{"product_id":10403,"v_id":10403,"product_name":"Cisco UCS 5100 Series Blade Server Chassis, B-Series Blade Servers, C-Series Rack-Mount Servers, 2100 and 2200 Series Fabric Extenders, and 6100 and 6200 Series Fabric Interconnects with UCSM 2.0(4b)","certification_status":"Not Certified","certification_date":"2011-12-30T00:12:00Z","tech_type":"Network Management","vendor_id":{"name":"Cisco Systems, Inc.","website":"https://www.cisco.com"},"vendor_poc":null,"vendor_phone":"+1 410 309 4862","vendor_email":"certteam@cisco.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>The Target of Evaluation (TOE) is the Cisco Unified Computing System. The TOE consists of a minimum of one of each of the following components:</p>\r\n<ul>\r\n<li>Cisco UCS Manager components \r\n<ul>\r\n<li>One or more Cisco UCS 6120XP or 6140XP Fabric Interconnects with \r\n<ul>\r\n<li>Cisco UCS Manager Software release 1.4(1m) </li>\r\n</ul>\r\n</li>\r\n</ul>\r\n</li>\r\n<li>Server and Fabric Extenders (choose blade and/or rack mount) \r\n<ul>\r\n<li>Blade server configurations: \r\n<ul>\r\n<li>One or more Cisco UCS 5108 Chassis with: \r\n<ul>\r\n<li>One or more Cisco UCS 2104XP Fabric Extenders </li>\r\n<li>One or more Cisco UCS B200 M1, B200 M2, B230 M1, B250 M1, B250 M2, or B440 M1 Blade Servers; and/or</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n</li>\r\n<li>Rack-Mount Server configurations: \r\n<ul>\r\n<li>One or more Cisco Nexus 2248TP Fabric Extenders</li>\r\n<li>One or more Cisco UCS C200 M1, C200 M2, C210 M1, C210 M2, C250 M1, or C250 M2 Rack-Mount Servers</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<p class=\"Body\">All appliance models comprising the TOE provide the same security functionality. 
&nbsp;They differ only in the number and speed of their network connections and their processing capacity (in terms of memory and processor speeds).</p>\r\n<p>The TOE consists of hardware and software components that support Cisco's unified fabric, which run multiple types of data-center traffic over a single converged network adapter.&nbsp; The UCS features a role based access control policy to control the separation of administrative duties and provide a security log of all changes made.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. &nbsp;The criteria against which the Cisco Unified Computing System TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3.&nbsp; The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3.&nbsp; Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2.&nbsp; The product, when delivered configured as identified in <em>Cisco Unified Computing System (UCS), version 1.4(1m) Common Criteria Operational User Guidance and Preparative Procedures</em> document, satisfies all of the security functional requirements stated in the <em>Cisco Unified Computing System </em>Security Target (Version 1.0). 
&nbsp;The project underwent two Validation Oversight Reviews (VORs).&nbsp; The evaluation was completed in December 2011.&nbsp; Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-10403-2011, dated December 2011) prepared by CCEVS.</p>\r\n<p class=\"Default\">For this evaluation, it was appropriate for the Security Target to claim compliance with the appropriate external standards for all cryptography required for the TOE for the definition of the encryption algorithm.&nbsp; There are many ways of determining compliance with a standard.&nbsp; The Cisco Unified Computing System TOE developer has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. &nbsp;Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.</p>","environmental_strengths":"<p>The logical boundaries of Cisco Unified Computing System TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. &nbsp;Each of these security functions is summarized below.</p>\r\n<p><strong>Security Audit</strong> &ndash; Cisco UCS provides extensive auditing capabilities.&nbsp; The UCS Manager TOE component provides the ability to audit the actions taken by authorized administrators. 
