Compliant Product - Cisco Aggregation Services Router (ASR) 9000 series with Carrier Routing System (CRS) routers CRS-1 and CRS-3, v4.1.1
Certificate Date: 09 December 2011
Validation Report Number: CCEVS-VR-VID10439-2011
Product Type: Router
Conformance Claim: EAL3 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: Leidos (formerly SAIC) Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is the Cisco Aggregation Services Router (ASR) 9000 series, with IOS XR operating system version 4.1.1 plus the following SMUs: asr9k-p-4.1.1.CSCtq56564, asr9k-p-4.1.1.CSCtr86240, and asr9k-p-4.1.1.CSCtq59879, and the Carrier Routing System (CRS) routers CRS-1 and CRS-3, with IOS XR operating system version 4.1.1 plus the following SMUs: hfr-px-4.1.1.CSCtq21686.pie, hfr-px-4.1.1.CSCtq59879.pie, hfr-px-4.1.1.CSCtr70418.pie, hfr-px-4.1.1.CSCtq16133.pie, hfr-px-4.1.1.CSCtr16132.pie.
The TOE is a purpose-built, wide-area network (WAN) routing platform that provides basic security functionality including network Access Control Lists, administrative security, and firewall functionality. The TOE includes a number of chassis options: the ASR 9006 and ASR 9010, the CRS-1 4-slot, CRS-1 8-slot, and CRS-1 16-slot single shelf options, multiple shelf/chassis options of the CRS-1 16-slot, as well as upgraded switching fabric (CRS-3) models including CRS-3 4-slot, CRS-3 8-slot, CRS-3 16-slot single shelf options and multiple shelf/chassis options of the CRS-3 16-slot.
Each physical variation of the TOE features redundant routing engines (Route Processors or Route Switch Processors) as well as the capability for highly redundant power supplies and additional reliability features. These features provide High-Availability failover functionality. As noted above, the TOE also supports firewall capabilities such as allowing network traffic to be monitored based on source and destination address as well as the transport layer protocol defined in ACLs (Access Control Lists).
The ASR 9000 Series Router is designed to provide the necessary feature set for routing of very high-speed network traffic at or near the edge of a service provider network, in a physically dense form factor with additional capability for upgraded speeds (100Gbps per port) in the future without requiring a change to the chassis or switching fabric. The CRS series routers are designed to operate closer to the backbone or core of a major carrier or service provider, in an environment where much of the traffic is separated through MPLS (Multiprotocol Label Switching) or other techniques, and therefore provide fewer functions that are directly related to firewalling of traffic and more functions related to routing/switching the traffic at the very highest possible speed.
As noted above, both the ASR 9000 series and the CRS series provide security-relevant functionality to protect the router itself, to keep the control plane separate from the data plane, and to ensure that administrative interfaces are protected. More details of these functions are provided in the TOE Architecture (MPP) and in the TOE Summary Specification section of the Security Target.
The TOE provides capabilities to manage its routing functions, and controls access to those capabilities through the use of administrative roles with varying security management authorizations. All administrative users of the TOE are required to be identified and authenticated before accessing the TOE’s management capabilities, and administrative actions are audited. Additionally, the TOE provides cryptographic capabilities to protect remote administrator sessions and information transmitted to remote authorized IT entities.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco ASR 9000 series with CRS routers CRS-1 and CRS-3 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 3 augmented with ALC_FLR.2. The product, when delivered and configured as identified in the Cisco ASR9K with CRS-1/3, v4.1 Common Criteria Operational User Guidance and Preparative Procedures document, satisfies all of the security functional requirements stated in the Cisco ASR9K with CRS-1/3, v4.1.1 Security Target (Version 1.0). The project underwent several Validation Oversight Panel (VOR) reviews. The evaluation was completed in November 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10439-2011, dated December 2011) prepared by CCEVS.
The logical boundaries of Cisco ASR 9000 series with CRS routers CRS-1 and CRS-3 TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.
Security Audit – The TOE can audit events related to cryptographic functionality, information flow control enforcement, identification and authentication, and administrative actions. The IOS generates an audit record for each auditable event. Administrators can search, view and manage the set of auditable events.
Cryptographic Support - The TOE provides cryptography in support of other TOE security functionality, including AES, Triple DES and DSA, to support SSHv2 and SSL. This cryptography is stated by the manufacturer to be conformant to the applicable FIPS publications; however, neither the algorithm implementations nor the embodiment have been formally validated.
Identification and Authentication – The TOE provides authentication services for administrative users wishing to connect to the TOE’s secure CLI administrative interface. The TOE requires authorized administrators to authenticate prior to being granted access to any of the management functionality. In addition, the TOE supports local and remote identification and authentication of TOE users. Unsuccessful authentication attempts can be limited based on authorized administrator configuration.
Security Management - The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows an administrator to designate one or more router interfaces as management interfaces. Once a management interface is configured and MPP is enabled, management traffic may only enter the device through this interface. The management interface is restricted to authorized administrators and provides the ability to manage the security functions and users of the TOE. The pre-defined management roles can be augmented with additional fine-grained defined roles to provide role separation.
User Data Protection - The TOE enforces two information flow control policies:
- Unauthenticated TOE services: the TOE mediates all information flows to and from the TOE itself. The TOE has the ability to permit or deny information flows based on the characteristics of the information flow.
- Unauthenticated information flow: the TOE mediates all information flows through the TOE for unauthenticated information flows.
Trusted Path/Channel - The TOE establishes a trusted path between itself and the remote management station used by the administrators to manage the TOE. This trusted path is secured using an SSHv2 or SNMPv3 secure connection.
Protection of the TSF - The TOE is capable of preserving a secure state when software or hardware failures occur. The TOE provides manual and automatic recovery mechanisms. In addition, the TOE protects all TSF data from unauthorized modification and disclosure during transmission. The TOE provides hardware failover for hardware or software faults within the TSF for configurations that include dual RPs or dual RSPs.
TOE Access - The TOE provides the capability for the TSF to determine when there is user inactivity and to terminate the session. A user will have to re-authenticate and start a new session. Advisory user interface banners can be configured.