NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - Cisco Expressway X12.5

Certificate Date:  2019.08.19

Validation Report Number:  CCEVS-VR-VID10938-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The Cisco Expressway X12.5 TOE is software installed on one or more Cisco UCS appliances: UCS C220 M4, UCS C240 M4, UCS C220 M5, or UCS C240 M5. It is recommended, however, that the Cisco Expressway solution be deployed and installed on the same platform.


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Expressway X12.5 is evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the evaluation is a collaborative Protection Profile for Network Devices (NDcPP) + Errata 20180314, Version 2.0e. The product, when delivered configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in August 2019.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.

  • Security Audit
  • Communications
  • Cryptographic Support
  • Identification and Authentication
  • Security Management
  • Protection of the TSF
  • TOE Access
  • Trusted Path/Channels


Security Audit

The TOE provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions.  The Cisco Expressway generates an audit record for each auditable event.  Each security relevant audit event has the date, timestamp, event description, and subject identity.  The administrator configures auditable events, performs back-up operations, and manages audit data storage.  The TOE audit event logging is centralized and enabled by default.  Audit logs can be sent to an external audit server over a secure TLS channel.

 

Communications

The TOE provides the configuration options for the Authorized Administrator to enable the persistent, dedicated secure connections using SSHv2.0 between the two components, Expressway-C and Expressway-E.  This connection forms a highly secure traversal link to provide a collaboration gateway solution that extends the services and access to users inside and outside of the organization’s firewall. 

 

Cryptographic Support

The TOE provides cryptography in support of other Cisco Expressway security functionality. The Expressway software calls the CiscoSSL FIPS Object Module (FOM) v6.2 that has been validated in accordance with the specified standards to meet the requirements listed below and all the algorithms claimed have CAVP certificates.

 

 

Refer to the table below for algorithm certificate references.

 

FIPS References

| Algorithm | Description | Supported Mode | CAVP Cert. # | Module | SFR |
|---|---|---|---|---|---|
| RSA | Signature Verification and key transport | FIPS PUB 186-4 Key Generation, PKCS#1 v.1.5, 2048 bit key | C905 (UCS M5), C924 (UCS M4) | CiscoSSL FIPS Object Module (FOM) v6.2 | FCS_CKM.1, FCS_CKM.2, FCS_COP.1/SigGen |
| ECDSA | Cryptographic Signature services | FIPS 186-4, Digital Signature Standard (DSS) | C905 (UCS M5), C924 (UCS M4) | CiscoSSL FIPS Object Module (FOM) v6.2 | FCS_CKM.1, FCS_COP.1/SigGen |
| AES | Used for symmetric encryption/decryption | AES Key Wrap in CBC, CTR and GCM (128 and 256 bits) | C905 (UCS M5), C924 (UCS M4) | CiscoSSL FIPS Object Module (FOM) v6.2 | FCS_COP.1/DataEncryption |
| SHS (SHA-1, 256, 384, 512) | Cryptographic hashing services | Byte Oriented | C905 (UCS M5), C924 (UCS M4) | CiscoSSL FIPS Object Module (FOM) v6.2 | FCS_COP.1/Hash |
| HMAC SHA-1, SHA-256, SHA-384, SHA-512 | Keyed hashing services and software integrity test | Byte Oriented | C905 (UCS M5), C924 (UCS M4) | CiscoSSL FIPS Object Module (FOM) v6.2 | FCS_COP.1/KeyedHash |
| DRBG | Deterministic random bit generation services in accordance with ISO/IEC 18031:2011 | CTR_DRBG (AES 256) | C905 (UCS M5), C924 (UCS M4) | CiscoSSL FIPS Object Module (FOM) v6.2 | FCS_RBG_EXT.1 |
| CVL SSH/TLS | Key Agreement | NIST Special Publication 800-56A | C905 (UCS M5), C924 (UCS M4) | CiscoSSL FIPS Object Module (FOM) v6.2 | FCS_CKM.2 |
| CVL – KAS-ECC | Key Agreement | NIST Special Publication 800-56A | C905 (UCS M5), C924 (UCS M4) | CiscoSSL FIPS Object Module (FOM) v6.2 | FCS_CKM.2 |


The TOE provides cryptography in support of remote administrative management via HTTPS/TLS, the secure connection to an external audit server using TLS and a dedicated SSHv2 secure connection between the Expressway C and E components.  The TOE uses the X.509v3 certificate for securing the SSH and TLS connections. The TOE also authenticates software updates to the TOE using a published SHA512 hash.

