Cisco ASR 1000 Series, ASR 1001, ASR 1002X, ASR 1001X, ASR 1004 Common Criteria Operational User Guidance And Preparative Procedures

Cisco Aggregation Services Router (ASR) 1000 Series

Common Criteria Operational User Guidance
And Preparative Procedures

Version 0.4

October 27, 2017

Page 2 of 72

Table of Contents

1 Introduction ............................................................................................................................. 7

1.1 Audience ......................................................................................................................... 7

1.2 Purpose ............................................................................................................................ 7

1.3 Document References ..................................................................................................... 7

1.4 Supported Hardware and Software ................................................................................. 9

1.5 Operational Environment ................................................................................................ 9

1.5.1 Supported non-TOE Hardware/Software/Firmware ................................................... 9

1.6 Excluded Functionality ................................................................................................. 10

2 Secure Acceptance of the TOE ............................................................................................. 11

3 Secure Installation and Configuration .................................................................................. 16

3.1 Physical Installation ...................................................................................................... 16

3.2 Initial Setup via Direct Console Connection ................................................................ 16

3.2.1 Options to be chosen during the initial setup of the ASR ......................................... 16

3.2.2 Saving Configuration ................................................................................................ 16

3.2.3 Enabling FIPS Mode ................................................................................................. 17

3.2.4 Administrator Configuration and Credentials ........................................................... 17

3.2.5 Session Termination.................................................................................................. 17

3.2.6 User Lockout ............................................................................................................. 18

3.3 Network Protocols and Cryptographic Settings ............................................................ 19

3.3.1 Remote Administration Protocols ............................................................................. 19

3.3.2 Authentication Server Protocols ............................................................................... 20

3.3.3 Logging Configuration.............................................................................................. 20

3.3.4 Logging Protection.................................................................................................... 22

3.3.5 Base Firewall Rule set Configuration ....................................................................... 24

3.3.6 Routing Protocols...................................................................................................... 26

3.3.7 MACSEC and MKA Configuration.......................................................................... 26

4 Secure Management .............................................................................................................. 27

4.1 User Roles ..................................................................................................................... 27

4.2 Passwords ...................................................................................................................... 27

4.3 Clock Management ....................................................................................................... 30

Page 3 of 72

4.4 Identification and Authentication ................................................................................. 30

4.5 Login Banners ............................................................................................................... 30

4.6 Virtual Private Networks (VPN) ................................................................................... 30

4.6.1 IPsec Overview ......................................................................................................... 30

4.6.2 IPsec Transforms and Lifetimes ............................................................................... 34

4.6.3 NAT Traversal .......................................................................................................... 36

4.6.4 X.509 Certificates ..................................................................................................... 36

4.6.5 Information Flow Policies......................................................................................... 41

4.6.6 IPsec Session Interuption/Recovery ......................................................................... 42

4.7 Product Updates ............................................................................................................ 43

4.8 Configure Reference Identifier ..................................................................................... 43

5 Security Relevant Events ...................................................................................................... 45

5.1 Deleting Audit Records................................................................................................. 62

6 Network Services and Protocols ........................................................................................... 63

7 Modes of Operation .............................................................................................................. 67

8 Security Measures for the Operational Environment............................................................ 70

9 Related Documentation ......................................................................................................... 71

9.1 World Wide Web .......................................................................................................... 71

9.2 Ordering Documentation .............................................................................................. 71

9.3 Documentation Feedback.............................................................................................. 71

10 Obtaining Technical Assistance ............................................................................................ 72

Page 4 of 72

List of Tables

Table 1: Acronyms .......................................................................................................................... 5

Table 2: Cisco Documentation....................................................................................................... 7

Table 3: Operational Environment Components ............................................................................ 9

Table 4: Excluded Functionality .................................................................................................. 10

Table 5: TOE External Identification .......................................................................................... 11

Table 6: Evaluated Software Images ........................................................................................... 13

Table 7: Auditable Events ............................................................................................................. 46

Table 8 Auditable Administrative Events .................................................................................... 55