&nbsp;Audited events include start-up and shutdown, configuration changes, administrative authentication, and administrative log-off.&nbsp; The TOE provides the capability for authorized administrators to review the audit records stored within the TOE.&nbsp; The locally stored audit data includes records of events that completed successfully.&nbsp; Audit records for failed events are transmitted from the TOE to a remote syslog server, so the complete set of successful and failed audit events would need to be reviewed via the remote syslog server.</p>\r\n<p><strong>Identification and Authentication </strong>&ndash;<strong> </strong>Cisco UCS supports two methods of authenticating administrator logins on the Cisco UCS Manager: a local user database of passwords (and optionally SSH keys) or a remote authentication server accessed either via LDAP, RADIUS, or TACACS+.&nbsp; The TOE may be configured to use either the local user database or one of the remote authentication methods, but multiple authentication methods may not be selected.&nbsp; Remote authentication may be used to centralize user account management to an external authentication server.&nbsp; When the UCS is deployed in a clustered configuration, all instances of the UCS Manager share the local user database. &nbsp;The system has a default user account, admin, which cannot be modified or deleted. 
&nbsp;This account is the system administrator account and has full privileges.&nbsp; Identification and Authentication services are also extended to the Cisco Integrated Management Controller (CIMC) via IPMI Access Profiles.&nbsp; These provide the ability to access the CIMC via the Intelligent Platform Management Interface (IPMI) using a username/password database stored on the CIMC.</p>\r\n<p><strong>Security Management</strong> &ndash; UCS can be managed using the graphical user interface (over SSL3.1/TLS1.0), the command line (over SSHv2 or by local console access via the RS-232 port), or by manipulating an XML API.&nbsp; Each of these interfaces can be used in the evaluated configuration to administer the UCS.&nbsp; The interfaces all operate on the same XML data structures and provide identical functionality.&nbsp; For all management channels, users have a default read-only authorization to access non-sensitive management objects (keys and passwords are never exposed to an external management interface).&nbsp; Additional user privileges each grant access to modify specific management objects. 
&nbsp;An administrator can use Cisco UCS Manager to perform management tasks for all physical and virtual devices within a Cisco UCS instance.</p>\r\n<p><strong>Network Separation</strong> &ndash; VLANs provide effective traffic separation and better bandwidth utilization, and alleviate scaling issues by logically segmenting the physical local-area network (LAN) infrastructure into different logically separated Layer 2 networks, so that traffic within one VLAN is presented only to interfaces within the same VLAN.</p>\r\n<p>The most important requirement of VLANs is the ability to identify the origination point of traffic with a VLAN tag, to ensure that traffic can only travel to interfaces for which it is authorized.&nbsp; The Cisco UCS 6100 Series Fabric Switch Hardware requires VLANs to function.&nbsp; When the administrator configures network adapters on a per-server basis, VLANs are specified for each adapter.</p>\r\n<p>Virtual SAN (VSAN) technology partitions a single physical Storage Area Network (SAN) into multiple VSANs. &nbsp;VSAN capabilities allow the Cisco UCS 6100 Series Fabric Switch Hardware to logically divide a large physical fabric into separate isolated environments to improve SAN scalability, availability, manageability, and network security.&nbsp; Each VSAN is a logically and functionally separate SAN with its own set of Fibre Channel fabric services. &nbsp;This partitioning of fabric services greatly reduces network instability by containing fabric reconfigurations and error conditions within an individual VSAN. &nbsp;The strict traffic segregation provided by VSANs helps ensure that the control and data traffic of a given VSAN is confined within its own domain, increasing SAN security.&nbsp; Traffic is contained within VSAN boundaries and devices reside in only one VSAN, thus ensuring absolute separation between user groups. &nbsp;This ensures the confidentiality of data traversing the VSAN from users and devices belonging to other VSANs. 
It should be noted that devices such as file servers and tape storage devices are not part of the TOE but part of the TOE environment, and may be configured to participate in a VSAN. &nbsp;Each network interface of a device connected to the TOE may only participate in a single VSAN.</p>\r\n<p><strong>Role Based Access Control</strong> &ndash; Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system, and the locale defines the organizations (domains) to which a user is allowed access. &nbsp;Because users are not directly assigned privileges, management of individual user privileges is simply a matter of assigning the appropriate roles and locales.&nbsp; A user is granted write access to desired system resources only if the assigned role grants the access privileges and the assigned locale allows access. &nbsp;For example, a user with the Server Administrator role in the Engineering organization could update server configurations in the Engineering organization, but would not be able to update server configurations in the Finance organization unless the locales assigned to the user include the Finance organization.</p>","features":[]}