NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - Cisco CUBE on Cloud Services Router 1000V running IOS-XE 16.9

Certificate Date:  2019.06.14

Validation Report Number:  CCEVS-VR-VID10947-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
  Extended Package for Session Border Controller Version 1.1

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The TOE evaluated configuration consists of the Cisco IOS-XE software image Release 16.9 on the Cisco Unified Computing System (UCS) 220 M4, 240 M4, 220 M5, and 240 M5 and configured in accordance with the Cisco CUBE on CSR1000V running IOS-XE 16.9 Common Criteria Configuration Guide.


Evaluated Configuration

The TOE evaluated configuration consists of the Cisco IOS-XE software image Release 16.9 on the Cisco Unified Computing System (UCS) 220 M4, 240 M4, 220 M5, and 240 M5 and configured in accordance with the Cisco CUBE on CSR1000V running IOS-XE 16.9 Common Criteria Configuration Guide.

The following figure provides a visual depiction of the TOE deployment.

The previous figure includes the following devices:

  • The TOE
    • Cisco CUBE on CSR 1000v running IOS-XE 16.9 on the Cisco UCS hardware
  • The following are considered to be in the IT Environment:
    • Local Console to support local Administration
    • Management Workstation to support remote Administration
    • Authentication Server to support remote authentication
    • NTP Server
    • Syslog Server
    • Cisco CUCM
    • VVoIP end points
    • B2B Collaboration
    • Service Provider


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the CUBE on Cloud Services Router 1000V was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.  The product, when delivered configured as identified in the Cisco CUBE on Cloud Service Router 1000V running IOS-XE 16.9 Common Criteria Configuration Guide, satisfies all of the security functional requirements stated in the Cisco CUBE on Cloud Service Router 1000V running IOS-XE 16.9 Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in May 2019.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.

  • Security Audit
  • Cryptographic Support
  • Data Protection
  • Firewall
  • Identification and Authentication
  • Security Management
  • Protection of the TSF
  • Resource Utilization
  • TOE Access
  • Trusted Path/Channels

These features are described in more detail in the subsections below.  In addition, the TOE implements all security functional requirements of the NDcPP v2.0e and SBC EP v1.1 as necessary to satisfy testing/assurance measures prescribed therein.

Security Audit

The TOE provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions. The TOE generates an audit record for each auditable event. Each security relevant audit event has the date, timestamp, event description, and subject identity. The administrator configures auditable events, performs back-up operations and manages audit data storage. The TOE provides the administrator with a circular audit trail or a configurable audit trail threshold to track the storage capacity of the audit trail. Audit logs can also be sent to a remote syslog server using IPsec to secure the connection.

In addition, the TOE provides the capabilities for the Authorized Administrator to define a set of rules to indicate a potential security violation. Upon detection of a potential security violation, the TOE will transmit the log records associated with the potential security violation to a remote syslog server using IPsec to secure the connection.

Cryptographic Support

The TOE provides cryptography in support of other TOE security functionality. The CUBE software calls the IOS Common Cryptographic Module (IC2M) Rel5 (Firmware Version: Rel 5) for cryptography support. All the algorithms claimed have CAVP certificates based on CUBE on CSR1000v which has Intel® Xeon® processors as noted in the ST.

The TOE provides cryptography in support of remote administrative management via SSHv2, to secure the connection to an external audit server using IPsec and for securing TLS connections including SIP and SRTP connections to endpoints and ESC.

The TOE also authenticates software updates using a published hash.

Refer to Table 1 for algorithm certificate references.

Table 1 FIPS References

| Algorithm | Description | Supported Mode | CAVP Cert. # | Module | SFR |
|---|---|---|---|---|---|
| AES | Used for symmetric encryption/decryption | CBC (128, 192, 256); GCM (128, 192, 256) | C462 (UCS M4); 5474 (UCS M5) | IC2M | FCS_COP.1/DataEncryption |
| SHS (SHA-1, SHA-256, SHA-384 and SHA-512) | Cryptographic hashing services | Byte Oriented | C462 (UCS M4); 4392 (UCS M5) | IC2M | FCS_COP.1/Hash |
| HMAC SHA-1, SHA-256, SHA-384 and SHA-512 | Keyed hashing services and software integrity test | Byte Oriented | C462 (UCS M4); 3629 (UCS M5) | IC2M | FCS_COP.1/KeyedHash |
| DRBG | Deterministic random bit generation services in accordance with ISO/IEC 18031:2011 | CTR_DRBG (AES 256) | C462 (UCS M4); 2153 (UCS M5) | IC2M | FCS_RBG_EXT.1 |
| RSA | Signature Verification and key transport | PKCS#1 v.1.5, 2048 bit key, FIPS 186-4 Key Generation | C462 (UCS M4); 2940 (UCS M5) | IC2M | FCS_CKM.1; FCS_CKM.2; FCS_COP.1/SigGen |
| ECDSA | Cryptographic Signature services | FIPS 186-4, Digital Signature Standard (DSS) | C462 (UCS M4); 1465 (UCS M5) | IC2M | FCS_CKM.1; FCS_COP.1/SigGen |
| CVL – KAS-ECC | Key Agreement | NIST Special Publication 800-56A | C462 (UCS M4); 1926 (UCS M5) | IC2M | FCS_CKM.2 |
| CVL IKE/SSH/SRTP/TLS | Key Agreement | NIST Special Publication 800-56A | C462 (UCS M4); 1927 (UCS M5) | IC2M | FCS_CKM.2 |

The algorithm certificates are applicable to the TOE based on CUBE on CSR1000v running on ESXi with Intel® Xeon® processors as noted in the ST.