Table 8: Protocols and Services .................................................................................................... 63

Table 9: Operational Environment Security Measures ................................................................ 70

Page 5 of 72

List of Acronyms

The following acronyms and abbreviations are used in this document:

Table 1: Acronyms

Acronyms /

Abbreviations

Definition

AAA

Administration, Authorization, and Accounting

AES

Advanced Encryption Standard

ASR

Aggregation Services Router

EAL

Evaluation Assurance Level

FIPS

Federal Information Processing Standards

HTTPS

Hyper-Text Transport Protocol Secure

IP

Internet Protocol

NTP

Network Time Protocol

RADIUS

Remote Authentication Dial In User Service

SSHv2

Secure Shell (version 2)

TCP

Transport Control Protocol

TOE

Target of Evaluation

Page 6 of 72

DOCUMENT INTRODUCTION

Prepared By:

Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134

DOCUMENT INTRODUCTION

This document provides supporting evidence for an evaluation of a specific Target of Evaluation
(TOE), the Aggregation Services Router (ASR) 1000 Series (ASR). This Operational User
Guidance with Preparative Procedures addresses the administration of the TOE software and
hardware and describes how to install, configure, and maintain the TOE in the Common Criteria
evaluated configuration. Administrators of the TOE will be referred to as administrators,
authorized administrators, TOE administrators, semi-privileged administrators, and privileged
administrators in this document.

Page 7 of 72

1 Introduction

This Operational User Guidance with Preparative Procedures documents the administration of
the Aggregation Services Router (ASR) 1000 Series (ASR), the TOE, as it was certified under
Common Criteria. The Aggregation Services Router (ASR) 1000 Series (ASR ) may be
referenced below as the model number series ex. ASR 1000, TOE, or simply router.

1.1 Audience

This document is written for administrators configuring the TOE. This document assumes that
you are familiar with the basic concepts and terminologies used in internetworking, and
understand your network topology and the protocols that the devices in your network can use,
that you are a trusted individual, and that you are trained to use the operating systems on which
you are running your network.

1.2 Purpose

This document is the Operational User Guidance with Preparative Procedures for the Common
Criteria evaluation. It was written to highlight the specific TOE configuration and administrator
functions and interfaces that are necessary to configure and maintain the TOE in the evaluated
configuration. This document is not meant to detail specific actions performed by the
administrator but rather is a road map for identifying the appropriate locations within Cisco
documentation to get the specific details for configuring and maintaining ASR operations. All
security relevant commands to manage the TSF data are provided within this documentation
within each functional section.

1.3 Document References

This document makes reference to several Cisco Systems documents. The documents used are
shown below in Table 2. Throughout this document, the guides will be referred to by the “#”,
such as [1].

Table 2: Cisco Documentation

#

Title

Link

[1]

Loading and Managing System Images
Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image­mgmt/configuration/xe-16/sysimgmgmt-xe-16-book.html

[2]

Cisco ASR 1000 Series Router
Hardware Installation Guide, July
2013, OL-13208-11

http://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/asr
1routers/asr1higV8.html

[3]

Configuration Fundamentals
Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios­xml/ios/fundamentals/configuration/xe-16/fundamentals-xe-16­book.html

Page 8 of 72

#

Title

Link

[4]

Using Setup Mode to Configure a
Cisco Networking Device

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guid
e/cf_setup.html

[6]

Cisco ASR 1000 Series Aggregation
Services Routers SIP and SPA
Software Configuration Guide

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/shared_port_
adapters/configuration/ASR1000/asr1000-sip-spa-book.html

[8]

Cisco ASR 1000 Series Aggregation
Services Routers Software
Configuration Guide

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/
chassis/asrswcfg.html

[10]

Cisco IOS Security Command
Reference

http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/refer
ence/cf_book.html

[15]

Basic System Management
Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios­xml/ios/bsm/configuration/xe-16/bsm-xe-16-book.html

[17]

RADIUS Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios­xml/ios/sec_usr_rad/configuration/xe-16/sec-usr-rad-xe-16-book.html

