The Target of Evaluation (TOE) is Cisco Catalyst 6500 Series running IOS 15.0(1)SY1. The following models were evaluated:
\r\n\r\n
\r\n
The TOE is a switching and routing platform used to construct IP networks by interconnecting multiple smaller networks or network segments. As a Layer2 switch, it performs analysis of incoming frames, makes forwarding decisions based on information contained in the frames, and forwards the frames toward the destination. As a Layer3 switch/router, it supports routing of traffic based on tables identifying available routes, conditions, distance, and costs to determine the best route for a given packet. Routing protocols used by the TOE include BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2. BGPv4, EIGRP, and EIGRPv6 supports routing updates with IPv6 or IPv4, while RIPv2 and OSPFv2 routing protocol support routing updates for IPv4 only.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Cisco Catalyst 6500 Series TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ALC_FLR.2 and ALC_DVS.1. The product, when delivered configured as identified in Cisco Catalyst 6500 Series Common Criteria Operational User Guidance and Preparative Procedures document, satisfies all of the security functional requirements stated in the Cisco Catalyst 6500 Series Security Target (Version 1.0). The project underwent one Validation Oversight Panel (VOR) panel review. The evaluation was completed in August 2012. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-10490-2012, dated August 2012) prepared by CCEVS.
","environmental_strengths":"The logical boundaries of Cisco Catalyst 6500 Series TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.
\r\nSecurity audit - The TOE generates audit messages that identify specific TOE operations. For each event, the TOE records the date and time of each event, the type of event, the subject identity, and the outcome of the event. Auditable events include: modifications to the group of users that are part of the authorized administrator roles (assigned the appropriate privilege level), all use of the user identification mechanism; any use of the authentication mechanism; any change in the configuration of the TOE; any matching of packets to access control entries in ACLs when traversing the TOE; and any failure of a packet to match an access control list (ACL) rule allowing traversal of the TOE. The TOE will write audit records to the local logging buffer by default and can be configured to send audit data via syslog to a remote audit server, or display to the local console. The TOE does not have an interface to modify audit records, though there is an interface available for the authorized administrator to delete audit data stored locally on the TOE.
\r\nCryptographic support - The TOE provides cryptography support for secure communications and protection of information when operated in FIPS mode. The crypto module is FIPS 140-2 SL2 validated (certificate number 1717). The cryptographic services provided by the TOE include: symmetric encryption and decryption using AES; digital signature using RSA; cryptographic hashing using SHA1; and keyed-hash message authentication using HMAC-SHA1. The TOE also implements SSHv2 for secure remote administration. In the evaluated configuration, the TOE must be operated in FIPS mode of operation per the FIPS Security Policy (certificate 1717).
\r\nTraffic Filtering and Switching (VLAN Processing and ACLs) - VLANs control whether Ethernet frames are passed through the switch interfaces based on the VLAN tag information in the frame header. IP ACLs or ICMP ACLs control whether routed IP packets are forwarded or blocked at Layer 3 TOE interfaces (interfaces that have been configured with IP addresses). VACLs (using access mapping) control whether non-routed frames (by inspection of MAC addresses in the frame header) and packets (by inspection of IP addresses in the packet header) are forwarded or blocked at Layer 2 ports assigned to VLANs. The TOE examines each frame and packet to determine whether to forward or drop it, on the basis of criteria specified within the VLANs access lists and access maps applied to the interfaces through which the traffic would enter and leave the TOE. For those interfaces configured with Layer-3 addressing the ACLs can be configured to filter IP traffic using: the source address of the traffic; the destination address of the traffic; and the upper-layer protocol identifier. Layer-2 interfaces can be made part of Private VLANs (PVLANs), to allow traffic to pass in a pre-defined manner among a primary, and secondary (‘isolated’ or ‘community’) VLANs within the same PVLAN.
\r\nVACL access mapping is used to match IP ACLs or MAC ACLs to the action to be taken by the TOE as the traffic crosses the interface, causing the packet to be forwarded or dropped. The traffic is matched only against access lists of the same protocol type; IP packets can be matched against IP access lists, and any Ethernet frame can be matched against MAC access lists. Both IP and MAC addresses can be specified within the VLAN access map. Use of Access Control Lists (ACLs) also allows restriction of remote administration connectivity to specific interfaces of the TOE so that sessions will only be accepted from approved management station addresses identified as specified by the administrator.