The TOE provides cryptography in support of remote administrative management via SSHv2.  IPsec is used to secure the transmission of audit records to the remote syslog server and to the remote authentication servers.  In addition, the TOE uses the X.509v3 certificate for securing the IPsec, SIP, SRTP and TLS connections. 

The TOE also authenticates software updates to the TOE using a published hash.

Data Protection

The TOE provides the capabilities for the Authorized Administrator to define Back-to-Back User Agent (B2BUA) policies that support custom policies to be configured to only permit and/or deny communications through the TOE.

Packet Filter Firewall[1]

 

The TOE provides the capabilities for the Authorized Administrator to define filtering rules based on network protocols. By default, if no filtering policies have been configured, all traffic is allowed.

The TOE can also be configured to monitor and block malicious traffic by parsing the traffic.  The TOE ensures that SIP protocol traffic packets are correctly formatted, such as the Invite, the phone number and the BYE.  The TOE will also inspect to ensure the SIP protocol is associated with the correct SIP ports.  If there is an error detected, audit records will be generated to alert the Authorized Administrator of a potential issue.

In addition, the TOE supports NAT with the configuration settings that allow the setting of separate public and private IP addresses in support of SIP protocol.

Identification and Authentication

The TOE provides authentication services for administrative users to connect to the TOE’s secure CLI administrator interface.  The TOE requires Authorized Administrators to authenticate prior to being granted access to any of the management functionality.  The TOE can be configured to require a minimum password length of 15 characters. The TOE provides administrator authentication against a local user database.  Password-based authentication can be performed on the serial console or SSH interfaces.  The SSHv2 interface also supports authentication using SSH keys.  The TOE also supports use of a RADIUS AAA server (part of the IT Environment) for authentication of administrative users attempting to connect to the TOE’s CLI.

The TOE provides an automatic lockout when a user attempts to authenticate and enters invalid information. After the number of failed remote authentication attempts exceeds the configured allowable attempts, the user is locked out until an authorized administrator enables the user account.

The TOE also supports SIP trunking and can be configured to support authenticated and encrypted SIP traffic.

The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for IPsec, SIP, SRTP and TLS connections.

Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure SSHv2 session or via a local console connection.  The TOE provides the ability to securely manage:

  • Ability to administer the TOE locally and remotely;
  • Ability to configure the access banner;
  • Ability to configure the session inactivity time before session termination;
  • Ability to update the TOE, and to verify the updates using published hash prior to installing those updates;
  • Ability to configure the authentication failure parameters;
  • Ability to configure audit behaviour;
  • Ability to configure the cryptographic functionality;
  • Ability to re-enable an Administrator account;
  • Change a user's password;
  • Require a user's password to be changed upon next login;
  • Configure the auditable events that will result in the generation of an alarm;
  • Configure the back-to-back user agent policy;
  • Configure traffic filtering rules;
  • Configure NAT;
  • Configure SIP communications; and
  • Configure NTP.

The TOE supports the security administrator role, which is referred to as the Authorized Administrator. Only the Authorized Administrator can perform the above security relevant management functions.

Authorized Administrators can create configurable login banners to be displayed at time of login and can define an inactivity timeout threshold for each admin interface to terminate sessions after a set period of inactivity has been reached. 

Protection of the TSF

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators.  The TOE prevents reading of cryptographic keys and passwords.  Additionally, Cisco IOS-XE is not a general-purpose operating system and access to Cisco IOS-XE memory space is restricted to only Cisco IOS-XE functions.

The TOE has an internal clock; however, the TOE synchronizes time with an NTP server and then internally maintains the date and time. This date and time is used as the timestamp that is applied to audit records generated by the TOE.

The TOE performs testing to verify correct operation of the system itself and that of the cryptographic module.

Finally, the TOE is able to verify any software updates prior to the software updates being installed on the TOE to avoid the installation of unauthorized software via a published hash.

Resource Utilization

The total resources available to the TOE are based on the deployment size of the organization and the platform in which the TOE software is installed. As such, the TOE provides the ability for the Authorized Administrator to control the amount of bandwidth used by the endpoints. The bandwidth limits may be set on a call-by-call basis and/or on a total consumption usage basis.

TOE Access

The TOE can terminate inactive sessions after an Authorized Administrator configurable time-period.  Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.  Sessions can also be terminated if an Authorized Administrator enters the “exit” command. 

The TOE can also display a Security Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.

Trusted Path/Channel

The TOE allows trusted paths to be established to itself from remote administrators over SSHv2 and initiates outbound IPsec tunnels to transmit audit messages to remote syslog servers.  In addition, IPsec is used to secure the session between the TOE and the remote authentication servers and uses NTPv4 to secure the connection to the NTP server.    

The TOE also allows secure communications between itself and authorized entities using SRTP and SIP TLS to secure VVoIP signaling and media channels and uses TLS to secure the signaling channel with an ESC.



[1] Packet Filter Firewall functionality required per the SBC EP.


Vendor Information


Cisco Systems, Inc.
Alicia Squires
4103094862
certteam@cisco.com

www.cisco.com