[18]

FlexVPN and Internet Key Exchange
Version 2 Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios­xml/ios/sec_conn_ike2vpn/configuration/xe-16/sec-flex-vpn-xe-16­book.html

[19]

Authentication, Authorization, and
Accounting Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios­xml/ios/sec_usr_aaa/configuration/xe-16/sec-usr-aaa-xe-16-book.html

[20]

Cisco ASR 1001-X Router Hardware
Installation Guide

http://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/100
1-x/asr1hig-book.html

[21]

IP Addressing: NAT Configuration
Guide

http://www.cisco.com/c/en/us/td/docs/ios­xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book.html

[22]

Public Key Infrastructure
Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios­xml/ios/sec_conn_pki/configuration/xe-16/sec-pki-xe-16-book.html

[23]

IPsec Data Plane Configuration Guide

https://www.cisco.com/c/en/us/td/docs/ios­xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book.html

[24]

MACSEC and MKA Configuration
Guide

http://www.cisco.com/c/en/us/td/docs/ios­xml/ios/macsec/configuration/xe-16/macsec-xe-16-book.html

Page 9 of 72

1.4 Supported Hardware and Software

Only the hardware and software listed in section 1.5 of the Security Target (ST) is compliant
with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the
secure configuration. Likewise, using any software version other than the evaluated software
listed in the ST will invalidate the secure configuration. The TOE is a hardware and software
solution that makes up the router models as follows: Chassis: ASR 1001, ASR 1001X, ASR
1002, ASR 1002X, ASR 1004, ASR 1006, ASR 1013; Embedded Services Processors (ESPr):
ESPr5, ESPr10, ESPr20, ESPr40, ESPr100, ESPr200; Route Processor (RP): RP1, RP2. The
network, on which they reside, is considered part of the environment. The software comes pre­installed and is comprised of the Cisco IOS-XE software image Release 16.3.2.

1.5 Operational Environment

1.5.1 Supported non-TOE Hardware/Software/Firmware

The TOE supports (in some cases optionally) the following hardware, software, and firmware in
its environment:

Table 3: Operational Environment Components

Component

Required

Usage/Purpose Description for TOE performance

RADIUS AAA
Server

No

This includes any IT environment RADIUS AAA server that provides single-use
authentication mechanisms. This can be any RADIUS AAA server that provides
single-use authentication. The TOE correctly leverages the services provided by
this RADIUS AAA server to provide single-use authentication to administrators.

Management
Workstation
with SSH client

Yes

This includes any IT Environment Management workstation with a SSH client
installed that is used by the TOE administrator to support TOE administration
through SSH protected channels. Any SSH client that supports SSHv2 may be
used.

Local Console

Yes

This includes any IT Environment Console that is directly connected to the TOE
via the Serial Console Port and is used by the TOE administrator to support TOE
administration.

Certification
Authority (CA)

Yes

This includes any IT Environment Certification Authority on the TOE network.
This can be used to provide the TOE with a valid certificate during certificate
enrollment.

Remote VPN
Gateway/Peer

Yes

This includes any VPN peer with which the TOE participates in VPN
communications. Remote VPN Endpoints may be any device that supports IPsec
VPN communications.

Page 10 of 72

Component

Required

Usage/Purpose Description for TOE performance

NTP Server

No

The TOE supports communications with an NTP server in order to synchronize

the date and time on the TOE with the NTP server’s date and time. A solution

must be used that supports secure communications with up to a 32 character key.
Audit (syslog)

Server

Yes

This includes any syslog server to which the TOE would transmit syslog
messages.

Another
instance of the
TOE

No

Includes “another instance of the TOE” that would be installed in the evaluated

configuration, and likely administered by the same personnel. Used as a VPN
peer.

1.6 Excluded Functionality

Table 4: Excluded Functionality

Excluded Functionality

Exclusion Rationale

Non-FIPS 140-2 mode of operation on the
router.

This mode of operation includes non-FIPS
allowed operations.

