CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

The TOE in the evaluated configuration contains the CUBE on CSR1000v software image. The CUBE on CSR1000v TOE requires the following:

·       Cisco UCS C-Series M5 Server or other general-purpose computing platforms with specified Intel processors as described in Section, 1.7, Table 5 of the ST

·       VMware ESXi 6.7 Hypervisor

·       Virtual Machine (VM) Requirements: The following minimum technical specs are required on the Cisco UCS Server or general-purpose computing platforms to support CUBE on a single CSR1000v guest VM running Cisco IOS-XE version 17.3 software:

o   Single virtual hard disk – 8 GB minimum

o   One dedicated management port

o   Two or more virtual network interfaces with adapter type VMXNET3 that are mapped to physical ethernet ports on the host server via ESXi

o   The following virtual CPU configurations are supported:

§  1 virtual CPU, requiring 4 GB minimum of RAM

§  2 virtual CPUs, requiring 4 GB minimum of RAM

§  4 virtual CPUs, requiring 4 GB minimum of RAM

§  8 virtual CPUs, requiring 4 GB minimum of RAM

The TOE has two or more network interfaces and is connected to at least one internal and one external network. The Cisco IOS-XE configuration determines how packets are handled to and from the TOE’s network interfaces. The router configuration will determine how traffic flows received on an interface will be handled. Typically, packet flows are passed through the internetworking device and forwarded to their configured destination.

The Evaluated Configuration is comprised of the TOE and the Virtual System. The UCS Server and ESXi virtualization software comprise the Virtual System. The Cisco UCS boxes are administered through a single management entity called the Cisco UCS Manager (Cisco Unified Computing System (UCS) Manager 2.2(3a)).  It is assumed the Cisco UCS C-Series M5 Server is setup, configured in its evaluated configuration, and ready for use.  The TOE can be run on one of two models of UCS C-Series M5 servers, the C220 and the C240 models.

The Cisco UCS C220 M5 Rack Server is a two-socket, 1 Rack Unit (1RU) rack-mount server that offers up to two Intel^® Xeon^® Scalable Series processors and supports VMware ESXi 6.7 Hypervisor. 

The UCS C220 M5 supports:

·       up to 24 DDR4 DIMMs

·       up to 10 Small-Form-Factor (SFF) 2.5-inch drives or 4 Large-Form-Factor (LFF) 3.5-inch drives (77 TB storage capacity with all NVMe PCIe SSDs)

·       support for 12-Gbps SAS modular RAID controller in a dedicated slot, leaving the remaining PCIe Generation 3.0 slots available for other expansion cards

·       Modular LAN-On-Motherboard (mLOM) slot that can be used to install a Cisco UCS Virtual Interface Card (VIC) without consuming a PCIe slot

·       Dual embedded Intel x550 10GBASE-T LAN-On-Motherboard (LOM) ports

·       2 PCIe 3.0 Slots

Figure 1 Cisco UCS C220 M5 Server

The Cisco C240 M5 2 Rack Server is a two-socket, 2 Rack Unit (2RU) rack-mount server that offers up to two Intel^® Xeon^® Scalable Series processors and supports VMware ESXi 6.7 Hypervisor. 

The C240 M5 supports:

• up to 24 DDR4 DIMM slots
• up to 26 hot-swappable Small-Form-Factor (SFF) 2.5-inch drives, including 2 rear hot-swappable SFF drives, or 12 Large-Form-Factor (LFF) 3.5-inch drives
• support for 12-Gbps SAS modular RAID controller in a dedicated slot
• Modular LAN-On-Motherboard (mLOM) slot that can be used to install a Cisco UCS Virtual Interface Card (VIC) without consuming a PCIe slot,   supporting dual 10- or 40-Gbps network connectivity
• Dual embedded Intel x550 10GBASE-T LAN-On-Motherboard (LOM) ports
• 6 PCIe 3.0 Slots

Figure 2 Cisco UCS C240 M5 Server

The bios, firmware, drivers, management software are the same for both models, the UCS C240 M5 is just a more robust server than the smaller C220 M5.

Evaluated configuration for the UCS C-Series M5 Servers with Intel Scalable 2nd Generation processors includes the following:

• UCS C220 M5 Server
• Intel Xeon Gold 6244 (Cascade Lake)
• VMware ESXi 6.7
• VMXNET3 NIC (3 physical GbE port mapped to 3 virtual NICs (Mgmt, WAN, LAN)
• 1vCPU
• 4GB RAM (virtual) / 64GB (physical)
• 8GB HDD (virtual) / 2TB (physical)

The following figure provides a visual depiction of an example TOE deployment.

