The Security Target (ST) defines the Information Technology (IT) security requirements for the Cisco Aggregation Services Router (ASR) 1000 Series. A Cisco ASR 1000 Series product has two or more network interfaces and is connected to at least one internal and one external network. The Cisco ASR 1000 Series product’s configuration determines how packets are handled to and from its network interfaces. The router configuration will determine how traffic flows received on an interface will be handled. Typically, packet flows are passed through the internetworking device and forwarded to their configured destination.
","evaluation_configuration":"The TOE is a hardware and software solution that is made up of the following router models: ASR 1001, ASR 1002, ASR 1002X, ASR 1004, ASR 1006, and ASR 1013. The software is pre-installed and is comprised of the Cisco IOS-XE software image Release 3.7.2t(S). The TOE was evaluated on the following platforms:
\r\n\r\n
| \r\n Hardware Model \r\n | \r\n\r\n ASR 1001 \r\n | \r\n\r\n ASR 1002-X \r\n | \r\n\r\n ASR 1002 \r\n | \r\n\r\n ASR 1004 \r\n | \r\n\r\n ASR 1006 \r\n | \r\n\r\n ASR 1013 \r\n | \r\n
| \r\n Supported Embedded Services Processors \r\n | \r\n\r\n Integrated ESP \r\n | \r\n\r\n Integrated ESP \r\n | \r\n\r\n ESP5 \r\nESP10 \r\n | \r\n\r\n ESP10 \r\nESP20 \r\n | \r\n\r\n Dual ESP10 \r\nDual ESP20 \r\nDual ESP40 \r\nDual ESP100 \r\n | \r\n\r\n Dual ESP40 \r\nDual ESP100 \r\n | \r\n
| \r\n Supported Route Processors \r\n | \r\n\r\n Integrated RP1 \r\n | \r\n\r\n Integrated RP1 \r\n | \r\n\r\n Integrated RP1 \r\n | \r\n\r\n RP1 \r\nRP2 \r\n | \r\n\r\n Dual RP1 \r\nDual RP2 \r\n | \r\n\r\n Dual RP2 \r\n | \r\n
| \r\n Shared Port Adaptors Slots \r\n | \r\n\r\n 1 SPA slot \r\n | \r\n\r\n 1 SPA slot \r\n | \r\n\r\n 3 SPA slots \r\n | \r\n\r\n 8 SPA slots \r\n | \r\n\r\n 12 SPA slots \r\n | \r\n\r\n 24 SPA slots \r\n | \r\n
| \r\n Supported Shared Port Adaptors \r\n | \r\n\r\n Cisco 1-Port Clear Channel OC3 ATM Shared Port Adapter (SPA-1XOC3-ATM-V2) \r\nCisco 3-Port Clear Channel OC3 ATM Shared Port Adapter (SPA-3XOC3-ATM-V2) \r\nCisco 1-Port OC12 STM Shared Port Adapter (SPA-1XOC12-ATM-V2) \r\nCisco 2-Port T3/E3 Circuit Emulation and ATM SPA (SPA-2CHT3-CE-ATM) \r\nCisco 8-Port Channelized T1/E1 Shared Port Adapter (SPA-8XCHT1/E1) \r\nCisco 4-Port Channelized T3 (DS0) Shared Port Adapter (SPA-4XCT3/DS0) \r\nCisco 2-Port Channelized T3 (DS0) Shared Port Adapter (SPA-2XCT3/DS0) \r\nCisco 1-port Channelized STM-1/OC-3c to DS0 Shared Port Adapter (SPA-1XCHSTM1/OC3) \r\nCisco 2-Port Clear Channel T3/E3 Shared Port Adapter (SPA-2XT3/E3) \r\nCisco 4-Port Clear Channel T3/E3 Shared Port Adapter (SPA-4XT3/E3) \r\nCisco 4-Port Serial Interface Shared Port Adapter (SPA-4XT-Serial) \r\n1-port Channelized OC12 to DS0 SPA (SPA-1XCHOC12/DS0) \r\nCisco 4-Port 10BASE-T/100BASE Fast Ethernet Shared Port Adapter (SPA-4X1FE-TX-V2) \r\nCisco 8-Port 10BASE-T/100BASE Fast Ethernet Shared Port Adapter (SPA-8X1FE-TX-V2) \r\nCisco 2-Port Gigabit Ethernet Shared Port Adapter (SPA-2X1GE-V2) \r\nCisco 5-Port Gigabit Ethernet Shared Port Adapter (SPA-5X1GE-V2) \r\nCisco 8-Port Gigabit Ethernet Shared Port Adapter (SPA-8X1GE-V2) \r\nCisco 10-Port Gigabit Ethernet Shared Port Adapter (SPA-10X1GE-V2) \r\nCisco 1-Port 10 Gigabit Ethernet Shared Port Adapter (SPA-1X10GE-L-V2) \r\nCisco 1-port 10GE LAN/WAN-PHY Shared Port Adapter (SPA-1X10GE-WL-V2) \r\nCisco Synchronous Ethernet SPA (SPA-2X1GE-SYNCE) \r\nCisco 2-Port OC3c/STM-1c POS Shared Port Adapter (SPA-2XOC3-POS) \r\nCisco 4-Port OC3c/STM-1c POS Shared Port Adapter (SPA-4XOC3-POS) \r\nCisco 8-port OC3/STM4 POS Shared Port Adapter (SPA-8XOC3-POS) \r\nCisco 1-Port OC12c/STM-4c POS Shared Port Adapter (SPA-1XOC12-POS) \r\nCisco 2-port OC12/STM4 POS Shared Port Adapter (SPA-2XOC12-POS) \r\nCisco 4-port OC12/STM4 POS Shared Port Adapter (SPA-4XOC12-POS) \r\nCisco 8-port OC12/STM4 POS SPA Shared Port Adapter (SPA-8XOC12-POS) \r\nCisco 1-port OC48/STM16 POS/RPR Shared Port Adapter (SPA-1XOC48-POS/RPR) \r\nCisco 2-port OC48/STM16 POS/RPR Shared Port Adapter (SPA-2XOC48POS/RPR) \r\nCisco 4-port OC48/STM16 POS/RPR Shared Port Adapter (SPA-4XOC48POS/RPR) \r\nCisco 1-Port OC-192c/STM-64c POS/RPR Shared Port Adapter with XFP Optics (SPA-OC192POS-XFP) \r\n | \r\n
