Compliant Product - Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform
Certificate Date: 11 July 2011
Validation Report Number: CCEVS-VR-VID10381-2011
Product Type: Firewall, VPN
Conformance Claim: EAL4 Augmented with ALC_FLR.2
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is the Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform. The following models and software versions were evaluated:
- Hardware Models
  - Cisco ASA 5505, 5510, 5520, 5540, 5550, 5580-20, and 5580-40
- Software Versions
  - Cisco ASA Release 8.3.2
  - Cisco AnyConnect Release 2.5
  - Cisco VPN Client Release 5.0
  - Cisco Adaptive Security Device Manager (ASDM) 6.3.2
All appliance models comprising the TOE provide the same security functionality. They differ only in the number and speed of their network connections and their processing capacity (in terms of memory and processor speeds).
The TOE is a purpose-built security platform that combines application-aware firewall and VPN services for small and medium-sized business (SMB) and enterprise applications. For firewall services, the ASA 5500 Series provides application-aware stateful packet filtering firewalls. The application-inspection capabilities automate the network to treat traffic according to detailed policies based not only on port, state, and addressing information, but also on application information buried deep within the packet header. For VPN services, the ASA 5500 Series provides a complete remote-access VPN solution that supports numerous connectivity options, including the Cisco VPN Client for IP Security (IPSec), Cisco Clientless SSL VPN, network-aware site-to-site VPN connectivity, and the Cisco AnyConnect VPN client. IPSec provides confidentiality, authenticity, and integrity for IP data transmitted between trusted (private) networks over untrusted (public) links or networks. For management purposes, the ASDM is included. ASDM allows the ASA to be managed from a graphical user interface.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2. The product, when delivered and configured as identified in the Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform Common Criteria Operational User Guidance and Preparative Procedures document, satisfies all of the security functional requirements stated in the Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform Security Target (Version .18). The project underwent one Validation Oversight Panel (VOR) review. The evaluation was completed in June 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10381-2011, dated July 2011) prepared by CCEVS.
The logical boundaries of Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.
VPN and/or Firewall Information Flow Control - The Information Control functionality of the TOE allows authorized administrators to set up rules between interfaces of the TOE. These rules control whether a packet is transferred from one interface to another and/or transferred encrypted.
In providing the Information Flow Control functionality, the TOE has the ability to translate network addresses contained within a packet, called Network Address Translation. Depending upon the TOE configuration, the address can be translated into a permanently defined static address, an address selected from a range, or a single address with a unique port number (Port Address Translation). Network Address Translation can also be disabled, so that addresses are not changed when passing through the TOE.
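As an added illustration (not Cisco code and not part of the evaluation), the following Python models the interface-to-interface rules and the four address-translation behaviours just described: static mapping, an address selected from a pool, Port Address Translation, and NAT disabled. The class and function names, the first-match/default-deny rule evaluation and the PAT port range are assumptions made for the example, not ASA behaviour.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional

# Assumed model of flow rules and NAT modes for illustration only.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class FlowRule:
    """Rule between two TOE interfaces; dst_port None matches any port."""
    from_if: str
    to_if: str
    dst_port: Optional[int]
    action: str          # "permit", "permit-encrypted" or "deny"

class NatPolicy:
    """One of the four translation behaviours applied to the source address."""
    def __init__(self, mode, static_map=None, pool=None, pat_ip=None):
        if mode not in ("static", "pool", "pat", "disabled"):
            raise ValueError(f"unknown NAT mode {mode!r}")
        self.mode = mode
        self.static_map = dict(static_map or {})   # inside ip -> fixed outside ip
        self.pool = list(pool or [])               # free outside addresses
        self.pat_ip = pat_ip                       # single shared outside ip
        self._leases = {}                          # inside ip -> leased pool address
        self._pat_ports = count(1024)              # next unique PAT source port

    def translate(self, pkt):
        if self.mode == "disabled":
            return pkt                              # addresses pass unchanged
        if self.mode == "static":
            mapped = self.static_map.get(pkt.src_ip)
            if mapped is None:
                raise LookupError(f"no static mapping for {pkt.src_ip}")
            return replace(pkt, src_ip=mapped)
        if self.mode == "pool":
            if pkt.src_ip not in self._leases:
                if not self.pool:
                    raise RuntimeError("address pool exhausted")
                self._leases[pkt.src_ip] = self.pool.pop(0)
            return replace(pkt, src_ip=self._leases[pkt.src_ip])
        # PAT: every flow shares one address and receives a unique source port
        return replace(pkt, src_ip=self.pat_ip, src_port=next(self._pat_ports))

def forward(pkt, from_if, to_if, rules, nat):
    """Return (decision, translated packet or None).

    The first rule matching the interface pair and port wins; a packet that
    matches no rule is dropped (assumed default-deny)."""
    for rule in rules:
        if rule.from_if != from_if or rule.to_if != to_if:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        if rule.action == "deny":
            return "dropped", None
        out = nat.translate(pkt)
        decision = "forwarded-encrypted" if rule.action == "permit-encrypted" else "forwarded"
        return decision, out
    return "dropped", None

if __name__ == "__main__":
    rules = [FlowRule("inside", "outside", 443, "permit"),
             FlowRule("inside", "dmz", None, "permit-encrypted")]
    pat = NatPolicy("pat", pat_ip="203.0.113.1")
    for dport in (443, 22):
        pkt = Packet("10.0.0.5", 40000, "198.51.100.7", dport)
        print(dport, forward(pkt, "inside", "outside", rules, pat))
```

Running the block shows the HTTPS flow leaving with the shared PAT address and a fresh source port while the SSH flow, matching no rule, is dropped; swapping in a `static`, `pool` or `disabled` policy changes only the address the permitted packet leaves with.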
The TOE provides IPSec and SSL VPN capability. The IPSec VPN function includes IPSec and Internet Security Association and Key Management Protocol (ISAKMP) functionality to support VPNs. A secure connection between two IPSec peers is called a tunnel. The TOE implements ISAKMP and IPSec tunneling standards to build and manage VPN tunnels. The TOE implements IPSec in two types of configurations:
- LAN-to-LAN configurations are between two IPSec security gateways, such as security appliance units or other protocol-compliant VPN devices. A LAN-to-LAN VPN connects networks in different geographic locations.
- Remote access configurations provide secure remote access for Cisco VPN clients, such as mobile users. A remote access VPN lets remote users securely access centralized network resources. The Cisco VPN client complies with the IPSec protocol and is specifically designed to work with the TOE.
SSL VPN connectivity is provided through a clientless solution and a client solution – AnyConnect. The clientless SSL VPN, which is actually branded as SSL VPN, uses the SSL (v3.1) protocol and its successor, Transport Layer Security (TLS) v1.0 to provide a secure connection between remote users and specific, supported internal resources as configured by the administrator. The TOE recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. Establishing an SSL VPN session requires the following:
- Use of HTTPS to access the TOE. In a Web browser, remote users enter the TOE IP address in the format https://address where address is the IP address or DNS hostname of the TOE interface.
- The administrator enabling clientless SSL VPN sessions on the TOE interface that remote users connect to, with the ‘svc enable’ command.
Audit - The TOE’s Audit security function supports audit record generation and review. The TOE provides date and time information that is used in audit timestamps. The events generated by the TOE include all commands executed by the authorized administrator, in addition to cryptographic operations, traffic decisions, indication of the logging starting and stopping and other system events.
The local buffer on the ASA stores the audit records, and its size is configurable by the authorized administrator. The same protection is given to these stored events that is given to all system files on the ASA. Access to them is restricted only to the authorized administrator, who has no access to edit them, only to copy or delete (clear) them.
The audit records can be viewed either locally or remotely (via SSH v2) on the ASA CLI or through a Real-Time Log Viewer in ASDM (secured via HTTPS tunnel). The Real-Time Log Viewer in ASDM allows for filtering of events or searches by keyword and for sorting of events by the header fields in the event viewer. This allows an authorized administrator to quickly locate the information that they are looking for and quickly detect issues. This log viewer needs to be open and active during TOE operation in order to display the records as they are received.
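As an added example (not Cisco code and not taken from the evaluation), the Python below models the local audit buffer and the viewer behaviour described in the Audit section: a buffer of configurable size, records that can be copied or cleared but not edited, and keyword filtering and sorting by header field. The sample lines are constructed in the `%ASA-<severity>-<message id>: <text>` syslog form; their message ids and text, the parser, and the choice to overwrite the oldest record when the buffer is full are assumptions made for the example.

```python
import re
from collections import deque

# Constructed sample events in ASA-style syslog form (ids and text are assumed).
SAMPLE_EVENTS = [
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/40000",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.9/51515 dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "%ASA-5-111008: User 'admin' executed the 'logging buffered 8192' command.",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/40000 duration 0:00:12 bytes 4096",
]

# Header layout assumed for the example: %ASA-<severity 0-7>-<six-digit id>: <text>
HEADER_RE = re.compile(r"^%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$")

def parse_event(line):
    """Split one line into the header fields the viewer can sort on."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not an ASA-style syslog line: {line!r}")
    return {"severity": int(m["severity"]), "msg_id": m["msg_id"], "text": m["text"]}

class AuditBuffer:
    """Bounded, append-only local store.

    The administrator can copy or clear the records; there is deliberately no
    method that changes a stored record in place."""
    def __init__(self, capacity):
        if capacity < 1:
            raise ValueError("capacity must be positive")
        self._events = deque(maxlen=capacity)   # oldest record drops when full (assumed)
        self._seq = 0

    def record(self, line):
        self._seq += 1
        event = parse_event(line)
        event["seq"] = self._seq                 # monotonically increasing record id
        self._events.append(event)

    def copy(self):
        """Snapshot for export; returns copies so the caller cannot alter the store."""
        return [dict(e) for e in self._events]

    def clear(self):
        self._events.clear()

    def filter(self, keyword):
        """Case-insensitive keyword search over the event text."""
        needle = keyword.lower()
        return [dict(e) for e in self._events if needle in e["text"].lower()]

    def sort_by(self, field, reverse=False):
        """Order a snapshot by a header field: seq, severity or msg_id."""
        return sorted(self.copy(), key=lambda e: e[field], reverse=reverse)

    def __len__(self):
        return len(self._events)

if __name__ == "__main__":
    buf = AuditBuffer(capacity=3)           # smaller than the sample to show eviction
    for line in SAMPLE_EVENTS:
        buf.record(line)
    for e in buf.sort_by("severity"):
        print(e["seq"], e["severity"], e["msg_id"], e["text"][:48])
```

With a capacity of three the first connection record is overwritten by the fourth event, the `Deny` line is the only hit for a keyword filter on "deny", and sorting by severity brings that same access-group denial to the top, which is the kind of quick triage the viewer's filtering and sorting is meant to support.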
Identification and Authentication – Authentication performed by the TOE makes use of a reusable password mechanism for access to the TOE by authorized administrators as well as by human users establishing VPN connections. The TOE by default is configured to perform local authentication and stores user names and passwords in an internal user authentication database which is only accessible by the administrator via privileged commands at the CLI or screens in ASDM. The TOE can be configured to use an external authentication server for single-use authentication such that the TOE is responsible for correctly invoking the external authentication mechanism, and for taking the correct actions based on the external server’s authentication decisions.
VPN users are authenticated through their client (or through the SSL session if clientless) to the TOE via a reusable password mechanism. If enabled, certificate-based authentication is used for clientless SSL VPN.
Management - The Management functionality permits an authorized administrator from a physically secure local connection, an SSHv2 encrypted connection (the encryption is subject to FIPS PUB 140-2 security functional requirements) or an HTTPS-tunneled ASDM connection from an internal trusted host or a remote connected network. All of the management functions are restricted to the authorized administrator of the TOE. The authorized administrator is defined as having the full set of privileges on the ASA, which is indicated by a level 15 privilege on a scale from 0 to 15.
Cryptography – The TOE relies on FIPS PUB 140-2 validation for testing of cryptographic functions. The FIPS certificate is 1436 for the ASA, and the clients are FIPS compliant.
The Cisco VPN Client uses cryptography at two abstraction levels:
- User space: Here cryptography is used for IKE. Once the IKE exchange is completed the keys are plumbed down to the kernel space. For supporting IKE, the module utilizes AES, Triple-DES, HMAC-SHA-1, SHA-1, RSA (digital signatures), RSA (encrypt/decrypt), and Diffie-Hellman. These algorithms are provided by RSA Crypto-C Micro Edition dynamic library.
- Kernel space: At this level, cryptography is used for bulk IPSec encryption/decryption and MACing. To support this, the module uses AES, Triple-DES, SHA-1 and HMAC-SHA-1 algorithms. These algorithms are provided by RSA BSAFE Crypto-Kernel library.
The Cisco AnyConnect client uses cryptography at two junctures:
- Session setup: Here cryptography is used as part of the protocol used to set-up HTTPS sessions using TLS.
- Data protection: Once the session set-up is complete, cryptography is used to protect data that traverses over the TLS and DTLS tunnels.
Unlike session set-up, all crypto for data protection is offloaded to the OpenSSL library on Windows, Linux and Mac OS platforms. To ensure that OpenSSL utilizes only FIPS-approved crypto algorithms, the client has a policy file (called AnyConnectLocalPolicy) where FIPS mode can be set.
The ASA uses cryptography in the following forms:
- Identity certificates for the ASA itself, and also for use in IPSEC, TLS, and SSH negotiations. This is provided by RSA keys.
- Key agreement for IKE, TLS, and SSH sessions. This is provided by Diffie-Hellman.
- TLS traffic keys, SSH session keys, IPSec authentication keys, IPSec traffic keys, IKE authentication keys, IKE encryption keys, and key wrap for communication with a remote authentication server. These are provided in the form of AES or Triple-DES keys (with the exception of communications with an authentication server, which use only AES keys).