NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - Cisco Unified Communications Manager and the IM and Presence Service v12.5

Certificate Date:  2021.01.11

Validation Report Number:  CCEVS-VR-VID11094-2021

Product Type:    Network Device
   SIP Server

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.1
  Extended Package for Enterprise Session Controller (ESC) Version 1.0

CC Testing Lab:  Acumen Security




Product Description

The Cisco Unified Communications Manager and the IM and Presence Service v12.5 Target of Evaluation (TOE) is a distributed TOE. Deployment of the TOE in its evaluated configuration consists of at least one CUCM component and at least one IM&P component and the required IT environment components in Table 2 (see evaluated configuration section). The evaluated configuration of each CUCM and IM&P component is limited to only one vND instance for each physical platform. In addition, there must be no other guest VMs providing non-network device functionality.


Evaluated Configuration

The Cisco Unified Communications Manager and the IM and Presence Service v12.5 Target of Evaluation (TOE) is a distributed TOE. Deployment of the TOE in its evaluated configuration consists of at least one CUCM component and at least one IM&P component and the required IT environment components in Table 2.   The evaluated configuration of each CUCM and IM&P component is limited to only one vND instance for each physical platform.  In addition, there must be no other guest VMs providing non-network device functionality.

The TOE physical boundary consists of the CUCM and IM&P components as denoted by hashed red lines in Figure 1 below: 

Figure 1: TOE Example Deployment

In Figure 1, the following are considered to be in the IT environment:

·         NTP Servers (connection is NTPv4)
·         Video and Voice Endpoints (SIP over TLS)
·         Extensible Messaging and Presence Protocol clients (XMPP over HTTPS)
·         Management Workstation (secure connection is HTTPS)
·         Syslog Server (secure connection is TLS)
·         DNS Server (does not require a secure connection)
·         OCSP Responder (does not require a secure connection)

Physical Scope of the TOE

The TOE components are Cisco Unified Communications Manager (CUCM) and the IM and Presence (IM&P) Service.  Each TOE component is comprised of the following physical specifications:

Hardware/Software Models and Specifications

TOE Component: Cisco Unified Communications Manager with CentOS 7.6

UCS C-Series M5 Hardware Specifications:

·         Form Factor:
o    UCS C220 M5: 1RU
o    UCS C240 M5: 2RU
·         Memory: 24 DDR4 DIMM slots: 8, 16, 32, 64, and 128 GB up to 2666 MHz
·         Internal Storage, backplane options, UCS C220 M5:
o    Up to 10 x 2.5-inch SAS and SATA HDDs and SSDs and up to 2 NVMe PCIe drives
o    Up to 10 x 2.5-inch NVMe PCIe drives
o    Up to 4 x 3.5-inch SAS and SATA HDDs and SSDs and up to 2 NVMe PCIe drives
·         Internal Storage, backplane options, UCS C220 M5:
o    Up to 26 x 2.5-inch SAS and SATA HDDs and SSDs and up to 4 NVMe PCIe drives
o    Up to 10 x 2.5-inch NVMe PCIe and 16 SAS and SATA HDDs and SSDs
o    Up to 12 x 3.5-inch SAS and SATA HDDs and SSDs, and 2 rear 2.5-inch HDDs and SSDs and up to 4 NVMe PCIe drives
·         Ports:
o    1x RJ-45 console port
o    2x USB 3.0 ports
o    1x RJ-45 management port
o    2x 10GBASE-T ports
o    VGA connector
o    One KVM console connector (supplies two USB 2.0 connectors, one VGA DB15 video connector, and one serial port (RS232) RJ45 connector)
·         CPU: Intel Xeon Cascade Lake SP (Cascade Lake microarchitecture)

TOE Component: Cisco IM and Presence Service with CentOS 7.6

UCS C-Series M5 Hardware Specifications:

·         Form Factor:
o    UCS C220 M5: 1RU
o    UCS C240 M5: 2RU
·         Memory: 24 DDR4 DIMM slots: 8, 16, 32, 64, and 128 GB up to 2666 MHz
·         Internal Storage, backplane options, UCS C220 M5:
o    Up to 10 x 2.5-inch SAS and SATA HDDs and SSDs and up to 2 NVMe PCIe drives
o    Up to 10 x 2.5-inch NVMe PCIe drives
o    Up to 4 x 3.5-inch SAS and SATA HDDs and SSDs and up to 2 NVMe PCIe drives
·         Internal Storage, backplane options, UCS C220 M5:
o    Up to 26 x 2.5-inch SAS and SATA HDDs and SSDs and up to 4 NVMe PCIe drives
o    Up to 10 x 2.5-inch NVMe PCIe and 16 SAS and SATA HDDs and SSDs
o    Up to 12 x 3.5-inch SAS and SATA HDDs and SSDs, and 2 rear 2.5-inch HDDs and SSDs and up to 4 NVMe PCIe drives
·         Ports:
o    1x RJ-45 console port
o    2x USB 3.0 ports
o    1x RJ-45 management port
o    2x 10GBASE-T ports
o    VGA connector
o    One KVM console connector (supplies two USB 2.0 connectors, one VGA DB15 video connector, and one serial port (RS232) RJ45 connector)
·         CPU: Intel Xeon Cascade Lake SP (Cascade Lake microarchitecture)


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Unified Communications Manager 12.5 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation is conformant to the collaborative Protection Profile for Network Devices (NDcPP) (v2.1, 11 March 2019) and the Network Device Collaborative Protection Profile (NDcPP) Extended Package Enterprise Session Controller (ESC EP) (v1.0, 25 October 2016). The product, when delivered and configured as identified in the Cisco Unified Communications Manager 12.5 Common Criteria Configuration Guide, satisfies all of the security functional requirements stated in the Cisco Unified Communications Manager 12.5 Common Criteria Security Target. The project underwent CCEVS Validator review. The evaluation was completed in January 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below:

·         Security Audit

·         Communication

·         Cryptographic Support

·         User Data Protection

·         Identification and Authentication

·         Security Management

·         Protection of the TSF

·         TOE Access

·         Trusted Path/Channels

These features are described in more detail in the subsections below. In addition, the TOE implements all RFCs of the NDcPP v2.1 and ESC EP v1.0 as necessary to satisfy testing and assurance measures prescribed therein.

Security Audit

Auditing allows Security Administrators to discover intentional and unintentional issues with the TOE’s configuration and/or operation. Auditing of administrative activities provides information that may be used to hasten corrective action should the system be configured incorrectly. Security audit data can also provide an indication of failure of critical portions of the TOE (e.g. a communication channel failure) or of anomalous activity of a suspicious nature (e.g. establishment of an administrative session at a suspicious time, repeated failures to establish sessions or authenticate to the TOE).

The TOE provides extensive capabilities to generate audit data targeted at detecting such activity.  The TOE generates an audit record for each auditable event.  Each security relevant audit event has the date, timestamp, event description, and subject identity. 

The TOE also generates Call Detail Records (CDR) which contain log information about each VVoIP call processed by the CUCM TOE component.

Each TOE component stores audit data locally and each component transmits its own audit data in real-time to a specified syslog audit server.  For a secure connection to the remote syslog server, TLS is used to protect the communication channel.

Communication

The TOE provides a secure internal channel, under control of the Security Administrator, for the IM&P component to register and join the CUCM to form a distributed TOE.

Cryptographic Support

The TOE provides cryptographic functions to support HTTPS/TLS communication protocols.  The cryptographic algorithm implementation has been validated for CAVP conformance.  This includes key generation and random bit generation, key establishment methods, key destruction, and the various types of cryptographic operations to provide AES encryption/decryption, signature verification, hash generation, and keyed hash generation.  All cryptography is implemented using the CiscoSSL FOM cryptographic module.  Refer to Table 1 for identification of the relevant CAVP certificates.

Table 1 CAVP Certificates

| TOE Component | SFR | Selection | Algorithm | Certificate Number |
| --- | --- | --- | --- | --- |
| CUCM, IM&P | FCS_CKM.1/KeyGen – Cryptographic Key Generation; FCS_COP.1/SigGen – Cryptographic Operation (Signature Generation and Verification) | P-256, P-384, P-521; 2048 | ECDSA; RSA | A511 |
| CUCM, IM&P | FCS_CKM.2/KeyEst – Cryptographic Key Establishment | P-256, P-384, P-521 | KAS-ECC | A511 |
| CUCM, IM&P | FCS_COP.1/DataEncryption – AES Data Encryption/Decryption | AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256 | AES | A511 |
| CUCM, IM&P | FCS_COP.1/Hash – Cryptographic Operation (Hash Algorithm) | SHA-1, SHA-256, SHA-384 | SHS | A511 |
| CUCM, IM&P | FCS_COP.1/KeyedHash – Cryptographic Operation (Keyed Hash Algorithm) | HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 | HMAC | A511 |
| CUCM, IM&P | FCS_RBG_EXT.1 – Random Bit Generation | CTR_DRBG (AES) | DRBG | A511 |

User Data Protection

The TOE ensures VVoIP calls are set up using the SIP call control protocol prior to redirecting streaming media data between the endpoints.