These services will be disabled by configuration. The exclusion of this functionality does not
affect compliance to the U.S. Government Protection Profile for Security Requirements for
Network Devices.

Page 11 of 72

2 Secure Acceptance of the TOE

In order to ensure the correct TOE is received, the TOE should be examined to ensure that that is
has not been tampered with during delivery.

Verify that the TOE software and hardware were not tampered with during delivery by
performing the following actions:

Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered
in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs.
If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco
distributor/partner).

Step 2 Verify that the packaging has not obviously been opened and resealed by examining the
tape that seals the package. If the package appears to have been resealed, contact the supplier of
the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded
label applied to the external cardboard box. If it does not, contact the supplier of the equipment
(Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco
product number, serial number, and other information regarding the contents of the box.

Step 4 Note the serial number of the TOE on the shipping documentation. The serial number
displayed on the white label affixed to the outer box will be that of the device. Verify the serial
number on the shipping documentation matches the serial number on the separately mailed
invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or
an authorized Cisco distributor/partner).

Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment
(Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with
the supplier that they shipped the box with the courier company that delivered the box and that
the consignment note number for the shipment matches that used on the delivery. Also verify
that the serial numbers of the items shipped match the serial numbers of the items delivered. This
verification should be performed by some mechanism that was not involved in the actual
equipment delivery, for example, phone/FAX or other online tracking service.

Step 6 Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on
the unit itself matches the serial number on the shipping documentation and the invoice. If it
does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco
distributor/partner). Also verify that the unit has the following external identification as
described in Table 5 below.

Table 5: TOE External Identification

Product Name

Model Number

External Identification

ASR Series

1001X

CISCO 1001X

1001HX

CISCO 1001HX

1002X

CISCO 1002X

1002HX

CISCO 1002HX

1004

CISCO 1004

Page 12 of 72

Product Name

Model Number

External Identification

1006

CISCO 1006

1006X

CISCO 1006X

1009X

CISCO 1009X

1013

CISCO 1013

Step 7 Approved methods for obtaining a Common Criteria evaluated software images:

 Download the Common Criteria evaluated software image file from Cisco.com onto a

trusted computer system. Software images are available from Cisco.com at the
following: http://www.cisco.com/cisco/software/navigator.html.

 The TOE ships with the correct software images installed.

Step 8 Once the file is downloaded, verify that it was not tampered with by using an SHA-1
utility to compute a SHA-1 hash for the downloaded file and comparing this with the SHA-1
hash for the image listed in Table 6 below. If the SHA-1 hashes do not match, contact Cisco
Technical Assistance Center (TAC)

https://tools.cisco.com/ServiceRequestTool/create/launch.do.

Step 9 Install the downloaded and verified software image onto your ASR as described in [1]
Under Configure  Click on Configuration Guides  System Management  Click on
Loading and Managing System Images Configuration Guide.

Start your ASR as described in [2] and [20] Cisco ASR 1000 Series Routers Power Up and
Initial Configuration  “Powering Up the Cisco ASR 1000 Series Routers.” Confirm that your
ASR loads the image correctly, completes internal self-checks and displays the cryptographic
export warning on the console.

Step 10 The end-user must confirm once the TOE has booted that they are indeed running the
evaluated version. Use the “show version” command [3] to display the currently running system
image filename and the system software release version. An authorized administrator can verify
the TOE software image through reloading of the TOE or via the ‘verify’ command. See Table 6
below for the detailed hash value that must be checked to ensure the software has not been
modified in any way.

