Compliant Product - Cisco Aggregation Services Router (ASR) 1000 Series running IOS XE version 2.4.2t
Certificate Date: 27 June 2011
Validation Report Number: CCEVS-VR-10361-2011
Product Type: Firewall, Router, VPN
Conformance Claim: EAL4 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is the Cisco Aggregation Services Router (ASR) 1000 Series. The following models were evaluated:
- ASR 1002f
- ASR 1002
- ASR 1004
- ASR 1006
All appliance models comprising the TOE provide the same security functionality. They differ only in the number and speed of their network connections and their processing capacity (in terms of memory and processor speeds).
The TOE is a purpose-built, wide-area network (WAN) routing platform that includes firewall and VPN functionality. In support of the routing capabilities, the Cisco ASR 1000 Series Router provides IPSec connection capabilities for VPN-enabled clients connecting through the Cisco ASR 1000 Series Router. The Cisco ASR 1000 Series Router also supports firewall capabilities. The ASR 1000 Series Router is a single-device security and routing solution for protecting the WAN entry point into the network. Zone-based firewall allows grouping of physical and virtual interfaces into zones to simplify logical network topology. The creation of these zones facilitates the application of firewall policies on a zone-to-zone basis, instead of having to configure policies separately on each interface.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Aggregation Services Router (ASR) 1000 Series TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2. The product, when delivered and configured as identified in the Cisco Aggregation Services Router (ASR) 1000 Series Common Criteria Operational User Guidance and Preparative Procedures, Version 0.6, April 2011 document, satisfies all of the security functional requirements stated in the Cisco Aggregation Services Router (ASR) 1000 Series Security Target (Version .18). The project underwent one Validation Oversight Panel (VOR) panel review. The evaluation was completed in May 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10361-2011, dated 27 June 2011) prepared by CCEVS.
The logical boundaries of Cisco Aggregation Services Router (ASR) 1000 Series TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.
Identification and Authentication – The ASR performs two types of authentication: device-level authentication of the remote device (VPN peers) and user authentication for the Authorized Administrator of the ASR. Device-level authentication allows the ASR to establish a secure channel with a trusted peer. The secure channel is established only after each device authenticates itself. Device-level authentication is performed via IKE/IPSec mutual authentication. The ASR provides authentication services for administrative users wishing to connect to the ASR's secure CLI administrative interface. The ASR requires authorized administrators to authenticate prior to being granted access to any of the management functionality.
Security Management - ASR provides secure administrative services for management of general configuration and the security functionality. All ASR administration occurs either through a secure SSHv2 session via terminal server or via a local console connection. ASR provides the ability to securely manage administrative users; all audit functionality; all cryptographic functionality; and the information flow control policies enforced by the TOE. The TOE supports three separate administrative roles: Cryptographic Administrator, Audit Administrator and Security Administrator. The Cryptographic Administrator is responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the machine. The Audit Administrator is responsible for the regular review of the audit data. The Security Administrator is responsible for all other administrative tasks.
VPN, Router, and/or Firewall Information Flow Control - The VPN process includes remote device authentication, negotiation of specific cryptographic parameters for the session, and providing a secure connection from and to the remote device. For inbound or outbound connections with external IT entities that are capable of supporting VPN (e.g., a peer ASR 1000 series router, a VPN Peer), the TOE will establish a secure connection. For other inbound or outbound traffic a secure connection will not be established.
The Cisco ASR 1000 Series Routers mediate all information flows to and from the ASR itself. The TOE has the ability to permit or deny information flows based on the characteristics of the information flow. By examining the information flows to the TOE itself, the ASR is able to provide specific TOE services to requesting unauthenticated entities. The TOE services that are available to unauthenticated entities are configurable by the Security Administrator and must include ICMP. All other TOE services are only available to authenticated entities.
The Cisco ASR 1000 mediates all information flows through the ASR for unauthenticated information flows. The TOE provides the ability to classify all data flows into zones. Configurable allow or deny rule sets are applied to each information flow on a zone-by-zone basis. All security attributes are inspected based on the configurable rule set of the information flow. The TOE makes the decision to allow or deny unauthenticated information flows based on the configured information flow rule set. The ASR generates and maintains “state” information for all approved connections mediated by the TOE. The “state” information is used to monitor the status of an approved connection and validate incoming packets received as part of an approved connection.
Trusted Path/Channel - The TOE establishes a trusted path between the TOE and the remote management station used by the administrators to manage the TOE. This trusted path is secured using an SSHv2 secure connection. All remote administration occurs through the SSHv2 secure trusted path. Alternatively, the TOE supports local administration through a directly connected management station.
The ASR establishes a trusted channel between itself and peer IT devices. Between the ASR and peer routers, network control information is exchanged via trusted channels to allow dynamic connection establishment and packet routing. Network control information consists of specific requests and instructions that include destination address, routing controls, and signaling information. Trusted channels are secured via IPSec encryption.
Cryptography – The TOE provides cryptography in support of other ASR security functionality. This cryptography has been validated for conformance to the requirements of FIPS 140-2 overall Level 2 and Level 3 for sections 3 and 10. The ASR provides cryptography in support of VPN connections.
Security Audit – The ASR provides extensive auditing capabilities. The TOE can audit events related to security alarms, cryptographic functionality, information flow control enforcement, identification and authentication, and administrative actions. The ASR generates an audit record for each auditable event. In addition to generating audit records for auditable events, the TOE monitors the occurrences and identifies potential security violations based on the generated audit records. Once the ASR has detected a potential security violation, an alarm is generated and a message is displayed to administrators. Additionally, the Security Administrator can configure the TOE to generate an audible alarm to indicate a potential security violation and enforces confirmation of each alarm by an administrator. The ASR provides the Audit Administrator with a sorting and searching capability to improve audit analysis. The Security Administrator configures auditable events, backs up and manages audit data storage. The TOE provides the Security Administrator with a circular audit trail or a configurable audit trail threshold to track the storage capacity of the audit trail.
High Availability - For ASR configurations that include dual ESPs or RPs, one of the ESPs or RPs acts as the active hardware while the other acts as a hot standby. If there is a hardware failure within either the active ESP or active RP, the hot standby ESP or RP within the ASR automatically becomes active. If there is a software failure within the active software instance, the ASR automatically switches to the hot standby software instance resident within the TOE on the hot standby.