\r\nThe TOE supports routing protocols including BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2 to maintain routing tables, or routing tables can configured and maintained manually. Since routing tables are used to determine which egress ACL is applied, the authority to modify the routing tables is restricted to authenticated administrators, and authenticated neighbor routers. The only aspects of routing protocols that are security relevant in this TOE is the TOE’s ability to authenticate neighbor routers using shared passwords. Other security features and configuration options of routing protocols are beyond the scope of this Security Target and described in administrative guidance.
\r\nThe TOE supports VACLs (VLAN ACLs), which can filter traffic traversing VLANs on the TOE based on IP addressing and MAC addressing.
\r\nThe TOE also ensures that packets transmitted from the TOE do not contain residual information from previous packets. Packets that are not the required length use zeros for padding so that residual data from previous traffic is never transmitted from the TOE.
\r\nIdentification and authentication - The TOE performs authentication, using Cisco IOS platform authentication mechanisms, to authenticate access to user EXEC and privileged EXEC command modes. All users wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services. Once a user attempts to access the management functionality of the TOE (via EXEC mode), the TOE prompts the user for a user name and password. Only after the administrative user presents the correct identification and authentication credentials will access to the TOE functionality be granted.
\r\nThe TOE supports use of a remote AAA server (RADIUS and TACACS+) as the enforcement point for identifying and authenticating users, including login and password dialog, challenge and response, and messaging support. Encryption of the packet body is provided through the use of RADIUS (note RADIUS only encrypts the password within the packet body, while TACACS+ encrypts the entire packet body except the header).
\r\nThe TOE can be configured to display an advisory banner when administrators log in and also to terminate administrator sessions after a configured period of inactivity.
\r\nThe TOE also supports authentication of other routers using router authentication supported by BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2. Each of these protocols supports authentication by transmission of MD5-hashed password strings, which each neighbor router uses to authenticate others. It is noted that per the FIPS Security Policy, that MD5 is not a validated algorithm during FIPS mode of operation. For additional security, it is recommended router protocol traffic also be isolated to separate VLANs.
\r\nSecurity management - The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs through either a secure session via SSHv2, a terminal server directly connected to the Catalysis Switch (RJ45), or a local console connection (serial port). The TOE provides the ability to perform the following actions:
\r\nAll of these management functions are restricted to the authorized administrator of the TOE. The TOE switch platform maintains administrative privilege level and non-administrative access. Non-administrative access is granted to authenticated neighbor routers for the ability to receive updated routing tables per the information flow rules. There is no other access or functions associated with non-administrative access. The administrative privilege levels include:
\r\nProtection of the TSF - The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication and access controls to limit configuration to authorized administrators. Additionally Cisco IOS is not a general-purpose operating system and access to Cisco IOS memory space is restricted to only Cisco IOS functions.
\r\nThe TOE provides secure transmission when TSF data is transmitted between separate parts of the TOE (encrypted sessions for remote administration (via SSHv2)). Separate VLANs can be used to ensure routing protocol communications between the TOE and neighbor routers including routing table updates and neighbor router authentication will be logically isolated from traffic on other VLANs.
\r\nThe TOE is also able to detect replay of information and/or operations for encrypted communication paths (e.g. SSH). The detection applied to network packets that terminate at the TOE, such as trusted communications between the administrators and the TOE, or between an IT entity (e.g., authentication server) and the TOE. If replay is detected, the packets are discarded.
\r\nIn addition, the TOE internally maintains the date and time. This date and time is used as the time stamp that is applied to TOE generated audit records. Alternatively, an NTP server can be used to synchronize the date-timestamp. Finally, the TOE performs testing to verify correct operation of the switch itself and that of the cryptographic module.
\r\nTOE access - The TOE can terminate inactive sessions after an authorized administrator configurable time-period. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session. The TOE can also display a Security Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.
","features":[]}