{"product_id":10578,"v_id":10578,"product_name":"Cisco Integrated Services Router (ISR) 800 Series","certification_status":"Certified","certification_date":"2014-11-24T00:00:00Z","tech_type":"Network Device, Router, Virtual Private Network","vendor_id":{"name":"Cisco Systems, Inc.","website":"https://www.cisco.com"},"vendor_poc":"Cert Team","vendor_phone":"410-309-4862","vendor_email":"certteam@cisco.com","assigned_lab":{"cctl_name":"Booz Allen Hamilton Common Criteria Testing Laboratory"},"product_description":"<p>The Security Target (ST) defines the Information Technology (IT) security requirements for the Cisco Integrated Services Router (ISR) 800 Series. The Cisco ISR-800s are fixed configuration routers that provide business solutions for secure voice and data communications to enterprise small branch offices. They are designed to deliver secure broadband, Metro Ethernet (MAN Ethernet) and wireless LAN (WLAN) connectivity. The TOE is a VPN Gateway that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. Additional security functionality as provided by the devices was not evaluated and no claims can be made as to their effectiveness.</p>","evaluation_configuration":"<p>The TOE is a hardware and software solution that makes up the router models as follows: C819G-4G-A-K9, C819G-S-K9, C819HG-4G-G-K9, C819HGW-S-A-K9, C819G-4G-V-K9, C819H-K9, C819HGW+7-A-A-K9, C819HGW-V-A-K9, C819HWD-A-K9, C881-V-K9, C881WD-A-K9, CISCO881-SEC-K9, CISCO891-K9, C881W-A-K9, CISCO881-K9, CISCO881W-GN-A-K9, CISCO891W-AGN-A-K9. The software is comprised of the IOS 15.2(4)M7 version. 
The TOE models are comprised of the following specifications as described in the table below:</p>\r\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\r\n<thead> \r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TableHeaderTextCxSpFirst\">Model</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TableHeaderTextCxSpMiddle\">Architecture Generation</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TableHeaderTextCxSpMiddle\">Onboard DRAM</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TableHeaderTextCxSpLast\">Flash Memory</p>\r\n</td>\r\n</tr>\r\n</thead> \r\n<tbody>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819G-4G-A-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B<strong>&nbsp;</strong></p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">1024 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">1024 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819G-S-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">512 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">256 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819HG-4G-G-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">1024 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">1024 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819HGW-S-A-K9</p>\r\n</td>\r\n<td width=\"96\" 
valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">1024 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">1024 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819G-4G-V-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">1024 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">1024 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819H-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">1024 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">1024 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819HGW+7-A-A-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">1024 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">1024 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819HGW-V-A-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">1024 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">1024 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C819HWD-A-K9</p>\r\n</td>\r\n<td 
width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">1024 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">1024 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C881-V-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-A</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">256 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">256 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C881WD-A-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">512 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">256 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">CISCO881-SEC-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-A</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">256 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">128 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">CISCO891-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">890-A</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">256 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">256 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">Cisco ISR-C881W-A-K9</p>\r\n</td>\r\n<td width=\"96\" 
valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-B</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">512 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">256 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">CISCO881-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">880-C</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">512 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">256 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">CISCO881W-GN-A-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">890-A</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">256 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">128 MB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"198\" valign=\"top\">\r\n<p class=\"TabletextCxSpFirst\">CISCO891W-AGN-A-K9</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">890-A</p>\r\n</td>\r\n<td width=\"96\" valign=\"top\">\r\n<p class=\"TabletextCxSpMiddle\">256 MB</p>\r\n</td>\r\n<td width=\"90\" valign=\"top\">\r\n<p class=\"TabletextCxSpLast\">256 MB</p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>","security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Cisco Integrated Services Router (ISR) 800 Series with the IOS 15.2(4)M7 software version was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. 
