Compliant Product - Cisco Network Convergence System (NCS) 1000 Series
Certificate Date: 2020.07.07
CC Certificate | Security Target * | Validation Report
Validation Report Number: CCEVS-VR-VID11093-2020
Product Type: Router
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
CC Testing Lab: Gossamer Security Solutions
* This is the Security Target (ST) associated with the latest Maintenance Release.
The Cisco Network Convergence System 1000 Series TOE is a purpose-built routing platform that is primarily used for interconnecting data centers at mass scale.
The NCS 1000 optimizes Data Center Interconnect and is designed to scale with flexibility and automated operations. The NCS 1000 also scales efficiently and flexibly through its fully programmable, high-bandwidth capacity.
The NCS1000 router runs IOS-XR, a distributed microkernel-based network operating system. IOS-XR can process data as it comes into the router without buffering delays. The microkernel is responsible for specific functions such as memory management, interrupt handling, scheduling, task switching, synchronization, and inter-process communication. The microkernel's functions do not include other system services such as device drivers, file system, and network stacks; those services are implemented as independent processes outside the kernel, and they can be restarted like any other application.
The TOE is the Cisco Network Convergence System 1000 Series and consists of the following hardware models running IOS-XR 7.0 software:
· NCS 1001
· NCS 1004
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Cisco Network Convergence System 1000 Series Common Criteria Operational User Guidance and Preparative Procedures, Version 1.0, July 7, 2020 document, satisfies all of the security functional requirements stated in the Cisco Network Convergence System 1000 Series Security Target, Version 1.0, July 7, 2020. The project underwent CCEVS Validator review. The evaluation was completed in June 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.
Auditing allows Security Administrators to discover intentional and unintentional issues with the TOE’s configuration and/or operation. Auditing of administrative activities provides information that may be used to hasten corrective action should the system be configured incorrectly. Security audit data can also provide an indication of failure of critical portions of the TOE (e.g. a communication channel failure) or of anomalous activity of a suspicious nature (e.g. establishment of an administrative session at a suspicious time, repeated failures to establish sessions or authenticate to the TOE).
The TOE provides extensive capabilities to generate audit data targeted at detecting such activity. The TOE generates an audit record for each auditable event. Each security-relevant audit event has the date, timestamp, event description, and subject identity. The TOE provides a circular audit trail. Audit logs are transmitted to an external audit server over a trusted channel protected with TLS.
The TOE provides cryptography in support of other TOE security functionality. All the algorithms claimed have CAVP certificates (Operational Environment: Intel Atom). The TOE leverages the Cisco FIPS Object Module 6.0, which resides in the IOS-XR software.
The TOE provides cryptography in support of remote administrative management via SSHv2 and secures the session between the NCS1000 and remote syslog server using TLS.
Identification and authentication:
The TOE provides authentication services for administrative users wishing to connect to the TOE's secure CLI administrator interface. The TOE requires Authorized Administrators to authenticate prior to being granted access to any of the management functionality. The TOE can be configured to require a minimum password length of 15 characters as well as mandatory password complexity rules. After a configurable number of incorrect login attempts, the NCS1000 will lock out the account until a configured lockout time expires.
The TOE provides administrator authentication against a local user database. Password-based authentication can be performed on the serial console or SSH interfaces. The SSHv2 interface also supports authentication using SSH keys.
The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for TLS connections.
The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure SSHv2 session or via a local console connection. The TOE provides the ability to securely manage all TOE administrative users; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE; and updates to the TOE. The TOE supports a privileged administrator. Only the privileged administrator can perform the above security-relevant management functions.
Administrators can create configurable login banners to be displayed at time of login and can also define an inactivity timeout for each admin interface to terminate sessions after a set period of inactivity.
Protection of the TSF:
The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators. The TOE prevents reading of cryptographic keys and passwords. Additionally, Cisco IOS-XR is not a general-purpose operating system and access to Cisco IOS-XR memory space is restricted to only Cisco IOS-XR functions.
The TOE internally maintains the date and time. This date and time is used as the timestamp that is applied to audit records generated by the TOE. Administrators can update the TOE’s clock manually. Finally, the TOE performs testing to verify correct operation of the router itself and that of the cryptographic module.
The TOE can verify any software updates prior to the software updates being installed on the TOE to avoid the installation of unauthorized software.
The TOE can terminate inactive sessions after a time period configurable by an Authorized Administrator. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session.
The TOE can also display a banner specified by an Authorized Administrator on the CLI management interface prior to allowing any administrative access to the TOE.
The TOE establishes a trusted path between the appliance and the CLI using SSHv2, and between the appliance and the syslog server using TLS.
Cisco Systems, Inc.