If the organization has a policy that requires all data on all disks to be cleared, the TOE provides the Security Administrator the ability to wipe all residual information from storage.

Identification and authentication

The TOE implements two types of authentication:  1) X.509v3 certificate-based authentication for remote devices; and 2) password-based authentication for Security Administrators.  Device-level authentication allows the TOE to establish a secure communication channel with remote endpoints and devices over TLS. 

Security Administrators have the ability to compose strong passwords of 15 characters in length which are stored in an obscured form.  Additionally, the TOE detects and tracks successive unsuccessful remote authentication attempts and will prevent the offending account from further attempts if a Security Administrator defined threshold is reached.

Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure HTTPS session or via a local console connection.  The TOE provides the ability to securely manage:

·         Ability to administer the TOE locally and remotely;
·         Ability to configure the access banner;
·         Ability to configure the session inactivity time before session termination or locking;
·         Ability to update the TOE, and to verify the updates using digital signature capability prior to installing those updates;
·         Ability to configure the authentication failure parameters for FIA_AFL.1;
·         Ability to display the real-time connection status of all VVoIP endpoints (hardware and software) and telecommunications devices;
·         Ability to clear all TSF data stored on disk;
·         Ability to configure audit behavior;
·         Ability to manage cryptographic keys;
·         Ability to configure the cryptographic functionality;
·         Ability to configure the interaction between TOE components;
·         Ability to re-enable an Administrator account;
·         Ability to configure NTP;
·         Ability to configure the reference identifier for the peer;
·         Ability to manage the TOE's trust store and designate X.509v3 certificates as trust anchors;
·         Ability to import X.509v3 certificates to the TOE's trust store.

The TOE supports the security administrator and user roles. Both roles are considered to be Authorized Administrators that can perform the above security-relevant management functions.

Protection of the TSF

The TOE protects critical security data including keys and passwords against tampering by untrusted subjects and prevents unintentional flow of any data or information should the TOE encounter a critical error.  The TOE ensures software updates are authentic by verifying those updates are from Cisco Systems, Inc.

The TOE provides a secure internal channel, under control of the Security Administrator, between the CUCM and IM&P TOE components.  The TOE protects this communication channel with TLS.

The TOE ensures accurate date and time by implementing a clock function reliant upon NTP Servers in the IT Environment.  Accurate system time is used by the TOE to support monitoring local and remote interactive administrative sessions for inactivity, validating X.509 certificates (to determine if a certificate has expired), and to support accurate timestamps in audit records.

TOE Access

At each administrative interface the TOE is capable of displaying a Security Administrator specified advisory notice and consent warning message prior to initiating identification and authentication. Once the Security Administrator has successfully authenticated, the TOE monitors both local and remote admin sessions for inactivity and terminates the session when a threshold time period is reached. If a session has been terminated, the TOE requires the user to re-authenticate.

Trusted path/Channels

The TOE provides encryption (protection from disclosure and detection of modification) for communication paths between itself and remote endpoints.

In addition, the TOE provides two-way authentication of each endpoint in a cryptographically secure manner, meaning that even if there was a malicious attacker between the two endpoints, any attempt to represent themselves to either endpoint of the communications path as the other communicating party would be detected.

Excluded Functionality

The functionality listed below is not included in the evaluated configuration:

Table 2 Excluded Functionality

| Excluded Functionality | Exclusion Rationale |
| --- | --- |
| Non-FIPS and non-CC modes of operation | The TOE includes FIPS and CC modes of operation. FIPS mode allows the TOE to use only approved cryptography, and CC mode removes the ability to use PFS ciphersuites for DTLS. FIPS and CC modes of operation must be enabled in order for the TOE to be operating in its evaluated configuration. |

Additionally, the TOE includes a number of functions where there are no Security Functional Requirements that apply from the collaborative Protection Profile for Network Devices v2.1 or the Extended Package Enterprise Session Controller (ESC EP) Version 1.0.  The excluded functionality does not affect the TOE’s conformance to the claimed Protection Profiles.


Vendor Information


Cisco Systems, Inc.
Lisa Rogers
(410) 309-4862
certteam@cisco.com

cisco.com