Page 13 of 72

Table 6: Evaluated Software Images

Page 14 of 72

Platform

Image Name

Hash

ASR 1001X

asr1001x-universalk9.16.03.02.SPA.bin

MD5: fa13528532ea51d5f242ecafe200d118
SHA-512:

247cdad2a7bc31940f30379999aab3c225748154ed0881
273f3ec6dbef3cd5aa36501670022d6941b6525e44d946
25a2a714f05a5c56b23b1e0417d935a20c43

ASR 1001HX

asr1000-universalk9.16.03.02.SPA.bin

MD5: 785b1f2089e8b93dcc5db4120c981e66
SHA-512:

fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19
769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51
a9ff8c756758446f0938ae4f837240c2

ASR 1002X

asr1002x-universalk9.16.03.02.SPA.bin

MD5: 8fca93734b7882cf8a4cf05a783c970a
SHA-512:

1fbd63a356bd7b43cb3f11877e97e882cff78c999b57688
ba044fdf4d70ccc0140a5881dc7591dee0a4595e10120c7
d10518f7040fbfeeff8ef2ee6167bcb20c

ASR 1002HX

asr1000-universalk9.16.03.02.SPA.bin

MD5: 785b1f2089e8b93dcc5db4120c981e66
SHA-512:

fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19
769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51
a9ff8c756758446f0938ae4f837240c2

ASR 1004

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093

ASR 1006

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093

ASR 1006X

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093

Page 15 of 72

ASR 1009X

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093

ASR 1013

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093

Page 16 of 72

3 Secure Installation and Configuration

3.1 Physical Installation

Follow the Cisco ASR 1000 Series Router Hardware Installation Guide, [2] and [20] for
hardware installation instructions.

3.2 Initial Setup via Direct Console Connection

The ASR must be given basic configuration via console connection prior to being connected to
any network.

3.2.1 Options to be chosen during the initial setup of the ASR

When you run the “setup” command, or after initially turning on the router you are free to choose

answers that fit your policies with the exception of the following values.
1 – Enable Secret – Must adhere to the password complexity requirements. Note that this setting

can be confirmed after “setup” is complete by examining the configuration file for “enable secret

5 …” [4] Under Configure  Click on Configuration Guides  System Management  Click
on Using Setup Mode to Configure a Cisco Networking Device  Click on subsection “Using
the System Configuration Dialog to Create an Initial Configuration File”

2 – Enable Password - Must adhere to the password complexity requirements. Note that this must

be set to something different than the enable secret during “setup”, however after setup this will

not be used within the evaluated configuration. [10] Under Reference Guides  Command
References  Security and VPN  See manual Cisco IOS Security Command Reference:
Commands D to L.

3 – Virtual Terminal Password - Must adhere to the password complexity requirements. Note
that securing the virtual terminal (or vty) lines with a password in the evaluated configuration is
suggested. This password allows access to the device through only the console port. Later in this
guide steps will be given to allow ssh into the vty lines. [4] Under Configure  Click on
Configuration Guides  System Management  Click on Using Setup Mode to Configure a

Cisco Networking Device  Click on subsection “Using the System Configuration Dialog to
Create an Initial Configuration File”

4 – Configure SNMP Network Management – NO (this is the default). Note that this setting can
be confirmed after “setup” is complete by examining the configuration file to ensure that there is
no “snmp-server” entry. [4] Under Configure Click on Configuration Guides System

Management Click on Using Setup Mode to Configure a Cisco Networking Device Click on
subsection “Using the System Configuration Dialog to Create an Initial Configuration File”

3.2.2 Saving Configuration

IOS uses both a running configuration and a starting configuration. Configuration changes affect
the running configuration, in order to save that configuration the running configuration (held in
memory) must be copied to the startup configuration. This may be achieved by either using the
write memory command [3] or the copy system:running-config nvram:startup-config
command [3] under section “C commands” (Note: A short hand version of the command is copy
run start). These commands should be used frequently when making changes to the

Page 17 of 72

configuration of the Router. If the Router reboots and resumes operation when uncommitted
changes have been made, these changes will be lost and the Router will revert to the last
configuration saved.