Identification and Authentication

The TOE provides authentication services for administrative users to connect to the TOE’s GUI administrator interface.  The TOE requires Authorized Administrators to be successfully identified and authenticated prior to being granted access to any of the management functionality.  The TOE can be configured to require a minimum password length of 15 characters.  The TOE provides administrator authentication against a local user database using the GUI interface accessed via secure HTTPS connection.

 

The TOE also provides an automatic lockout when a user attempts to authenticate and enters invalid information.  When the threshold for the number of failed authentication attempts has exceeded the configured allowable attempts, the user is locked out until an authorized administrator can enable the user account. 

 

Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure HTTPS session or via a local console connection.  The TOE provides the ability to securely manage:

  • Ability to administer the TOE locally and remotely;
  • Ability to configure the access banner;
  • Ability to configure the session inactivity time before session termination or locking;
  • Ability to update the TOE, and to verify the updates using published hash capability prior to installing those updates;
  • Ability to configure the authentication failure parameters for FIA_AFL.1;
  • Ability to configure audit behavior;
  • Ability to configure the cryptographic functionality;
  • Ability to configure the interaction between TOE components;
  • Ability to re-enable an Administrator account;
  • Change a user's password;
  • Require a user's password to be changed upon next login;
  • Configure NTP


The TOE supports the security administrator role. Only the Authorized Administrator can perform the above security relevant management functions.

Authorized Administrators can create configurable login banners to be displayed at time of login and can define an inactivity timeout threshold for each admin interface to terminate sessions after a set period of inactivity has been reached.

Protection of the TSF

The TOE protects against interference and tampering by untrusted subjects by implementing identification and authentication.  The TOE prevents reading of cryptographic keys and passwords.  Additionally, Cisco Expressway is not a general-purpose operating system and access to Cisco Expressway memory space is restricted to only Cisco Expressway functions.

The TOE initially synchronizes time with an NTP server and then internally maintains the date and time.  This date and time is used as the timestamp that is applied to audit records generated by the TOE. 

The TOE performs testing to verify correct operation of the system itself and that of the cryptographic module.

Finally, the TOE is able to verify any software updates prior to the software updates being installed on the TOE. The software is verified via a published hash.

 

TOE Access

The TOE can terminate inactive sessions after an Authorized Administrator configurable time-period.  Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session. 

The TOE can also display an Authorized Administrator specified banner on the GUI management interface prior to allowing any administrative access to the TOE.

Trusted Path/Channels

The TOE allows trusted channels to be established to itself from remote Authorized Administrators using HTTPS, initiates outbound TLS secure connection to transmit audit messages to remote syslog servers and uses NTPv4 to secure the connection to the NTP server.   

The TOE can also establish trusted paths between the Expressway C and Expressway E components using SSHv2 when configured in Mobile and Remote Access (MRA) mode. In MRA mode, the TOE provides a highly secure traversal link to provide a collaboration gateway solution that extends the services and access to users inside and outside of the organization’s firewall.

In MRA mode, SSHv2 is used to secure the persistent, dedicated connection where Expressway C acts as the SSH server and the Expressway E acts as the SSH client, therefore creating a distributed TOE.

If any of the established trusted channels/paths is unintentionally broken, the connection will need to be re-established as described in this document and the referenced Cisco Expressway X12.5 System Common Criteria Configuration Guide.

 

Excluded Functionality

The following functionality is excluded from the evaluation.

 

| Excluded Functionality | Exclusion Rationale |
|---|---|
| Non-FIPS mode of operation | This mode of operation includes non-FIPS allowed operations. |

 

These services can be disabled by configuration settings as described in the Guidance documents (AGD). The exclusion of this functionality does not affect the compliance to the NDcPPv2.0e.

 


Vendor Information


Cisco Systems, Inc.
Cert Team
410-309-4862
certteam@cisco.com

www.cisco.com