The Target of Evaluation (TOE) is Cisco Catalyst Switches (4503-E, 4506-E, 4507R+E, 4507R-E, 4510R+E, 4510R-E, and 4500X). The following models were evaluated as part of the Cisco Catalyst 4500 Series TOE configuration:
\r\n\r\n
| \r\n Feature \r\n | \r\n\r\n Cisco Catalyst \r\nWS-C4503-E Chassis \r\n | \r\n\r\n Cisco Catalyst \r\nWS-C4506-E Chassis \r\n | \r\n\r\n Cisco Catalyst \r\nWS-C4507R+E Chassis \r\n | \r\n\r\n Cisco Catalyst \r\nWS-C4510R+E Chassis \r\n | \r\n
| \r\n Total number of slots \r\n | \r\n\r\n 3 \r\n | \r\n\r\n 6 \r\n | \r\n\r\n 7 \r\n | \r\n\r\n 10 \r\n | \r\n
| \r\n Line-card slots \r\n | \r\n\r\n 2 \r\n | \r\n\r\n 5 \r\n | \r\n\r\n 5 \r\n | \r\n\r\n 8 \r\n | \r\n
| \r\n Supervisor engine slots \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 2 \r\n | \r\n\r\n 2 \r\n | \r\n
| \r\n Dedicated supervisor engine slot numbers \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 3 and 4 \r\n | \r\n\r\n 5 and 6 \r\n | \r\n
| \r\n Supervisor engine redundancy \r\n | \r\n\r\n No \r\n | \r\n\r\n No \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes (Supervisor V-10GE, 6-E and 7-E) \r\n | \r\n
| \r\n Supervisor engines supported \r\n | \r\n\r\n Supervisor 7-E \r\nSupervisor 7L-E \r\n\r\n | \r\n\r\n Supervisor 7-E \r\nSupervisor 7L-E \r\n\r\n | \r\n\r\n Supervisor 7-E \r\nSupervisor 7L-E \r\n\r\n | \r\n\r\n Supervisor 7-E \r\n\r\n | \r\n
| \r\n Maximum PoE per slot \r\n | \r\n\r\n 1,500W \r\n | \r\n\r\n 1,500W \r\n | \r\n\r\n 1,500W \r\n | \r\n\r\n 1,500W slots 1 and 2, \r\n750W slots 3,4,7-10 \r\n | \r\n
| \r\n Bandwidth scalability per line-card slot \r\n | \r\n\r\n Up to 48 Gbps on all slots \r\n | \r\n\r\n Up to 48 Gbps on all slots \r\n | \r\n\r\n Up to 48 Gbps on all slots \r\n | \r\n\r\n Up to 48 Gbps on all slots[1] \r\n | \r\n
| \r\n Number of power supply bays \r\n | \r\n\r\n 2 \r\n | \r\n\r\n 2 \r\n | \r\n\r\n 2 \r\n | \r\n\r\n 2 \r\n | \r\n
| \r\n AC input power \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n
| \r\n DC Input power \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n
| \r\n Integrated Power over Ethernet \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n\r\n Yes \r\n | \r\n
| \r\n Minimum number of power supplies \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 1 \r\n | \r\n
| \r\n Power supplies supported \r\n | \r\n\r\n ? 1000W AC \r\n? 1400W AC \r\n? 1300W ACV \r\n? 2800W ACV \r\n? 4200W ACV \r\n? 6000W ACV \r\n? 1400W DC (triple input) \r\n? 1400W-DC-P \r\n | \r\n\r\n ? 1000W AC \r\n? 1400W AC \r\n? 1300W ACV \r\n? 2800W ACV \r\n? 4200W ACV \r\n? 6000W ACV \r\n? 1400W DC (triple input) \r\n? 1400W-DC-P \r\n | \r\n\r\n ? 1000W AC \r\n? 1400W AC \r\n? 1300W ACV \r\n? 2800W ACV \r\n? 4200W ACV \r\n? 6000W ACV \r\n? 1400W DC (triple input) \r\n? 1400W-DC-P \r\n | \r\n\r\n ? 1400W AC \r\n? 2800W ACV \r\n? 4200W ACV \r\n? 6000W ACV \r\n? 1400W DC (triple input) \r\n? 1400W-DC-P \r\n | \r\n
| \r\n Number of fan-tray bays \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 1 \r\n | \r\n\r\n 1 \r\n | \r\n
| \r\n Location of 19-inch rack mount \r\n | \r\n\r\n Front \r\n | \r\n\r\n Front \r\n | \r\n\r\n Front \r\n | \r\n\r\n Front \r\n | \r\n
| \r\n Location of 23-inch rack mount \r\n | \r\n\r\n Front (option) \r\n | \r\n\r\n Front (option) \r\n | \r\n\r\n Front (option) \r\n | \r\n\r\n Front (option) \r\n | \r\n
\r\n
The Cisco Catalyst 4500-X Series Switch is a fixed 10 Gigabit Ethernet aggregation platform that provides flexibility through two versions of base switches along with optional uplink module. Both the 32- and 16-port versions can be configured with optional network modules and offer similar features. The Small Form-Factor Pluggable Plus (SFP+) interface supports both 10 Gigabit Ethernet and 1 Gigabit Ethernet ports, allowing upgrades to 10 Gigabit Ethernet when organizational demands change. The uplink module is hot swappable.