","security_evaluation_summary":"
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Cisco Aggregation Services Router (ASR) 1000 Series was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. Booz Allen Hamilton determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when delivered configured as identified in the Cisco Aggregation Services Router (ASR) 1000 Series Common Criteria Operational User Guidance And Preparative Procedures version .13 document, satisfies all of the security functional requirements stated in the Cisco Aggregation Services Router (ASR) 1000 Series Security Target, Version .15. The evaluation underwent CCEVS Validator review. The evaluation was completed in December 2013. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10518-2013, dated December 19, 2013) prepared by CCEVS.
","environmental_strengths":"Security Audit
\r\nThe TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions. The administrator configures auditable events, performs back-up operations and manages audit data storage. The TOE provides the administrator with a circular audit trail or a configurable audit trail threshold to track the storage capacity of the audit trail. Audit logs are backed up over an encrypted IPSec channel to an external audit server.
\r\nCryptographic Support
\r\nThe TOE provides cryptography in support of secure trusted path and channel connections with other IT entities via IPSec. This cryptography has been validated for conformance to the requirements of FIPS 140-2 Level 2.
\r\nUser Data Protection
\r\nThe TOE ensures that all information flows from the TOE do not contain residual information from previous traffic. Packets are padded with zeros. Residual data is never transmitted from the TOE.
\r\nIdentification and Authentication
\r\nThe TOE performs two types of authentication: device-level authentication of remote IT device peers and user authentication for the Authorized Administrator of the TOE. Device-level authentication allows the TOE to establish a secure channel with a trusted peer. The TOE provides authentication services for administrative users wishing to connect to the TOEs secure CLI administrative interface. Password-based authentication can be performed on the serial console or remote interfaces. The TOE provides administrator authentication against a local user database or optionally supports the use of a RADIUS or TACACS+ AAA servers for authentication.
\r\nSecurity Management
\r\nThe TOE provides the ability to securely manage all TOE administrative users; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE; updates to the TOE; and TOE configuration file storage and retrieval. The TOE supports two separate administrative roles: non-privileged Administrator and privileged Administrator. Only the privileged administrator can perform all of the above security relevant management functions. The privileged Administrator is also considered to be the Authorized Administrator.
\r\nProtection of the TSF
\r\nThe TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators. The TOE prevents reading of cryptographic keys and passwords. The TOE is able to verify any software updates prior to the software updates being installed on the TOE to avoid the installation of malicious software. The TOE internally maintains the date and time. Administrators can update the TOE’s clock manually, or can configure the TOE to use NTP to synchronize the TOE’s clock with an external time source. Finally, the TOE performs testing to verify correct operation of the router itself and that of the cryptographic module.
\r\nTOE Access
\r\nThe TOE can terminate or lock inactive sessions after an Authorized Administrator configurable time-period. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session. Sessions can also be terminated if an Authorized Administrator enters the “exit” command. The TOE can also display a Security Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.
\r\nTrusted Path/Channels
\r\nTrusted path and channel connections to/from the TOE are protected using the standards defined within the Cryptographic Support section. The TOE establishes a trusted path or channel between itself and the remote management station, peer IT devices, syslog servers, RADIUS Servers, and TACACS+ Servers.
","features":[]}