3.2.3 Enabling FIPS Mode

The TOE must be run in the FIPS mode of operation. The use of the cryptographic engine in any
other mode was not evaluated nor tested during the CC evaluation of the TOE. This is done by
setting the following in the configuration:

The value of the boot field must be 0x0102. This setting disables break from the console to the
ROM monitor and automatically boots the IOS image. From the ROMMON command line enter
the following:

confreg 0x0102 [3] under section “C commands”
The self-tests for the cryptographic functions in the TOE are run automatically during power-on

as part of the POST. The same POST self-tests for the cryptographic operations can also be
executed manually at any time by the privileged administrator using the command:

test crypto self-test [10] Cisco IOS Security Command Reference: Commands S to Z

3.2.4 Administrator Configuration and Credentials

The ASR must be configured to use a username and password for each administrator and one
password for the enable command. Ensure all passwords are stored encrypted by using the
following command:

service password-encryption [10] Cisco IOS Security Command Reference: Commands
S to Z

Configures local AAA authentication:
aaa authentication login default local [10] Cisco IOS Security Command Reference:

Commands A to C
aaa authorization exec default local [10] Cisco IOS Security Command Reference:

Commands A to C

When creating administrator accounts, all individual accounts are to be set to a privilege level of
one. This is done by using the following commands:

username <name> password <password> [10] Cisco IOS Security Command
Reference: Commands S to Z

to create a new username and password combination, and

username <name> privilege 1 [10] Cisco IOS Security Command Reference:
Commands S to Z

to set the privilege level of <name> to 1.

3.2.5 Session Termination

Inactivity settings must trigger termination of the administrator session. These settings are
configurable by setting

Page 18 of 72

line vty <first> <last> [2] and [20] under section “Configuring Virtual Terminal Lines
for Remote Console Access”

exec-timeout <time> [10] >System Management > Cisco IOS Configuration

Fundamentals Command Reference, section D through E

line console [19] under section “Configuring Line Password Protection”
exec-timeout <time>

To save these configuration settings to the startup configuration:

copy run start [3] under section “C commands”

where first and last are the range of vty lines on the box (i.e. “0 4”), and time is the period of
inactivity after which the session should be terminated. Configuration of these settings is limited
to the privileged administrator (see Section 4.1). These settings are not immediately activated
for the current session. The current line console session must be exited. When the user logs
back in, the inactivity timer will be activated for the new session.

3.2.6 User Lockout

User accounts must be configured to lockout after a specified number of authentication failures
TOE-common-criteria(config)# aaa local authentication attempts max-fail [number of

failures]

where number of failures is the number of consecutive failures that will trigger locking of the
account. Configuration of these settings is limited to the privileged administrator (see Section

4.1).
Related commands:

clear aaa local user fail-attempts

Clears the unsuccessful login
attempts of the user.

clear aaa local user lockout
username [username]

Unlocks the locked-out user.

show aaa local user lockout

Displays a list of all locked-out
users.

Note: this lockout only applies to privilege 14 users and below.
Note: this applies to consecutive failures, and is not affected by the SSH or Telnet session

disconnections after their default number of failures. In other words, if this lockout command is
set to 5 failures, and SSH disconnects after 3 failed attempts, if the user attempts another SSH
session and enters the wrong credentials two additional times, the account will lock.

Page 19 of 72

3.3 Network Protocols and Cryptographic Settings

3.3.1 Remote Administration Protocols

All TOE administration must be performed through an IPsec tunnel. However, it is
recommended that the interactive interface be over SSH. The following method is used to
configure SSH for use in a secure manner.

To only allow ssh for remote administrator sessions, use the transport input ssh command.
This command disables telnet by only allowing ssh connections for remote administrator access.

3.3.1.1 Steps to configure SSH on router: [10] Cisco IOS Security Command Reference

Guides

1. Generate RSA or ECDSA key material– choose a longer modulus length for the

evaluated configuration (i.e., 2048 for RSA and 256 or 384 for ECDSA):

TOE-common-criteria(config)# crypto key generate rsa
How many bits in the modulus [512]: 2048
or

TOE-common-criteria(config)# crypto key generate ec keysize [256 or 384]

RSA and ECDSA keys are generated in pairs—one public key and one private key. This
command is not saved in the router configuration; however, the keys generated by this
command are saved in the private configuration in NVRAM (which is never displayed to
the user or backed up to another device) the next time the configuration is written to
NVRAM.