\r\nDeployment Options include:
\r\nThe evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Cisco Catalyst 4500 Series TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 revision 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ALC_FLR.2 and ALC_DVS.1. The product, when delivered and configured as identified in Cisco Catalyst Switches (4503-E, 4506-E, 4507R+E, 4507R-E, 4510R+E, 4510R-E, and 4500X) Common Criteria Operational User Guidance and Preparative Procedures document (version .7), satisfies all of the security functional requirements stated in the Cisco Catalyst Switches (4503-E, 4506-E, 4507R+E, 4507R-E, 4510R+E, 4510R-E, and 4500X) Security Target (version 0.098). The project underwent three Validation Oversight Panel (VOR) panel reviews. The evaluation was completed in November 2012. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-10489-0001, dated 13 August 2012) prepared by CCEVS.
","environmental_strengths":"The logical boundaries of Cisco Catalyst Switches (4503-E, 4506-E, 4507R+E, 4507R-E, 4510R+E, 4510R-E, 4500X) TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.
\r\nSecurity Audit — The TOE generates a comprehensive set of audit logs that identify specific TOE operations. For each event, the TOE records the date and time of each event, the type of event, the subject identity, and the outcome of the event. Auditable events include; modifications to the group of users that are part of the authorized administrator roles (assigned the appropriate privilege level), all use of the user identification mechanism, any use of the authentication mechanism, any change in the configuration of the TOE, any matching of packets to access control entries in ACLs when traversing the TOE; and any failure of a packet to match an access control list (ACL) rule allowing traversal of the TOE. The TOE will write audit records to the local logging buffer by default and can be configured to send audit data via syslog to a remote audit server, or display to the local console. The TOE does not have an interface to modify audit records, though there is an interface available for the authorized administrator to delete audit data stored locally on the TOE.
\r\nCryptographic Support — The TOE provides cryptography support for secure communications and protection of information when operated in FIPS mode. The crypto module is FIPS 140-2 SL2 validated. The cryptographic services provided by the TOE include: symmetric encryption and decryption using AES; digital signature using RSA; cryptographic hashing using SHA1; keyed-hash message authentication using HMAC-SHA1.The TOE also implements SSHv2 secure protocol for secure remote administration. In the evaluated configuration, the TOE must be operated in FIPS mode of operation per the FIPS Security Policy.
\r\nTraffic Filtering and Switching (VLAN Processing and ACLs) — VLANs control whether Ethernet frames are passed through the switch interfaces based on the VLAN tag information in the frame header. IP ACLs or ICMP ACLs control whether routed IP packets are forwarded or blocked at Layer 3 TOE interfaces (interfaces that have been configured with IP addresses). VACLs (using access mapping) control whether non-routed frames (by inspection of MAC addresses in the frame header) and packets (by inspection of IP addresses in the packet header) are forwarded or blocked at Layer 2 ports assigned to VLANs. The TOE examines each frame and packet to determine whether to forward or drop it, on the basis of criteria specified within the VLANs access lists and access maps applied to the interfaces through which the traffic would enter and leave the TOE. For those interfaces configured with Layer-3 addressing the ACLs can be configured to filter IP traffic using: the source address of the traffic; the destination address of the traffic; and the upper-layer protocol identifier. Layer-2 interfaces can be made part of Private VLANs (PVLANs), to allow traffic to pass in a pre-defined manner among a primary, and secondary (‘isolated’ or ‘community’) VLANs within the same PVLAN.