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. Booz Allen Hamilton determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when configured as identified in the <em>Cisco Integrated Services Router 800 Series Common Criteria Operational User Guidance and Preparative Procedures version 0.5</em> document, satisfies all of the security functional requirements stated in the <em>Cisco Integrated Services Router 800 Series Security Target, Version 0.9</em>. The evaluation underwent CCEVS Validation review. The evaluation was completed in November 2014. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10578-2014, dated November 24, 2014) prepared by CCEVS.</p>","environmental_strengths":"<p><strong><em>Security Audit</em></strong></p>\r\n<p>The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions. The Cisco ISR-800 generates an audit record for each auditable event. The administrator configures auditable events, performs back-up operations, and manages audit data storage. The TOE protects the audit trail by providing remote backup to a syslog server over an IPsec channel.</p>\r\n<p><strong><em>Cryptographic Support</em></strong></p>\r\n<p>The TOE provides cryptography in support of secure trusted path and channel connections with administrators and other IT entities via IPsec and SSHv2.</p>\r\n<p><strong><em>User Data Protection</em></strong></p>\r\n<p>The TOE ensures that all information flows from the TOE do not contain residual information from previous traffic. Packets are padded with zeros. Residual data is never transmitted from the TOE. 
</p>\r\n<p><strong><em>Identification and Authentication</em></strong></p>\r\n<p>The TOE performs two types of authentication: device-level authentication of the remote device (VPN peers) and user authentication for the Authorized Administrator of the TOE. Device-level authentication allows the TOE to establish a secure channel with a trusted peer. Device-level authentication is performed via IKE/IPsec mutual authentication. The TOE supports use of IKEv1 (ISAKMP) and IKEv2 pre-shared keys for authentication of IPsec tunnels.</p>\r\n<p>The TOE provides authentication services for administrative users attempting to connect to the TOE&rsquo;s local console and secure remote CLI administrative interfaces. Password-based authentication can be performed on all interfaces and public key authentication is available via the secure remote CLI only. The TOE provides administrator authentication against a local user database, a RADIUS server or a TACACS+ server.</p>\r\n<p><strong><em>Security Management</em></strong></p>\r\n<p>The TOE provides the ability to securely manage all TOE administrative users; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE; updates to the TOE; configuration of IPsec functionality; and TOE configuration file storage and retrieval. The TOE supports multiple administrative roles that restrict access to TOE functions depending on the admin role assigned to a user. 
The management interfaces are the remote CLI via SSHv2 or IPsec and the local console.</p>\r\n<p><strong><em>Packet Filtering</em></strong></p>\r\n<p>The TOE provides packet filtering and secure IPsec tunneling. The tunnels can be established between two trusted VPN peers. More accurately, these tunnels are sets of security associations (SAs). The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used. SAs are unidirectional and are established per the ESP security protocol. An authorized administrator can define the traffic that needs to be protected via IPsec by configuring access lists (permit, deny, log) and applying these access lists to interfaces using crypto map sets.</p>\r\n<p><strong><em>Protection of the TSF</em></strong></p>\r\n<p>The TOE provides protection of TSF data (authentication data and cryptographic keys). In addition, the TOE internally maintains the date and time. This date and time is used as the time stamp that is applied to TOE-generated audit records. This time can be set manually, or an NTP server (or servers) can be used to synchronize the date-timestamp. The TOE is also capable of verifying software updates prior to the software updates being installed. Finally, the TOE performs testing to verify correct operation of the appliance itself and the cryptographic module.</p>\r\n<p><strong><em>TOE Access</em></strong></p>\r\n<p>The TOE can terminate inactive sessions after an Authorized Administrator-configurable time period. The TOE also allows users to terminate their own interactive session. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session. 
The TOE can also display an Authorized Administrator-specified banner on the local console and remote CLI prior to allowing any administrative access to the TOE.</p>\r\n<p><strong><em>Trusted Path/Channels</em></strong></p>\r\n<p>The TOE establishes a trusted path between the TOE and the remote CLI using SSHv2 or IPsec. The TOE establishes a secure IPsec connection to an external syslog server to send audit data, to a CA server to validate certificates, and to an external authentication server to authenticate users. The TOE can also establish trusted paths of peer-to-peer IPsec sessions.</p>","features":[]}