Note: Only one set of keys can be configured using the crypto key generate command at
a time. Repeating the command overwrites the old keys.

Note: If the configuration is not saved to NVRAM with a “copy run start”, the generated
keys are lost on the next reload of the router.

Note: If the error “% Please define a domain-name first” is received, enter the command
‘ip domain-name [domain name]’.

Note: to delete a key, an administrator may use the crypto key zeroize <label> command.

2. Enable ssh

TOE-common-criteria# ip ssh authentication-retries 2

3. Configure –ssh timeout

TOE-common-criteria# ip ssh time-out 60

4. Set to use SSH v2

TOE-common-criteria# ip ssh version 2

5. Ensure that the product is configured not to support diffie-hellman-group1-sha1 key

exchange using the following command ‘ip ssh dh min size 2048’:

TOE-common-criteria(config)# ip ssh dh min size 2048

Page 20 of 72

6. Configure vty lines to accept ‘ssh’ login services

TOE-common-criteria(config-line)# transport input ssh

7. Configure a SSH client to support only the following specific encryption algorithms:

o AES-CBC-128
o AES-CBC-256

peer#ssh -l cisco -c aes128-cbc 1.1.1.1
peer#ssh -l cisco -c aes256-cbc 1.1.1.1

8. Configure a SSH client to support message authentication. Only the following MACs are

allowed and “None” for MAC is not allowed:

a. hmac-sha1-96
b. hmac-sha1
peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1

9. Configure the SSH rekey time-based rekey and volume-based rekey values (values can be

configured to be lower than the default values if a shorter interval is desired):

a. ip ssh rekey time 60
b. ip ssh rekey volume 1000000

 HTTP and HTTPS servers were not evaluated and must be disabled: no ip http server

no ip http secure-server

 SNMP server was not evaluated and must be disabled: no snmp-server

3.3.2 Authentication Server Protocols

 RADIUS (outbound) for authentication of TOE administrators to remote authentication

servers are disabled by default but should be enabled by administrators in the evaluated
configuration.

o To configure RADIUS refer to [17] Under Configure  Click on Configuration

Guides  Security, Services, and VPN  Click on Securing User Services

Configuration Guide Library  click on Authentication, Authorization, and
Accounting (AAA) Configuration Guide Configuring Authentication  How to

Configure AAA Authentication Methods  Configuring Login Authentication
Using AAA  Login Authentication Using Group RADIUS. Use best practices
for the selection and protection of a key to ensure that the key is not easily
guessable and is not shared with unauthorized users.

This protocol is to be tunneled over an IPsec connection in the evaluated configuration. The
instructions for setting up this communication are the same as those for protecting
communications with a syslog server, detailed in Section 3.3.4 below.

3.3.3 Logging Configuration

Logging of command execution must be enabled: [10] Cisco IOS Configuration Fundamentals

Command Reference and Cisco IOS Debug Command References

Page 21 of 72

1. Logging of command execution must be enabled:

TOE-common-criteria(config)#archive
TOE-common-criteria(config)#no logging console

TOE-common-criteria(config-archive)#log config
TOE-common-criteria(config-archive-log-cfg)#logging enable
TOE-common-criteria(config-archive-log-cfg)#hidekeys
TOE-common-criteria(config-archive-log-cfg)# logging size <1000> ! Increases queue
size for messages to be sent to syslogd
TOE-common-criteria(config-archive-log-cfg)#notify syslog
TOE-common-criteria(config-archive-log-cfg)#exit
TOE-common-criteria(config-archive)#exit

2. Add year to the timestamp:

TOE-common-criteria(config)# service timestamps log datetime year
TOE-common-criteria(config)# service timestamps debug datetime year

3. Enable any required debugging. Debugging is needed for radius (if used), isakmp (if

using ikev1), ipsec, ikev2 (if using ikev2), and ntp to generate the events required in the
Security Target, however administrators should use discretion when enabling a large
number of debugs on an on-going basis:
TOE-common-criteria# debug radius authentication

