Compliant Product - Cisco 5915 Embedded Services Router
Certificate Date: 29 April 2013
Validation Report Number: CCEVS-VR-VID10493-2013
Product Type: Router
Conformance Claim: EAL2 Augmented with ALC_DVS.1,ALC_FLR.2
PP Identifiers: None
CC Testing Lab: Leidos (formerly SAIC) Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is one or more Cisco 5915 Embedded Services Routers (conduction-cooled or air-cooled models) running IOS 15.2(2)GC.
The Cisco 5915 ESR is a router platform used to construct IP networks by interconnecting multiple smaller networks or network segments. The TOE provides connectivity and security services onto a single, secure device. The flexible, compact form factor of these routers, complemented by Cisco IOS® Software, provides secure data, voice, and video communications to stationary and mobile network nodes across wired links.
In support of the routing capabilities, the 5915 ESR provides IPSec connection capabilities for VPN enabled clients connecting through the 5915 ESR. The 5915 ESR is also compatible with VPN clients that use GDOI.
The 5915 ESR is a PCI-104 router module solution for protecting the network. The firewall capabilities provided by the TOE are provided via a stateful packet filtering firewall.
The TOE also includes on the 5915 Embedded Services Router modules a network-based Intrusion Prevention System that monitors traffic in real-time. It can analyze both the header and content of each packet. The TOE uses a rule-based expert system to interrogate the packet information to determine the type of attack.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Cisco 5915 ESR TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ALC_FLR.2 and ALC_DVS.1. The product, when delivered configured as identified in Cisco 5915 ESR Common Criteria Operational User Guidance and Preparative Procedures document, satisfies all of the security functional requirements stated in the Cisco 5915 ESR Security Target (Version 1.0). The project underwent two Validation Oversight Panel (VOR) panel reviews. The evaluation was completed in September 2012. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-10493-2012, dated October 2012 prepared by CCEVS.
The logical boundaries of Cisco 5915 ESR TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.
Security audit - The TOE generates audit messages that identify specific TOE operations. For each event, the TOE records the date and time of each event, the type of event, the subject identity, and the outcome of the event. Auditable events include: all use of the user identification mechanism; any use of the authentication mechanism; any change in the configuration of the TOE; any matching of packets to access control entries in ACLs when traversing the TOE; and any failure of a packet to match an access control list (ACL) rule allowing traversal of the TOE. The TOE will write audit records to the local logging buffer by default and can be configured to send audit data via syslog to a remote audit server, or display to the CLI console. These audit messages include a timestamp that can be provided by the TOE or an optional NTP server in the operational environment.
Cryptographic support - The TOE provides cryptography support for secure communications and protection of information when configured in FIPS mode. The crypto module is FIPS 140-2 SL1 validated, certificate number 1935. The cryptographic services provided by the TOE include: symmetric encryption and decryption using AES; digital signature using RSA; cryptographic hashing using SHA1; keyed-hash message authentication using HMAC-SHA1, and IPSec for authentication and encryption services to prevent unauthorized viewing or modification of data as it travels over the external network. The TOE also implements SSHv2 for secure remote administration. For GDOI, the TOE can perform the role of the GDOI key server and the group controller.
Traffic Filtering and Switching (ACLs) - This product supports IP ACLS, VPN policies and VLANs.
IP ACLs control whether routed IP packets are forwarded or blocked at the TOE interfaces that have been configured with IP addresses. The TOE examines each frame and packet to determine whether to forward or drop it, on the basis of criteria specified within the access lists applied to the interfaces through which the traffic would enter and leave the TOE. For those interfaces configured with Layer-3 addressing the ACLs can be configured to filter IP traffic using: the source address of the traffic; the destination address of the traffic; and the layer 3 and 4 protocol identifier. Use of Access Control Lists (ACLs) also allows restriction of remote administration connectivity to specific interfaces of the TOE so that sessions will only be accepted from approved management station addresses identified as specified by the administrator.
