NIAP: Compliant Product
Compliant Product - Cisco IM&P 11.5 SU3

Certificate Date:  2017.11.21

Validation Report Number:  CCEVS-VR-VID10760-2017

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 1.0

CC Testing Lab:  Acumen Security

CC Certificate [PDF]

Security Target [PDF]

Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is Cisco Unified Communications Manager IM and Presence Service (IM&P). The TOE provides native standards-based, dual-protocol, enterprise instant messaging (IM) and network-based presence as part of Cisco Unified Communications capabilities.  The IM&P service is integrated with Cisco Unified Communications Manager (CUCM) that includes a suite of integrated applications that accelerate communication, and enable collaboration with either colleagues within the enterprise or external partners and suppliers.

This suite of basic enterprise IM, network-based presence (availability) and group and persistent chats are the core features that are available for use in the basic deployment.  IM is an important communication option that lets users efficiently interact. IM and Presence Service provides personal chat, group chat, and persistent chat capabilities that can quickly connect individuals and groups and conduct ongoing conversations.

Evaluated Configuration

The TOE configuration specifies the configuration settings for communications with CUCM and other properties such as the server name and date-time settings.  The TOE connects to an NTP server on its internal network for time services. The TOE is administered using the Cisco Unified Communications Manager IM and Presence Service Administration program from a PC that is neither the web server nor a host with Cisco Unified Communications Manager IM and Presence Service installed. No browser software exists on the IM&P server. When connecting to the IM&P, the management station must be attached to the internal network and must use HTTPS/TLS to connect to the TOE.  A syslog server is also used to store audit records.  These servers must be attached to the internal (trusted) network.  The internal (trusted) network is meant to be separated effectively from unauthorized individuals and user traffic; it is a controlled environment in which security policies can be enforced.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Cisco IM&P was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.  The product, when delivered and configured as identified in the Common Criteria Configuration Guide, satisfies all of the security functional requirements stated in the Cisco IM&P Common Criteria Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in October 2017.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

The TOE comprises several security features. Each of the security features identified below consists of several security functionalities.

  • Security Audit
  • Cryptographic Support
  • Identification and Authentication
  • Security Management
  • Protection of the TSF
  • TOE Access
  • Trusted Path/Channels

These features are described in more detail in the subsections below.  In addition, the TOE implements all RFCs of the NDcPP v1.0 as necessary to satisfy testing/assurance measures prescribed therein.

Security Audit

The Cisco IM&P provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions.  The Cisco IM&P generates an audit record for each auditable event.  Each security-relevant audit event records the date, timestamp, event description, and subject identity.  The administrator configures auditable events, performs back-up operations, and manages audit data storage.  TOE audit event logging is centralized and enabled by default.  Audit logs can be backed up over a secure TLS channel to an external audit server.

Cryptographic Support

The TOE provides cryptographic support for secure communications and protection of information. The cryptographic services provided by the TOE include: symmetric encryption and decryption using AES; asymmetric key generation; cryptographic key establishment using RSA-based key establishment schemes and DH key establishment; digital signatures using RSA; cryptographic hashing using SHA-256; random bit generation using a DRBG; and keyed-hash message authentication using HMAC-SHA (SHA-1, SHA-256, and SHA-384). The TOE implements the secure protocols TLS/HTTPS and TLS, acting as both client and server.

The TOE provides cryptography in support of remote administrative management via HTTPS. The TOE can also use X.509v3 certificates for securing TLS sessions.

Identification and Authentication

The TOE provides authentication services for administrative users connecting to the TOE's GUI administrator interface.  The TOE requires Authorized Administrators to be successfully identified and authenticated prior to being granted access to any of the management functionality.  The TOE can be configured to require a minimum password length of 15 characters.  The TOE provides administrator authentication against a local user database using the GUI interface accessed via a secure HTTPS connection.

Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure HTTPS session or via a local console connection.  The TOE provides the ability to securely manage:

  • the configuration of the TOE;
  • the configuration of access banners;
  • the configuration of session inactivity;
  • the verification and installation of TOE updates;
  • the auditing behavior; and
  • the cryptographic functionality.

The TOE supports the security administrator role.  Only the privileged administrator can perform the above security-relevant management functions.

Administrators can create configurable login banners to be displayed at time of login, and can also define an inactivity timeout for each admin interface to terminate sessions after a set period of inactivity. 

Protection of the TSF

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators.  The TOE prevents reading of cryptographic keys and passwords.  Additionally, Cisco IM&P is not a general-purpose operating system, and access to Cisco IM&P memory space is restricted to only Cisco IM&P functions.

The TOE initially synchronizes time with CUCM, which maintains time and synchronizes it with an NTP server; the TOE then internally maintains the date and time.  This date and time is used as the timestamp applied to audit records generated by the TOE.

The TOE performs testing to verify correct operation of the system itself and that of the cryptographic module.

Finally, the TOE is able to verify any software updates prior to the software updates being installed on the TOE to avoid the installation of unauthorized software.

TOE Access

The TOE can terminate inactive sessions after an Authorized Administrator-configurable time period.  Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session.

The TOE can also display an Authorized Administrator specified banner on the GUI management interface prior to allowing any administrative access to the TOE.

Trusted Path/Channels

The TOE allows trusted paths to be established to itself from remote administrators over HTTPS and initiates secure HTTPS connections to transmit audit messages to remote syslog servers.

Vendor Information

Cisco Systems, Inc.
Terrie Diaz