Compliant Product - Cisco 7600 Series of Routers
Certificate Date: 21 December 2012
Validation Report Number: CCEVS-VR-VID10494-2012
Product Type: Router
Conformance Claim: EAL2
PP Identifiers: None
CC Testing Lab: Leidos (formerly SAIC) Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is a hardware configuration of Cisco 7600 Series routers running IOS 15.1(3)S3 software. The evaluated hardware configurations consist of:
- One or more 7600 series chassis (7613, 7609-S, 7606-S, 7604 or 7603-S);
- One or more RSP720 Management Cards per chassis;
- One or more compatible line cards as identified in the Security Target;
- One VPN IPSec SPA (ws-ipsec-3) Line Card per chassis.
A Cisco 7600 Series Router is a routing platform used to construct IP networks by interconnecting multiple smaller networks or network segments. As a Layer 3 router, it supports routing of traffic based on tables identifying available routes, conditions, distance, and costs to determine the best route for a given packet. Routing protocols used by the TOE include BGP, RIPv2, and OSPFv2.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco 7600 Series Routers TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ALC_FLR.2 and ALC_DVS.1. The product, when configured as identified in the ST and the Cisco 7600 Series Routers Common Criteria Operational User Guidance and Preparative Procedures document, satisfies all of the security functional requirements stated in the Cisco 7600 Series Routers Security Target (Version 1.0). The project underwent three Validation Oversight Panel (VOR) reviews. The evaluation was completed in November 2012. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10494-2012, dated December 20, 2012) prepared by CCEVS.
The logical boundaries of Cisco 7600 Series Routers TOE are realized in the security functions that it implements. These security functions are realized at the network interfaces that service clients and via the administrator commands. Each of these security functions is summarized below:
The TOE generates audit messages that identify specific TOE operations. For each event, the TOE records the date and time of the event, the type of event, the subject identity, and the outcome of the event. Auditable events include: all use of the user identification mechanism; any use of the authentication mechanism; any change in the configuration of the TOE; any matching of packets to access control entries in access control lists (ACLs) when traversing the TOE; and any failure of a packet to match an ACL rule allowing traversal of the TOE. The TOE writes audit records to the local logging buffer by default and can be configured to send audit data via syslog to a remote audit server or to display it on the CLI console. These audit messages include a timestamp that can be provided by the TOE or by an optional NTP server in the operational environment.
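The logging behaviour described above (local buffer by default, optional remote syslog, console display, timestamps from the local clock or NTP, and audit records for logins and configuration changes) corresponds to a small set of IOS commands. The configuration below is an added illustration, not text from the validation report or from Cisco's Common Criteria guidance; the syslog server address, NTP server address and buffer size are assumed values.

```cisco
! Added example (not from the validation report or the CC guidance):
! IOS logging configuration matching the audit behaviour described above.
! Syslog server, NTP server and buffer size are assumed values.
!
! Stamp every audit message with date and time (with milliseconds)
service timestamps log datetime msec localtime show-timezone
! Local audit store: the logging buffer is on by default; size it explicitly
logging buffered 64000 informational
! Also display audit messages on the CLI console
logging console informational
! Forward audit records to a remote syslog collector (assumed address)
logging host 192.0.2.10
logging trap informational
! Record every successful and failed use of the login mechanism
login on-success log
login on-failure log
! Record every configuration change as an audit event, forwarded to syslog;
! hidekeys keeps passwords and keys out of the change records
archive
 log config
  logging enable
  notify syslog
  hidekeys
! Optional external time source for the timestamps (assumed address)
ntp server 192.0.2.20
```

The explicit `deny ... log` and `permit ... log` ACL entries that generate the packet-match audit events belong with the ACL configuration rather than here; with `logging trap informational` those messages are forwarded to the same collector.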
The TOE provides cryptography support for secure communications and protection of information when configured in FIPS mode. The crypto module is FIPS 140-2 SL2 validated with certificate number 1621. The cryptographic services provided by the TOE include: symmetric encryption and decryption using AES; cryptographic hashing using SHA1; keyed-hash message authentication using HMAC-SHA1, and IPSec for authentication and encryption services to prevent unauthorized viewing or modification of data as it travels over the external network. The TOE also implements SSHv2 for secure remote administration.
The TOE delivers VPN connections to remote entities using IPSEC. The VPN process includes remote device authentication, negotiation of specific cryptographic parameters for the session, and providing a secure connection to and from the remote device. For inbound or outbound connections with external IT entities that are capable of supporting VPN (e.g., a VPN Peer), the TOE will establish a secure connection. For other inbound or outbound traffic a secure connection will not be established.
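One way to express the VPN behaviour described above in IOS, as an added example that is not taken from the validation report or from Cisco's guidance: an IKEv1 policy that defines how the two peers authenticate each other, an IPsec transform set using the algorithms the report names (AES, SHA-1, HMAC-SHA-1), and a crypto map whose access list decides which traffic gets the secure connection. The peer and local addresses, protected subnets, pre-shared key and all object names are assumed.

```cisco
! Added example (not from the validation report or the CC guidance):
! IKEv1/IPsec tunnel to one VPN peer. Only traffic matching VPN-TRAFFIC is
! protected; all other traffic leaves the interface without a secure
! connection, as the text above describes. Addresses, key and names assumed.
!
! Phase 1 (IKEv1): mutual device authentication and session parameters
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key bound to the assumed peer address (placeholder value)
crypto isakmp key 0 EXAMPLE-PSK-CHANGE-ME address 198.51.100.5
!
! Phase 2 (IPsec): per-packet AES encryption and HMAC-SHA-1 integrity in ESP
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Which traffic is sent through the tunnel (assumed LAN subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 10.9.0.0 0.0.0.255
!
crypto map SITE-VPN 10 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set AES-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
! Apply the map on the interface facing the peer (assumed interface/address)
interface GigabitEthernet1/1
 ip address 203.0.113.1 255.255.255.0
 crypto map SITE-VPN
```

A peer whose address or IKE policy does not match simply gets no security association, so traffic to it falls under the interface ACLs rather than the tunnel.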
ACLs control whether routed IP packets are forwarded or blocked at the TOE interfaces that have been configured with IP addresses. The TOE examines each frame and packet to determine whether to forward or drop it, on the basis of criteria specified within the access lists applied to the interfaces through which the traffic would enter and leave the TOE. For those interfaces configured with Layer-3 addressing, the ACLs can be configured to filter IP traffic using: the source address of the traffic; the destination address of the traffic; and the layer 3 and 4 protocol identifier. Use of ACLs also allows remote administration connectivity to be restricted to specific interfaces of the TOE, so that sessions are accepted only from the approved management station addresses specified by the administrator.
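The following added example (not from the validation report or from Cisco's guidance) shows the two ACL uses described above in IOS: an extended ACL on an untrusted interface filtering by source address, destination address and protocol, with `log` entries so that both matches and the final non-match produce the audit records the report mentions, and a standard ACL applied with `access-class` so that remote administration sessions are accepted only from approved management stations. Addresses, interface names and ACL names are assumed.

```cisco
! Added example (not from the validation report or the CC guidance):
! interface ACL filtering plus management-station restriction.
! Addresses, interface and ACL names are assumed.
!
ip access-list extended OUTSIDE-IN
 ! Assumed VPN peer 198.51.100.5 may reach this router's outside address
 ! for IKE (UDP/500) and ESP; matches are logged as audit events
 permit udp host 198.51.100.5 host 203.0.113.1 eq isakmp log
 permit esp host 198.51.100.5 host 203.0.113.1 log
 ! HTTPS to an internal server (assumed) from anywhere
 permit tcp any host 10.0.0.80 eq 443 log
 ! The implicit deny is written out so that a packet failing every rule
 ! is recorded, not silently dropped
 deny ip any any log
!
! Entries are evaluated top to bottom; the first match decides
interface GigabitEthernet1/1
 description Untrusted uplink (assumed)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Only the approved management network may open an administration session
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Logged ACL entries are rate-limited by IOS, so the counters shown by `show access-lists` rather than the log alone should be used to confirm how often a rule matched.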
The TOE supports routing protocols including BGP, RIPv2, and OSPFv2 to maintain routing tables, or routing tables can be configured and maintained manually. The security of the routing protocols is beyond the scope of this evaluation. Refer to the preparative procedures and operational guidance for the most secure configuration of the supported routing protocols. Since routing tables are used to determine which egress ACL is applied, the authority to modify the routing tables is restricted to authenticated administrators and authenticated neighbor routers.
The TOE also ensures that packets transmitted from the TOE do not contain residual information from previous packets. Packets that are not the required length use zeros for padding so that residual data from previous traffic is never transmitted from the TOE.
The TOE allows VLAN connections to and from remote entities. The TOE provides the ability to identify the VLAN with which the network traffic is associated. The TOE then permits or denies the network traffic based on the VLANs configured on the interface where the network traffic is received or to which it is destined. This policy is applied after the Firewall policy.
Identification and Authentication
The TOE performs authentication, using Cisco IOS platform authentication mechanisms, to authenticate access to user EXEC and privileged EXEC command modes. All users wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services. Once a user attempts to access the management functionality of the TOE (via EXEC mode), the TOE prompts the user for a user name and password. Only after the administrative user presents the correct identification and authentication credentials will access to the TOE functionality be granted.
The TOE supports use of a remote AAA server (RADIUS and TACACS+) as the enforcement point for identifying and authenticating users, including login and password dialog, challenge and response, and messaging support. Encryption of the packet body is provided by the AAA protocol (note that RADIUS encrypts only the password within the packet body, while TACACS+ encrypts the entire packet body except the header).
The TOE can be configured to display an advisory banner when administrators log in and also to terminate administrator sessions after a configured period of inactivity.
The TOE also supports authentication of other routers using router authentication supported by BGP, RIPv2, and OSPFv2. Each of these protocols supports authentication by transmission of MD5-hashed password strings, which each neighbor router uses to authenticate others.
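The MD5 neighbor authentication mentioned above is configured differently for each protocol. The block below is an added example, not from the validation report or from Cisco's guidance, showing all three: OSPFv2 message-digest keys per interface, RIPv2 keys held in a key chain, and BGP's per-neighbor TCP MD5 password. Process and AS numbers, addresses, interface names and the key strings are assumed placeholders; each neighbor must be configured with the same key string or adjacency is refused.

```cisco
! Added example (not from the validation report or the CC guidance):
! MD5 neighbor authentication for OSPFv2, RIPv2 and BGP. Process/AS numbers,
! addresses, interface names and key strings are assumed placeholders.
!
! OSPFv2: message-digest authentication for the area, key attached per link
router ospf 1
 router-id 10.255.0.1
 area 0 authentication message-digest
 network 10.1.0.0 0.0.0.255 area 0
!
interface GigabitEthernet2/1
 ip address 10.1.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 OSPF-KEY-EXAMPLE
!
! RIPv2: keys live in a key chain; MD5 mode is selected per interface
key chain RIP-KEYS
 key 1
  key-string RIP-KEY-EXAMPLE
!
router rip
 version 2
 network 10.2.0.0
!
interface GigabitEthernet2/2
 ip address 10.2.0.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
! BGP: TCP MD5 signature per neighbor; both ends must hold the same password
router bgp 65000
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 password BGP-KEY-EXAMPLE
```

Key-chain entries can carry `accept-lifetime` and `send-lifetime` values, which is how RIPv2 keys are rotated without dropping the neighbor; OSPF allows a second `message-digest-key` to be added before the old one is removed for the same purpose.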
The TOE also performs device-level authentication of the remote device (VPN peers). Device-level authentication allows the TOE to establish a secure channel with a trusted peer. The secure channel is established only after each device authenticates itself. Device-level authentication is performed via IKE v1/IPSec v3 mutual authentication.
The TOE allows authorized administrators to add new administrators, create, modify, or delete configuration details such as interface parameters and ACLs, and to modify and set the time and date.
The TOE router platform maintains privileged and semi-privileged administrator roles. The TOE performs role-based authorization, using TOE platform authorization mechanisms, to grant access to the semi-privileged and privileged roles. For the purposes of this evaluation, the privileged role is equivalent to full administrative access to the CLI, which is the default access for IOS privilege level 15 (which has all privileges on the box); the semi-privileged role equates to any privilege level that has a subset of the privileges assigned to level 15. Privilege levels 0 and 1 are defined by default and are customizable, while levels 2-14 are undefined by default and are also customizable. The term “authorized administrator” is used in this ST to refer to any user who has been assigned a privilege level permitted to perform the relevant action and who therefore has the appropriate privileges to perform the requested functions.
The TOE also supports external IT entities. These external IT entities are peer routers that pass network control information (e.g., routing tables) to the TOE. Also included are any other VPN peers with whom the TOE exchanges information, including VPN clients and VPN gateways.
Protection of the TSF
The TOE provides secure transmission when TSF data is transmitted between separate parts of the TOE (encrypted sessions for remote administration via SSHv2). The TOE is also able to detect replay of information and/or operations. The detection applies to network packets that are terminated at the TOE, such as trusted communications from administrators to the TOE and from IT entities (e.g., an authentication server) to the TOE. If replay is detected, the packets are discarded. In addition, the TOE internally maintains the date and time. This date and time is used as the timestamp that is applied to TOE-generated audit records. Alternatively, an NTP server can be used to synchronize the clock.
Finally, the TOE performs testing to verify correct operation of the router itself and that of the cryptographic module.
The TOE can terminate inactive sessions after an authorized administrator configurable time-period. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.
The TOE can also display a Security Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.
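The identification and authentication functions described in this section (login against a remote AAA server with local fallback, a privileged level-15 role beside a semi-privileged custom level, SSHv2-only remote administration, the inactivity timeout, and the pre-login banner) can be put together in one IOS configuration. The block below is an added example, not from the validation report or from Cisco's guidance; server addresses, shared secrets, account names, the chosen semi-privileged level, the domain name and the timeout value are all assumed.

```cisco
! Added example (not from the validation report or the CC guidance):
! administrator identification and authentication. Server addresses,
! secrets, usernames, level number, domain name and timeouts are assumed.
!
hostname router7600
ip domain-name example.test
! SSHv2 only; the host key is generated once at the privileged prompt with
! "crypto key generate rsa modulus 2048" before SSH will accept sessions
ip ssh version 2
!
! Remote AAA: try TACACS+, then RADIUS, then the local user database
aaa new-model
tacacs-server host 192.0.2.30 key EXAMPLE-TACACS-SECRET
radius-server host 192.0.2.31 auth-port 1812 acct-port 1813 key EXAMPLE-RADIUS-SECRET
aaa authentication login ADMIN-LOGIN group tacacs+ group radius local
aaa authorization exec ADMIN-EXEC group tacacs+ local
!
! Privileged role (level 15) and an assumed semi-privileged role (level 5)
username admin privilege 15 secret EXAMPLE-ADMIN-PASSWORD
username helpdesk privilege 5 secret EXAMPLE-HELPDESK-PASSWORD
enable secret level 5 EXAMPLE-LEVEL5-ENABLE
! Level 5 may clear interface counters and shut/no-shut interfaces;
! everything not listed here stays at level 15
privilege exec level 5 clear counters
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
!
! Advisory banner displayed before the username prompt
banner login ^
Authorized administrators only. All activity on this system is audited.
^
!
! Inactivity timeout (minutes seconds); an expired session must log in again
line console 0
 login authentication ADMIN-LOGIN
 exec-timeout 10 0
line vty 0 4
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 exec-timeout 10 0
 transport input ssh
```

With `aaa new-model` active, the `local` keyword at the end of the method lists is what keeps the console usable if both AAA servers are unreachable; without it, a server outage locks out every administrator.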