5915 ESR delivers VPN connections to remote entities. The VPN process includes remote device authentication, negotiation of specific cryptographic parameters for the session, and providing a secure connection to and from the remote device. For inbound or outbound connections with external IT entities that are capable of supporting VPN (e.g., a VPN Peer), the TOE will establish a secure connection. For other inbound or outbound traffic a secure connection will not be established.
5915 ESR allows VLAN connections to/from remote entities. The TOE provides the ability to identify the VLAN the network traffic is associated with. The TOE then permits or denies the network traffic based on the VLANs configured on the interface the network traffic is received /destined. This policy is applied after the Firewall policy.
Identification and authentication - The TOE performs authentication, using Cisco IOS platform authentication mechanisms, to authenticate access to user EXEC and privileged EXEC command modes. All users wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services. Once a user attempts to access the management functionality of the TOE (via EXEC mode), the TOE prompts the user for a user name and password. Only after the administrative user presents the correct identification and authentication credentials will access to the TOE functionality be granted.
The TOE supports use of a remote AAA server (RADIUS and TACACS+) as the enforcement point for identifying and authenticating users, including login and password dialog, challenge and response, and messaging support. Encryption of the packet body is provided through the use of RADIUS (note RADIUS only encrypts the password within the packet body, while TACACS+ encrypts the entire packet body except the header).
The TOE can be configured to display an advisory banner when administrators log in and also to terminate administrator sessions after a configured period of inactivity.
The TOE also performs device-level authentication of the remote device (VPN peers). Device-level authentication allows the TOE to establish a secure channel with a trusted peer. The secure channel is established only after each device authenticates itself. Device-level authentication is performed via IKE v1/IPSec v3 mutual authentication.
Security management - The TOE allows authorized administrators to add new administrators, start-up and shutdown the device, create, modify, or delete configuration details such as interface parameters and ACLs, and to modify and set the time and date. All TOE administration occurs either through a secure SSH session via a SSH client, or via a local console connection.
The TOE router platform maintains privileged and semi-privileged administrator roles. The TOE performs role-based authorization, using TOE platform authorization mechanisms, to grant access to the semi-privileged and privileged roles. For the purposes of this evaluation, the privileged role is equivalent to full administrative access to the CLI, which is the default access for IOS privilege level 15 (has all privileges on the box); and the semi-privileged role equates to any privilege level that has a subset of the privileges assigned to level 15. Privilege levels 0 and 1 are defined by default and are customizable, while levels 2-14 are undefined by default and are also customizable. The term “authorized administrator” is used in this ST to refer to any user which has been assigned to a privilege level is permitted to perform the relevant action; therefore has the appropriate privileges to perform the requested functions.
The TOE also supports external IT entities. These external IT entities are peer routers that pass network control information (e.g., routing tables) to the TOE. Also included are any other VPN peers with whom the TOE exchanges information, including VPN clients and VPN gateways
Protection of the TSF - The TOE provides secure transmission when TSF data is transmitted between separate parts of the TOE (encrypted sessions for remote administration (via SSHv2)). The TOE is also able to detect replay of information and/or operations. The detection applied to network packets that are terminated at the TOE, such as trusted communications between the administrators to TOE, IT entity (e.g., authentication server) to TOE. If replay is detected, the packets are discarded. In addition, the TOE internally maintains the date and time. This date and time is used as the timestamp that is applied to TOE generated audit records. Alternatively, an NTP server can be used to synchronize the clock.
TOE access - The TOE can terminate inactive sessions after an authorized administrator configurable time-period. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session. The TOE can also display a Security Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.
Intrusion Prevention Services - The 5915 ESR IOS software Intrusion Prevention System (IPS) operates as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When Cisco IOS IPS detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages stored in the local buffer and then offloaded to an external syslog server. The privileged administrator can configure Cisco IOS IPS to choose the appropriate response to various threats. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:
- Send an audit record to a syslog server or a management interface
- Drop the packet
- Reset the connection
- Deny traffic from the source IP address of the attacker for a specified amount of time
- Deny traffic on the connection for which the signature was seen for a specified amount of time
For inbound packets the IDS processing is done after IP ACLs and then VPN policies have been applied.