Cisco ASR 1000 Series, ASR 1001, ASR 1002X, ASR 1001X, ASR 1004 Common Criteria Operational User Guidance And Preparative Procedures

...
Cisco Aggregation Services Router (ASR) 1000 Series
Common Criteria Operational User Guidance And Preparative Procedures
Version 0.4
Page 2 of 72
Table of Contents
1 Introduction ............................................................................................................................. 7
1.1 Audience ......................................................................................................................... 7
1.2 Purpose ............................................................................................................................ 7
1.3 Document References ..................................................................................................... 7
1.4 Supported Hardware and Software ................................................................................. 9
1.5 Operational Environment ................................................................................................ 9
1.5.1 Supported non-TOE Hardware/Software/Firmware ................................................... 9
1.6 Excluded Functionality ................................................................................................. 10
2 Secure Acceptance of the TOE ............................................................................................. 11
3 Secure Installation and Configuration .................................................................................. 16
3.1 Physical Installation ...................................................................................................... 16
3.2 Initial Setup via Direct Console Connection ................................................................ 16
3.2.1 Options to be chosen during the initial setup of the ASR ......................................... 16
3.2.2 Saving Configuration ................................................................................................ 16
3.2.3 Enabling FIPS Mode ................................................................................................. 17
3.2.4 Administrator Configuration and Credentials ........................................................... 17
3.2.5 Session Termination.................................................................................................. 17
3.2.6 User Lockout ............................................................................................................. 18
3.3 Network Protocols and Cryptographic Settings ............................................................ 19
3.3.1 Remote Administration Protocols ............................................................................. 19
3.3.2 Authentication Server Protocols ............................................................................... 20
3.3.3 Logging Configuration.............................................................................................. 20
3.3.4 Logging Protection.................................................................................................... 22
3.3.5 Base Firewall Rule set Configuration ....................................................................... 24
3.3.6 Routing Protocols...................................................................................................... 26
3.3.7 MACSEC and MKA Configuration.......................................................................... 26
4 Secure Management .............................................................................................................. 27
4.1 User Roles ..................................................................................................................... 27
4.2 Passwords ...................................................................................................................... 27
4.3 Clock Management ....................................................................................................... 30
4.4 Identification and Authentication ................................................................................. 30
4.5 Login Banners ............................................................................................................... 30
4.6 Virtual Private Networks (VPN) ................................................................................... 30
4.6.1 IPsec Overview ......................................................................................................... 30
4.6.2 IPsec Transforms and Lifetimes ............................................................................... 34
4.6.3 NAT Traversal .......................................................................................................... 36
4.6.4 X.509 Certificates ..................................................................................................... 36
4.6.5 Information Flow Policies......................................................................................... 41
4.6.6 IPsec Session Interruption/Recovery ......................................................................... 42
4.7 Product Updates ............................................................................................................ 43
4.8 Configure Reference Identifier ..................................................................................... 43
5 Security Relevant Events ...................................................................................................... 45
5.1 Deleting Audit Records................................................................................................. 62
6 Network Services and Protocols ........................................................................................... 63
7 Modes of Operation .............................................................................................................. 67
8 Security Measures for the Operational Environment............................................................ 70
9 Related Documentation ......................................................................................................... 71
9.1 World Wide Web .......................................................................................................... 71
9.2 Ordering Documentation .............................................................................................. 71
9.3 Documentation Feedback.............................................................................................. 71
10 Obtaining Technical Assistance ............................................................................................ 72
List of Tables
Table 1: Acronyms .......................................................................................................................... 5
Table 2: Cisco Documentation....................................................................................................... 7
Table 3: Operational Environment Components ............................................................................ 9
Table 4: Excluded Functionality .................................................................................................. 10
Table 5: TOE External Identification .......................................................................................... 11
Table 6: Evaluated Software Images ........................................................................................... 13
Table 7: Auditable Events ............................................................................................................. 46
Table 8: Auditable Administrative Events .................................................................................... 55
Table 8: Protocols and Services .................................................................................................... 63
Table 9: Operational Environment Security Measures ................................................................ 70
List of Acronyms
The following acronyms and abbreviations are used in this document:
Table 1: Acronyms
Acronym / Abbreviation | Definition
AAA | Administration, Authorization, and Accounting
AES | Advanced Encryption Standard
ASR | Aggregation Services Router
EAL | Evaluation Assurance Level
FIPS | Federal Information Processing Standards
HTTPS | Hyper-Text Transport Protocol Secure
IP | Internet Protocol
NTP | Network Time Protocol
RADIUS | Remote Authentication Dial In User Service
SSHv2 | Secure Shell (version 2)
TCP | Transport Control Protocol
TOE | Target of Evaluation
DOCUMENT INTRODUCTION
Prepared By:
Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA 95134
This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Aggregation Services Router (ASR) 1000 Series (ASR). This Operational User Guidance with Preparative Procedures addresses the administration of the TOE software and hardware and describes how to install, configure, and maintain the TOE in the Common Criteria evaluated configuration. Administrators of the TOE will be referred to as administrators, authorized administrators, TOE administrators, semi-privileged administrators, and privileged administrators in this document.
1 Introduction
This Operational User Guidance with Preparative Procedures documents the administration of the Aggregation Services Router (ASR) 1000 Series (ASR), the TOE, as it was certified under Common Criteria. The Aggregation Services Router (ASR) 1000 Series (ASR) may be referred to below by its model number series (e.g. ASR 1000), as the TOE, or simply as the router.
1.1 Audience
This document is written for administrators configuring the TOE. It assumes that you are familiar with the basic concepts and terminology used in internetworking, that you understand your network topology and the protocols the devices in your network can use, that you are a trusted individual, and that you are trained to use the operating systems on which you run your network.
1.2 Purpose
This document is the Operational User Guidance with Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and administrator functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration. This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining ASR operations. All security relevant commands to manage the TSF data are provided within this documentation within each functional section.
1.3 Document References
This document makes reference to several Cisco Systems documents. The documents used are shown below in Table 2. Throughout this document, the guides will be referred to by the #, such as [1].
Table 2: Cisco Documentation
# | Title | Link
[1] | Loading and Managing System Images Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-mgmt/configuration/xe-16/sysimgmgmt-xe-16-book.html
[2] | Cisco ASR 1000 Series Router Hardware Installation Guide, July 2013, OL-13208-11 | http://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/asr1routers/asr1higV8.html
[3] | Configuration Fundamentals Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/configuration/xe-16/fundamentals-xe-16-book.html
[4] | Using Setup Mode to Configure a Cisco Networking Device | http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_setup.html
[6] | Cisco ASR 1000 Series Aggregation Services Routers SIP and SPA Software Configuration Guide | http://www.cisco.com/c/en/us/td/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/asr1000-sip-spa-book.html
[8] | Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide | http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/asrswcfg.html
[10] | Cisco IOS Security Command Reference | http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/reference/cf_book.html
[15] | Basic System Management Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/xe-16/bsm-xe-16-book.html
[17] | RADIUS Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16/sec-usr-rad-xe-16-book.html
[18] | FlexVPN and Internet Key Exchange Version 2 Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-16/sec-flex-vpn-xe-16-book.html
[19] | Authentication, Authorization, and Accounting Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16/sec-usr-aaa-xe-16-book.html
[20] | Cisco ASR 1001-X Router Hardware Installation Guide | http://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/1001-x/asr1hig-book.html
[21] | IP Addressing: NAT Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book.html
[22] | Public Key Infrastructure Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-16/sec-pki-xe-16-book.html
[23] | IPsec Data Plane Configuration Guide | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book.html
[24] | MACSEC and MKA Configuration Guide | http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16/macsec-xe-16-book.html
1.4 Supported Hardware and Software
Only the hardware and software listed in section 1.5 of the Security Target (ST) is compliant with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the secure configuration. Likewise, using any software version other than the evaluated software listed in the ST will invalidate the secure configuration. The TOE is a hardware and software solution that makes up the router models as follows: Chassis: ASR 1001, ASR 1001X, ASR 1002, ASR 1002X, ASR 1004, ASR 1006, ASR 1013; Embedded Services Processors (ESPr): ESPr5, ESPr10, ESPr20, ESPr40, ESPr100, ESPr200; Route Processor (RP): RP1, RP2. The network on which they reside is considered part of the environment. The software comes pre-installed and is comprised of the Cisco IOS-XE software image Release 16.3.2.
1.5 Operational Environment
1.5.1 Supported non-TOE Hardware/Software/Firmware
The TOE supports (in some cases optionally) the following hardware, software, and firmware in its environment:
Table 3: Operational Environment Components
Component | Required | Usage/Purpose Description for TOE performance
RADIUS AAA Server | No | This includes any IT environment RADIUS AAA server that provides single-use authentication mechanisms. The TOE correctly leverages the services provided by this RADIUS AAA server to provide single-use authentication to administrators.
Management Workstation with SSH client | Yes | This includes any IT Environment Management workstation with a SSH client installed that is used by the TOE administrator to support TOE administration through SSH protected channels. Any SSH client that supports SSHv2 may be used.
Local Console | Yes | This includes any IT Environment Console that is directly connected to the TOE via the Serial Console Port and is used by the TOE administrator to support TOE administration.
Certification Authority (CA) | Yes | This includes any IT Environment Certification Authority on the TOE network. This can be used to provide the TOE with a valid certificate during certificate enrollment.
Remote VPN Gateway/Peer | Yes | This includes any VPN peer with which the TOE participates in VPN communications. Remote VPN Endpoints may be any device that supports IPsec VPN communications.
NTP Server | No | The TOE supports communications with an NTP server in order to synchronize the date and time on the TOE with the NTP server’s date and time. A solution must be used that supports secure communications with up to a 32 character key.
Audit (syslog) Server | Yes | This includes any syslog server to which the TOE would transmit syslog messages.
Another instance of the TOE | No | Includes “another instance of the TOE” that would be installed in the evaluated configuration, and likely administered by the same personnel. Used as a VPN peer.
1.6 Excluded Functionality
Table 4: Excluded Functionality
Excluded Functionality | Exclusion Rationale
Non-FIPS 140-2 mode of operation on the router. | This mode of operation includes non-FIPS allowed operations.
These services will be disabled by configuration. The exclusion of this functionality does not affect compliance to the U.S. Government Protection Profile for Security Requirements for Network Devices.
2 Secure Acceptance of the TOE
In order to ensure the correct TOE is received, the TOE should be examined to ensure that it has not been tampered with during delivery.
Verify that the TOE software and hardware were not tampered with during delivery by performing the following actions:
Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 2 Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box.
Step 4 Note the serial number of the TOE on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the device. Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/FAX or other online tracking service.
Step 6 Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). Also verify that the unit has the following external identification as described in Table 5 below.
Table 5: TOE External Identification
Product Name | Model Number | External Identification
ASR Series | 1001X | CISCO 1001X
ASR Series | 1001HX | CISCO 1001HX
ASR Series | 1002X | CISCO 1002X
ASR Series | 1002HX | CISCO 1002HX
ASR Series | 1004 | CISCO 1004
ASR Series | 1006 | CISCO 1006
ASR Series | 1006X | CISCO 1006X
ASR Series | 1009X | CISCO 1009X
ASR Series | 1013 | CISCO 1013
Step 7 Approved methods for obtaining Common Criteria evaluated software images:
Download the Common Criteria evaluated software image file from Cisco.com onto a trusted computer system. Software images are available from Cisco.com at the following: http://www.cisco.com/cisco/software/navigator.html.
The TOE ships with the correct software images installed.
Step 8 Once the file is downloaded, verify that it was not tampered with by using an SHA-1 utility to compute a SHA-1 hash for the downloaded file and comparing this with the SHA-1 hash for the image listed in Table 6 below. If the SHA-1 hashes do not match, contact the Cisco Technical Assistance Center (TAC): https://tools.cisco.com/ServiceRequestTool/create/launch.do.
Step 9 Install the downloaded and verified software image onto your ASR as described in [1] (Configure > Configuration Guides > System Management > Loading and Managing System Images Configuration Guide).
Start your ASR as described in [2] and [20], Cisco ASR 1000 Series Routers Power Up and Initial Configuration, “Powering Up the Cisco ASR 1000 Series Routers”. Confirm that your ASR loads the image correctly, completes internal self-checks and displays the cryptographic export warning on the console.
Step 10 The end-user must confirm once the TOE has booted that they are indeed running the evaluated version. Use the “show version” command [3] to display the currently running system image filename and the system software release version. An authorized administrator can verify the TOE software image through reloading of the TOE or via the ‘verify’ command. See Table 6 below for the detailed hash value that must be checked to ensure the software has not been modified in any way.
Table 6: Evaluated Software Images
Platform | Image Name | Hash
ASR 1001X | asr1001x-universalk9.16.03.02.SPA.bin
  MD5: fa13528532ea51d5f242ecafe200d118
  SHA-512: 247cdad2a7bc31940f30379999aab3c225748154ed0881273f3ec6dbef3cd5aa36501670022d6941b6525e44d94625a2a714f05a5c56b23b1e0417d935a20c43
ASR 1001HX | asr1000-universalk9.16.03.02.SPA.bin
  MD5: 785b1f2089e8b93dcc5db4120c981e66
  SHA-512: fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51a9ff8c756758446f0938ae4f837240c2
ASR 1002X | asr1002x-universalk9.16.03.02.SPA.bin
  MD5: 8fca93734b7882cf8a4cf05a783c970a
  SHA-512: 1fbd63a356bd7b43cb3f11877e97e882cff78c999b57688ba044fdf4d70ccc0140a5881dc7591dee0a4595e10120c7d10518f7040fbfeeff8ef2ee6167bcb20c
ASR 1002HX | asr1000-universalk9.16.03.02.SPA.bin
  MD5: 785b1f2089e8b93dcc5db4120c981e66
  SHA-512: fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51a9ff8c756758446f0938ae4f837240c2
ASR 1004 | asr1000rpx86-universalk9.16.03.02.SPA.bin
  MD5: d612372c7dca15859f065c98ef1a3287
  SHA-512: 69af51342e562cbd874ec65895c8d9082f514169806ef108f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c9921e59866ecf38c5a33d801c11c59367093
ASR 1006 | asr1000rpx86-universalk9.16.03.02.SPA.bin
  MD5: d612372c7dca15859f065c98ef1a3287
  SHA-512: 69af51342e562cbd874ec65895c8d9082f514169806ef108f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c9921e59866ecf38c5a33d801c11c59367093
ASR 1006X | asr1000rpx86-universalk9.16.03.02.SPA.bin
  MD5: d612372c7dca15859f065c98ef1a3287
  SHA-512: 69af51342e562cbd874ec65895c8d9082f514169806ef108f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c9921e59866ecf38c5a33d801c11c59367093
ASR 1009X | asr1000rpx86-universalk9.16.03.02.SPA.bin
  MD5: d612372c7dca15859f065c98ef1a3287
  SHA-512: 69af51342e562cbd874ec65895c8d9082f514169806ef108f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c9921e59866ecf38c5a33d801c11c59367093
ASR 1013 | asr1000rpx86-universalk9.16.03.02.SPA.bin
  MD5: d612372c7dca15859f065c98ef1a3287
  SHA-512: 69af51342e562cbd874ec65895c8d9082f514169806ef108f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c9921e59866ecf38c5a33d801c11c59367093
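To make the comparison Steps 8 and 10 call for, here is an added Python helper (written for this page, not Cisco's code) that parses one Table 6 hash cell, rejoins a SHA-512 value that PDF extraction split into fragments, length-checks both digests, and compares them with the digests computed over a downloaded image file. The sample cell is constructed in the table's layout from the published MD5 and SHA-512 test-vector digests of the three-byte input b"abc"; in use, substitute the image bytes and the Table 6 row for the platform.

```python
import hashlib
import re

# Digest lengths in hex characters for the two algorithms Table 6 lists.
DIGEST_HEX_LEN = {"md5": 32, "sha512": 128}


def parse_hash_cell(cell: str) -> dict:
    """Parse one 'Hash' cell of Table 6 into {"md5": ..., "sha512": ...}.

    The cell reads 'MD5: <32 hex> SHA-512: <128 hex>', but extraction breaks
    the SHA-512 value across lines and inserts spaces, so each value is
    re-joined from its fragments and then checked for length and charset.
    """
    # Split into labelled segments: ['', 'MD5', '<value>', 'SHA-512', '<value>']
    parts = re.split(r"(MD5|SHA-512)\s*:", cell)
    digests = {}
    for label, value in zip(parts[1::2], parts[2::2]):
        algo = label.lower().replace("-", "")        # "md5" / "sha512"
        hexdigest = "".join(value.split()).lower()   # drop line-break spaces
        if not re.fullmatch(r"[0-9a-f]+", hexdigest):
            raise ValueError(f"{label} value contains non-hex characters")
        if len(hexdigest) != DIGEST_HEX_LEN[algo]:
            raise ValueError(
                f"{label} value has {len(hexdigest)} hex chars, expected "
                f"{DIGEST_HEX_LEN[algo]}; a fragment is probably missing")
        digests[algo] = hexdigest
    if set(digests) != set(DIGEST_HEX_LEN):
        raise ValueError("cell must carry both an MD5 and a SHA-512 value")
    return digests


def verify_image(image_bytes: bytes, expected: dict) -> dict:
    """Compute MD5 and SHA-512 over the image and compare with the Table 6 values.

    Returns {"md5": bool, "sha512": bool}. The SHA-512 result is the one to
    rely on; MD5 is reported only because Table 6 lists it.
    """
    return {
        "md5": hashlib.md5(image_bytes).hexdigest() == expected["md5"],
        "sha512": hashlib.sha512(image_bytes).hexdigest() == expected["sha512"],
    }


def image_is_evaluated(image_bytes: bytes, cell: str) -> bool:
    """True only if the SHA-512 digest matches the parsed Table 6 entry."""
    return verify_image(image_bytes, parse_hash_cell(cell))["sha512"]


# Constructed sample cell in the exact layout of Table 6, using the published
# test-vector digests of b"abc" in place of a real image's digests.
SAMPLE_CELL = (
    "MD5: 900150983cd24fb0d6963f7d28e17f72 SHA-512:\n"
    "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea2 "
    "0a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd "
    "454d4423643ce80e2a9ac94fa54ca49f"
)

if __name__ == "__main__":
    # To check a real download: open(path, "rb").read() in place of b"abc".
    print(verify_image(b"abc", parse_hash_cell(SAMPLE_CELL)))   # both True
    print(verify_image(b"abd", parse_hash_cell(SAMPLE_CELL)))   # both False
```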
3 Secure Installation and Configuration
3.1 Physical Installation
Follow the Cisco ASR 1000 Series Router Hardware Installation Guide, [2] and [20] for hardware installation instructions.
3.2 Initial Setup via Direct Console Connection
The ASR must be given basic configuration via console connection prior to being connected to any network.
3.2.1 Options to be chosen during the initial setup of the ASR
When you run the “setup” command, or after initially turning on the router, you are free to choose answers that fit your policies with the exception of the following values.
1 – Enable Secret – Must adhere to the password complexity requirements. Note that this setting can be confirmed after “setup” is complete by examining the configuration file for “enable secret 5 …”. [4] Configure > Configuration Guides > System Management > Using Setup Mode to Configure a Cisco Networking Device, subsection “Using the System Configuration Dialog to Create an Initial Configuration File”.
2 – Enable Password – Must adhere to the password complexity requirements. Note that this must be set to something different than the enable secret during “setup”; however, after setup this will not be used within the evaluated configuration. [10] Reference Guides > Command References > Security and VPN, see manual Cisco IOS Security Command Reference: Commands D to L.
3 – Virtual Terminal Password – Must adhere to the password complexity requirements. Note that securing the virtual terminal (or vty) lines with a password in the evaluated configuration is suggested. This password allows access to the device through only the console port. Later in this guide steps will be given to allow ssh into the vty lines. [4] Configure > Configuration Guides > System Management > Using Setup Mode to Configure a Cisco Networking Device, subsection “Using the System Configuration Dialog to Create an Initial Configuration File”.
4 – Configure SNMP Network Management – NO (this is the default). Note that this setting can be confirmed after “setup” is complete by examining the configuration file to ensure that there is no “snmp-server” entry. [4] Configure > Configuration Guides > System Management > Using Setup Mode to Configure a Cisco Networking Device, subsection “Using the System Configuration Dialog to Create an Initial Configuration File”.
3.2.2 Saving Configuration
IOS uses both a running configuration and a startup configuration. Configuration changes affect the running configuration; to save them, the running configuration (held in memory) must be copied to the startup configuration. This may be achieved either with the write memory command [3] or with the copy system:running-config nvram:startup-config command [3] under section “C commands” (Note: a shorthand version of the command is copy run start). These commands should be used frequently when making changes to the configuration of the Router. If the Router reboots and resumes operation while uncommitted changes have been made, these changes will be lost and the Router will revert to the last saved configuration.
3.2.3 Enabling FIPS Mode
The TOE must be run in the FIPS mode of operation. The use of the cryptographic engine in any other mode was not evaluated nor tested during the CC evaluation of the TOE. This is done by setting the following in the configuration:
The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the ROMMON command line enter the following:
confreg 0x0102 [3] under section “C commands”
The self-tests for the cryptographic functions in the TOE are run automatically during power-on as part of the POST. The same POST self-tests for the cryptographic operations can also be executed manually at any time by the privileged administrator using the command:
test crypto self-test [10] Cisco IOS Security Command Reference: Commands S to Z
3.2.4 Administrator Configuration and Credentials
The ASR must be configured to use a username and password for each administrator and one password for the enable command. Ensure all passwords are stored encrypted by using the following command:
service password-encryption [10] Cisco IOS Security Command Reference: Commands S to Z
Configure local AAA authentication and authorization:
aaa authentication login default local [10] Cisco IOS Security Command Reference: Commands A to C
aaa authorization exec default local [10] Cisco IOS Security Command Reference: Commands A to C
When creating administrator accounts, all individual accounts are to be set to a privilege level of one. This is done by using the following commands:
username <name> password <password> [10] Cisco IOS Security Command Reference: Commands S to Z
to create a new username and password combination, and
username <name> privilege 1 [10] Cisco IOS Security Command Reference: Commands S to Z
to set the privilege level of <name> to 1.
3.2.5 Session Termination
Inactivity settings must trigger termination of the administrator session. These settings are configurable by setting
line vty <first> <last> [2] and [20] under section “Configuring Virtual Terminal Lines for Remote Console Access”
exec-timeout <time> [10] System Management > Cisco IOS Configuration Fundamentals Command Reference, section D through E
line console [19] under section “Configuring Line Password Protection”
exec-timeout <time>
To save these configuration settings to the startup configuration:
copy run start [3] under section “C commands”
where first and last are the range of vty lines on the box (i.e. “0 4”), and time is the period of inactivity after which the session should be terminated. Configuration of these settings is limited to the privileged administrator (see Section 4.1). These settings are not immediately activated for the current session. The current line console session must be exited. When the user logs back in, the inactivity timer will be activated for the new session.
3.2.6 User Lockout
User accounts must be configured to lock out after a specified number of authentication failures:
TOE-common-criteria(config)# aaa local authentication attempts max-fail [number of failures]
where number of failures is the number of consecutive failures that will trigger locking of the account. Configuration of these settings is limited to the privileged administrator (see Section 4.1). Related commands:
clear aaa local user fail-attempts – Clears the unsuccessful login attempts of the user.
clear aaa local user lockout username [username] – Unlocks the locked-out user.
show aaa local user lockout – Displays a list of all locked-out users.
Note: this lockout only applies to privilege 14 users and below.
Note: this applies to consecutive failures, and is not affected by the SSH or Telnet session disconnections after their default number of failures. In other words, if this lockout command is set to 5 failures, and SSH disconnects after 3 failed attempts, if the user attempts another SSH session and enters the wrong credentials two additional times, the account will lock.
3.3 Network Protocols and Cryptographic Settings
3.3.1 Remote Administration Protocols
All TOE administration must be performed through an IPsec tunnel. However, it is recommended that the interactive interface be over SSH. The following method is used to configure SSH for use in a secure manner.
To only allow ssh for remote administrator sessions, use the transport input ssh command. This command disables telnet by only allowing ssh connections for remote administrator access.
3.3.1.1 Steps to configure SSH on router: [10] Cisco IOS Security Command Reference Guides
1. Generate RSA or ECDSA key material – choose a longer modulus length for the evaluated configuration (i.e., 2048 for RSA and 256 or 384 for ECDSA):
TOE-common-criteria(config)# crypto key generate rsa
How many bits in the modulus [512]: 2048
or
TOE-common-criteria(config)# crypto key generate ec keysize [256 or 384]
RSA and ECDSA keys are generated in pairsone public key and one private key. This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Note: Only one set of keys can be configured using the crypto key generate command at a time. Repeating the command overwrites the old keys.
Note: If the configuration is not saved to NVRAM with a “copy run start”, the generated keys are lost on the next reload of the router.
Note: If the error “% Please define a domain-name first” is received, enter the command ip domain-name [domain name]’.
Note: to delete a key, an administrator may use the crypto key zeroize <label> command.
2. Enable ssh:
TOE-common-criteria# ip ssh authentication-retries 2
3. Configure the ssh timeout:
TOE-common-criteria# ip ssh time-out 60
4. Set to use SSH v2:
TOE-common-criteria# ip ssh version 2
5. Ensure that the product is configured not to support diffie-hellman-group1-sha1 key exchange, using the command ‘ip ssh dh min size 2048’:
TOE-common-criteria(config)# ip ssh dh min size 2048
6. Configure vty lines to accept ‘ssh’ login services:
TOE-common-criteria(config-line)# transport input ssh
7. Configure a SSH client to support only the following specific encryption algorithms:
o AES-CBC-128
o AES-CBC-256
peer#ssh -l cisco -c aes128-cbc 1.1.1.1
peer#ssh -l cisco -c aes256-cbc 1.1.1.1
8. Configure a SSH client to support message authentication. Only the following MACs are allowed, and “None” for MAC is not allowed:
a. hmac-sha1-96
b. hmac-sha1
peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1
9. Configure the SSH time-based rekey and volume-based rekey values (values can be configured to be lower than the default values if a shorter interval is desired):
a. ip ssh rekey time 60
b. ip ssh rekey volume 1000000
HTTP and HTTPS servers were not evaluated and must be disabled:
no ip http server
no ip http secure-server
SNMP server was not evaluated and must be disabled:
no snmp-server
3.3.2 Authentication Server Protocols
RADIUS (outbound) for authentication of TOE administrators to remote authentication servers is disabled by default but should be enabled by administrators in the evaluated configuration.
o To configure RADIUS refer to [17]: under Configure, click Configuration Guides > Security, Services, and VPN > Securing User Services Configuration Guide Library > Authentication, Authorization, and Accounting (AAA) Configuration Guide > Configuring Authentication > How to Configure AAA Authentication Methods > Configuring Login Authentication Using AAA > Login Authentication Using Group RADIUS. Use best practices for the selection and protection of a key to ensure that the key is not easily guessable and is not shared with unauthorized users.
This protocol is to be tunneled over an IPsec connection in the evaluated configuration. The instructions for setting up this communication are the same as those for protecting communications with a syslog server, detailed in Section 3.3.4 below.
3.3.3 Logging Configuration
Logging of command execution must be enabled (see [10] Cisco IOS Configuration Fundamentals Command Reference and Cisco IOS Debug Command References):
1. Logging of command execution must be enabled:
TOE-common-criteria(config)#no logging console
TOE-common-criteria(config)#archive
TOE-common-criteria(config-archive)#log config
TOE-common-criteria(config-archive-log-cfg)#logging enable
TOE-common-criteria(config-archive-log-cfg)#hidekeys
TOE-common-criteria(config-archive-log-cfg)# logging size <1000>   ! Increases queue size for messages to be sent to syslogd
TOE-common-criteria(config-archive-log-cfg)#notify syslog
TOE-common-criteria(config-archive-log-cfg)#exit
TOE-common-criteria(config-archive)#exit
2. Add year to the timestamp:
TOE-common-criteria(config)# service timestamps log datetime year
TOE-common-criteria(config)# service timestamps debug datetime year
3. Enable any required debugging. Debugging is needed for radius (if used), isakmp (if using ikev1), ipsec, ikev2 (if using ikev2), and ntp to generate the events required in the Security Target; however, administrators should use discretion when enabling a large number of debugs on an on-going basis:
TOE-common-criteria# debug radius authentication
TOE-common-criteria# debug crypto isakmp
TOE-common-criteria# debug crypto ipsec
TOE-common-criteria# debug crypto ikev2
TOE-common-criteria# debug ntp all
TOE-common-criteria# debug crypto pki server
4. Set the size and severity of the local logging buffer. The local logging buffer size can be configured from a range of 4096 (default) to 2,148,483,647 bytes. Do not make the buffer size too large, because the TOE could run out of memory for other tasks. It is recommended to set it to at least 150000000:
TOE-common-criteria(config)# logging buffer 150000000
TOE-common-criteria(config)# logging buffer debug
5. To generate logging messages for failed and successful login attempts in the evaluated configuration, issue the login on-failure and login on-success commands:
TOE-common-criteria(config)#login on-failure log
TOE-common-criteria(config)#login on-success log
6. To configure the logs to be sent to a syslog server:
TOE-common-criteria(config)# logging host <ip address of syslog server>
Ex. TOE-common-criteria(config)# logging host 192.168.202.169
7. To specify the severity level for logging to the syslog host, use the logging trap command. Level 7 will send all logs required in the evaluation up to the debug level logs (as enabled in step 3 above) to the syslog server:
TOE-common-criteria(config)# logging trap 7
WARNING: this setting has the ability to generate a large number of events that could affect the performance of your device, network, and syslog host.
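As an added illustration (not part of this guidance and not a Cisco tool), the following Python script checks a saved "show running-config" text against the SSH and HTTP/SNMP settings of Section 3.3.1 and the logging settings of Section 3.3.3. The two embedded running-configs are constructed samples, and the rule list is this editor's reading of those sections rather than an official compliance test.

```python
"""Audit a saved IOS running-config against the remote-administration (3.3.1)
and logging (3.3.3) settings.  Added example: the two configs below are
constructed samples and the rule list is an editor's reading of the text."""
import re

# Global-configuration lines that must be present exactly as shown.
REQUIRED_GLOBAL = [
    "ip ssh version 2",
    "ip ssh dh min size 2048",       # rules out diffie-hellman-group1-sha1
    "ip ssh authentication-retries 2",
    "ip ssh time-out 60",
    "no ip http server",             # HTTP/HTTPS servers were not evaluated
    "no ip http secure-server",
    "login on-failure log",
    "login on-success log",
    "service timestamps log datetime year",
    "service timestamps debug datetime year",
    "logging trap 7",
]
FORBIDDEN_GLOBAL = ["ip http server", "ip http secure-server", "ip ssh version 1"]
ARCHIVE_REQUIRED = ("log config", "logging enable", "hidekeys", "notify syslog")
MIN_LOG_BUFFER = 150000000           # recommended local logging buffer size

def parse_config(text):
    """Return (global_lines, blocks): blocks maps each top-level header such
    as 'line vty 0 4' to its indented child lines (sub-modes flattened)."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                  # blank line or comment
        line = " ".join(raw.split())                  # normalise whitespace
        if raw[0] in " \t":                           # indented: child line
            if current is not None:
                blocks[current].append(line)
        else:
            global_lines.append(line)
            current = line
            blocks.setdefault(current, [])
    return global_lines, blocks

def audit(text):
    """Return a sorted list of findings; an empty list means all checks passed."""
    global_lines, blocks = parse_config(text)
    present = set(global_lines)
    findings = [f"missing: {c}" for c in REQUIRED_GLOBAL if c not in present]
    findings += [f"forbidden: {c}" for c in FORBIDDEN_GLOBAL if c in present]
    if any(l.startswith("snmp-server") for l in global_lines):
        findings.append("forbidden: snmp-server (SNMP was not evaluated)")
    if not any(re.match(r"logging host \S+", l) for l in global_lines):
        findings.append("missing: logging host <syslog server>")
    sizes = [int(m.group(1)) for m in
             (re.match(r"logging buffer(?:ed)? (\d+)", l) for l in global_lines) if m]
    if not sizes or max(sizes) < MIN_LOG_BUFFER:
        findings.append(f"logging buffer below recommended {MIN_LOG_BUFFER} bytes")
    vty = [(h, b) for h, b in blocks.items() if h.startswith("line vty")]
    if not vty:
        findings.append("missing: line vty configuration")
    for header, body in vty:                          # telnet must be refused
        if "transport input ssh" not in body:
            findings.append(f"{header}: transport input must be restricted to ssh")
    archive = blocks.get("archive", [])
    findings += [f"archive: missing '{c}'" for c in ARCHIVE_REQUIRED if c not in archive]
    return sorted(findings)

# Constructed sample that follows the guidance.
COMPLIANT_CONFIG = """\
service timestamps debug datetime year
service timestamps log datetime year
archive
 log config
  logging enable
  hidekeys
  notify syslog
logging buffered 150000000 debugging
no ip http server
no ip http secure-server
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh dh min size 2048
login on-failure log
login on-success log
logging trap 7
logging host 192.168.202.169
line vty 0 4
 transport input ssh
"""

# Constructed sample with several of the weaknesses the section warns about.
WEAK_CONFIG = """\
logging buffered 4096
ip http server
ip ssh version 2
snmp-server community public RO
logging host 192.168.202.169
line vty 0 4
 transport input telnet ssh
"""
```

Run audit() on the text captured from "show running-config"; each finding names the missing or forbidden line so it can be traced back to the step above.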
3.3.4 Logging Protection
If an authorized administrator wants to backup the logs to a syslog server, then protection must be provided for the syslog server communications. This can be provided in one of two ways:
1. With a syslog server operating as an IPsec peer of the TOE and the records tunneled over that connection, or
2. With a syslog server that is not directly co-located with the TOE but is adjacent to an IPsec peer within a trusted facility, and the records are tunneled over the public network.
3.3.4.1 Syslog Server Running on an IPsec Endpoint
For deployments where the syslog server is able to operate as an IPsec peer of the TOE, the IPsec tunnel will protect events as they are sent to the server. When an audit event is generated, it is simultaneously sent to both the external server and the local store. Examples of products that can be installed on a syslog server to allow it to be an IPsec peer include the Racoon tool that is part of the IPsec Tools on many Linux systems, strongSwan, Openswan, and FreeS/WAN.
Following are sample instructions to configure the TOE to support an IPsec tunnel with aes encryption, with 10.10.10.101 as the IPsec peer IP on the syslog server, 10.10.10.110 and 30.0.0.1 as the local TOE IPs, and the syslog server running on 40.0.0.1 (a separate interface on the syslog server). For the following commands see the [10] Cisco IOS Configuration Fundamentals Command References, and Cisco IOS Security Command References.
TOE-common-criteria# configure terminal
TOE-common-criteria(config)#crypto isakmp policy 1
TOE-common-criteria(config-isakmp)#encryption aes
TOE-common-criteria(config-isakmp)#authentication pre-share
TOE-common-criteria(config-isakmp)#group 14
TOE-common-criteria(config-isakmp)#lifetime 28800
TOE-common-criteria(config)#crypto isakmp key [insert 22 character preshared key] address 10.10.10.101
TOE-common-criteria(config)#crypto isakmp key [insert 22 character preshared key] address 40.0.0.1
TOE-common-criteria(config)#crypto ipsec transform-set sampleset esp-aes esp-sha-hmac
TOE-common-criteria(cfg-crypto-trans)#mode tunnel
TOE-common-criteria(config)#crypto map sample 19 ipsec-isakmp
TOE-common-criteria(config-crypto-map)#set peer 10.10.10.101
TOE-common-criteria(config-crypto-map)#set transform-set sampleset
TOE-common-criteria(config-crypto-map)#set pfs group14
TOE-common-criteria(config-crypto-map)#match address 170
TOE-common-criteria(config-crypto-map)#exit
TOE-common-criteria(config)#interface g0/0
TOE-common-criteria(config-if)#ip address 10.10.10.110 255.255.255.0
TOE-common-criteria(config-if)#crypto map sample
TOE-common-criteria(config-if)#interface Loopback1
TOE-common-criteria(config-if)#ip address 30.0.0.1 255.0.0.0
TOE-common-criteria(config-if)#exit
TOE-common-criteria(config)# ip route 40.0.0.0 255.0.0.0 10.10.10.101
TOE-common-criteria(config)# access-list 170 permit ip 30.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
TOE-common-criteria(config)#logging source-interface Loopback1
TOE-common-criteria(config)#logging host 40.0.0.1
3.3.4.2 Syslog Server Adjacent to an IPsec Peer
If the syslog server is not directly co-located with the TOE, then the syslog server must be located in a physically protected facility and connected to a router capable of establishing an IPsec tunnel with the TOE. This will protect the syslog records as they traverse the public network.
Following are sample instructions to configure the TOE to support an IPsec tunnel with aes encryption, with 11.1.1.4 as the IPsec peer, 10.1.1.7 and 11.1.1.6 as the local IPs, and the syslog server on the 12.1.1.0 /28 subnet.
For the following commands see the [10] Cisco IOS Configuration Fundamentals Command References, and Cisco IOS Security Command References:
TOE-common-criteria#configure terminal
TOE-common-criteria(config)#crypto isakmp policy 1
TOE-common-criteria(config-isakmp)#encryption aes
TOE-common-criteria(config-isakmp)#authentication pre-share
TOE-common-criteria(config-isakmp)#group 14
TOE-common-criteria(config-isakmp)#lifetime 28800
TOE-common-criteria(config)#crypto isakmp key [insert 22 character preshared key] address 11.1.1.4
TOE-common-criteria(config)#crypto ipsec transform-set sampleset esp-aes esp-sha-hmac
TOE-common-criteria(cfg-crypto-trans)#mode tunnel
TOE-common-criteria(config)#crypto map sample 1 ipsec-isakmp
TOE-common-criteria(config-crypto-map)#set peer 11.1.1.4
TOE-common-criteria(config-crypto-map)#set transform-set sampleset
TOE-common-criteria(config-crypto-map)#match address 115
TOE-common-criteria(config-crypto-map)#exit
TOE-common-criteria(config)#interface g0/1
TOE-common-criteria(config-if)#ip address 10.1.1.7 255.255.255.0
TOE-common-criteria(config-if)#no ip route-cache
TOE-common-criteria(config-if)#crypto map sample
TOE-common-criteria(config-if)#interface g0/0
TOE-common-criteria(config-if)#ip address 11.1.1.6 255.255.255.0
TOE-common-criteria(config-if)#crypto map sample
TOE-common-criteria(config-if)#exit
TOE-common-criteria(config)#ip route 12.1.1.0 255.255.255.0 11.1.1.4
TOE-common-criteria(config)#access-list 115 permit ip 10.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255 log
TOE-common-criteria(config)#logging host 12.1.1.1
3.3.5 Base Firewall Rule set Configuration
The Network Device PP VPN Gateway Extended Package (VPNGW EP) contains requirements for the TOE basic packet filtering. Packet filtering is able to be done on many protocols by the TOE, including but not limited to:
o IPv4 (RFC 791)
o IPv6 (RFC 2460)
o TCP (RFC 793)
o UDP (RFC 768)
o IKEv1 (RFCs 2407, 2408, 2409, RFC 4109)
o IKEv2 (RFC 5996)
o IPsec ESP (RFCs 4301, 4303)
o SSH (RFCs 4251, 4252, 4253, and 4254)
The following attributes, at a minimum, are configurable within Packet filtering rules for the associated protocols:
IPv4
o Source address
o Destination Address
o Protocol
IPv6
o Source address
o Destination Address
o Next Header (Protocol)
TCP
o Source Port
o Destination Port
UDP
o Source Port
o Destination Port
Traffic matching is done based on a top-down approach in the access list. The first entry that a packet matches will be the one applied to it. The VPNGW EP requires that the TOE access control lists (ACLs) be configured to drop all packet flows as the default rule, and that traffic matching the acl be able to be logged. The drop-all default rule can be achieved by including an ACL rule to drop all packets as the last rule in the ACL configuration. The logging of matching traffic is done by appending the keyword “log-input” at the end of the acl statements, per the command reference, as done below.
A privileged authorized administrator may manipulate the ACLs using the commands ip inspect, access-list, crypto map, and access-group as described in [10].
Access lists must be configured on the TOE to meet the requirements of the VPN Gateway Extended Package.
Note: These access lists must be integrated with the defined security policy for your TOE router. Enabling just these access lists with no permits will result in traffic being dropped. Ensure that your access list entries are inserted above the default deny acl.
In this example, we are assuming that interface GigabitEthernet0/0 is the external interface, and is assigned an IP address of 10.200.1.1. Interface GigabitEthernet0/1 is the internal interface and is assigned an IP address of 10.100.1.1.
If remote administration is required, ssh has to be explicitly allowed through either the internal or external interfaces.
TOE-common-criteria# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
TOE-common-criteria(config)# access-list 199 permit tcp host 10.200.0.1 host 10.200.0.1 eq 22 log-input
To log connections to the Certificate Authority, implement the following acl:
TOE-common-criteria(config)# access-list 100 permit ip any host [IP of CA] log-input
TOE-common-criteria(config)# access-list 199 permit ip any host [IP of CA] log-input
To close ports that don’t need to be open and may introduce additional vulnerabilities, implement the following acl:
TOE-common-criteria(config)# access-list 100 deny 132 any any log-input
TOE-common-criteria(config)# access-list 199 deny 132 any any log-input
To explicitly create the default deny acl for traffic with no other match, implement the following acl:
TOE-common-criteria(config)# access-list 100 deny ip any any log-input
TOE-common-criteria(config)# access-list 199 deny ip any any log-input
Note: Logging of all traffic hitting the default deny acl can generate a large number of logs, and a determination should be made whether it is necessary prior to entering this at the end of all access lists.
To apply the acls to the interfaces:
TOE-common-criteria(config)# interface GigabitEthernet0/0
TOE-common-criteria(config-if)# ip access-group 199 in
TOE-common-criteria(config)# interface GigabitEthernet0/1
TOE-common-criteria(config-if)# ip access-group 100 in
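To make the top-down, first-match semantics described above concrete, here is an added Python simulator (not Cisco code and not part of this guidance) that parses the access-list entries from this section and evaluates sample packets against them. The address 192.0.2.10 stands in for the “[IP of CA]” placeholder, the sample packets are constructed, and the parser accepts both the “deny ip any any” form and the page's shorter “deny any any” form.

```python
"""Simulate IOS extended-ACL matching for the access lists above: entries are
tried top-down, the first match decides, and an unmatched packet hits the
implicit deny.  Added example, not Cisco code; addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17}   # None = any IP protocol
ANY = (0, 0xFFFFFFFF)                                # network 0, wildcard all-ones


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: Optional[int]              # IP protocol number, None for "ip"
    src: Tuple[int, int]              # (network, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]              # "eq <port>", None if absent
    log: bool                         # "log" or "log-input" present
    text: str                         # original configuration line


def _addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return (net, wild), i + 2


def parse_ace(line):
    """Parse 'access-list N {permit|deny} [proto] SRC DST [eq PORT] [log-input]'."""
    tok = line.split()
    number, action, i = tok[1], tok[2], 3
    proto = None
    if tok[i] in PROTO_NUMBERS:
        proto, i = PROTO_NUMBERS[tok[i]], i + 1
    elif tok[i].isdigit():            # numeric protocol, e.g. 132 (SCTP)
        proto, i = int(tok[i]), i + 1
    src, i = _addr(tok, i)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport, i = int(tok[i + 1]), i + 2
    log = i < len(tok) and tok[i] in ("log", "log-input")
    return number, Ace(action, proto, src, dst, dport, log, line)


def build_acls(lines):
    """Group parsed entries by ACL number, preserving configuration order."""
    acls = {}
    for line in lines:
        number, ace = parse_ace(line)
        acls.setdefault(number, []).append(ace)
    return acls


def _matches(spec, addr):
    net, wild = spec                  # wildcard bits set = "don't care"
    return (addr & ~wild) == (net & ~wild)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, logged, index) for the first matching entry, or the
    implicit deny (not logged, index None) when nothing matches."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for idx, ace in enumerate(acl):
        if ace.proto is not None and ace.proto != proto:
            continue
        if not (_matches(ace.src, s) and _matches(ace.dst, d)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.log, idx
    return "deny", False, None


# The section's entries; 192.0.2.10 stands in for the "[IP of CA]" placeholder.
CONFIG_LINES = [
    "access-list 199 permit tcp host 10.200.0.1 host 10.200.0.1 eq 22 log-input",
    "access-list 100 permit ip any host 192.0.2.10 log-input",
    "access-list 199 permit ip any host 192.0.2.10 log-input",
    "access-list 100 deny 132 any any log-input",
    "access-list 199 deny 132 any any log-input",
    "access-list 100 deny ip any any log-input",
    "access-list 199 deny ip any any log-input",
]
ACLS = build_acls(CONFIG_LINES)
```

Reversing an ACL in the simulator puts the explicit deny-all first and shows why the note below about inserting entries above the default deny matters: every packet then hits index 0 and is dropped.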
Additional information on creation of packet filtering and VPN information flow policies is given in Section 4.6.4 below.
The following ACL in the running-configuration can be used to block unknown protocols (explicitly permitting and logging specific IPv6 protocols, then explicitly denying any other IPv6 packet):
permit 1 <source> <destination> log
permit 2 <source> <destination> log
permit 3 <source> <destination> log
permit 4 <source> <destination> log
permit 5 <source> <destination> log
permit tcp <source> <destination> log
permit 7 <source> <destination> log
permit 8 <source> <destination> log
!…. continue the ACL entries to include all IPv6 protocol numbers listed in the PP.
deny ipv6 <source> <destination> log
3.3.6 Routing Protocols
The routing protocols are used to maintain routing tables. The routing tables can also be configured and maintained manually. Refer to the applicable sections in [3] for configuration of the routing protocols.
3.3.7 MACSEC and MKA Configuration
The detailed steps to configure MKA, and to configure MACsec and MKA on interfaces, are listed in [24] - http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16/macsec-xe-16-book/wan-macsec-mka-support-enhance.html#d74e990a1635
Note: For 256-bit encryption, the key-string length will be 64-characters. For 128-bit encryption, the key-string length will be 32 characters.
4 Secure Management
4.1 User Roles
The ASR has both privileged and semi-privileged administrator roles as well as non-administrative access. Non-administrative access is granted to authenticated neighbor routers for the ability to receive updated routing tables per the information flow rules. There is no other access or functions associated with non-administrative access. These privileged and semi-privileged roles are configured in the Access Control and Session Termination section above. The TOE also allows for customization of other levels. Privileged access is defined by any privilege level entering an enable password after their individual login. Privilege levels are numbered 0-15 and specify the various levels for the user. The privilege levels are not necessarily hierarchical. Privilege level 15 has access to all commands on the TOE. Privilege levels 0 and 1 are defined by default, while levels 2-14 are undefined by default. Levels 0-14 can be set to include any of the commands available to the level 15 administrator, and are considered the semi-privileged administrator for purposes of this evaluation. The privilege level determines the functions the user can perform; the authorized administrator is therefore the user holding the appropriate privileges.
To establish a username-based authentication system, use the username command in global configuration mode.
router(config)# username name [privilege level]
When a user no longer requires access to the ASR, the user account can be removed. To remove an established username-based authentication account, use the no form of the command.
router(config)# no username name
Refer to the IOS Command Reference Guide for available commands and associated roles and privilege levels.
4.2 Passwords
The password complexity is not enforced by the router by default, and must be administratively set in the configuration. To prevent administrators from choosing insecure passwords, each password must be as follows (see [10]: under Reference Guides > Command References > Security and VPN, see the manual Cisco IOS Security Command Reference: Commands A to Z for this section):
1. At least 15 characters long. Use the following command to set the minimum length to 15 or greater.
router(config)#security passwords min-length length
Example: router(config)# security passwords min-length 15
Note: Details for the security passwords min-length command can be found in [10]: under Reference Guides > Command References > Security and VPN, see the manual Cisco IOS Security Command Reference: Commands S to Z.
2. Composed of any combination of characters that includes characters for at least 3 of these four character sets: upper case letters, lower case letters, numerals, and the following special characters: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”. Configure the router to enforce that complexity requirement by enabling “aaa password restriction”.
Example: router(config)# aaa password restriction
Enabling aaa password restriction will also enforce the following restrictions:
1. The new password cannot have any character repeated more than three times consecutively.
2. The new password cannot be the same as the associated username.
3. The password obtained by capitalization of the username or username reversed is not accepted.
4. The new password cannot be “cisco”, “ocsic”, or any variant obtained by changing the capitalization of letters therein, or by substituting “1”, “|”, or “!” for i, or by substituting “0” for “o”, or substituting “$” for “s”.
Note: The aaa password restriction command can only be used after the aaa new-model command is configured. See [10]: under Reference Guides > Command References > Security and VPN, the manual Cisco IOS Security Command Reference: Commands A to C.
The following configuration steps are optional, but recommended for good password complexity. The below items are recommended but are not enforced by the TOE:
1. Does not contain more than three sequential characters, such as abcd
2. Does not contain dictionary words
3. Does not contain common proper names
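To show exactly what the enforced rules above accept and reject, here is an added Python validator (not Cisco code and not the router's own implementation) that applies the 15-character minimum and the aaa password restriction checks as this editor reads them; the usernames and passwords in the test are constructed.

```python
"""Validator for the password rules above: security passwords min-length 15
plus the 'aaa password restriction' checks.  Added example, not Cisco code."""
import re

MIN_LENGTH = 15                          # security passwords min-length 15
SPECIALS = set("!@#$%^&*()")             # the special characters the rule names
# Substitutions the rule says cannot disguise "cisco": 1/|/! for i, 0 for o, $ for s.
_UNDISGUISE = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])


def password_violations(password, username):
    """Return the list of enforced rules the password breaks (empty = accepted)."""
    v = []
    if len(password) < MIN_LENGTH:
        v.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        v.append("fewer than 3 of the 4 character classes")
    if re.search(r"(.)\1{3,}", password):            # 4 in a row = repeated > 3 times
        v.append("a character is repeated more than three times consecutively")
    if password == username:
        v.append("same as the username")
    elif password.lower() in (username.lower(), username.lower()[::-1]):
        v.append("username or reversed username with changed capitalization")
    if password.translate(_UNDISGUISE).lower() in ("cisco", "ocsic"):
        v.append("variant of 'cisco' or 'ocsic'")
    return v
```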
Administrative passwords, including any “enable” password that may be set for any privilege level, must be stored in non-plaintext form. To have passwords stored as a SHA-256 hash, use the “service password-encryption” command in config mode.
router(config)#service password-encryption
Once that service has been enabled, passwords can be entered in plaintext or as SHA-256 hash values, and will be stored as SHA-256 hash values in the configuration file when using the “username” command.
router(config)#username name {password password | password encryption-type encrypted-password}
Whether or not “service password-encryption” has been enabled, a password for an individual username can be entered in either plaintext or as a SHA-256 hash value, and be stored as a SHA-256 hash value by using the following command:
router(config)#username name secret {0 password | 4 secret-string | 5 SHA256 secret-string}
To store the enable password in non-plaintext form, use the ‘enable secret’ command when setting the enable password. The enable password can be entered as plaintext, or as an MD5 hash value. Example:
router(config)#enable secret [level level] {password | 0 | 4 | 5 [encryption-type] encrypted-password}
level - (Optional) Specifies the level for which the password applies. You can specify up to sixteen privilege levels, using the numerals 0 through 15.
password - The password that will be entered.
0 - Specifies an unencrypted clear-text password. The password is converted to a SHA256 secret and gets stored in the router.
4 - Specifies an SHA256 encrypted secret string. The SHA256 secret string is copied from the router configuration.
5 - Specifies a message digest algorithm 5 (MD5) encrypted secret.
encryption-type - (Optional) Cisco-proprietary algorithm used to encrypt the password. The encryption types available for this command are 4 and 5. If you specify a value for the encryption-type argument, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).
encrypted-password - Encrypted password that is copied from another router configuration.
Use of enable passwords is not necessary, so all administrative passwords can be stored as SHA-256 if enable passwords are not used.
Note: Cisco requires that the ‘enable password’ command be used to configure a password for privileged EXEC mode. The password that is entered with the ‘enable password’ command is stored as plain text in the configuration file of the networking device. If passwords were created with the ‘enable password’ command, they can be hashed by using the ‘service password-encryption’ command. Instead of using the ‘enable password’ command, Cisco recommends using the ‘enable secret’ command because it stores a SHA-256 hash value of the password.
To have IKE preshared keys stored in encrypted form, use the password encryption aes command to enable the functionality and the key config-key password-encrypt command to set the master password to be used to encrypt the preshared keys. The preshared keys will be stored encrypted with symmetric cipher Advanced Encryption Standard [AES].
router(config)# password encryption aes
router(config)# key config-key password-encryption [text]
Note: Details for the password encryption aes command can be found in [10]: under Reference Guides > Command References > Security and VPN, see the manual Cisco IOS Security Command Reference: Commands M to R.
4.3 Clock Management
Clock management is restricted to the privileged administrator. [15] contains information on setting the local hardware clock or NTP sources. When Network Time Protocol (NTP) is configured, the time is synchronized with an NTP server over NTPv3. NTP runs on UDP, which in turn runs on IP. NTP Version 3 (NTPv3) is documented in RFC 1305.
4.4 Identification and Authentication
Configuration of Identification and Authentication settings is restricted to the privileged administrator.
The ASR can be configured to use any of the following authentication methods:
Remote authentication (RADIUS)
o Refer to “Authentication Server Protocols” elsewhere in this document for more details.
Local authentication (password or SSH public key authentication);
o Note: this should only be configured for local fallback if the remote authentication server is not available.
X.509v3 certificates
o Refer to “X.509 Certificates” below for more details.
4.5 Login Banners
The TOE may be configured by the privileged administrators with banners using the banner login command. This banner is displayed before the username and password prompts. To create a banner of text “This is a banner” use the command banner login ^c This is a banner ^c where c is the delimiting character. The delimiting character may be any character except ?, and it must not be part of the banner message.
4.6 Virtual Private Networks (VPN)
4.6.1 IPsec Overview
The TOE allows all privileged administrators to configure Internet Key Exchange (IKE) and IPSEC policies. IPsec provides the following network security services:
Data confidentiality--The IPsec sender can encrypt packets before transmitting them across a network.
Data integrity--The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.
Data origin authentication--The IPsec receiver can authenticate the source of the sent IPsec packets. This service is dependent upon the data integrity service.
Anti-replay--The IPsec receiver can detect and reject replayed packets.
IPsec provides secure tunnels between two peers, such as two routers. The privileged administrator defines which packets are considered sensitive and should be sent through these secure tunnels and specifies the parameters that should be used to protect these sensitive packets by specifying the characteristics of these tunnels. When the IPsec peer recognizes a sensitive packet, the peer sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
More accurately, these tunnels are sets of security associations (SAs) that are established between two IPsec peers. The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (AH or ESP).
With IPsec, privileged administrators can define the traffic that needs to be protected between two IPsec peers by configuring access lists and applying these access lists to interfaces using crypto map sets. Therefore, traffic may be selected on the basis of the source and destination address, and optionally the Layer 4 protocol and port. (The access lists used for IPsec are only used to determine the traffic that needs to be protected by IPsec, not the traffic that should be blocked or permitted through the interface. Separate access lists define blocking and permitting at the interface.)
A crypto map set can contain multiple entries, each with a different access list. The crypto map entries are searched in a sequence--the router attempts to match the packet to the access list specified in that entry.
When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as cisco, connections are established, if necessary. If the crypto map entry is tagged as ipsec-isakmp, IPsec is triggered. If there is no SA that the IPsec can use to protect this traffic to the peer, IPsec uses IKE to negotiate with the remote peer to set up the necessary IPsec SAs on behalf of the data flow. The negotiation uses information specified in the crypto map entry as well as the data flow information from the specific access list entry.
Once established, the set of SAs (outbound to the peer) is then applied to the triggering packet and to subsequent applicable packets as those packets exit the router. "Applicable" packets are packets that match the same access list criteria that the original packet matched. For example, all applicable packets could be encrypted before being forwarded to the remote peer. The corresponding inbound SAs are used when processing the incoming traffic from that peer.
Access lists associated with IPsec crypto map entries also represent the traffic that the router needs protected by IPsec. Inbound traffic is processed against crypto map entries--if an unprotected packet matches a permit entry in a particular access list associated with an IPsec crypto map entry, that packet is dropped because it was not sent as an IPsec-protected packet.
Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings that can be applied to IPsec-protected traffic. During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
4.6.1.1 IKEv1 Transform Sets
An Internet Key Exchange version 1 (IKEv1) transform set represents a certain combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
Privileged administrators can specify multiple transform sets and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPsec SA negotiation to protect the data flows specified by that crypto map entry's access list.
During IPsec security association negotiations with IKE, peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as part of both peers' IPsec SAs. (With manually established SAs, there is no negotiation with the peer, so both sides must specify the same transform set.)
Note: If a transform set definition is changed during operation, the change is not applied to existing security associations, but is used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto sa command.
The following settings must be set in configuring the IPsec with IKEv1 functionality for the TOE:
TOE-common-criteria # conf t
TOE-common-criteria (config)#crypto isakmp policy 1
TOE-common-criteria (config-isakmp)# hash sha
TOE-common-criteria (config-isakmp)# encryption aes
This configures IPsec IKEv1 to use AES-CBC-128 for payload encryption. AES-CBC-256 can be selected with ‘encryption aes 256’.
Note: the authorized administrator must ensure that the keysize for this setting is greater than or equal to the keysize selected for ESP in Section 4.6.2 below. If AES 128 is selected here, then the highest keysize that can be selected on the TOE for ESP is AES 128 (either CBC or GCM).
Note: Both confidentiality and integrity are configured with the hash sha and encryption aes commands respectively. As a result, confidentiality-only mode is disabled.
TOE-common-criteria (config-isakmp)# authentication pre-share
This configures IPsec to use pre-shared keys. X.509 v3 certificates are also supported for authentication of IPsec peers. See Section 4.6.3 below for additional information.
TOE-common-criteria(config-isakmp)# exit
TOE-common-criteria(config)# crypto isakmp key cisco123!cisco123!CISC address 11.1.1.4
Note: Pre-shared keys on the TOE must be at least 22 characters in length and can be composed of any combination of upper and lower case letters, numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”).
The TOE supports pre-shared keys up to 127 characters in length. While longer keys increase the difficulty of brute-force attacks, longer keys increase processing time.
TOE-common-criteria (config-isakmp)# group 14
This selects DH Group 14 (2048-bit MODP) for IKE, but 19 (256-bit Random ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit Random ECP), 15 (3072 bit MODP), and 16 (4096-bit MODP) are also allowed and supported.
TOE-common-criteria (config-isakmp)# lifetime 86400
The default time value for Phase 1 SAs is 24 hours (86400 seconds), but this setting can be changed using the command above with different values.
TOE-common-criteria (config-isakmp)# crypto isakmp aggressive-mode disable
Main mode is the default mode and the crypto isakmp aggressive-mode disable ensures all IKEv1 Phase 1 exchanges will be handled in the default main mode.
TOE-common-criteria(config-isakmp)#exit
4.6.1.2 IKEv2 Transform Sets
An Internet Key Exchange version 2 (IKEv2) proposal is a set of transforms used in the negotiation of IKEv2 SA as part of the IKE_SA_INIT exchange. An IKEv2 proposal is regarded as complete only when it has at least an encryption algorithm, an integrity algorithm, and a Diffie-Hellman (DH) group configured. If no proposal is configured and attached to an IKEv2 policy, then the default proposal is used in the negotiation, and it contains selections that are not valid for the TOE. Thus the following settings must be set in configuring the IPsec with IKEv2 functionality for the TOE:
TOE-common-criteria # conf t
TOE-common-criteria (config)# crypto ikev2 proposal sample
TOE-common-criteria (config-ikev2-proposal)# integrity sha1
TOE-common-criteria (config-ikev2-proposal)# encryption aes-cbc-128
This configures IKEv2 to use AES-CBC-128 for payload encryption. AES-CBC-256 can be selected with 'encryption aes-cbc-256'. AES-GCM-128 and AES-GCM-256 can also be selected similarly.
Note: the authorized administrator must ensure that the key size for this setting is greater than or equal to the key size selected for ESP in Section 4.6.2 below. If AES 128 is selected here, then the highest key size that can be selected on the TOE for ESP is AES 128 (either CBC or GCM).
Note: Integrity and confidentiality are configured with the integrity sha1 and encryption aes-cbc-128 commands respectively. As a result, confidentiality-only mode is disabled.
TOE-common-criteria (config-ikev2-proposal)# group 14
This selects DH Group 14 (2048-bit MODP) for IKE; groups 19 (256-bit random ECP), 24 (2048-bit MODP with 256-bit prime order subgroup), 20 (384-bit random ECP), 15 (3072-bit MODP), and 16 (4096-bit MODP) are also allowed and supported.
TOE-common-criteria (config)# crypto ikev2 keyring keyring-1
TOE-common-criteria (config-ikev2-keyring)# peer peer1
TOE-common-criteria (config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0
TOE-common-criteria (config-ikev2-keyring-peer)# pre-shared-key cisco123!cisco123!CISC
This creates a keyring to hold the pre-shared keys; the keyring is later referenced from the IKEv2 profile. In IKEv2 these pre-shared keys are specific to the peer. The address 0.0.0.0 0.0.0.0 in this sample matches any peer; in a deployment the peer entry should carry the actual peer address (or address range) so that a key is shared with no more peers than intended.
Note: Pre-shared keys on the TOE must be at least 22 characters in length and can be composed of any combination of upper and lower case letters, numbers, and special characters (that include: "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")"). The TOE supports pre-shared keys up to 128 bytes in length. While longer keys increase the difficulty of brute-force attacks, they also increase processing time.
Hex keys generated off system can also be input for IKEv2 using the following instead of the pre-shared-key command above: 'pre-shared-key hex [hex key]'. For example: pre-shared-key hex 0x6A6B6C.
This configures IPsec to use pre-shared keys. X.509 v3 certificates are also supported for authentication of IPsec peers. See Section 4.6.4 below for additional information.
TOE-common-criteria (config)#crypto logging ikev2
This setting enables IKEv2 syslog messages.
Note: The configuration above is not a complete IKEv2 configuration; additional settings (for example an IKEv2 profile that references the proposal and keyring) will be needed. See [18] Configuring Internet Key Exchange Version 2 (IKEv2) for additional information on IKEv2 configuration.
4.6.2 IPsec Transforms and Lifetimes
Regardless of the IKE version selected, the TOE must be configured with the proper transform for IPsec ESP encryption and integrity as well as IPsec lifetimes.
TOE-common-criteria(config)# crypto ipsec transform-set example esp-aes 128 esp-sha-hmac
Note that this configures IPsec ESP to use HMAC-SHA-1 and AES-CBC-128. To change this to the other allowed algorithms, the following options can replace 'esp-aes 128' in the command above:
Encryption Algorithm    Command
AES-CBC-256             esp-aes 256
AES-GCM-128             esp-gcm 128
AES-GCM-256             esp-gcm 256
Note: The size of the key selected here must be less than or equal to the key size selected for the IKE encryption setting in 4.6.1.1 and 4.6.1.2 above. If AES-CBC-128 was selected there for use with IKE encryption, then only AES-CBC-128 or AES-GCM-128 may be selected here.
TOE-common-criteria(cfg-crypto-trans)# mode tunnel
This configures tunnel mode for IPsec. Tunnel is the default, but by explicitly specifying tunnel mode the router will request tunnel mode and will accept only tunnel mode.
TOE-common-criteria(cfg-crypto-trans)# mode transport
This configures transport mode for IPsec. A transform set is in one mode or the other; configure whichever mode the deployment requires (the sample in Section 4.6.4.2 uses tunnel mode).
TOE-common-criteria (config)# crypto ipsec security-association lifetime seconds 28800
The default lifetime for Phase 2 SAs is 1 hour. No configuration is required for this setting since the default is acceptable; however, to change the setting to 8 hours as claimed in the Security Target, the crypto ipsec security-association lifetime command can be used as specified above.
TOE-common-criteria (config)# crypto ipsec security-association lifetime kilobytes 100000
This configures a lifetime of 100 MB of traffic for Phase 2 SAs. The minimum configurable value for this command is 2560 KB and the maximum is 4,294,967,295 KB; the default is 4,608,000 KB (the value that appears in the sa_lifetime(k/sec) field of the IPsec sample records in Section 5).
Additional information regarding configuration of IPsec can be found in [10]. The IPsec commands are dispersed within the Security Command References.
This functionality is available to the Privileged Administrator. Configuration of VPN settings is restricted to the privileged administrator.
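The key-size and pre-shared-key constraints stated in Sections 4.6.1 and 4.6.2 are easy to violate when a policy, proposal and transform set are edited at different times. The following Python script is an added example, not part of the Cisco guidance or of IOS-XE: it audits a saved configuration (for instance the output of show running-config) offline for the ESP-versus-IKE key-size rule, the 22 to 127 character pre-shared-key rule with its permitted character set, and the presence of crypto isakmp aggressive-mode disable. GOOD_CONFIG and BAD_CONFIG are constructed samples, not device output.

```python
"""Added example, not part of the Cisco guidance: an offline audit of a saved
IOS-XE configuration fragment for the constraints stated in Sections 4.6.1 and 4.6.2.

  * every 'crypto ipsec transform-set' ESP key size must be <= the smallest AES key
    size configured for IKE ('encryption aes [N]' in an IKEv1 policy,
    'encryption aes-cbc-N' / 'aes-gcm-N' in an IKEv2 proposal);
  * every IKEv1 'crypto isakmp key' and IKEv2 keyring 'pre-shared-key' (hex-form
    keys excluded) must be 22..127 characters from the permitted character set;
  * 'crypto isakmp aggressive-mode disable' must be present.

GOOD_CONFIG and BAD_CONFIG are constructed samples, not device output.
"""
import re
from typing import List, Tuple

PSK_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()"
)


def ike_aes_key_sizes(config: str) -> List[int]:
    """AES key sizes selected for IKE SAs in IKEv1 policies and IKEv2 proposals."""
    sizes = []
    for line in config.splitlines():
        s = line.strip()
        m = re.fullmatch(r"encryption aes(?: (128|192|256))?", s)         # IKEv1; bare 'aes' is 128
        if m:
            sizes.append(int(m.group(1) or 128))
            continue
        m = re.fullmatch(r"encryption aes-(?:cbc|gcm)-(128|192|256)", s)  # IKEv2 proposal
        if m:
            sizes.append(int(m.group(1)))
    return sizes


def esp_key_sizes(config: str) -> List[Tuple[str, int]]:
    """(transform-set name, AES key size) for each transform set; bare 'esp-aes' is 128."""
    pat = r"crypto ipsec transform-set (\S+) esp-(?:aes|gcm)(?: (128|192|256))?"
    return [(m.group(1), int(m.group(2) or 128)) for m in re.finditer(pat, config)]


def pre_shared_keys(config: str) -> List[str]:
    """Plain-text pre-shared keys from 'crypto isakmp key' and keyring 'pre-shared-key' lines."""
    keys = re.findall(r"crypto isakmp key (?:[06] )?(\S+) address", config)
    keys += re.findall(
        r"^\s*pre-shared-key (?:(?:local|remote) )?(?:[06] )?(?!hex\b)(\S+)\s*$", config, re.M)
    return keys


def audit(config: str) -> List[str]:
    """Return one finding per violated constraint; an empty list means the fragment passes."""
    findings = []
    ike = ike_aes_key_sizes(config)
    if ike:
        weakest = min(ike)
        for name, size in esp_key_sizes(config):
            if size > weakest:
                findings.append(f"transform-set {name}: ESP AES-{size} exceeds IKE AES-{weakest}")
    for key in pre_shared_keys(config):          # the key itself is never written to the report
        if not 22 <= len(key) <= 127:
            findings.append(f"pre-shared key of {len(key)} characters is outside 22..127")
        bad = sorted(set(key) - PSK_ALLOWED)
        if bad:
            findings.append("pre-shared key uses characters outside the permitted set: " + "".join(bad))
    if "crypto isakmp aggressive-mode disable" not in config:
        findings.append("IKEv1 aggressive mode is not disabled")
    return findings


GOOD_CONFIG = """\
! constructed sample that follows Sections 4.6.1 and 4.6.2
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp aggressive-mode disable
crypto isakmp key Xy7!wQ3@pL9#mN2$vB6^cD4&fG8 address 11.1.1.4
crypto ikev2 proposal sample
 encryption aes-cbc-256
 integrity sha1
 group 14
crypto ikev2 keyring keyring-1
 peer peer1
  address 11.1.1.4 255.255.255.255
  pre-shared-key Xy7!wQ3@pL9#mN2$vB6^cD4&fG8
crypto ipsec transform-set example esp-gcm 256
 mode tunnel
"""

BAD_CONFIG = """\
! constructed sample with the mistakes the notes above warn about
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key cisco_123 address 10.10.10.102
crypto ipsec transform-set example esp-gcm 256
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The bad fragment produces four findings: the ESP transform set uses a 256-bit key while the IKEv1 policy negotiates AES-128, the pre-shared key is too short and uses an underscore, and aggressive mode has not been disabled. The report deliberately never echoes the key material itself.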
4.6.3 NAT Traversal
For successful NAT traversal over an IOS-XE NAT device for an IPsec connection between two IOS-XE peers, the following configuration needs to be used (also refer to Chapter 7 of [21]):
On the IOS NAT device (the router between the IPsec endpoints):
config terminal
ip nat service list <ACL-number> ESP spi-match
access-list <ACL-number> permit <protocol> <local-range> <remote-range>
end
On each IOS peer (IPsec router endpoints):
config terminal
crypto ipsec nat-transparency spi-matching
end
4.6.4 X.509 Certificates
The TOE may be configured by the privileged administrators to use X.509v3 certificates to authenticate IPsec peers. Both RSA and ECDSA certificates are supported. Creation of these certificates and loading them on the TOE is covered in the section – “How to Configure Certificate Enrollment for a PKI” in [22], and a portion of the TOE configuration for use of these certificates follows below.
4.6.4.1 Creation of the Certificate Signing Request
The certificate signing request for the TOE will be created using the RSA or ECDSA key pair and the domain name configured in Section 3.3.1 above.
In order for a certificate signing request to be generated, the TOE must be configured with a hostname and a trustpoint.
1. Enter configure terminal mode:
Device # configure terminal
2. Specify the hostname: hostname name
Device(config)# hostname asrTOE
3. Configure the trustpoint: crypto pki trustpoint trustpoint-name
Device (config)#crypto pki trustpoint ciscotest
4. Configure an enrollment method: enrollment {terminal | url url}
Device (ca-trustpoint)#enrollment url http://192.168.2.137:80
5. Configure subject-name settings for the certificate: subject-name CN=hostname.domain.com,OU=OU-name
Device (ca-trustpoint)#subject-name CN=asrTOE.cisco.com,OU=TAC
6. Set revocation check method: revocation-check crl
Device (ca-trustpoint)#revocation-check crl
Device (ca-trustpoint)#exit
7. Create the certificate signing request: crypto pki enroll trustpoint-name
Device (config)#crypto pki enroll ciscotest
4.6.4.2 Securely Connecting to a Certificate Authority for Certificate Signing
The TOE must communicate with the CA for certificate signing over IPsec. This IPsec connection is authenticated with pre-shared keys.
Following are sample instructions to configure the TOE to support an IPsec tunnel with aes encryption, with 10.10.10.102 as the IPsec peer IP on the CA, 10.10.10.110 as the local TOE IP.
TOE-common-criteria# configure terminal
TOE-common-criteria(config)# crypto isakmp policy 1
TOE-common-criteria(config-isakmp)# encryption aes
TOE-common-criteria(config-isakmp)# authentication pre-share
TOE-common-criteria(config-isakmp)# group 14
TOE-common-criteria(config-isakmp)# lifetime 86400
TOE-common-criteria(config-isakmp)# exit
TOE-common-criteria(config)# crypto isakmp key [insert pre-shared key of at least 22 characters] address 10.10.10.102
TOE-common-criteria(config)# crypto ipsec transform-set sampleset esp-aes esp-sha-hmac
TOE-common-criteria(cfg-crypto-trans)# mode tunnel
TOE-common-criteria(cfg-crypto-trans)# exit
TOE-common-criteria(config)# crypto map sample 19 ipsec-isakmp
TOE-common-criteria(config-crypto-map)# set peer 10.10.10.102
TOE-common-criteria(config-crypto-map)# set transform-set sampleset
TOE-common-criteria(config-crypto-map)# set pfs group14
TOE-common-criteria(config-crypto-map)# match address 170
TOE-common-criteria(config-crypto-map)# exit
TOE-common-criteria(config)# interface g0/0
TOE-common-criteria(config-if)# ip address 10.10.10.110 255.255.255.0
TOE-common-criteria(config-if)# crypto map sample
TOE-common-criteria(config-if)# exit
TOE-common-criteria(config)# access-list 170 permit ip 10.10.10.0 0.255.255.255 10.10.10.0 0.255.255.255
4.6.4.3 Authenticating the Certificate Authority
The TOE must authenticate the CA by confirming that the attributes it presents match the publicly posted fingerprint. The TOE administrator must verify that the fingerprint shown in the output of the command below matches the fingerprint of the CA on its public site, and must answer "no" if it does not. The SHA1 fingerprint is the value to compare; the MD5 fingerprint is printed as well but MD5 is no longer collision resistant and should not be relied on for the trust decision.
1. Authenticate the CA: crypto ca authenticate trustpoint-name
Device (config)#crypto ca authenticate ciscotest
Certificate has the following attributes:
Fingerprint MD5: 8DE88FE5 78FF27DF 97BA7CCA 57DC1217
Fingerprint SHA1: 271E80EC 30304CC1 624EEE32 99F43AF8 DB9D0280
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
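The fingerprints the router prints are plain digests of the CA certificate's DER encoding, so an administrator can compute them independently from the certificate file the CA publishes instead of trusting a value copied from a web page. The following Python script is an added example, not Cisco code: it formats MD5 and SHA1 digests the way IOS prints them, parses the "Fingerprint" lines out of crypto ca authenticate output, and makes the trust decision on the SHA1 value only. CONSTRUCTED_DER is a placeholder byte string standing in for a real DER file (with a real CA certificate, read the .cer/.der file, or decode the PEM body with pem_to_der); ROUTER_OUTPUT is the sample output quoted above.

```python
"""Added example, not part of the Cisco guidance: compute the MD5 and SHA1
fingerprints that 'crypto ca authenticate' prints for a CA certificate, format
them as IOS does, and compare the SHA1 value with the fingerprint the CA
publishes before the administrator answers 'yes'.  CONSTRUCTED_DER is a
constructed stand-in for a certificate's DER bytes, not a real certificate;
ROUTER_OUTPUT is the sample router output from this page.
"""
import base64
import hashlib
import re


def ios_fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Digest of the DER encoding as upper-case hex in 8-character groups, as IOS prints it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so published and router-printed forms compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def parse_router_output(text: str) -> dict:
    """Extract the 'Fingerprint MD5/SHA1' lines from 'crypto ca authenticate' output."""
    return {m.group(1).lower(): normalize(m.group(2))
            for m in re.finditer(r"Fingerprint (MD5|SHA1): ([0-9A-Fa-f ]+)", text)}


def ca_is_authentic(der: bytes, published_sha1: str) -> bool:
    """Trust decision: SHA1 of the received DER must equal the CA's published SHA1 fingerprint.
    The MD5 line the router also prints is deliberately not used (MD5 collisions are practical)."""
    return normalize(ios_fingerprint(der, "sha1")) == normalize(published_sha1)


def router_output_matches(der: bytes, router_output: str) -> bool:
    """Does the SHA1 line the router printed equal the SHA1 of the certificate file we hold?"""
    printed = parse_router_output(router_output)
    return printed.get("sha1") == normalize(ios_fingerprint(der, "sha1"))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)
    return base64.b64decode(body)


# Constructed placeholder, not a real certificate: a SEQUENCE header followed by filler bytes.
CONSTRUCTED_DER = b"\x30\x82\x01\x2a" + b"constructed stand-in for CA certificate DER bytes"
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(CONSTRUCTED_DER).decode()
                   + "\n-----END CERTIFICATE-----\n")

# Sample output of 'crypto ca authenticate ciscotest' as shown on this page.
ROUTER_OUTPUT = """Certificate has the following attributes:
Fingerprint MD5: 8DE88FE5 78FF27DF 97BA7CCA 57DC1217
Fingerprint SHA1: 271E80EC 30304CC1 624EEE32 99F43AF8 DB9D0280
"""

if __name__ == "__main__":
    print("MD5 :", ios_fingerprint(CONSTRUCTED_DER, "md5"))
    print("SHA1:", ios_fingerprint(CONSTRUCTED_DER, "sha1"))
    print("router SHA1:", parse_router_output(ROUTER_OUTPUT)["sha1"])
    print("matches router:", router_output_matches(CONSTRUCTED_DER, ROUTER_OUTPUT))
```

Run against the real CA certificate file, router_output_matches() answers the question the prompt asks: the DER the router received over the enrollment URL hashes to the same SHA1 as the file the CA published out of band. A mismatch means the router was handed a different certificate and the administrator should answer "no".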
4.6.4.4 Storing Certificates to a Local Storage Location
Certificates are stored to NVRAM by default; however, some routers do not have the required amount of NVRAM to successfully store certificates. All Cisco platforms support NVRAM and flash local storage. Depending on the platform, an authorized administrator may have other supported local storage options including bootflash, slot, disk, USB flash, or USB token. During run time, an authorized administrator can specify which local storage device will be used to store certificates. For more detailed information see the section "How to Configure PKI Storage" of the Public Key Infrastructure Configuration Guide: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book.pdf
4.6.4.4.1. How to Specify a Local Storage Location for Certificates
The summary steps for storing certificates locally to the TOE are as follows:
1. Enter configure terminal mode:
Device # configure terminal
2. Specify the local storage location for certificates: crypto pki certificate storage location-name
Device(config)# crypto pki certificate storage flash:/certs
3. Exit:
Device(config)# exit
4. Save the changes made:
Device# copy system:running-config nvram:startup-config
5. Display the current setting for the PKI certificate storage location:
Device# show crypto pki certificates storage
The following is sample output from the show crypto pki certificates storage command, which shows that the certificates are stored in the certs subdirectory of disk0:
Device# show crypto pki certificates storage
Certificates will be stored in disk0:/certs/
4.6.4.5 Configuring a Revocation Mechanism for PKI Certificate Status Checking
Perform this task to set up the certificate revocation mechanism--CRLs or OCSP--that is used to check the status of certificates in a PKI.
Use the revocation-check command to specify at least one method (OCSP, CRL, or skip the revocation check) that is to be used to ensure that the certificate of a peer has not been revoked. For multiple methods, the order in which the methods are applied is determined by the order specified via this command.
If the TOE does not have the applicable CRL and is unable to obtain one, or if the OCSP server returns an error, the TOE will reject the peer's certificate, unless an administrator includes the 'none' keyword in the configuration. If the 'none' keyword is configured, a revocation check will not be performed and the certificate will always be accepted.
When using OCSP, nonces (unique identifiers for OCSP requests) are sent by default during peer communications with an OCSP server. A nonce binds the OCSP response to the request that prompted it, so a captured response cannot be replayed later to vouch for a certificate that has since been revoked. If the OCSP server does not support nonces, an authorized administrator may disable the sending of nonces.
Note: The TOE supports use of OCSP only when using RSA certs and not when using ECDSA certificates.
4.6.4.6 Manually Overriding the OCSP Server Setting in a Certificate
Administrators can override the OCSP server setting specified in the Authority Information Access (AIA) field of the client certificate or set by the ocsp url command. One or more OCSP servers may be manually specified, either per client certificate or per group of client certificates, by the match certificate override ocsp command. The match certificate override ocsp command overrides the client certificate AIA field or the ocsp url command setting if a client certificate is successfully matched to a certificate map during the revocation check.
4.6.4.7 Configuring Certificate Chain Validation
Perform this task to configure the processing level for the certificate chain path of peer certificates.
Prerequisites:
The device must be enrolled in your PKI hierarchy. The appropriate key pair must be associated with the certificate.
1. Enter configure terminal mode:
TOE-common-criteria# configure terminal
2. Set the crypto pki trustpoint name:
TOE-common-criteria(config)# crypto pki trustpoint ca-sub1
3. Configure the level to which a certificate chain is processed on all certificates, including subordinate CA certificates, using the chain-validation {stop | continue} [parent-trustpoint] command:
TOE-common-criteria(ca-trustpoint)# chain-validation continue ca-sub1
Use the stop keyword to specify that the certificate is already trusted. This is the default setting.
Use the continue keyword to specify that the subordinate CA certificate associated with the trustpoint must be validated.
The parent-trustpoint argument specifies the name of the parent trustpoint the certificate must be validated against.
Note: A trustpoint associated with the root CA cannot be configured to be validated to the next level. If the chain-validation command is configured with the continue keyword for the trustpoint associated with the root CA, an error message will be displayed and chain validation will revert to the default chain-validation setting.
4. Exit:
TOE-common-criteria(ca-trustpoint)# exit
4.6.4.8 Certificate Validation
By default the TOE validates the certificate of the IPsec peer, including its Basic Constraints extension; no configuration is required by the administrator. Optionally, as a way to test Basic Constraints handling, the administrator can add subject-name restrictions to the CA root trustpoint. Refer to "How to Configure Certificate Enrollment for a PKI" in [22]. A portion of an example TOE configuration follows below.
TOE-common-criteria (config)# crypto pki certificate map <certificate map name> 1
TOE-common-criteria (ca-certificate-map)# subject-name co example
TOE-common-criteria (ca-certificate-map)# exit
TOE-common-criteria (config)# crypto pki trustpoint CAroot
TOE-common-criteria (ca-trustpoint)# enrollment terminal
TOE-common-criteria (ca-trustpoint)# match certificate <certificate map name>
TOE-common-criteria (ca-trustpoint)# exit
TOE-common-criteria (config)# crypto pki trustpoint CAsub
TOE-common-criteria (ca-trustpoint)# enrollment terminal
TOE-common-criteria (ca-trustpoint)# subject-name CN=example.organization.com,OU=Spiral Dept,O=Example
TOE-common-criteria (ca-trustpoint)# match certificate <certificate map name>
TOE-common-criteria (ca-trustpoint)# end
The administrator should find an error message stating that certificate chain validation has failed because a certificate in the chain was not a valid CA certificate.
4.6.4.9 Setting X.509 for use with IKE
Once X.509v3 certificates are installed on the TOE, they can be set for use with IKEv1 with the commands:
TOE-common-criteria (config)# crypto isakmp policy 1
TOE-common-criteria (config-isakmp)# authentication rsa-sig
or
TOE-common-criteria (config-isakmp)# authentication ecdsa-sig
And for IKEv2 with the commands:
TOE-common-criteria (config)# crypto ikev2 profile sample
TOE-common-criteria (config-ikev2-profile)# authentication {remote | local} rsa-sig
or
TOE-common-criteria (config-ikev2-profile)# authentication {remote | local} ecdsa-sig
If an invalid certificate is loaded, authentication will not succeed.
4.6.4.10 Deleting Certificates
If the need arises, certificates that are saved on the router can be deleted. The router saves its own certificates and the certificate of the CA.
To delete the router's certificate from the router's configuration, the following commands can be used in global configuration mode:
Router# show crypto ca certificates                                    [displays the certificates stored on the router]
Router(config)# crypto ca certificate chain name                       [enters certificate chain configuration mode]
Router(config-cert-chain)# no certificate certificate-serial-number    [deletes the certificate]
To delete the CA's certificate, the entire CA identity must be removed, which also removes all certificates associated with that CA (the router's own certificate and the CA certificate). To remove a CA identity, the following command in global configuration mode can be used:
Router(config)# no crypto ca identity name                             [deletes all identity information and certificates associated with the CA]
4.6.5 Information Flow Policies
The TOE may be configured by the privileged administrators for information flow control/ firewall rules as well as VPN capabilities using the access control functionality. Configuration of information flow policies is restricted to the privileged administrator.
The VPNGW Extended Package requires that the TOE be able to support options for information flow policies that include discarding, bypassing, and protecting. On the TOE, an authorized administrator can define the traffic rules on the box by configuring access lists (with permit, deny, and/or log actions) and applying these access lists to interfaces using access and crypto map sets:
- The 'discard' option is accomplished using access lists with deny entries, which are applied to interfaces within access-groups. Guidance for configuration of IOS information flow policies is located in [23] under "IP Access List Overview".
- The 'bypassing' option is accomplished using access lists with deny entries, which are applied to interfaces within crypto maps for IPsec. Guidance for configuration of entries for IPsec is in [10].
- The 'protecting' option is accomplished using access lists with permit entries, which are applied to interfaces within crypto maps for IPsec VPN.
The criteria used in matching traffic in all of these access lists includes the source and destination address, and optionally the Layer 4 protocol and port.
The TOE enforces information flow policies on network packets that are received on TOE interfaces and leave the TOE through other TOE interfaces. When a packet is received on a TOE interface, the TOE determines whether the traffic is allowed and either passes or drops it, with optional logging of the decision.
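The three outcomes above follow from two access-list lookups in sequence: the interface access-group decides whether the packet is dropped, and the crypto-map access list decides whether a surviving packet is encrypted or forwarded in the clear. The following Python module is an added example, not Cisco code or IOS behaviour taken from the page: it parses IOS-style extended access-list entries (permit/deny, protocol, source and destination with wildcard masks, optional eq port and log), applies the implicit deny at the end of every IOS list, and returns discard, protect or bypass for a packet. The access lists and packets are constructed for the example.

```python
"""Added example, not part of the Cisco guidance: the discard / bypass / protect
decision described above, reproduced in Python over IOS-style extended access
lists.  The interface access-group ACL is evaluated first; a deny entry, or no
matching entry (every IOS ACL ends in an implicit deny), discards the packet.
The crypto-map ACL is evaluated next; a permit entry sends the packet into the
IPsec SA (protect), a deny entry or no match lets it leave in the clear (bypass).
Addresses use the IOS wildcard-mask convention (a 0 bit must match).  The access
lists and packets below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' matches any protocol; otherwise tcp, udp, icmp, ...
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int] = None  # from a trailing 'eq <port>' on the destination
    log: bool = False            # trailing 'log' keyword


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Accept 'permit ...'/'deny ...' lines and numbered 'access-list N permit ...' lines."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            t = t[2:]
        action, proto = t[0], t[1]
        src, src_wild, i = _addr(t, 2)
        dst, dst_wild, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        log = i < len(t) and t[i] == "log"
        acl.append(Ace(action, proto, src, src_wild, dst, dst_wild, dport, log))
    return acl


def _wild_match(addr: int, net: int, wild: int) -> bool:
    """IOS wildcard semantics: bits that are 0 in the wildcard must be equal."""
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def first_match(acl: List[Ace], pkt: dict) -> Optional[Ace]:
    """First entry matching the packet, or None for the implicit deny at the end of the list."""
    saddr, daddr = _ip(pkt["src"]), _ip(pkt["dst"])
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_wild_match(saddr, ace.src, ace.src_wild) and _wild_match(daddr, ace.dst, ace.dst_wild)):
            continue
        if ace.dport is not None and pkt.get("dport") != ace.dport:
            continue
        return ace
    return None


def classify(ingress_acl: List[Ace], crypto_acl: List[Ace], pkt: dict) -> Tuple[str, bool]:
    """(decision, logged): discard / protect / bypass, and whether the deciding entry carries 'log'."""
    hit = first_match(ingress_acl, pkt)
    if hit is None or hit.action == "deny":
        return "discard", bool(hit and hit.log)
    hit = first_match(crypto_acl, pkt)
    if hit is not None and hit.action == "permit":
        return "protect", hit.log
    return "bypass", bool(hit and hit.log)


INGRESS_ACL = parse_acl("""
deny tcp any any eq 23 log
permit ip any any
""")
CRYPTO_ACL = parse_acl("""
access-list 170 deny ip host 10.1.1.9 12.1.1.0 0.0.0.255
access-list 170 permit ip 10.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255
""")
PACKETS = [
    {"proto": "tcp", "src": "10.1.1.5", "dst": "12.1.1.7", "dport": 23},   # telnet: discarded and logged
    {"proto": "tcp", "src": "10.1.1.5", "dst": "12.1.1.7", "dport": 443},  # inside the crypto ACL: protected
    {"proto": "tcp", "src": "10.1.1.9", "dst": "12.1.1.7", "dport": 443},  # host denied in crypto ACL: bypass
    {"proto": "udp", "src": "10.1.1.5", "dst": "8.8.8.8", "dport": 53},    # no crypto ACL match: bypass
]


def decisions() -> List[Tuple[str, bool]]:
    return [classify(INGRESS_ACL, CRYPTO_ACL, p) for p in PACKETS]


if __name__ == "__main__":
    for pkt, (decision, logged) in zip(PACKETS, decisions()):
        print(f"{pkt['src']} -> {pkt['dst']} {pkt['proto']}/{pkt['dport']}: {decision}"
              + (" (logged)" if logged else ""))
```

The third packet shows why the page says bypassing is done with deny entries in the crypto ACL: the host is explicitly excluded from the protected range, so its traffic is forwarded unencrypted rather than dropped. Anything that should be dropped must be denied in the interface access-group, not in the crypto map.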
4.6.6 IPsec Session Interruption/Recovery
If an IPsec session with a peer is unexpectedly interrupted, the connection will be broken. In these cases, no administrative interaction is required. The IPsec session will be reestablished (a new SA set up) once the peer is back online.
4.7 Product Updates
Verification of authenticity of updated software is done in the same manner as ensuring that the TOE is running a valid image. See Section 2, steps 7 and 9 above for the method to download and verify an image prior to running it on the TOE.
4.8 Configure Reference Identifier
This section describes configuration of the peer reference identifier which is achieved through a certificate map.
Certificate maps provide the ability for a certificate to be matched with a given set of criteria. You can specify which fields within a certificate should be checked and which values those fields may or may not have. There are six logical tests for comparing the field with the value: equal, not equal, contains, does not contain, less than, and greater than or equal. ISAKMP (IKEv1) and IKEv2 profiles can be bound to certificate maps, and the TOE evaluates the map against the peer's certificate during IKE authentication.
Step 1
(config)# crypto pki certificate map label sequence-number
Starts certificate-map mode.
Step 2
(ca-certificate-map)# field-name match-criteria match-value
In ca-certificate-map mode, specify one or more certificate fields together with their matching criteria and the value to match.
field-name specifies one of the following case-insensitive name strings or a date: subject-name, issuer-name, unstructured-subject-name, alt-subject-name, name, valid-start, expires-on.
Note: Date field format is dd mm yyyy hh:mm:ss or mm dd yyyy hh:mm:ss.
match-criteria specifies one of the following logical operators:
eq  Equal (valid for name and date fields)
ne  Not equal (valid for name and date fields)
co  Contains (valid only for name fields)
nc  Does not contain (valid only for name fields)
lt  Less than (valid only for date fields)
ge  Greater than or equal (valid only for date fields)
match-value specifies the name or date to test with the logical operator assigned by match-criteria.
Step 3
(ca-certificate-map)# exit
Exits ca-certificate-map mode.
Step 4
For IKEv1:
crypto isakmp profile ikev1-profile1
 match certificate label
For IKEv2:
crypto ikev2 profile ikev2-profile1
 match certificate label
Associates the certificate-based ACL defined with the crypto pki certificate map command to the profile.
For example, to create a certificate map for IKEv1 that matches four subject-name values of the peer, enter:
# conf t
(config)# crypto pki certificate map cert-map-match-all 99
(ca-certificate-map)# subject-name co cn=CC_PEER
(ca-certificate-map)# subject-name co o=ACME
(ca-certificate-map)# subject-name co ou=North America
(ca-certificate-map)# subject-name co c=US
(ca-certificate-map)# exit
(config)# crypto isakmp profile ike1-profile-match-cert
(conf-isa-prof)# match certificate cert-map-match-all
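The semantics of a certificate map are easy to get wrong when writing one: the lines inside a single map entry are all required, "co" is a case-insensitive substring test on the DN string, and the date operators only apply to the two date fields. The following Python module is an added example, not Cisco code: it parses map lines in the field-name match-criteria match-value form shown above, rejects operators that are invalid for the field type, and evaluates the map against a peer certificate represented as a dict. The map is the page's own sample with one expires-on rule added; the peer certificates are constructed. Treating a field that is absent from the certificate as a failed test, and accepting spelled-out month names in dates, are assumptions made here.

```python
"""Added example, not part of the Cisco guidance: the certificate-map test
described above, implemented in Python against a peer certificate represented
as a dict of certificate field name to value.  All field lines inside one map
entry must hold for the map to match (the four subject-name lines of the page's
example are ANDed); name comparisons are case-insensitive as the page states;
dates are accepted in the two numeric formats the page lists, with 'dd mm yyyy'
tried first when both could apply, plus spelled-out month forms (an assumption).
The map is the page's own sample with one date rule added; the peer
certificates are constructed.
"""
from datetime import datetime
from typing import List, Tuple

NAME_FIELDS = {"subject-name", "issuer-name", "unstructured-subject-name", "alt-subject-name", "name"}
DATE_FIELDS = {"valid-start", "expires-on"}
NAME_OPS = {"eq", "ne", "co", "nc"}
DATE_OPS = {"eq", "ne", "lt", "ge"}
DATE_FORMATS = ("%d %m %Y %H:%M:%S", "%m %d %Y %H:%M:%S", "%d %b %Y %H:%M:%S", "%b %d %Y %H:%M:%S")

Rule = Tuple[str, str, str]


def parse_date(text: str) -> datetime:
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date {text!r}")


def parse_map(text: str) -> List[Rule]:
    """'field-name match-criteria match-value' lines -> (field, op, value) rules.
    An operator that is not valid for the field type is rejected, as the CLI would reject it."""
    rules = []
    for line in text.strip().splitlines():
        field, op, value = line.strip().split(maxsplit=2)
        if (field in NAME_FIELDS and op in NAME_OPS) or (field in DATE_FIELDS and op in DATE_OPS):
            rules.append((field, op, value))
        else:
            raise ValueError(f"operator {op!r} is not valid for field {field!r}")
    return rules


def rule_holds(rule: Rule, cert: dict) -> bool:
    field, op, value = rule
    actual = cert.get(field)
    if actual is None:             # assumption: a field absent from the certificate fails every test
        return False
    if field in NAME_FIELDS:
        a, v = actual.lower(), value.lower()
        return {"eq": a == v, "ne": a != v, "co": v in a, "nc": v not in a}[op]
    a, v = parse_date(actual), parse_date(value)
    return {"eq": a == v, "ne": a != v, "lt": a < v, "ge": a >= v}[op]


def map_matches(rules: List[Rule], cert: dict) -> bool:
    """True only when every rule of the map entry holds (the rules are ANDed)."""
    return all(rule_holds(r, cert) for r in rules)


# The page's sample map, plus a date rule so the date path is exercised.
CERT_MAP_MATCH_ALL = parse_map("""
subject-name co cn=CC_PEER
subject-name co o=ACME
subject-name co ou=North America
subject-name co c=US
expires-on ge 01 01 2020 00:00:00
""")

# Constructed peer certificates: field name -> value as the map would see it.
PEER_OK = {"subject-name": "CN=CC_PEER,O=ACME,OU=North America,C=US",
           "expires-on": "31 12 2030 23:59:59"}
PEER_WRONG_OU = {"subject-name": "CN=CC_PEER,O=ACME,OU=EMEA,C=US",
                 "expires-on": "31 12 2030 23:59:59"}
PEER_EXPIRED = {"subject-name": "CN=CC_PEER,O=ACME,OU=North America,C=US",
                "expires-on": "01 06 2018 00:00:00"}

if __name__ == "__main__":
    for name, peer in (("ok", PEER_OK), ("wrong OU", PEER_WRONG_OU), ("expired", PEER_EXPIRED)):
        print(f"{name}: {'match' if map_matches(CERT_MAP_MATCH_ALL, peer) else 'no match'}")
```

Only the first peer matches: the second fails the ou= rule, the third fails the expires-on rule even though its subject is correct, which is the behaviour wanted from a reference identifier check bound to an IKE profile.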
5 Security Relevant Events
The ASR can maintain logs in two locations: local storage of the generated audit records and, when configured for syslog backup, simultaneous offload of the same events to an external syslog server. ASR administrators should review logs at both locations.
The TOE generates an audit record whenever an audited event occurs. The types of events that cause audit records to be generated include, cryptography related events, identification and authentication related events, and administrative events (the specific events and the contents of each audit record are listed in Table 7 below). Each of the events is specified in syslog records in enough detail to identify the user for which the event is associated, when the event occurred, where the event occurred, the outcome of the event, and the type of event that occurred. Additionally, the startup and shutdown of the audit functionality is audited.
The audit trail consists of the individual audit records; one audit record for each event that occurred. The audit record can contain up to 80 characters and a percent sign (%), which follows the time-stamp information. The audit fields in each audit event will contain at a minimum the following:
Example Audit Event:
Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (DES encryption/decryption ... passed)
Date: Nov 19
Time: 13:55:59
Type of event: %CRYPTO-6-SELF_TEST_RESULT
Subject identity: Available when the command is run by an authorized TOE administrator user, such as "user: lab". In cases where the audit event is not associated with an authorized user, an IP address may be provided for the non-TOE endpoint and/or the TOE.
IP address: (Optional) May be provided along with the subject identity of a specific authorized TOE administrator.
Port number: (Optional) May be provided along with the IP address for throughput traffic.
Outcome (Success or Failure): Success may be explicitly stated with "success" or "passed" contained within the audit event, or is implicit in that there is no failure or error message. More specifically, for failed logins "Login failed" will appear in the audit event; for successful logins "Login success" will appear in the associated audit event. For failed events "failure" will be denoted in the audit event. For other audit events a detailed description of the outcome may be given in lieu of an explicit success or failure; for example, for an IPsec session where the lifetime of the SA has expired a detailed description is given in the associated audit event: "SA lifetime threshold reached, expiring in 1412 seconds."
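When these records are offloaded to a syslog server they arrive as free text, so a collector has to recover the fields listed above from each line. The following Python parser is an added example written for this page, not Cisco code: it splits a record into date, time, timezone, the %FACILITY-SEVERITY-MNEMONIC event type, subject identity, source IP address, local port, reason and an outcome classified by the conventions the paragraph above describes. The sample records are copied from this page's own examples; ISAKMP/IPsec debug lines, which carry no %FACILITY-SEVERITY-MNEMONIC tag, are reported as unparsed.

```python
"""Added example, not part of the Cisco guidance: split the syslog-style audit
records shown in Section 5 into the fields the section says every record carries
(date, time, type of event, subject identity, IP address, port, outcome).  The
parser is written for this page, not taken from Cisco; the sample records are
copied from this page's own examples.
"""
import re
from typing import List, Optional

# IOS logging severity names, 0..7.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

RECORD = re.compile(
    r"^(?:\d+: )?"                                          # optional sequence number
    r"(?P<flag>[*.])?"                                      # '*' clock not authoritative, '.' NTP sync lost
    r"(?P<date>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})?) "
    r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Za-z]{1,5}))?: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$")

FAILURE_WORDS = ("fail", "unable", "error")
SUCCESS_WORDS = ("success", "passed")


def _first(text: str, *patterns: str) -> Optional[str]:
    """Group 1 of the first pattern that matches, else None."""
    for p in patterns:
        m = re.search(p, text)
        if m:
            return m.group(1)
    return None


def parse_record(line: str) -> Optional[dict]:
    """Fields of one %FACILITY-SEVERITY-MNEMONIC record, or None for lines without that tag."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    msg = m.group("message")
    low = msg.lower()
    if any(w in low for w in FAILURE_WORDS):
        outcome = "failure"
    elif any(w in low for w in SUCCESS_WORDS):
        outcome = "success"
    else:
        outcome = "described in message"       # e.g. 'SA lifetime threshold reached ...'
    port = _first(msg, r"\[localport: (\d+)\]")
    return {
        "date": m.group("date"),
        "time": m.group("time"),
        "timezone": m.group("tz"),
        "clock_flag": m.group("flag"),
        "type": f"%{m.group('facility')}-{m.group('severity')}-{m.group('mnemonic')}",
        "severity": SEVERITY[int(m.group("severity"))],
        "user": _first(msg, r"\[user: ([^\]]+)\]", r"for user '([^']+)'", r"User:(\S+?) logged"),
        "source": _first(msg, r"\[Source: ([^\]]+)\]", r"from (\d+\.\d+\.\d+\.\d+)"),
        "port": int(port) if port is not None else None,
        "reason": _first(msg, r"\[Reason: ([^\]]+)\]"),
        "command": _first(msg, r"logged command:(.*)$"),
        "outcome": outcome,
    }


def parse_all(lines: List[str]) -> List[Optional[dict]]:
    return [parse_record(line) for line in lines]


# Sample records copied from this page.
SAMPLE_RECORDS = [
    "Jun 18 2012 11:19:06 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: anonymous] "
    "[Source: 100.1.1.5] [localport: 22] [Reason: Login Authentication Failed] at 11:19:06 UTC Mon Jun 18 2012",
    "000278: *Apr 23 07:11:56: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: auditperson] "
    "[Source: 0.0.0.0] [localport: 0] at 07:11:56 UTC Thu Apr 23 2009",
    "Feb 8 06:47:17.041: %SSH-5-SSH2_CLOSE: SSH2 Session from 1.1.1.1 (tty = 0) for user 'cisco' "
    "using crypto cipher 'aes256-cbc', hmac 'hmac-sha1-96' closed",
    "171: *Jan 30 2013 05:27:31: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map",
    "Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (DES encryption/decryption ... passed)",
]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_RECORDS):
        print(rec["type"], rec["user"], rec["source"], rec["outcome"])
```

A collector built on this parser can alert on the LOGIN_FAILED rate per source address, on every CFGLOG_LOGGEDCMD that touches crypto configuration, and on records whose clock flag shows the clock was not authoritative, since the timestamp of such a record cannot be trusted when correlating with other hosts.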
As noted above, the information includes at least all of the required information. Example audit events are included below:
Additional Audit Information: As described in Column 3 of Table 7 below.
Table 7: Auditable Events
Columns: Requirement | Auditable Events | Additional Audit Record Contents | Sample Record (each entry below lists these four columns in turn)

Requirement: FCS_MACSEC_EXT.1
Auditable Events: Session establishment
Additional Audit Record Contents: Secure Channel Identifier (SCI)
Sample Record (session establishment):
Mar 15 2016 12:49:11.891 IST: %MKA-5-SESSION_START: (Te1/2 : 22) MKA Session started for RxSCI 188b.9d3c.c83f/0000, AuditSessionID 092B033C0000000E000C08B8, AuthMgr-Handle 45000002
Mar 15 2016 12:49:11.891 IST: MKA-EVENT: Started a new MKA Session on interface TenGigabitEthernet1/2 for Peer MAC 188b.9d3c.c83f with SCI 80E0.1DC6.3E7F/0016 successfully
Requirement: FCS_MACSEC_EXT.1.7
Auditable Events: Creation of Connectivity Association
Additional Audit Record Contents: Connectivity Association Key Names
Sample Record (creation of Connectivity Association):
Mar 15 2016 14:38:53.326 IST: %MKA-5-SESSION_SECURED: (Gi1/0/2 : 9) MKA Session was secured for RxSCI 90e2.ba12.a00d/0000, AuditSessionID 000000000000000D001C2D92, CKN 24AA15376050334AE1EA9BE8A1D0894B00000000000000000000000000000000
Requirement: FCS_MACSEC_EXT.3.1
Auditable Events: Creation and update of Secure Association Key
Additional Audit Record Contents: Creation and update times
Sample Record:
For SAK (Secure Association Key) creation:
Mar 15 2016 12:54:49.937 IST: MKA-EVENT 80e0.1dc6.3e7f/0016 C7000003: Generation of new Latest SAK succeeded (Latest AN=0, KN=1)...
For SAK (Secure Association Key) update:
Mar 15 2016 14:38:53.326 IST: %MKA-6-SAK_REKEY: (Gi0/1/0 : 10) MKA Session is beginning a SAK Rekey (current Latest AN/KN 0/1, Old AN/KN 0/1) for RxSCI f4cf.e298.ccb8/000a, AuditSessionID CKN 1000000000000000000000000000000000000000000000000000000000000000
Requirement: FCS_IPSEC_EXT.1
Auditable Events: Failure to establish an IPsec SA; session establishment with peer
Additional Audit Record Contents: Reason for failure; entire packet contents of packets transmitted/received during session establishment
Sample Record:
Initiation of IPsec session (outbound):
Jun 20 07:42:26.823: ISAKMP (0): received packet from 100.1.1.5 dport 500 sport 500 Global (N) NEW SA
Jun 20 07:42:26.823: ISAKMP: Created a peer struct for 100.1.1.5, peer port 500
Jun 20 07:42:26.823: ISAKMP: New peer created peer = 0x89C3879C peer_handle = 0x8000000C
Jun 20 07:42:26.823: ISAKMP: Locking peer struct 0x89C3879C, refcount 1 for crypto_isakmp_process_block
Jun 20 07:42:26.823: ISAKMP: local port 500, remote port 500
Jun 20 07:42:26.823: ISAKMP:(0):insert sa successfully sa = 8C1C1FD4
Jun 20 07:42:26.823: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 07:42:26.823: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
...
Jun 20 07:42:26.823: ISAKMP:(0):found peer pre-shared key matching 100.1.1.5
Jun 20 07:42:26.823: ISAKMP:(0): local preshared key found
Jun 20 07:42:26.823: ISAKMP : Scanning profiles for xauth ...
Jun 20 07:42:26.823: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jun 20 07:42:26.827: ISAKMP: encryption AES-CBC
Jun 20 07:42:26.827: ISAKMP: keylength of 128
Jun 20 07:42:26.827: ISAKMP: hash SHA
Jun 20 07:42:26.827: ISAKMP: default group 14
Jun 20 07:42:26.827: ISAKMP: auth pre-share
...
Jun 20 07:42:26.843: ISAKMP (0): received packet from 100.1.1.5 dport 500 sport 500 Global (R) MM_SA_SETUP
Jun 20 07:42:26.843: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 07:42:26.843: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Jun 20 07:42:26.843: ISAKMP:(0): processing KE payload. message ID = 0
Jun 20 07:42:27.055: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 20 07:42:27.059: ISAKMP:(0):found peer pre-shared key matching 100.1.1.5
Termination of IPsec session (outbound-initiated):
.Jun 19 21:09:49.619: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 100.1.1.5, sa_proto= 50, sa_spi= 0x3C81B171(1015132529), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 62 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 100.1.1.1:0, remote= 100.1.1.5:0, local_proxy= 10.1.1.0/255.255.255.0/256/0, remote_proxy= 12.1.1.0/255.255.255.0/256/0
Jun 19 21:10:37.575: ISAKMP:(2034):purging node -506111676
.Jun 19 21:10:39.615: ISAKMP:(2034):purging node -22679511
.Jun 20 04:46:14.789: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 1412 seconds
Failure of an established IPsec session (outbound-initiated):
Jun 19 11:12:33.905: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
Configuration of IPsec:
Jan 30 18:56:50 10.104.49.55 Time set to Jan 30 18:56:50, from server 10.104.49.22.
131: *Jan 30 2013 05:20:15: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:logging trap 7
132: *Jan 30 2013 05:20:16: %SYS-5-CONFIG_I: Configured from console by console
136: *Jan 30 10:54:46.421 IST: crypto_engine: Delete IPsec SA
135: *Jan 30 10:54:46.421 IST: crypto engine: deleting IPsec SA :12
171: *Jan 30 2013 05:27:31: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map
172: *Jan 30 2013 05:27:42: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map cc
FCS_SSHS_EXT.1
Auditable Events: Failure to establish an SSH session. Establishment of an SSH session.
Additional Audit Record Contents: Reason for failure. IP address of remote host.
Sample Record:
Failure to establish an SSH session (generic example): Jun 18 2012 11:19:06 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: anonymous] [Source: 100.1.1.5] [localport: 22] [Reason: Login Authentication Failed] at 11:19:06 UTC Mon Jun 18 2012
Establishment of an SSH session: Jun 18 2012 11:31:35 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ranger] [Source: 100.1.1.5] [localport: 22] at 11:31:35 UTC Mon Jun 18 2012
SSH session closed: Feb 8 06:47:17.041: %SSH-5-SSH2_CLOSE: SSH2 Session from 1.1.1.1 (tty = 0) for user 'cisco' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1-96' closed
FIA_UIA_EXT.1
Auditable Events: All use of the identification and authentication mechanism.
Additional Audit Record Contents: Provided user identity, origin of the attempt (e.g., IP address).
Sample Record: See the audit events under FIA_UAU_EXT.2.
FIA_UAU_EXT.2
Auditable Events: All use of the authentication mechanism.
Additional Audit Record Contents: Origin of the attempt (e.g., IP address).
Sample Record:
Login as an administrative user at the console:
Username: auditperson
Password:
ASR-SL-491>
000278: *Apr 23 07:11:56: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: auditperson] [Source: 0.0.0.0] [localport: 0] at 07:11:56 UTC Thu Apr 23 2009
Failed login via the console does not allow any actions:
Username: auditperson
Password:
% Authentication failed
Username:
000254: *Apr 26 00:45:43.340: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: auditperson] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 23:45:43 Sat Apr 25 2009
Successful login via SSH:
Mar 24 07:30:02.488: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin15] [Source: 10.21.0.101] [localport: 22] at 07:30:02 EDT Tue Mar 24 2015
Failed login via SSH:
Mar 24 07:29:59.480: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin15] [Source: 10.21.0.101] [localport: 22] [Reason: Login Authentication Failed] at 07:29:59 EDT Tue Mar 24 2015
FIA_X509_EXT.1
Auditable Events: Unsuccessful attempt to validate a certificate. Session establishment with CA.
Additional Audit Record Contents: Reason for failure. Entire packet contents of packets transmitted/received during session establishment.
Sample Record (IKEv2 debug output, most recent record first):
42479: Initiator SPI : 6038B31E75BFF128 - Responder SPI : ECB6C134F5652076 Message id: 1
42478: *Feb 5 11:10:18.749: IKEv2:(SA ID = 1):Sending Packet [To 210.1.1.1:500/From 110.1.1.1:500/VRF i0:f0]
42442: *Feb 5 11:10:18.747: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
42441: *Feb 5 11:10:18.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint rahul
42440: *Feb 5 11:10:18.747: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'rahul'
42439: *Feb 5 11:10:18.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
42438: *Feb 5 11:10:18.747: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
42437: *Feb 5 11:10:18.747: IKEv2:(SA ID = 1):Verify SA init message
42436: *Feb 5 11:10:18.747: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
42435: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
Unsuccessful certificate validation: Aug 3 19:10:18.621: %PKI-3-CERTIFICATE_REVOKED: Certificate chain validation has failed. The certificate (SN: 04) is revoked
FMT_MOF.1(1)/AdminAct
Auditable Events: Modification of the behaviour of the TSF.
Additional Audit Record Contents: None.
Sample Record: Feb 17 2013 16:34:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:logging informational
FMT_MOF.1(1)/TrustedUpdate
Auditable Events: Any attempt to initiate a manual update.
Additional Audit Record Contents: None.
Sample Record: *Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
FMT_MTD.1
Auditable Events: All management activities of TSF data.
Additional Audit Record Contents: None.
Sample Record: Feb 17 2013 16:34:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:logging informational
FMT_MTD.1/AdminAct
Auditable Events: Modification, deletion, generation/import of cryptographic keys.
Additional Audit Record Contents: None.
Sample Record: Feb 17 2013 16:37:27: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:crypto key zeroize
FPF_RUL_EXT.1
Auditable Events: (1) Application of rules configured with the 'log' operation. (2) Indication of packets dropped due to too much network traffic.
Additional Audit Record Contents: For (1), source and destination addresses, source and destination ports, transport layer protocol, TOE interface. For (2), the TOE interface that is unable to process packets.
Sample Record:
Jan 21 2013 11:29:16 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 21.0.0.20(3333) -> 21.0.0.1(21), 1 packet
Jan 21 2013 11:43:45 UTC: %SEC-6-IPACCESSLOGP: list 111 denied tcp 21.0.0.20(0) -> 21.0.0.1(21), 1 packet
Packets dropped due to too much network traffic: *May 6 04:04:28.279: %HA_EM-6-LOG: test2: value GigabitEthernet0/2 output_packets_dropped increased from 1058406890 to 1061078215
FPT_STM.1
Auditable Events: Changes to the time.
Additional Audit Record Contents: The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address).
Sample Record:
Manual time change (output of show logging | include CLOCKUPDATE on the ASR1001X):
Mar 18 13:18:19.639: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:18:19 EDT Wed Mar 18 2015 to 13:18:19 EDT Wed Mar 18 2015, configured from console by script on console.
NTP synchronization (debug output):
.Dec 22 22:22:35.812: NTP message sent to 10.24.0.1, from interface 'GigabitEthernet0/0/0' (10.21.0.110).
.Dec 22 22:22:35.812: NTP message received from 10.24.0.1 on interface 'GigabitEthernet0/0/0' (10.21.0.110).
.Dec 22 22:22:35.812: NTP Core(DEBUG): ntp_receive: message received
.Dec 22 22:22:35.812: NTP Core(DEBUG): ntp_receive: peer is 0x7FD044C809B0, next action is 1.
.Dec 22 22:22:35.812: NTP Core(DEBUG): Peer becomes reachable, poll set to 6.
.Dec 22 22:22:35.812: NTP Core(INFO): 10.24.0.1 8014 84 reachable
.Dec 22 22:22:35.812: NTP Core(INFO): 10.24.0.1 902D 8D popcorn popcorn
.Dec 22 22:22:37.112: %HA_EM-6-LOG: cli_log: host[ASR1001X] user[script] port[0] exec_lvl[15] command[show ntp status ] Executed
.Dec 22 22:22:37.811: NTP message sent to 10.24.0.1, from interface 'GigabitEthernet0/0/0' (10.21.0.110).
.Dec 22 22:22:37.812: NTP message received from 10.24.0.1 on interface 'GigabitEthernet0/0/0' (10.21.0.110).
.Dec 22 22:22:37.812: NTP Core(DEBUG): ntp_receive: message received
.Dec 22 22:22:37.812: NTP Core(DEBUG): ntp_receive: peer is 0x7FD044C809B0, next action is 1.
.Dec 22 22:22:37.812: NTP Core(INFO): 10.24.0.1 963A 8A sys_peer
.Dec 22 22:22:37.812: NTP: step(0xF164A290.06E65E00): local_offset = 0x00000000.00000000, curtime = 0xE74F9D7D.CFDF3DA0
.Mar 18 14:18:53.838: NTP Core(NOTICE): trans state : 5
FPT_RPL.1
Auditable Events: Detected replay attempt.
Additional Audit Record Contents: None.
Sample Record: *Jul 7 18:43:14.595: %MKA-3-MKPDU_VALIDATE_FAILURE: (Gi0/0/1 : 11) Validation of a MKPDU failed for RxSCI 6412.25a1.a409/0009, AuditSessionID , CKN 1234000000000000000000000000000000000000000000000000000000000000
FPT_TUD_EXT.1
Auditable Events: Initiation of update. Result of the update attempt (success or failure).
Additional Audit Record Contents: No additional information.
Sample Record (use of the "upgrade" command, followed by the copy and reload):
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:copy tftp ….
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:reload
FPT_TST_EXT.1
Auditable Events: Indication that TSF self-test was completed.
Additional Audit Record Contents: Any additional information generated by the tests beyond "success" or "failure".
Sample Record:
Jan 23 2013 06:53:24.570: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Self test activated by user: admin)
Jan 23 2013 06:53:24.670: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Software checksum ... passed)
FPT_TST_EXT.2
Auditable Events: Failure of self-test.
Additional Audit Record Contents: Reason for failure (including identifier of invalid certificate).
Sample Record: Cause: c3m_set_fips_mode, Fatal Fault, FIPS POST Failure requested by: Process ID: 147461 (syslogd) app_name: ssl Process: syslogd
FTA_SSL_EXT.1
Auditable Events: Any attempts at unlocking of a local interactive session.
Additional Audit Record Contents: No additional information.
Sample Record (in the TOE this is represented by login attempts that occur after the timeout of a local administrative user):
001383: May 10 18:06:34.091: %SYS-6-EXEC_EXPIRE_TIMER: (tty 0 (0.0.0.0)) exec-timeout timer expired for user securityperson
001384: May 10 18:06:34.091: %SYS-6-EXIT_CONFIG: User securityperson has exited tty session 0(0.0.0.0)
FTA_SSL.3
Auditable Events: The termination of a remote session by the session locking mechanism.
Additional Audit Record Contents: No additional information.
Sample Record (generated when an SSH session is terminated because of idle timeout): May 29 2012 15:18:00 UTC: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 0 (0.0.0.0)), user admin
FTA_SSL.4
Auditable Events: The termination of an interactive session.
Additional Audit Record Contents: No additional information.
Sample Record:
Administrator logs out of the console: May 17 2011 16:29:09: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:exit
Administrator logs out of SSH: Jun 18 11:17:36.653: SSH0: Session terminated normally
FTP_ITC.1
Auditable Events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Additional Audit Record Contents: Identification of the initiator and target of failed trusted channel establishment attempt.
Sample Record: See the logs provided for FCS_IPSEC_EXT.1.
FTP_TRP.1
Auditable Events: Initiation of the trusted path. Termination of the trusted path. Failures of the trusted path functions.
Additional Audit Record Contents: Identification of the claimed user identity.
Sample Record: See the logs provided for FCS_SSHS_EXT.1.
Table 8 Auditable Administrative Events
(Columns: Requirement; Management Action to Log; Sample Log)
FAU_GEN.1: Audit data generation
Management Action to Log: Changing logging settings. Clearing logs.
Sample Log:
Feb 17 2013 16:29:07: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:logging enable
Feb 17 2013 16:34:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:logging informational
Feb 17 2013 17:05:16: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:clear logging
FAU_GEN.2: User identity association
Management Action to Log: None
Sample Log: N/A
FAU_STG_EXT.1: Protected Audit Event Storage
Management Action to Log: Configuration of syslog export settings
Sample Log: Feb 17 2013 17:05:16: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:logging host
FCS_CKM.1: Cryptographic key generation (refined)
Management Action to Log: Manual key generation
Sample Log:
Feb 17 2013 16:14:47: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:crypto key *****
Jan 24 2013 03:10:08.878: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group getvpn transitioned to Unicast Rekey.
FCS_CKM_EXT.4: Cryptographic key destruction
Management Action to Log: Manual key zeroization
Sample Log: Feb 17 2013 16:37:27: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:crypto key zeroize
FCS_COP.1(1): Cryptographic operation (AES data encryption/decryption)
Management Action to Log: None
Sample Log: N/A
FCS_COP.1(2): Cryptographic operation (Signature Generation and Verification)
Management Action to Log: None
Sample Log: N/A
FCS_COP.1(3): Cryptographic operation (Hash Algorithm)
Management Action to Log: None
Sample Log: N/A
FCS_COP.1(4): Cryptographic operation (for keyed-hash message authentication)
Management Action to Log: None
Sample Log: N/A
FCS_RBG_EXT.1: Cryptographic operation (random bit generation)
Management Action to Log: None
Sample Log: N/A
FCS_IPSEC_EXT.1.1 Extended: IPsec
Management Action to Log: Configuration of IPsec settings, including mode, security policy, IKE version, algorithms, lifetimes, DH group, and certificates.
Sample Log:
ESP algorithms, IKEv2 policy and crypto map:
*Mar 13 11:56:12.491: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:interface GigabitEthernet0/0/1
*Mar 13 11:56:15.762: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:ip access-list extended acl_ASR1001X
*Mar 13 11:56:16.407: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:permit icmp 10.21.0.0 0.0.0.255 10.22.05.0 0.0.0.255
*Mar 13 11:56:16.690: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:crypto ipsec transform-set set_1 esp-gcm 128
*Mar 13 11:56:16.779: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:mode tunnel
*Mar 13 11:56:18.195: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:crypto ikev2 policy ikev2_policy_1
*Mar 13 11:56:20.618: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:authentication local pre-share
*Mar 13 11:56:20.756: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:authentication remote pre-share
Mar 13 11:59:19.529: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:encryption aes-cbc-256
Mar 13 11:59:19.745: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:group 14
Mar 13 12:11:01.999: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:integrity sha256
*Mar 13 11:56:21.109: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:crypto map cmap_1 1 ipsec-isakmp
*Mar 13 11:56:21.344: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:set peer 10.22.0.2
*Mar 13 11:56:21.471: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:set transform-set set_1
*Mar 13 11:56:21.737: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:match address acl_ASR1001X
*Mar 13 11:56:22.512: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:ip route 10.22.05.0 255.255.255.0 10.22.0.2
IPsec SA lifetime:
Mar 14 23:16:24.170: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:crypto ipsec security-association lifetime kilobytes 10240
IKEv2 proposal, keyring and profile:
Jan 16 00:36:43 cc_toe 279: *Jan 16 00:36:43.032: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:crypto ikev2 proposal ike2aes2sha2
Jan 16 00:36:43 cc_toe 283: *Jan 16 00:36:43.509: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:integrity sha256
Jan 16 00:36:44 cc_toe 291: *Jan 16 00:36:44.046: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:proposal ike2aes2sha2
Jan 16 00:36:44 cc_toe 293: *Jan 16 00:36:44.182: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:crypto ikev2 keyring keyring1
Jan 16 00:36:44 cc_toe 299: *Jan 16 00:36:44.570: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:pre-shared-key 0 Cisco123
Jan 16 00:36:44 cc_toe 301: *Jan 16 00:36:44.712: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:crypto ikev2 profile profile1
Note that the pre-shared-key record above contains the key value itself in clear text, so the syslog export and the collector must be protected accordingly; compare the masked form shown for FIA_PSK_EXT.1 below.
FCS_SSHS_EXT.1: SSH Server Protocol
Management Action to Log: Configuration of SSH settings, including certificates or passwords, algorithms, host names, users.
Sample Log:
*Feb 4 15:02:06.415: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:ip ssh version 2
*Feb 4 15:02:06.531: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:ip ssh dh min size 2048
*Feb 4 15:02:06.644: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:ip ssh logging events
FIA_AFL.1: Authentication Failure Handling
Management Action to Log: Administrator lockout due to excessive authentication failures
Sample Log:
Feb 17 2013 16:14:47: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command: aaa local authentication attempts max-fail [number of failures]
Feb 7 2013 02:05:41.953: %AAA-5-USER_UNLOCKED: User user unlocked by admin on vty0 (21.0.0.1)
FIA_PMG_EXT.1: Password management
Management Action to Log: None
Sample Log: None
FIA_PSK_EXT.1: Extended: Pre-Shared Key Composition
Management Action to Log: Creation of a pre-shared key.
Sample Log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: crypto isakmp key *****
FIA_UIA_EXT.1: User identification and authentication
Management Action to Log: Logging into TOE.
Sample Log: Jan 17 2013 05:05:49.460: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ranger] [Source: 21.0.0.3] [localport: 22] at 00:05:49 EST Thu Jan 17 2013
FIA_UAU_EXT.2: Password-based authentication mechanism
Management Action to Log: None
Sample Log: N/A
FIA_UAU.7: Protected authentication feedback
Management Action to Log: None
Sample Log: N/A
FIA_X509_EXT.1: X.509 Certificate Validation
Management Action to Log: Generating a certificate.
Sample Log: Feb 17 2013 16:14:47: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command: crypto key generate
FMT_MOF.1: Management of Security Functions Behavior
Management Action to Log: See all other rows in table.
Sample Log: N/A
FMT_MTD.1: Management of TSF data
Management Action to Log: See all other rows in table.
Sample Log: N/A
FMT_SMF.1: Specification of management functions
Management Action to Log: See all other rows in table.
Sample Log: N/A
FMT_SMR.2: Restrictions on Security roles
Management Action to Log: Configuring administrative users with specified roles.
Sample Log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: username admin 15
FPF_RUL_EXT.1: Packet Filtering
Management Action to Log: Configuring packet filtering rules.
Sample Log:
Oct 15 23:39:50 cc_toe 21696: Oct 15 23:39:49.881: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:ip access-list extended FPF_RUL_EXT.1.6.T1-permit
Oct 15 23:39:50 cc_toe 21698: Oct 15 23:39:50.077: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:permit icmp 10.32.0.203 0.0.0.0 10.31.0.101 0.0.0.0 log
Oct 15 23:39:50 cc_toe 21700: Oct 15 23:39:50.261: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:deny icmp 10.32.0.203 0.0.0.0 10.31.0.101 0.0.0.0 log
Oct 15 23:39:50 cc_toe 21704: Oct 15 23:39:50.625: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:ip access-group
FPT_FLS.1: Fail Secure
Management Action to Log: None
Sample Log: N/A
FPT_SKP_EXT.1: Protection of TSF Data (for reading of all symmetric keys)
Management Action to Log: None
Sample Log: N/A
FPT_APW_EXT.1: Protection of Administrator Passwords
Management Action to Log: None
Sample Log: N/A
FPT_STM.1: Reliable time stamps
Management Action to Log: Changes to NTP settings. Manual changes to the system time.
Sample Log:
Changes to NTP settings:
Manual changes to the system time: Feb 5 2013 06:28:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 11:27:52 UTC Tue Feb 5 2013 to 06:28:00 UTC Tue Feb 5 2013, configured from console by admin on console.
FPT_TUD_EXT.1: Trusted update
Management Action to Log: Software updates
Sample Log: Jul 10 2013 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
FPT_TST_EXT.1: TSF testing
Management Action to Log: None
Sample Log: N/A
FTA_SSL_EXT.1: TSF-initiated session locking
Management Action to Log: Specifying the inactivity time period.
Sample Log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: exec-timeout 60
FTA_SSL.3: TSF-initiated termination
Management Action to Log: Specifying the inactivity time period.
Sample Log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: exec-timeout 60
FTA_SSL.4: User-initiated termination
Management Action to Log: Logging out of TOE.
Sample Log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: exit
FTA_TAB.1: Default TOE access banners
Management Action to Log: Configuring the banner displayed prior to authentication.
Sample Log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: banner login d This is a banner d
FTP_ITC.1: Inter-TSF trusted channel
Management Action to Log: None
Sample Log: N/A
FTP_TRP.1: Trusted path
Management Action to Log: Connecting to the TOE with SSH.
Sample Log: Jan 17 05:05:49.460: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ranger] [Source: 21.0.0.3] [localport: 22] at 00:05:49 EST Thu Jan 17 2013
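The sample records in the two audit tables above share one format: an optional sequence number and timestamp, then %FACILITY-SEVERITY-MNEMONIC: followed by free text, with SEC_LOGIN records carrying bracketed key/value fields. The Python script below is an added example, not code from Cisco or from this guidance. It parses that format offline and runs three checks a syslog collector would want against these records: repeated LOGIN_FAILED records from one remote source (the collector-side counterpart of FIA_AFL.1), CFGLOG_LOGGEDCMD records for commands that alter audit export, audit storage or key material (FAU_GEN.1, FAU_STG_EXT.1, FCS_CKM_EXT.4), and the size and origin of each SYS-6-CLOCKUPDATE step (FPT_STM.1). The failure threshold, the watch-list of commands and the two log lines marked "constructed" are assumptions; the other sample lines are copied from the tables.

```python
"""Offline checks over the Cisco IOS syslog records shown in the audit tables.

Added example, not Cisco's code. It relies only on the record format visible in
the samples: optional sequence number and timestamp, then
%FACILITY-SEVERITY-MNEMONIC: text. The failure threshold and the watch-list of
sensitive commands are illustrative assumptions, not values from the guidance.
"""
import re
from collections import Counter
from datetime import datetime

# %FACILITY-SEVERITY-MNEMONIC: text (severity 0-7, as written by IOS logging)
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
# Bracketed fields of SEC_LOGIN records: [user: admin15] [Source: 10.21.0.101] [localport: 22]
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+):\s*(?P<val>[^\]]*)\]")
# Text of PARSER-5-CFGLOG_LOGGEDCMD: "User:test_admin logged command:crypto key zeroize"
CFGLOG_RE = re.compile(r"User:(?P<user>\S+) logged command:\s*(?P<command>.*)")
# Text of SYS-6-CLOCKUPDATE: "System clock has been updated from <old> to <new>, configured from <origin>."
CLOCK_RE = re.compile(r"System clock has been updated from (?P<old>.+?) to (?P<new>.+?), configured from (?P<origin>.+?)\.?$")
# Assumed watch-list: Table 8 commands that alter audit export, audit storage or key material.
SENSITIVE_COMMANDS = ("crypto key zeroize", "clear logging", "no logging", "logging host", "no crypto map")


def parse_record(line):
    """Split one IOS syslog line into facility, severity, mnemonic, text and bracketed fields."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["fields"] = {k.lower(): v.strip() for k, v in FIELD_RE.findall(rec["text"])}
    return rec


def login_events(lines):
    """SEC_LOGIN records (FIA_UAU_EXT.2 / FCS_SSHS_EXT.1) as outcome, user, source, localport, reason."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["facility"] == "SEC_LOGIN":
            f = rec["fields"]
            events.append({"outcome": "success" if rec["mnemonic"] == "LOGIN_SUCCESS" else "failure",
                           "user": f.get("user"), "source": f.get("source"),
                           "localport": f.get("localport"), "reason": f.get("reason")})
    return events


def sources_at_threshold(lines, max_fail=3):
    """Remote sources whose LOGIN_FAILED count has reached max_fail (assumed threshold).
    Console logins (Source 0.0.0.0) are ignored; this mirrors 'aaa local authentication
    attempts max-fail' from the collector's side."""
    fails = Counter(e["source"] for e in login_events(lines)
                    if e["outcome"] == "failure" and e["source"] != "0.0.0.0")
    return {src: n for src, n in fails.items() if n >= max_fail}


def sensitive_config_commands(lines):
    """(user, command) for CFGLOG_LOGGEDCMD records whose command is on the watch-list."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["mnemonic"] == "CFGLOG_LOGGEDCMD":
            m = CFGLOG_RE.search(rec["text"])
            if m and m["command"].startswith(SENSITIVE_COMMANDS):
                hits.append((m["user"], m["command"]))
    return hits


def _clock(value):
    # "11:27:52 UTC Tue Feb 5 2013" -> datetime. The zone token is dropped because both
    # sides of a CLOCKUPDATE record carry the same zone in the sample records.
    hms, _zone, _weekday, month, day, year = value.split()
    return datetime.strptime(f"{hms} {month} {day} {year}", "%H:%M:%S %b %d %Y")


def clock_changes(lines):
    """(old, new, delta_seconds, origin) for each SYS-6-CLOCKUPDATE record (FPT_STM.1)."""
    changes = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["mnemonic"] == "CLOCKUPDATE":
            m = CLOCK_RE.search(rec["text"])
            if m:
                delta = (_clock(m["new"]) - _clock(m["old"])).total_seconds()
                changes.append((m["old"], m["new"], int(delta), m["origin"]))
    return changes


# Records copied from the audit tables; the two lines marked "constructed" are invented
# so that the threshold check has something to fire on.
SAMPLE = [
    "Mar 24 07:30:02.488: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin15] [Source: 10.21.0.101] [localport: 22] at 07:30:02 EDT Tue Mar 24 2015",
    "Mar 24 07:29:59.480: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin15] [Source: 10.21.0.101] [localport: 22] [Reason: Login Authentication Failed] at 07:29:59 EDT Tue Mar 24 2015",
    "Mar 24 07:29:55.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin15] [Source: 10.21.0.101] [localport: 22] [Reason: Login Authentication Failed] at 07:29:55 EDT Tue Mar 24 2015",  # constructed
    "Mar 24 07:29:50.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin15] [Source: 10.21.0.101] [localport: 22] [Reason: Login Authentication Failed] at 07:29:50 EDT Tue Mar 24 2015",  # constructed
    "000254: *Apr 26 00:45:43.340: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: auditperson] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 23:45:43 Sat Apr 25 2009",
    "Feb 17 2013 16:37:27: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:crypto key zeroize",
    "Feb 17 2013 16:34:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:logging informational",
    "Feb 17 2013 17:05:16: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:clear logging",
    "Feb 5 2013 06:28:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 11:27:52 UTC Tue Feb 5 2013 to 06:28:00 UTC Tue Feb 5 2013, configured from console by admin on console.",
    "Mar 18 13:18:19.639: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:18:19 EDT Wed Mar 18 2015 to 13:18:19 EDT Wed Mar 18 2015, configured from console by script on console.",
]

if __name__ == "__main__":
    for src, n in sources_at_threshold(SAMPLE).items():
        print(f"{n} failed logins from {src}")
    for user, cmd in sensitive_config_commands(SAMPLE):
        print(f"{user} ran: {cmd}")
    for old, new, delta, origin in clock_changes(SAMPLE):
        print(f"clock stepped {delta:+d} s ({old} -> {new}), {origin}")
```

Run it directly to see the findings for the embedded sample, or replace SAMPLE with the lines of show logging from the TOE or the collector. One caveat: _clock drops the timezone token, so a CLOCKUPDATE record whose old and new values are in different zones would be mis-measured; every CLOCKUPDATE sample on this page keeps the same zone on both sides.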
5.1 Deleting Audit Records
The TOE provides the privileged Administrator the ability to delete audit records stored within the TOE. This is done with the clear logging command, which is itself recorded as shown for FAU_GEN.1 in Table 8. See the Cisco IOS Configuration Fundamentals Command Reference [10].
6 Network Services and Protocols
The table below lists the network services and protocols available on the ASR as a client (initiating outbound connections) and/or server (listening for inbound connections), all of which run as system-level processes. The table indicates whether each service or protocol is allowed to be used in the certified configuration.
For more detail about each service, refer to the Command Reference guides listed in Table 2.
Table 9: Protocols and Services

| Service or Protocol | Description | Client (initiating) | Allowed | Server (terminating) | Allowed | Allowed use in the certified configuration |
|---|---|---|---|---|---|---|
| DHCP | Dynamic Host Configuration Protocol | Yes | Yes | Yes | Yes | No restrictions. |
| DNS | Domain Name Service | Yes | Yes | No | n/a | No restrictions. |
| ESP | Encapsulating Security Payload (part of IPsec) | Yes | Yes | Yes | Yes | Configure ESP as described in the IPsec configuration section of this document. |
| FTP | File Transfer Protocol | Yes | No | No | n/a | Use SCP or HTTPS instead. |
| ICMP | Internet Control Message Protocol | Yes | Yes | Yes | Yes | No restrictions. |
| IKE | Internet Key Exchange | Yes | Yes | Yes | Yes | As described in the IPsec configuration section of this document. |
| IPsec | Internet Protocol Security (suite of protocols including IKE, ESP and AH) | Yes | Yes | Yes | Yes | Only to be used for securing traffic that originates from or terminates at the ASR, not for "VPN Gateway" functionality to secure traffic through the ASR. See IKE and ESP for other usage restrictions. |
| Kerberos | A ticket-based authentication protocol | Yes | Over IPsec | No | n/a | If used for authentication of ASR administrators, tunnel this authentication protocol through IPsec. |
| NTP | Network Time Protocol | Yes | Yes | No | n/a | Any configuration. Use of key-based authentication is recommended. |
| RADIUS | Remote Authentication Dial In User Service | Yes | Yes | No | n/a | If used for authentication of ASR administrators, secure through IPsec. |
| SDI (RSA SecurID) | RSA SecurID authentication | Yes | Over IPsec | No | n/a | If used for authentication of ASR administrators, secure through IPsec. |
| SNMP | Simple Network Management Protocol | Yes (snmp-trap) | Yes | Yes | No | Outbound (traps) only. Recommended to tunnel through IPsec. |
| SSH | Secure Shell | Yes | Yes | Yes | Yes | As described in section 3.3.1 of this document. |
| Telnet | A protocol used for terminal emulation | Yes | Yes | Yes | Yes | Use of SSH is recommended. |
| TFTP | Trivial File Transfer Protocol | Yes | Yes | No | n/a | Recommend using SCP instead, or tunneling through IPsec. |
| CDP | Cisco Discovery Protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| DTP | Dynamic Trunking Protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| Frame Relay | Standardized wide area network technology that specifies the physical and logical link layers of digital telecommunications channels using a packet switching methodology | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| HDLC | High-Level Data Link Control | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| L2F | Layer 2 Forwarding | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| L2TP | Layer 2 Tunneling Protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| STP | Spanning Tree Protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| VTP | VLAN Trunking Protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| PPPoE | Point-to-Point Protocol over Ethernet | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| Token Ring | Data link layer protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| BGP | Border Gateway Protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| MP-BGP | Multiprotocol BGP | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| OSPF | Open Shortest Path First | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| EIGRP | Enhanced Interior Gateway Routing Protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| RIP | Routing Information Protocol | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
| IS-IS | Intermediate System to Intermediate System | n/a | n/a | n/a | n/a | Follow best practices for secure usage; there are no restrictions on use of this protocol. |
7 Modes of Operation
An IOS router has several modes of operation:
Booting – While booting, the router drops all network traffic until the router image and configuration have loaded. This mode of operation automatically progresses to the Normal mode of operation. During booting, an administrator may press the break key on a console connection within the first 60 seconds of startup to enter the ROM Monitor mode of operation. This Booting mode is referred to in the IOS guidance documentation as "ROM Monitor Initialization". Additionally, if the router does not find a valid operating system image it enters ROM Monitor mode rather than Normal mode, which protects the router from booting into an insecure state.
Normal – The IOS router image and configuration are loaded and the router is operating as configured. All levels of administrative access occur in this mode and all router-based security functions are operating. While operating, the router has little interaction with the administrator. However, the configuration of the router can have a detrimental effect on security: misconfiguration of the router could give the unprotected network access to the internal/protected network.
ROM Monitor (ROMMON) – This mode of operation is a maintenance, debugging, and disaster recovery mode. While the router is in this mode, no network traffic is routed between the network interfaces. In this state the router may be configured to upload a new boot image from a specified TFTP server, perform configuration tasks, and run various debugging commands.
To return to EXEC mode from ROM monitor mode, use the continue command in ROM monitor mode:
rommon 1> continue
Router#
It should be noted that while no administrator password is required to enter ROM monitor mode, physical access to the router is required; therefore, the router should be kept in a physically secure location to avoid unauthorized access which may lead to the router being placed in an insecure state.
Following an operational error, the router reboots (once power is available) and enters Booting mode. The only exception is an error during the Power-On Self-Test (POST) during bootup, in which case the TOE shuts down. If any component reports failure for the POST, the system crashes and appropriate information is displayed on the screen and saved in the crashinfo file. Within the POST, self-tests for the cryptographic operations are performed. The same cryptographic POSTs can also be run on demand as described in section 3.2.3. If an error occurs it is written to the log.
All ports are blocked from moving to the forwarding state during the POST. Only when all components of all modules pass the POST is the system placed in the FIPS PASS state and ports are allowed to forward data traffic.
If any of the POSTs fail, the following actions should be taken:
- If possible, review the crashinfo file. This will provide additional information on the cause of the crash.
- Restart the TOE to perform the POST and determine if normal operation can be resumed.
- If the problem persists, contact Cisco Technical Assistance via http://www.cisco.com/techsupport or 1 800 553-2447.
- If necessary, return the TOE to Cisco under guidance of Cisco Technical Assistance.
If a software upgrade fails, the ASR will display an error when an authorized administrator tries to boot the system. The ASR will then boot into the rommon prompt:
Directory an_image.bin not found
Unable to locate an_image.bin directory
Unable to load an_image.bin
boot: error executing "boot harddisk:an_image.bin"
autoboot: boot failed, restarting
Autoboot has been enabled by using the config-register 0x2102 command. The following error message is displayed when the router restarts automatically:
no valid BOOT image found
Final autoboot attempt from default boot device...
Located l2tp_rmcd_alg
Image size 10271 inode num 12, bks cnt 3 blk size 8*512
#
Boot image size = 10271 (0x281f) bytes
. . .
Boot image size = 11262 (0x2bfe) bytes
Unknown image structure
Located test
Image size 11506 inode num 63, bks cnt 3 blk size 8*512
Pressing the Break key or running the break command will cause the ASR to enter rommon mode.
The TOE's POST consists of the following self-tests, each of which reports a failure as described above:
Software self-integrity test
DES encryption/decryption
3DES encryption/decryption
SHA hashing
SHA256 hashing
SHA384 hashing
SHA512 hashing
AES encryption/decryption
AES CFB encryption/decryption
AES ECB encryption/decryption
AES CMAC encryption/decryption
AES GCM encryption/decryption/GMAC
HMAC-SHA
HMAC-SHA256
HMAC-SHA384
HMAC-SHA512
3DES Crypto-C encryption/decryption
SHA Crypto-C hashing
SHA256 Crypto-C hashing
SHA384 Crypto-C hashing
SHA512 Crypto-C hashing
AES Crypto-C encryption/decryption
3DES SSH2 encryption/decryption
DH self test
ECDH P256 self test
EC primitive Z self test
SP 800-90 DRBG
RSA Signature test
ECDSA Signature test
KAS FFC Primitive Z computation
See the Hardware Installation Guide [2], Appendix C, section Troubleshooting the Upgrade, for more information.
8 Security Measures for the Operational Environment
Proper operation of the TOE requires functionality from the environment. It is the responsibility of the authorized administrator of the TOE to ensure that the Operational Environment provides the necessary functions, and adheres to the environment security objectives listed below. The environment security objective identifiers map to the environment security objectives as defined in the Security Target.
Table 10: Operational Environment Security Measures
(Columns: Environment Security Objective; Operational Environment Security Objective Definition; Privileged and Semi-privileged administrator responsibility)
OE.NO_GENERAL_PURPOSE
Definition: There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
Administrator responsibility: Administrators will make sure there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE.
OE.PHYSICAL
Definition: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
Administrator responsibility: Administrators must ensure the TOE is installed and maintained within a secure physical location. This can include a secured building with key card access or within the physical control of an authorized administrator in a mobile environment.
OE.TRUSTED_ADMIN
Definition: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
Administrator responsibility: Administrators must be properly trained in the usage and proper operation of the TOE and all the provided functionality per the implementing organization's operational security policies. These administrators must follow the provided guidance.
OE.CONNECTIONS
Definition: TOE administrators will ensure that the TOE is installed in a manner that will allow the TOE to effectively enforce its policies on network traffic flowing among attached networks.
Administrator responsibility: Administrators must ensure that the TOE can enforce its security policies on the network traffic and is not rendered ineffective by faulty installation.
9 Related Documentation
Use this document in conjunction with documentation at the following location:
http://www.cisco.com/
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
9.1 World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites:
http://www.cisco.com
http://www-china.cisco.com
http://www-europe.cisco.com
9.2 Ordering Documentation
Cisco documentation is available in the following ways:
Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace:
http://www.cisco.com/web/ordering/root/index.html
Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
http://www.cisco.com/go/subscription
Non-registered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).
9.3 Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com. To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
10 Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
http://www.cisco.com