TOE-common-criteria# debug crypto isakmp
TOE-common-criteria# debug crypto ipsec
TOE-common-criteria# debug crypto ikev2
TOE-common-criteria# debug ntp all
TOE-common-criteria# debug crypto pki server

4. Set the size and severity of the local logging buffer. The local logging buffer size can be

configured from a range of 4096 (default) to 2,148,483,647 bytes. It is noted to not make
the buffer size too large because the TOE could run out of memory for other tasks. It is
recommended to set it to at least 150000000:
TOE-common-criteria(config)# logging buffer 150000000
TOE-common-criteria(config)# logging buffer debug

5. To generate logging messages for failed and successful login attempts in the evaluated

configuration, issue the login on-failure and login on-success commands:
TOE-common-criteria(config)#login on-failure log
TOE-common-criteria(config)#login on-success log

6. To configure the logs to be sent to a syslog server:

TOE-common-criteria(config)# logging host <ip address of syslog server>
Ex. TOE-common-criteria(config)# logging host 192.168.202.169

7. To specify the severity level for logging to the syslog host, use the logging trap

command. Level 7 will send all logs required in the evaluation up to the debug level logs
(as enabled in step 3 above) to the syslog server:
TOE-common-criteria(config)# logging trap 7

Page 22 of 72

WARNING: this setting has the ability to generate a large number of events that could
affect the performance of your device, network, and syslog host.

3.3.4 Logging Protection

If an authorized administrator wants to backup the logs to a syslog server, then protection must
be provided for the syslog server communications. This can be provided in one of two ways:

1. With a syslog server operating as an IPsec peer of the TOE and the records tunneled over

that connection, or

2. With a syslog server is not directly co-located with the TOE, but is adjacent to an IPsec

peer within a trusted facility, and the records are tunneled over the public network.

3.3.4.1 Syslog Server Running on an IPsec Endpoint

For deployments where the syslog server is able to operate as an IPsec peer of the TOE, the
IPsec tunnel will protect events as they are sent to the server. When an audit event is generated, it
is simultaneously sent to both the external server and the local store. Examples of products that
can be installed on a syslog server to allow it to be an IPsec peer include the Racoon tool that is
part of the IPsec Tools on many Linux systems, strongSwan, Openswan, and FreeS/WAN.

Following are sample instructions to configure the TOE to support an IPsec tunnel with aes
encryption, with 10.10.10.101 as the IPsec peer IP on the syslog server, 10.10.10.110 and

30.0.0.1 as the local TOE IPs, and the syslog server running on 40.0.0.1 (a separate interface on
the syslog server). For the following commands see the [10] Cisco IOS Configuration

Fundamentals Command References, and Cisco IOS Security Command References.

TOE-common-criteria# configure terminal
TOE-common-criteria(config)#crypto isakmp policy 1
TOE-common-criteria(config-isakmp)#encryption aes
TOE-common-criteria(config-isakmp)#authentication pre-share
TOE-common-criteria(config-isakmp)#group 14
TOE-common-criteria(config-isakmp)#lifetime 28800
TOE-common-criteria(config)#crypto isakmp key [insert 22 character preshared key]
address 10.10.10.101
TOE-common-criteria(config)#crypto isakmp key [insert 22 character preshared key]
address 40.0.0.1
TOE-common-criteria(config)#crypto ipsec transform-set sampleset esp-aes esp-sha-

hmac

TOE-common-criteria(cfg-crypto-trans)#mode tunnel
TOE-common-criteria(config)#crypto map sample 19 ipsec-isakmp
TOE-common-criteria(config-crypto-map)#set peer 10.10.10.101
TOE-common-criteria(config-crypto-map)#set transform-set sampleset
TOE-common-criteria(config-crypto-map)#set pfs group14

TOE-common-criteria(config-crypto-map)#match address 170
TOE-common-criteria(config-crypto-map)#exit
TOE-common-criteria(config)#interface g0/0