Compliant Product - Cisco Unified Communications Manager (CUCM) 12.5
Certificate Date: 2020.12.16
Validation Report Number: CCEVS-VR-VID11092-2020
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
Extended Package for Enterprise Session Controller (ESC) Version 1.0
CC Testing Lab: Acumen Security
The TOE consists of CUCM v12.5 software installed on VMware ESXi 6.5 or higher running on one (1) or more UCS M5 appliances as specified below. The evaluated configuration of the CUCM v12.5 TOE is limited to only one vND instance for each physical platform. In addition, there must be no other guest VMs providing non-network device functionality.
The TOE configuration specifies the SIP ports and other properties such as the server name and date-time settings. The TOE connects to an NTP server via NTPv4 on its internal network for time services. The TOE is administered using the Cisco Unified Communications Manager Administration program from a workstation that is neither the web server nor has Cisco Unified Communications Manager installed. No browser software exists on the CUCM server. When connecting to the CUCM, the management workstation must be connected to an internal network and must use HTTPS to secure the connection to the TOE. A syslog server is also required to store audit records. The audit server must be attached to the internal (trusted) network and the connection to the server must be secured using TLS.
The following figure provides a visual depiction of an example TOE deployment. The TOE boundary is surrounded with a hashed red line.
Figure 1: TOE Example Deployment
In Figure 1 the following are considered to be in the IT Environment:
o DNS Server (does not require a secure connection)
o Certificate Authority (CA) and OCSP Responder (does not require a secure connection)
o Management Workstation (secure connection is HTTPS (over TLS))
o NTP Servers (connection is NTPv4)
o Peer ESC (secure connection is TLS)
o Syslog Server (secure connection is TLS)
o Video and Voice End-points (VVoIP) (secure connection is SIP over TLS)
Physical Scope of the TOE
The TOE is comprised of hardware and software. The hardware platform is the UCS C220 M5 or the UCS C240 M5 as described below. The software is VMware ESXi 6.5 and CUCM v12.5 with CentOS 7.6. The network, on which the TOE resides, is considered part of the environment.
Hardware/Software Models and Specifications
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Unified Communications Manager 12.5 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation is conformant to the collaborative Protection Profile for Network Devices (NDcPP) (v2.1, 11 March 2019) and the Network Device Collaborative Protection Profile (NDcPP) Extended Package Enterprise Session Controller (ESC EP) (v1.0, 25 October 2016). The product, when delivered and configured as identified in the Cisco Unified Communications Manager 12.5 Common Criteria Configuration Guide, satisfies all of the security functional requirements stated in the Cisco Unified Communications Manager 12.5 Common Criteria Security Target. The project underwent CCEVS Validator review. The evaluation was completed in December 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
· Security Audit
· User Data Protection
· Cryptographic Support
· Identification and Authentication
· Security Management
· Protection of the TSF
· TOE Access
· Trusted Path/Channels
These features are described in more detail in the subsections below. In addition, the TOE implements all RFCs of the NDcPP v2.1 and ESC EP v1.0 as necessary to satisfy testing and assurance measures prescribed therein.
Auditing allows Security Administrators to discover intentional and unintentional issues with the TOE’s configuration and/or operation. Auditing of administrative activities provides information that may be used to hasten corrective action should the system be configured incorrectly. Security audit data can also provide an indication of failure of critical portions of the TOE (e.g. a communication channel failure) or of anomalous activity of a suspicious nature (e.g. establishment of an administrative session at a suspicious time, repeated failures to establish sessions or authenticate to the TOE).
The TOE provides extensive capabilities to generate audit data targeted at detecting such activity. The TOE generates an audit record for each auditable event. Each security relevant audit event has the date, timestamp, event description, and subject identity.
The TOE also generates Call Detail Records (CDR) which contain log information about each VVoIP call processed by the CUCM TOE.
The TOE transmits its audit messages to an external syslog server over a secure TLS channel.
The TOE provides cryptographic functions to support HTTPS/TLS communication protocols. The cryptographic algorithm implementation has been validated for CAVP conformance. This includes key generation and random bit generation, key establishment methods, key destruction, and the various types of cryptographic operations to provide AES encryption/decryption, signature verification, hash generation, and keyed hash generation. All cryptography is implemented using the CiscoSSL FOM 6.2 cryptographic module. Refer to Table 1 for algorithm certificate references.
The algorithm certificates are applicable to the TOE based on CUCM and Intel® Xeon® processors as noted above.
The TOE provides cryptography in support of remote administrative management via HTTPS/TLS and of the secure connection to an external audit server using TLS. The TOE uses the X.509v3 certificate for securing TLS connections.
The TOE also ensures software updates to the TOE are from Cisco Systems, Inc. using digital signature verification.
The TOE ensures VVoIP calls are set up using the SIP call control protocol prior to redirecting streaming media data between the endpoints.
If the organization has a policy that requires all data on all disks to be cleared, the TOE provides the Security Administrator the ability to wipe all residual information from storage.
Identification and authentication
The TOE implements two types of authentication: 1) X.509v3 certificate-based authentication for remote devices; and 2) password-based authentication for Security Administrators. Device-level authentication allows the TOE to establish a secure communication channel with remote endpoints over TLS.
Security Administrators have the ability to compose strong passwords of 15 characters in length which are stored in an obscured form. Additionally, the TOE detects and tracks successive unsuccessful remote authentication attempts and will prevent the offending account from further attempts if a Security Administrator defined threshold is reached.
The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure HTTPS session or via a local console connection. The TOE provides the ability to securely manage:
· Ability to administer the TOE locally and remotely;
· Ability to configure the access banner;
· Ability to configure the session inactivity time before session termination or locking;
· Ability to update the TOE, and to verify the updates using digital signature capability prior to installing those updates;
· Ability to configure the authentication failure parameters for FIA_AFL.1;
· Configure the number of failed administrator authentication attempts;
· Ability to enable/disable voice and video recordings for any registered VVoIP endpoint;
· Ability to display the real-time connection status of all VVoIP endpoints (hardware and software) and telecommunications devices;
· Ability to clear all TSF data stored on disk;
· Ability to configure audit behavior;
· Ability to configure the cryptographic functionality;
· Ability to re-enable an Administrator account; and
· Ability to configure NTP.
The TOE supports the security administrator and user roles. Both roles are considered to be Authorized Administrators that can perform the above security relevant management functions.
The TOE protects critical security data including keys and passwords against tampering by untrusted subjects and prevents unintentional flow of any data or information should the TOE encounter a critical error. The TOE ensures software updates are authentic by verifying those updates are from Cisco Systems, Inc.
The TOE ensures accurate date and time by implementing a clock function reliant upon NTP Servers in the IT Environment. Accurate system time is used by the TOE to support monitoring local and remote interactive administrative sessions for inactivity, validating X.509 certificates (to determine if a certificate has expired), and to support accurate timestamps in audit records.
At each administrative interface, the TOE is capable of displaying a Security Administrator specified advisory notice and consent warning message prior to initiating identification and authentication. Once the Security Administrator has successfully authenticated, the TOE monitors both local and remote admin sessions for inactivity and terminates a session when a threshold time period is reached. If a session has been terminated, the TOE requires the user to re-authenticate.
The TOE allows trusted paths to be established to itself from remote administrators over HTTPS and initiates secure TLS connections to transmit audit messages to remote syslog servers.
The connection to NTP is secured using NTPv4. The TOE also allows secure communications between itself and a VVoIP endpoint using TLS and between itself and another ESC Server using TLS.
Excluded Functionality
The following functionality is excluded from the evaluation.
Cisco Systems, Inc.