of the TOE allows privileged administrators to set up rules between interfaces of the TOE. These rules control whether a packet is transferred from one interface to another and/or transferred encrypted based upon header attributes. Packets will be dropped unless a specific rule or policy in an access control list (ACL) has been set up to allow the packet to pass. The order of Access Control Entries (ACEs) in an ACL is important. When the TOE decides whether to forward or drop a packet, the TOE tests the packet against the ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked such that if the ACE at the beginning of the ACL explicitly permits all traffic, no further ACEs are checked. Interface ACLs are applied first before IPsec negotiations occur in the evaluated configuration.
Cisco 5940 Series Embedded Services Router delivers VPN connections to remote entities. The VPN process includes remote device authentication, negotiation of specific cryptographic parameters for the session, and providing a secure connection to and from the remote device. For inbound or outbound connections with external IT entities that are capable of supporting VPN (e.g., a VPN Peer), the TOE will establish a secure connection. For other inbound or outbound traffic a secure connection will not be established.
Cisco 5940 Series Embedded Services Router allows VLAN connections to/from remote entities. The TOE provides the ability to identify the VLAN the network traffic is associated with. The TOE then permits or denies the network traffic based on the VLANs configured on the interface the network traffic is received /destined. This policy is applied after the Firewall policy.
Intrusion Prevention - The Cisco 5940 Series Embedded Services Router IOS software Intrusion Prevention System (IPS) operates as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When Cisco IOS IPS detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages stored in the local buffer and then offloaded to an external syslog server. The privileged administrator can configure Cisco IOS IPS to choose the appropriate response to various threats. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:
- Send an audit record to a syslog server or a centralized management interface
- Drop the packet
- Reset the connection
- Deny traffic from the source IP address of the attacker for a specified amount of time
- Deny traffic on the connection for which the signature was seen for a specified amount of time.
Cryptography– The TOE provides cryptography in support of other Cisco 5940 Series Embedded Services Router security functionality. This cryptography has been validated for conformance to the requirements of FIPS 140-2 Level 1. Further details regarding the FIPS validation can be found in Certificate #1639. The TOE provides cryptography in support of VPN connections and remote administrative management via SSH.
Security Audit– The Cisco 5940 Series Embedded Services Router provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, information flow control enforcement, intrusion prevention, identification and authentication, and administrative actions. The Cisco 5940 Series Embedded Services Router generates an audit record for each auditable event. These events include a timestamp that can be provided by the TOE or an optional NTP server in the operational environment. The Cisco 5940 Series Embedded Services Router provides the privileged administrator with a sorting and searching capability to improve audit analysis. The privileged administrator configures auditable events, backs-up and manages audit data storage. The TOE provides the privileged administrator with a local circular audit trail, also referred to as the Event Store, and allows for configuration of offload of audit data via TCP syslog to a syslog server in the operational environment so that audit events are not lost when the Event Store reaches capacity and begins to overwrite old events.