The TOE, which consists of the Cisco Email Security Appliance, is a network device.
","evaluation_configuration":"The TOE is a hardware and software solution that makes up the Cisco ESA. The TOE hardware includes the following: C195, C395, C695, C695F and the C100v, C300v, C600v running on Cisco UCS servers. The TOE software is the ESA AsyncOS software version 15.5. See table 5 in section 1.5 of the Cisco Email Security Appliance Common Criteria Security Target for a detailed specification for each TOE model.
\r\n\r\n
In addition, if the TOE is to be remotely administered, then the management workstation must be connected to an internal network, SSHv2 must be used to remotely connect to the appliance for the CLI interface and HTTPS/TLS for the GUI interface.
\r\nA syslog server is used to store audit records, and the connection is secured using SCP over SSHv2. It is recommended that these servers be installed on the internal (trusted) network. The internal (trusted) network is meant to be separated effectively from unauthorized individuals and user traffic, in a controlled environment where implementation of security policies can be enforced.
","security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco Email Security Appliance with AsyncOS 15.5 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Rev. 5. The product, when configured as identified in the Cisco Email Security Appliance running AsyncOS 15.5 Common Criteria Operational User Guidance And Preparative Procedures, satisfies all of the security functional requirements stated in the Cisco Email Security Appliance Common Criteria Security Target. The project underwent CCEVS Validator review. The evaluation was completed in September 2024. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
","environmental_strengths":"Security Audit
\r\nThe Cisco Email Security Appliance provides extensive auditing capabilities. The TOE generates a comprehensive set of audit logs that identify specific TOE operations. For each event, the TOE records the date and time of each event, the type of event, the subject identity, and the outcome of the event.
\r\nAuditable events include:
\r\nThe TOE is configured to transmit its audit messages to an SCP server on a remote syslog server. Communication with the syslog server is protected using SCP over SSHv2, and the TOE can determine when communication with the syslog server fails. If the connection fails, the session will need to be reestablished following the configuration settings described in the Cisco Email Security Appliance (ESA) Common Criteria Configuration Guide document.
\r\nThe audit logs can be viewed on the TOE using the appropriate CLI commands and GUI webpages. The records include the date/time the event occurred, the event/type of event, the user associated with the event, and additional information of the event and its success and/or failure. The TOE does not have an interface to modify audit records, though there is an interface available for the Authorized Administrator to clear audit data stored locally on the TOE.
\r\nCryptographic Support
\r\nThe TOE provides cryptography in support of other TOE security functionality. All the algorithms claimed have CAVP certificates, based on ESA on the platforms and processors as noted in section 3.1.
\r\nThe TOE provides cryptography in support of other Cisco ESA security functionality. The ESA software calls the Cisco FIPS Object Module (FOM) v7.3a that has been validated in accordance with the specified standards to meet the requirements listed below and all the algorithms claimed have CAVP certificates.
\r\nRefer to tables 9 and 10 in the Cisco Email Security Appliance Common Criteria Security Target for algorithm certificate references.
\r\nThe TOE provides cryptography in support of remote administrative management via SSHv2 for the CLI and HTTPS/TLS for the GUI. SCP over SSHv2 is used to secure the transmission of audit records to the SCP server on the remote syslog server. In addition, the TOE uses the X.509v3 certificate for securing the TLS connections.
\r\nThe TOE also authenticates software updates to the TOE using a published hash.
\r\nIdentification and authentication
\r\nThe TOE provides authentication services for administrative users connecting to the TOE’s secure CLI and GUI administrative interfaces, using SSHv2 and HTTPS/TLS, respectively, to secure the connections. Prior to an administrator logging in, a login banner is presented at both the CLI and GUI interfaces. The TOE requires Authorized Administrators to be successfully identified and authenticated prior to being granted access to the TOE and any of the management functionality. The TOE can be configured to require a minimum password length of 15 characters as well as character complexity rules.
\r\nThe TOE also provides an automatic lockout when a user attempts to authenticate but enters invalid information. When the threshold for a defined number of authentication attempt failures has exceeded the configured allowable attempts, the user is locked out until an Authorized Administrator can re-enable the user account.
\r\nThe TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for TLS connections.
\r\nSecurity Management
\r\nThe TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure HTTPS/TLS (GUI interface), SSHv2 (CLI interface) session or via a direct local console connection. The TOE provides the ability to securely manage:
\r\nThe CLI is the main interface used to administer the TOE, since all functionality to configure, securely manage and to monitor the TOE is available via the CLI. The GUI can also be used, but not all functionality to configure the TOE is available in the GUI. Therefore, in the evaluated configuration it is recommended to use the CLI to perform all configuration and setting of the security functions and to securely mange the TOE.
\r\nThe TOE supports the security administrator role and is referred to as the Authorized Administrator. Only the Authorized Administrator can perform the above security relevant management functions.
\r\nAuthorized Administrators can create configurable login banners to be displayed at time of login and can define an inactivity timeout threshold for each admin interface to terminate sessions after a set period of inactivity has been reached.
\r\nProtection of the TSF
\r\nThe TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators. The TOE prevents reading of cryptographic keys and passwords. Additionally, Cisco AsyncOS is not a general-purpose operating system, and access to Cisco AsyncOS memory space is restricted to only Cisco AsyncOS functions.
\r\nThe TOE performs testing to verify correct operation of the TOE itself and of the cryptographic module.
\r\nThe TOE internally maintains the date and time. This date and time are used as the timestamp applied to audit records generated by the TOE. The TOE provides the Authorized Administrators the capability to update the TOE’s clock manually to maintain a reliable timestamp.
\r\nFinally, the TOE is able to verify any software updates prior to the software updates being installed on the TOE to avoid the installation of unauthorized software.
\r\nTOE Access
\r\nThe TOE can terminate inactive sessions after an Authorized Administrator configurable time period. Once a session has been terminated, the TOE requires the user to be successfully re-identified and re-authenticated to establish a new session. Sessions can also be terminated if an Authorized Administrator enters the “exit” command.
\r\nThe TOE can display an Authorized Administrator specified banner on the CLI and GUI management interfaces prior to allowing any administrative access to the TOE.
\r\nTrusted path/Channels
\r\nThe TOE allows trusted path to be established to itself from remote administrators over SSHv2 for the CLI and HTTPS/TLS for the GUI. The TOE also uses SCP over SSHv2 to push the audit logs to a SCP server on a remote syslog server.
","features":[{"id":2813,"feature_name":"Asymmetric Key Generation"},{"id":2809,"feature_name":"Auditing"},{"id":2826,"feature_name":"Certificate Authentication"},{"id":2820,"feature_name":"Certificate Validation"},{"id":2816,"feature_name":"Cryptographic Hashing"},{"id":2814,"feature_name":"Cryptographic Key Establishment"},{"id":2815,"feature_name":"Cryptographic Signature Verification"},{"id":2811,"feature_name":"DRBG"},{"id":2825,"feature_name":"HTTPS Server without Mutual Authentication"},{"id":2810,"feature_name":"Key Destruction"},{"id":2819,"feature_name":"Keyed-hash message authentication"},{"id":2823,"feature_name":"SSH Client"},{"id":2824,"feature_name":"SSH Server"},{"id":2827,"feature_name":"TLS 1.1"},{"id":2828,"feature_name":"TLS 1.2"},{"id":2821,"feature_name":"TLS Server without Mutual Authentication"},{"id":2812,"feature_name":"Virtual Network Device"}]}