Figure 3 TOE Example Deployment

The previous figure includes the following devices:

• The TOE
• Cisco CUBE on CSR 1000v (running IOS XE 17.3) as a vND (installed on a Cisco UCS C-Series Server).
• The following are considered to be in the IT Environment:
• Local Console to support local Administration (direct connection)
• Management Workstation to support remote Administration (secure connection is SSHv2)
• Authentication Server to support remote authentication (secure connection is IPsec)
• NTP Server (connection is NTPv4, IPsec)
• Syslog (Audit) Server (secure connection is IPsec)
• Cisco CUCM (ESC) (secure connection is SIP via TLS)
• VVoIP end points (secure connection is SIP via TLS, SRTP)
• Service Provider (secure connection is SIP via TLS, SRTP)

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco CUBE on Cloud Services Router 1000v (CSR1000v) running IOS-XE 17.3 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5.  The product, when delivered configured as identified in the Cisco CUBE on Cloud Services Router 1000v (CSR1000v) running IOS-XE 17.3  Common Criteria Guide, satisfies all of the security functional requirements stated in the Cisco CUBE on Cloud Services Router 1000v (CSR1000v) running IOS-XE 17.3  Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in February 2022.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below:

·       Security Audit

·       Cryptographic Support

·       Data Protection

·       Firewall

·       Identification and Authentication

·       Security Management

·       Protection of the TSF

·       Resource Utilization

·       TOE Access

·       Trusted Path/Channels

These features are described in more detail in the subsections below.  In addition, the TOE implements all security functional requirements of CPP_ND_v2.2e and EP_SBC_v1.1 as necessary to satisfy testing/assurance measures prescribed therein.

Security Audit

The TOE provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions. The TOE generates an audit record for each auditable event.  Each security relevant audit event has the date, timestamp, event description, and subject identity.  The administrator configures auditable events, performs back-up operations and manages audit data storage.  The TOE provides the administrator with a circular audit trail or a configurable audit trail threshold to track the storage capacity of the audit trail.  Audit logs are also sent to a remote syslog server using IPsec to secure connection.

In addition, the TOE provides the capabilities for the Authorized Administrator to define a set of rules to indicate a potential security violation.  Upon detection of a potential security violation, the TOE will transmit the log records to a remote syslog server using IPsec to secure connection.

Cryptographic Support

The TOE provides cryptography in support of other TOE security functionality.  The CUBE software calls the IOS Common Cryptographic Module (IC2M) Rel5 (Firmware Version: Rel 5) and CiscoSSL FIPS Object Module (FOM) v7.02a for cryptography support.  All the algorithms claimed have CAVP certificates based on CUBE on CSRv1000v running IOS XE 17.3 install on Cisco UCS M5 220 or Cisco UCS M5 240, both of which have Intel® Xeon® Gold 6244 processors as noted in Section 1.7 Physical Scope of the TOE. 

The TOE provides cryptography in support of remote administrative management via SSHv2, to secure the connection to an external syslog (audit) server using IPsec, to secure the connection to the NTP server using NTPv4 and IPsec, to secure the connection for remote authentication using IPsec and for securing TLS connections including SIP and SRTP connections to endpoints and CUCM (ESC).

The TOE also authenticates software updates using a published hash.

The TOE provides cryptography in support of remote administrative management via SSHv2.  IPsec is used to secure the transmission of audit records to the remote syslog server and to the remote authentication servers.  In addition, the TOE uses X.509v3 certificates for securing the IPsec, SIP, SRTP and TLS connections. 

The TOE also authenticates software updates to the TOE using a published hash.

Data Protection

The TOE provides the capabilities for the Authorized Administrator to define Back-to-Back User Agent (B2BUA) policies that supports custom policies to be configured to only permit and/or deny communications through the TOE.

Firewall

The TOE provides the capabilities for the Authorized Administrator to define filtering rules based on network protocols.  By default, if no filtering polices have been configured, all traffic is allowed.

The TOE can also be configured to monitor and block malicious traffic by parsing the traffic.  The TOE ensures that SIP protocol traffic packets are correctly formatted, such as the Invite, the phone number and the BYE.  The TOE will also inspect to ensure the SIP protocol is associated with the correct SIP ports.  If there is an error detected, audit records will be generated to alert the Authorized Administrator of a potential issue.