\r\nVACL access mapping is used to match IP ACLs or MAC ACLs to the action to be taken by the TOE as the traffic crosses the interface, causing the packet to be forwarded or dropped. The traffic is matched only against access lists of the same protocol type; IP packets can be matched against IP access lists, and any Ethernet frame can be matched against MAC access lists. Both IP and MAC addresses can be specified within the VLAN access map.
\r\nUse of Access Control Lists (ACLs) also allows restriction of remote administration connectivity to specific interfaces of the TOE so that sessions will only be accepted from approved management station addresses identified as specified by the administrator.
\r\nThe TOE supports routing protocols including BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2 to maintain the routing tables. The routing tables can also be configured and maintained manually. Since routing tables are used to determine which egress ACL is applied, the authority to modify the routing tables is restricted to authenticated administrators and authenticated neighbor routers. The only aspects of the routing protocol that is security relevant in this TOE is the ability to authenticate neighbor routers using shared passwords. Other security features and configuration options of routing protocols are beyond the scope of this Security Target and are described in administrative guidance.
\r\nThe TOE supports VACLs (VLAN ACLs), which can filter traffic traversing VLANs on the TOE based on IP addressing and MAC addressing.
\r\nThe TOE also ensures that packets transmitted from the TOE do not contain residual information from previous packets. Packets that are not the required length use zeros for padding so that residual data from previous traffic is never transmitted from the TOE.
\r\nIdentification and Authentication — The TOE performs authentication, using Cisco IOS platform authentication mechanisms, to authenticate access to user EXEC and privileged EXEC command modes. All users wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services. Once a user attempts to access the management functionality of the TOE (via EXEC mode), the TOE prompts the user for a user name and password. Only after the administrative user presents the correct identification and authentication credentials will access to the TOE functionality be granted.
\r\nThe TOE supports use of a remote AAA server (RADIUS and TACACS+) as the enforcement point for identifying and authenticating users, including login and password dialog, challenge and response, and messaging support. For RADIUS, only the password is encrypted, while TACACS+ encrypts the entire packet body except the header. Note the remote authentication server is not included within the scope of the TOE evaluated configuration, it is considered to be provided by the operational environment.
\r\nThe TOE can be configured to display an advisory banner when administrators log in and also to terminate administrator sessions after a configured period of inactivity.
\r\nThe TOE also supports authentication of other routers using router authentication supported by BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2. Each of these protocols supports authentication by transmission of MD5-hashed password strings, which each neighbor router uses to authenticate others. It is noted that per the FIPS Security Policy, that MD5 is not a validated algorithm during FIPS mode of operation. For additional security, it is recommended router protocol traffic also be isolated to separate VLANs.
\r\nSecurity Management — The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs through either a secure session via SSHv2, a terminal server directly connected to the Catalysis Switch (RJ45), or a local console connection (serial port). The TOE provides the ability to perform the following actions:
\r\nAll of these management functions are restricted to the authorized administrator of the TOE.
\r\nThe TOE switch platform maintains administrative privilege level and non-administrative access. Non-administrative access is granted to authenticated neighbor routers for the ability to receive updated routing tables per the information flow rules. There is no other access or functions associated with non-administrative access. The administrative privilege levels include:
\r\nThe term “authorized administrator” is used in this ST to refer to any user which has been assigned to a privilege level that is permitted to perform the relevant action; therefore has the appropriate privileges to perform the requested functions.
\r\nProtection of the TSF — The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication and access controls to limit configuration to authorized administrators. Additionally Cisco IOS is not a general-purpose operating system and access to Cisco IOS memory space is restricted to only Cisco IOS functions.
\r\nThe TOE provides secure transmission when TSF data is transmitted between separate parts of the TOE (encrypted sessions for remote administration (via SSHv2)). A separate VLAN should be used to ensure the routing protocol communications between the TOE and neighbor routers (including routing table updates and neighbor router authentication) is logically isolated from the traffic on other VLANs.
\r\nThe TOE also supports replay detection, though it is only applicable to the encrypted sessions for remote administration via SSHv2. If replay is detected, the packets are discarded.
\r\nIn addition, the TOE internally maintains the date and time. This date and time is used as the time stamp that is applied to TOE generated audit records. Alternatively, an NTP server can be used to synchronize the date-timestamp. Finally, the TOE performs testing to verify correct operation of the switch itself and that of the cryptographic module.
\r\n\r\n
TOE Access — The TOE can terminate inactive sessions after an authorized administrator configurable time-period. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.
\r\nThe TOE can also display a Security Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.
","features":[]}