{"product_id":10349,"v_id":10349,"product_name":"Cisco Nexus 7000 Series Switch running software version NX-OS version 5.1(a) and Cisco Secure Access Control Server (ACS) running version 5.2 patch 3","certification_status":"Not Certified","certification_date":"2011-04-27T00:04:00Z","tech_type":"Network Switch","vendor_id":{"name":"Cisco Systems, Inc.","website":"https://www.cisco.com"},"vendor_poc":null,"vendor_phone":"+1 410 309 4862","vendor_email":"certteam@cisco.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>The Target of Evaluation (TOE) is the Nexus 7000 Series Switch running software version NX-OS version 5.1(1a) and the Cisco Secure Access Control Server (ACS) solution running software version 5.2 patch 3. The following models were evaluated:</p>\r\n<ul>\r\n<li>Nexus 7000 Series Switch:</li>\r\n</ul>\r\n<ul>\r\n<li>Cisco Nexus 7000 Series 10-Slot Chassis (Also referred to as the 7010 Switch)</li>\r\n<li>Cisco Nexus 7000 Series 18-Slot Chassis (Also referred to as the 7018 Switch)</li>\r\n<li>Cisco Nexus 7000 Series Supervisor Module&nbsp; (plugs into either the 10-Slot or 18-Slot chassis)</li>\r\n<li>Cisco Nexus 7000 10-Slot Chassis 46Gbps/Slot Fabric Module (plugs into the 10-Slot chassis)</li>\r\n<li>Cisco Nexus 7000 18-Slot Chassis 46Gbps/Slot Fabric Module (plugs into the 18-Slot chassis)</li>\r\n<li>Cisco Nexus 7000 Series 32-Port 10Gb Ethernet Module with 80Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)</li>\r\n<li>Cisco Nexus 7000 Series 48-Port 10/100/1000 Ethernet Module with 46 Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)</li>\r\n<li>Cisco Nexus 7000 Series 48-Port Gigabit Ethernet SFP Module with 46 Gbps Fabric(plugs into either the 10-Slot or 18-Slot chassis) </li>\r\n<li>Cisco Nexus 7000 Series 8-Port 10Gigabit Ethernet X2 XL Module with 80 Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)</li>\r\n<li>Cisco Nexus 7000 Series 48-Port Gigabit 
Ethernet&nbsp; XL SFP Module with 46 Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)</li>\r\n<li>Cisco CAM25 appliance &ndash; 1120 or 1121 running the ACS software</li>\r\n</ul>\r\n<ul>\r\n<li>ACS</li>\r\n</ul>\r\n<p class=\"Body\">&nbsp;</p>\r\n<p class=\"Body\">All appliance models comprising the TOE provide the same security functionality. They differ only in the number and speed of their network connections and their processing capacity (in terms of memory and processor speeds).</p>\r\n<p>The Nexus 7000 TOE component is a data center-class switch for 10 Gigabit Ethernet networks with a fabric architecture that scales to 15 terabits per second (Tbps). The Nexus 7000 TOE is both IPv4 and IPv6 capable.</p>\r\n<p>&nbsp;</p>\r\n<p class=\"Body\">The ACS TOE component is an Administration, Authorization, and Accounting &nbsp;(AAA) server that provides authentication services and supports the implementation of information flow policies by the Nexus 7000 switch TOE component.&nbsp; The AAA services provided by the ACS server include RADIUS and TACACS+ for authentication.&nbsp; The ACS server also maintains the authentication credentials for the Network Devices that are part of the TOE protected network and the authentication credentials for the Endpoints attempting to connect to the TOE protected network.&nbsp; Finally, the ACS TOE component creates the PAC Key used in the protection of packets on the TOE protected network. The PAC Key and all Transport Layer Security (TLS) 1.0 and Secure Shell (SSH) v2 communications are performed using FIPS validated cryptography (see certificates #1533 and #1534).</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. 
The criteria against which the Cisco Nexus 7000 Series Switch and ACS TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3.&nbsp; The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3.&nbsp; Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2.&nbsp; The product, when delivered configured as identified in <em>Cisco Nexus 7000 Series Switch Preparative Procedures Wrapper, Version 0.5, February 2011 </em>document, satisfies all of the security functional requirements stated in the Cisco Nexus 7000 Switch Series Security Target (Version 1.0). The project underwent one Validation Oversight Panel (VOR) panel review.&nbsp; The evaluation was completed in April 2011.&nbsp; Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-10349-2011, dated April 2011) prepared by CCEVS.</p>","environmental_strengths":"<p>The logical boundaries of the Nexus 7000 and ACS TOE are realized in the security functions that they implement. These security functions are realized at the Nexus 7000 and ACS interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.</p>\r\n<p>&nbsp;</p>\r\n<p><strong>Data Plane Information Flow Control </strong>&ndash;<strong> </strong>The TOE provides the ability to control traffic flow into or out of the Nexus 7000 switch using Routing Access Control Lists (RACLs), Port Access Control Lists (PACLs), VLAN Access Control Lists (VACLs), and Virtual Routing and Forwarding (VRF). A RACL is an administratively configured access control list that is applied to Layer 3 traffic that is routed into or out of the Nexus 7000 switch. 
A PACL is an administratively configured access control list that is applied to Layer 2 traffic that is routed into the Nexus 7000 switch. A VACL is an administratively configured access control list that is applied to packets that are routed into or out of a VLAN or are bridged within a VLAN. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VRFs allow multiple instances of routing tables to exist within the Nexus 7000 switch TOE component simultaneously.</p>\r\n<p><strong>&nbsp;</strong></p>\r\n<p><strong>Data Plane Information Flow Accountability</strong> - The Nexus 7000 switch TOE component provides the ability to audit the information flow decisions associated with RACLs, PACLs, and VACLs. Audited events include when a packet matches a configured RACL, PACL IP ACLs rule, when a packet matches a configured VACL IP ACLs rule, when a packet is dropped as the result of matching a configured VACL IP ACLs rule, when a packet matches a configured PACL MAC ACLs rule, when a packet matches a configured VACL MAC ACLs rule, or when a packet is dropped as the result of matching a configured VACL MAC ACLs rule.</p>\r\n<p>&nbsp;</p>\r\n<p><strong>Cisco TrustSec (CTS)</strong> - The Cisco TrustSec security architecture builds secure networks by establishing clouds of trusted network devices. Each device in the cloud is authenticated by its neighbors. Communication on the links between devices in the cloud is secured with a combination of encryption and message integrity checks. Cisco TrustSec also uses the device and user identification information acquired during authentication for classifying traffic as it enters the network. 
This traffic classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path.</p>\r\n<p>&nbsp;</p>\r\n<p><strong>Management</strong> <strong>Security </strong>- Users must be authenticated prior to gaining access to the administrative functionality of the Nexus 7000 switch and ACS TOE components.&nbsp; Administrative authentication options include RADIUS or TACACS+ authentication facilitated by the ACS TOE component and authentication against a database local to the Nexus 7000 appliance.&nbsp; Both the Nexus 7000 switch and ACS TOE components also audit administrator actions.</p>\r\n<p class=\"Body\"><strong>&nbsp;</strong></p>\r\n<p class=\"Body\"><strong>Virtualization and Availability</strong> &ndash; The TOE provides several measures to help assure that the Nexus 7000 switch is able to constantly provide the desired switching services.&nbsp; The TOE protects the Virtual Device Contexts resident within the Nexus 7000 switch from interfering with other Virtual Device Contexts. The TOE also provides several traffic control policies specifically to ensure that the TOE services are available to legitimate traffic.</p>","features":[]}