NIAP: Compliant Product
Compliant Product - Cisco ISE v2.0

Certificate Date:  2017.04.13

Validation Report Number:  CCEVS-VR-VID10795-2017

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 1.0

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF]
Security Target [PDF]
Validation Report [PDF]
Assurance Activity [PDF]
Administrative Guide [PDF]

Product Description

The Cisco Identity Services Engine (ISE) is an identity and access control platform that enables organizations to enforce compliance and security within the network infrastructure. The TOE includes four hardware options: Cisco Identity Services Engine Appliance 3415, Cisco Identity Services Engine Appliance 3495, Cisco Identity Services Engine Appliance 3515 and Cisco Identity Services Engine Appliance 3595. The TOE’s software version is ISE v2.0, running on Cisco Application Deployment Engine (ADE) Release 2.4 operating system (ADE-OS).

ISE is a network device identity, authentication, and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline service operations. ISE allows enterprises to gather real-time contextual information from networks, users, and devices. The administrator can then use that information to make proactive governance decisions by tying identity to various network elements including access switches, wireless LAN controllers (WLCs), virtual private network (VPN) gateways, and data center switches. 

The logical boundary of the TOE includes only the security functionality defined by the claimed Protection Profile. The product's core network-access functions (identity, authentication, and access-control policy enforcement for network endpoints) are therefore outside the scope of the TOE; what the evaluation covers is the TOE's auditing, cryptography, identification and authentication of administrators, security management, self-protection, TOE access, and trusted path/channel functionality.

Evaluated Configuration

The ISE architecture supports both stand-alone and distributed deployments.  In a distributed configuration, one machine assumes the primary role and another “backup” machine assumes the secondary role.

The administrator can deploy ISE nodes with one or more of the Administration, Monitoring, and Policy Service personas, each one performing a different vital part in the overall network policy management topology. Installing ISE with an Administration persona allows the administrator to configure and manage the network from a centralized portal. 

The TOE architecture includes the following components:

- Nodes and persona types – A Cisco ISE node can assume the Administration, Policy Service, or Monitoring persona, and provides different services depending on the persona it assumes.
- Network resources – The clients to which ISE provides authentication services.
- Endpoints – Devices through which administrators log in to and manage the TOE.

The TOE’s evaluated configuration also includes, at minimum, the following environmental components:

- Administrative Console – A general-purpose computer that can interface with the TOE over a local CLI, a remote SSH CLI, or a remote TLS/HTTPS web GUI.
- Syslog Target – A syslog audit server capable of receiving syslog over TLS.

Optionally, the TOE may also use a remote authentication store (LDAP/Active Directory) as a third-party source for administrator credentials. If this is not used, the TOE provides locally-defined administrator accounts.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Cisco ISE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4, using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions in the preparative guidance, satisfies all of the security functional requirements stated in the Cisco Identity Services Engine (ISE) Security Target Version 0.8. The evaluation underwent CCEVS Validator review and was completed in April 2017. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (CCEVS-VR-VID10795-2017, dated 13 April 2017) prepared by CCEVS.

Environmental Strengths

Security Audit

The TOE contains mechanisms to generate audit data for predefined events on the TOE. Each audit record includes a timestamp, the event type, and additional data as applicable to the record type. Audit data can be stored locally on the TOE and also transmitted to an external server using TLS-protected syslog. Locally stored audit data cannot be modified and can only be deleted by a Security Administrator. Logs are grouped into predefined categories; a Security Administrator controls the log output of each category by setting its target(s) and severity level(s).

Cryptographic Support

The TOE provides cryptography in support of SSH, TLS, and TLS/HTTPS trusted communications. The TOE includes a cryptographic module that provides CAVP-validated implementations of the individual cryptographic algorithms used by the TOE: AES, HMAC, DRBG, DSA, RSA, CVL (KAS-FFC), and SHS (hashing). The TOE implements SSH and TLS/HTTPS as a server (for remote administration) and TLS as a client (for its LDAP and syslog channels). In the evaluated configuration, the TOE is placed in its FIPS mode of operation, and cryptographic settings such as the allowed TLS ciphersuites are restricted to those claimed in the Security Target.

Identification and Authentication

Users authenticate to the TOE as administrators via the local console, the remote CLI, or the remote web GUI. Administrators are authenticated with a username and password defined on the TOE, a username and password defined on an environmental LDAP/AD server, or a username and SSH public key. The TOE does not allow any TSF functionality to be performed before successful authentication other than display of the warning banner. For locally stored passwords, the TOE enforces a minimum length and permitted-character rules so that complex passwords can be required. When authenticating via the local console, the TSF does not echo entered credentials to the screen.

Security Management

The TOE enforces a role-based access control (RBAC) model for granting administrative privilege. Several administrative roles on the TOE are considered Security Administrators because they can view and/or modify security-relevant functions and data. The primary management interface is the HTTPS Cisco ISE user interface, an integrated network administration console from which the administrator manages the various identity services: authentication, authorization, posture, guest, and profiler, as well as monitoring, troubleshooting, and reporting. All of these services are managed from a single console window called the Cisco ISE dashboard; the navigation tabs and menus at the top of the window give point-and-click access to all other administration features. A Command Line Interface (CLI) is also supplied for additional administration functionality: system-level configuration in EXEC mode, other configuration tasks in configuration mode, and generation of operational logs for troubleshooting.

Protection of the TSF

The TOE protects the authentication and cryptographic data stored on it. It maintains system time using its own hardware clock. Self-tests run at power-on to verify the integrity of the TOE software and the correct operation of the cryptographic implementation. TOE updates can be applied by Security Administrators and are verified using digital signatures before installation.

TOE Access 

The TOE can terminate inactive sessions after an administrator-configurable time period. The TOE also allows users to terminate their own interactive session. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session. The TOE also displays a configurable warning banner prior to use of the TSF.

Trusted Path/Channels 

The TOE establishes trusted channels to the Operational Environment using TLS for LDAP server communications and for syslog server communications. Administrators establish trusted paths to the TOE using SSH for remote CLI administration and TLS/HTTPS for remote web GUI administration. All cryptographic functionality supporting these trusted channels and paths is provided by the cryptographic module contained within the TOE. In the evaluated configuration, the TOE is placed in its FIPS mode of operation and its protocol implementation details (such as the SSH key exchange method and the TLS cipher suites) are configured as specified in the administrative guidance.
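The Cryptographic Support and Trusted Path/Channels summaries above both come down to one operational requirement: the TLS client side of the TOE (LDAP and syslog channels) must only negotiate the protocol version and ciphersuites claimed in the Security Target, and must verify the peer. The following is an added example, not Cisco ISE code and not taken from the Security Target or the administrative guidance, showing how the same kind of restriction is expressed for a TLS client in Python's standard `ssl` module and how a context can be audited against the policy. The ciphersuite allow-list, the TLS 1.2-only bound, and the helper names (`build_client_context`, `audit_context`, `weak_context`) are assumptions made for illustration; the Security Target's claimed suites are the authoritative list for a real deployment.

```python
"""Added example: a TLS client context restricted the way an evaluated
network-device configuration restricts its LDAP/syslog channels, plus an
audit function that reports deviations from the assumed policy.

Not Cisco ISE code. The allow-list below is assumed for illustration and is
NOT the list claimed in the ISE Security Target.
"""
import ssl

# Assumed allow-list (OpenSSL names). Only TLS 1.2 suites using AES with
# RSA, DHE-RSA, or ECDHE-RSA key exchange and SHA-2 integrity.
ALLOWED_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES256-SHA256",
    "AES128-SHA256",
]

# Name fragments that must never appear in an enabled suite.
FORBIDDEN = ("NULL", "RC4", "DES", "MD5", "EXPORT", "ANON", "PSK", "SRP")


def build_client_context(cafile=None):
    """Client context for an outbound trusted channel (e.g. LDAPS, syslog/TLS).

    cafile: path to the CA bundle that signed the server's certificate.
    None means the platform trust store is used (assumption for the demo).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: the claimed configuration is TLS 1.2 only.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Peer certificate must chain to a trusted CA and match the hostname.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    # Unknown names in the string are ignored by OpenSSL, so the result is
    # exactly the intersection of the allow-list and what the library has.
    ctx.set_ciphers(":".join(ALLOWED_CIPHERS))
    return ctx


def enabled_cipher_names(ctx):
    """Names of every suite the context could offer, in priority order."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    tls12_only = ctx.maximum_version == ssl.TLSVersion.TLSv1_2
    for cipher in ctx.get_ciphers():
        # OpenSSL keeps TLS 1.3 suites in the list even when the maximum
        # version is 1.2; they cannot be negotiated then, so skip them.
        if tls12_only and cipher["protocol"] == "TLSv1.3":
            continue
        name = cipher["name"]
        if name not in ALLOWED_CIPHERS:
            findings.append(f"cipher outside allow-list: {name}")
        if any(tok in name for tok in FORBIDDEN):
            findings.append(f"weak cipher enabled: {name}")
    return findings


def weak_context():
    """Deliberately permissive context, to show what the audit catches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no peer verification at all
    return ctx


if __name__ == "__main__":
    good = build_client_context()
    print("compliant context findings:", audit_context(good))
    print("enabled suites:", enabled_cipher_names(good))
    print("weak context findings:", audit_context(weak_context()))
```

The returned context is used like any other: `ctx.wrap_socket(sock, server_hostname="syslog.example.internal")` for the syslog/TLS channel, or passed to an LDAP client that accepts an `SSLContext`. The audit function is the part worth keeping in a deployment checklist: it turns "restricted to those claimed in the Security Target" into something that can be asserted on every start-up rather than checked once.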

Vendor Information

Cisco Systems, Inc.
Alicia Squires