Compliant Product - Cisco Catalyst 3650 and 3850 Series Switches running IOS-XE 16.9
Certificate Date: 2019.03.14
Documents: CC Certificate, Security Target *, Validation Report
Validation Report Number: CCEVS-VR-VID10940-2019
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
Extended Package for MACsec Ethernet Encryption Version 1.2
CC Testing Lab: Acumen Security
* This is the Security Target (ST) associated with the latest Maintenance Release. To view previous STs for this TOE, click here.
The Cisco Catalyst 3650 Series and 3850 Series Switches running IOS XE 16.9 are purpose-built switching and routing platforms with OSI Layer 2 and Layer 3 traffic filtering capabilities. They support MACsec encryption for switch-to-switch (inter-network device) security.
Cisco Catalyst 3650 and 3850 Series Switches
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Catalyst 3650 and 3850 Series Switches were evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. The product, when delivered and configured as identified in the AGD, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in March 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report numbered CCEVS-VR-VID10940-2019) prepared by CCEVS.
The Cisco Catalyst 3650 and 3850 Series Switches provide extensive auditing capabilities. A comprehensive set of audit logs, identifying specific operations, is generated. The date and time of each event, the type of event, the subject identity, and the outcome of the event are recorded.
Audit messages are configured to be transmitted to an external syslog server. Communication with the syslog server is protected using IPsec and the switch can determine when communication with the syslog server fails. If that should occur, it can be configured to block new permit actions.
The audit logs can be viewed using the appropriate IOS commands. The records include the date/time the event occurred, the event type, the user associated with the event, and additional information about the event and its success and/or failure. An interface to modify audit records does not exist, though there is an interface available for the authorized administrator to clear audit data stored locally.
The Cisco Catalyst 3650 and 3850 Series Switches provide cryptography in support of security functionality. All the algorithms claimed have CAVP certificates.
The IOS Common Cryptographic Module (IC2M) Rel5 is leveraged. The IOS software calls the IOS Common Cryptographic Module (IC2M) Rel5, which has been validated for conformance to the requirements of FIPS 140-2 Level 1.
In addition, MACsec is supported using the proprietary Unified Access Data Plane (UADP) ASIC. The MACsec Controller (MSC) is embedded within the ASICs that are utilized within Cisco hardware platforms.
Cryptography is provided in support of VPN connections that include remote administrative management via SSHv2 and IPsec to secure the transmission of audit records to the remote syslog server. In addition, IPsec is used to secure the session with the authentication servers.
Also, packets with a MACsec peer are authenticated and encrypted. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys to protect data exchanged by the peers.
The Cisco Catalyst 3650 and 3850 Series Switches perform two types of authentication: device-level authentication of the remote device (TOE peers) and user authentication for the Authorized Administrator. Device-level authentication allows the establishment of a secure channel with a trusted peer. The secure channel is established only after each device authenticates the other. Device-level authentication is performed via IKE/IPsec mutual authentication.
Authentication services are provided for administrative users to connect to the secure CLI. Authorized Administrators are required to authenticate prior to being granted access to any of the management functionality. A minimum password length of 15 characters, as well as mandatory password complexity rules, can be configured. Administrator authentication is performed against a local user database. Password-based authentication can be performed on the serial console or SSHv2 interfaces. The SSHv2 interface also supports authentication using SSH keys. Use of a RADIUS AAA server (part of the IT Environment) is supported for authentication of administrative users attempting to connect to the CLI.
Automatic lockout is provided when a user attempts to authenticate and enters invalid information. When the number of failed authentication attempts exceeds the configured threshold, the user is locked out until an authorized administrator re-enables the user account.
Finally, X.509v3 certificates as defined by RFC 5280 are used to support authentication for IPsec connections.
The Cisco Catalyst 3650 and 3850 Series Switches provide secure administrative services for management of general configuration and the security functionality. All administration occurs either through a secure SSHv2 session or via a local console connection.
Two separate administrator roles are supported: non-privileged administrator and privileged administrator. Only the privileged administrator can perform the security relevant management functions. The privileged administrator is the Authorized Administrator who has the ability to enable, disable, determine and modify the behavior of all of the security functions.
The Cisco Catalyst 3650 and 3850 Series Switches protect against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators. Reading of cryptographic keys and passwords is prevented. Additionally, Cisco IOS is not a general-purpose operating system and access to Cisco IOS memory space is restricted to only Cisco IOS functions.
Software updates can be verified prior to installation to avoid the installation of unauthorized software.
Replay of information received via secure channels (MACsec) can also be detected. Detection is applied to network packets, such as trusted communications with an IT entity (e.g., MACsec peer). If replay is detected, the packets are discarded.
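The replay check described above can be illustrated with a small model of how a receiver decides whether a MACsec frame's packet number (PN) is fresh. This is an added example written for this listing, not Cisco's or the TOE's code; the assumed model is a strict mode in which each accepted PN must exceed the highest PN accepted so far on the secure association, plus an optional reordering window in which an out-of-order PN is accepted once and any repeated PN is discarded. The `filter_frames` helper and the sample PN sequences are constructed for the example.

```python
"""Model of a per-secure-association replay check on MACsec packet numbers.

Constructed illustration (not Cisco's code). Assumed behaviour:
- strict mode (window == 0): a PN is accepted only if it is greater than
  the highest PN accepted so far;
- windowed mode: a PN up to `window` positions behind the highest may be
  accepted once (tolerates reordering); a PN already seen is discarded.
"""
from dataclasses import dataclass, field


@dataclass
class ReplayChecker:
    window: int = 0
    highest: int = 0                     # highest PN accepted so far (0 = none yet)
    seen: int = 0                        # bitmap: bit k set => PN (highest - k) accepted
    dropped: list = field(default_factory=list)

    def accept(self, pn: int) -> bool:
        """Return True if the frame carrying packet number `pn` is accepted."""
        if pn <= 0:                      # PN 0 is never valid
            self.dropped.append(pn)
            return False
        if pn > self.highest:
            # Advance the window so that bit 0 represents the new highest PN;
            # bits that fall outside the window are discarded by the mask.
            shift = pn - self.highest
            mask = (1 << (self.window + 1)) - 1
            self.seen = ((self.seen << shift) | 1) & mask
            self.highest = pn
            return True
        offset = self.highest - pn       # how far behind the highest PN
        if offset > self.window:
            self.dropped.append(pn)      # too old: outside the replay window
            return False
        if self.seen & (1 << offset):
            self.dropped.append(pn)      # already received: replayed frame
            return False
        self.seen |= 1 << offset         # late but fresh: accept once
        return True


def filter_frames(pns, window=0):
    """Run a sequence of received PNs through one checker.

    Returns (accepted, dropped) lists, in arrival order.
    """
    checker = ReplayChecker(window=window)
    accepted = [pn for pn in pns if checker.accept(pn)]
    return accepted, checker.dropped


if __name__ == "__main__":
    # Constructed arrival sequence: frame 5 is replayed, frame 4 arrives late.
    print(filter_frames([1, 2, 3, 5, 5, 4, 6], window=0))   # strict: 5 and 4 dropped
    print(filter_frames([1, 2, 3, 5, 5, 4, 6], window=3))   # windowed: only the repeated 5 dropped
```

With `window=0` the checker matches the strict case in the text: anything at or below the last accepted PN is treated as a replay and discarded. With a non-zero window the late frame 4 is accepted because it has not been seen before, while the second copy of frame 5 is still discarded.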
Date and time are internally maintained. That date and time is used as the timestamp applied to generated audit records. Authorized Administrators can update the clock manually to maintain a reliable timestamp.
Finally, testing is performed to verify the correct operation of the switch and of its cryptographic module.
The Cisco Catalyst 3650 and 3850 Series Switches can terminate inactive sessions after an Authorized Administrator configurable time-period. Once a session has been terminated the user is required to re-authenticate to establish a new session. User accounts can be configured to lock after a specified number of failed logon attempts until an authorized administrator can enable the user account.
An Authorized Administrator specified banner can be displayed on the CLI management interface prior to allowing any administrative access.
The Cisco Catalyst 3650 and 3850 Series Switches allow trusted channels to be established from remote administrators over SSHv2. Outbound IPsec tunnels can also be initiated to transmit audit messages to remote syslog servers. In addition, IPsec is used to secure the session with the authentication servers.
Trusted paths can also be established for peer-to-peer IPsec sessions. The peer-to-peer IPsec sessions can be used for securing the communications with the authentication server/syslog server, as well as to protect the communications with the CA server.
Vendor: Cisco Systems, Inc.