In addition, the TOE supports NAT with the configuration settings that allow the setting of separate public and private IP addresses in support of SIP protocol.

Identification and Authentication

The TOE provides authentication services for administrative users to connect to the TOE’s secure CLI administrator interface.  The TOE requires Authorized Administrators to authenticate prior to being granted access to any of the management functionality.  The TOE can be configured to require a minimum password length of 15 characters. The TOE provides administrator authentication against a local user database.  Password-based authentication can be performed on the serial console or SSH interfaces.  The SSHv2 interface also supports authentication using SSH keys.  The TOE also supports use of a RADIUS AAA server (part of the IT Environment) for authentication of administrative users attempting to connect to the TOE’s CLI.

The TOE provides an automatic lockout when a user attempts to authenticate and enters invalid information.  After a defined number of authentication attempts fail exceeding the configured allowable attempts, the user is locked out until an Authorized Administrator enables the user account. 

The TOE also supports SIP trunking and can be configured to support authenticated and encrypted SIP traffic.

The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for IPsec, SIP, SRTP and TLS connections.

Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure SSHv2 session or via a local console connection.  The TOE provides the ability to securely manage:

• Ability to administer the TOE locally and remotely;
• Ability to configure the access banner;
• Ability to configure the session inactivity time before session termination or locking;
• Ability to update the TOE, and to verify the updates using [hash comparison] capability prior to installing those updates;
• Ability to configure the authentication failure parameters for FIA_AFL.1;
• Change a user's password;
• Require a user's password to be changed upon next login;
• Configure the auditable events that will result in the generation of an alarm;
• Configure the back-to-back user agent policy;
• Configure traffic filtering rules;
• Configure NAT;
• Configure SIP communications
• Ability to start and stop services;
• Ability to configure audit behaviour (e.g. changes to storage locations for audit; changes to behaviour when local audit storage space is full);
• Ability to configure the cryptographic functionality;
• Ability to configure thresholds for SSH rekeying;
• Ability to configure the lifetime for IPsec SAs;
• Ability to re-enable an Administrator account; and
• Ability to configure NTP;
• Ability to configure the reference identifier for the peer;
• Ability to manage the TOE's trust store and designate X509.v3 certificates as trust anchors;
• Ability to import X.509v3 certificates to the TOE's trust store;

The TOE supports the security administrator role and is referred to as the Authorized Administrator.   Only the Authorized Administrator can perform the above security relevant management functions.

Authorized Administrators can create configurable login banners to be displayed at time of login and can define an inactivity timeout threshold for each admin interface to terminate sessions after a set period of inactivity has been reached. 

Protection of the TSF

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators.  The TOE prevents reading of cryptographic keys and passwords.  Additionally, Cisco IOS-XE is not a general-purpose operating system and access to Cisco IOS-XE memory space is restricted to only Cisco IOS-XE functions.

The TOE has an internal clock, however the TOE synchronizes time with an NTP server and then internally maintains the date and time.  This date and time are used as the timestamp that is applied to audit records generated by the TOE.  

The TOE performs testing to verify correct operation of the system itself and that of the cryptographic module.

Finally, the TOE is able to verify any software updates prior to the software updates being installed on the TOE to avoid the installation of unauthorized software via a published hash.

Resource Utilization

The total resources available to the TOE is based on the deployment size of the organization and the platform in which the TOE software is installed.  As such, the TOE provides the ability for the Authorized Administrator to control the amount of bandwidth used by the endpoints.  The bandwidths limits may be set on a call-by-call basis and/or on a total consumption usage basis.

TOE Access

The TOE can terminate inactive sessions after an Authorized Administrator configurable time-period.  Once a session has been terminated the TOE requires the Authorized Administrator to re-authenticate to establish a new session.  Sessions can also be terminated if an Authorized Administrator enters the “exit” command. 

The TOE can also display a Security Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.

Trusted Path/Channel

The TOE allows trusted paths to be established to itself from remote administrators over SSHv2 which has the ability to be encrypted further using IPsec and initiates outbound IPsec tunnels to transmit audit messages to remote syslog servers.  In addition, IPsec is used to secure the session between the TOE and the remote authentication servers and uses NTPv4 to secure the connection to the NTP server.    

The TOE also allows secure communications between itself and authorized entities using SRTP and SIP TLS to secure VVoIP signaling and media channels and uses TLS to secure the signaling channel with an ESC.

Vendor Information