The Cisco AnyConnect TOE is a client application that provides remote users a secure VPN tunnel to protect data in transit on both IPv4 and IPv6 networks. The TOE provides IPsec to authenticate and encrypt network traffic travelling across an unprotected public network. By protecting the communication from unauthorized disclosure or modification, remote users can securely connect to an organization’s network resources and applications.
","evaluation_configuration":"The evaluated configuration is Cisco Secure Client – AnyConnect v5.1 installed on Red Hat Enterprise Linux 8.2.
","security_evaluation_summary":"The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Cisco Secure Client - AnyConnect 5.1 for Red Hat Enterprise Linux 8.2 CC Configuration Guide, Version 0.3, February 15, 2024 document, satisfies all of the security functional requirements stated in the Cisco Secure Client - AnyConnect 5.1 for Red Hat Enterprise Linux 8.2 Security Target, Version 0.5, May 7, 2024. The project underwent CCEVS Validator review. The evaluation was completed in June 2024. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11439-2024) prepared by CCEVS.
","environmental_strengths":"The logical boundaries of the Cisco Secure Client - AnyConnect 5.1 for Red Hat Enterprise Linux 8.2 are realized in the security functions that it implements. Each of these security functions is summarized below.
\r\n\r\n
Cryptographic support:
\r\nThe TOE incorporates a cryptographic module, CiscoSSL FIPS Object Module, to provide the cryptography in support of IPsec with ESP symmetric cryptography for bulk AES encryption/decryption and SHA-2 algorithm for hashing. In addition, the TOE provides the cryptography to support Elliptic-Curve Diffie-Hellman key exchange and the derivation function used in the IKEv2 and ESP protocols. The cryptographic algorithm implementation has been validated for CAVP conformance.
\r\nThe TOE platform provides asymmetric cryptography, which is used by the TOE for IKE peer authentication using digital signature and hashing services. In addition, the TOE platform provides a DRBG.
\r\nUser data protection:
\r\nThe TOE platform ensures that residual information from previously sent network packets processed through the platform are protected from being passed into subsequent network packets.
\r\nIdentification and authentication:
\r\nThe TOE and TOE platform perform device-level X.509 certificate-based authentication of the VPN Gateway during IKE v2 key exchange. Device-level authentication allows the TOE to establish a secure channel with a trusted VPN Gateway. The secure channel is established only after each endpoint successfully authenticates each other.
\r\nSecurity management:
\r\nThe TOE, TOE platform, and VPN Gateway provide the management functions to configure the security functionality provided by the TOE. The TOE provides a Security Administrator role and only the Security Administrator can perform the above security management functions.
\r\nPrivacy:
\r\nThe TOE does not store or transmit Personally Identifiable Information (PII) over a network.
\r\nProtection of the TSF:
\r\nThe TOE performs a suite of self-tests during initial start-up to verify correct operation of its CAVP tested algorithms. Upon execution, the integrity of the TOEs software executables is also verified.
\r\nThe TOE Platform provides for verification of TOE software updates prior to installation.
\r\nTrusted path/channels:
\r\nThe TOE’s implementation of IPsec provides a trusted channel ensuring sensitive data is protected from unauthorized disclosure or modification when transmitted from the host to a VPN gateway.
","features":[{"id":1335,"feature_name":"Application Software"},{"id":1342,"feature_name":"Asymmetric Key Generation"},{"id":1333,"feature_name":"Auditing"},{"id":1351,"feature_name":"Certificate Authentication"},{"id":1350,"feature_name":"Certificate Validation"},{"id":1336,"feature_name":"Credential Storage"},{"id":1345,"feature_name":"Cryptographic Hashing"},{"id":1344,"feature_name":"Cryptographic Key Establishmentâ"},{"id":1347,"feature_name":"Cryptographic Signature Generation"},{"id":1340,"feature_name":"DTLS Client"},{"id":1341,"feature_name":"DTLS Server with Mutual Authentication"},{"id":1332,"feature_name":"Flaw Remediation"},{"id":1348,"feature_name":"HTTPS Client"},{"id":1349,"feature_name":"HTTPS Server without Mutual Authentication"},{"id":1353,"feature_name":"IKEv1"},{"id":1354,"feature_name":"IKEv2"},{"id":1334,"feature_name":"Key Destruction"},{"id":1346,"feature_name":"Keyed-hash message authentication"},{"id":1343,"feature_name":"PBKDF"},{"id":1337,"feature_name":"TLS Client"},{"id":1338,"feature_name":"TLS Server with Mutual Authentication"},{"id":1339,"feature_name":"TLS Server without Mutual Authentication"},{"id":1352,"feature_name":"VPN Client"}]}