Cisco Catalyst 4503-E, Catalyst 4506-E, Catalyst 4500X, Catalyst 4500X-F, Catalyst 4507R+E User Manual
...
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
Cisco Catalyst 4500 Series
Switches (4503-E, 4506-E,
4507R+E, 4510R+E, 4500X and
4500X-F) Running IOS-XE 3.5.2E
Security Target
Revision 1.0
11 March 2014
1
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
Table of Contents
1 Security Target Introduction ................................................................................................... 6
1.1 Security Target and TOE Identification ............................................................... 6
1.2 Acronyms and Abbreviations ............................................................................... 6
1.3 TOE Overview ..................................................................................................... 8
1.3.1 TOE Evaluated Configuration ...................................................................... 8
1.3.2 TOE Type...................................................................................................... 9
1.3.3 Required non-TOE Hardware/Software/Firmware ....................................... 9
1.4 TOE Description ................................................................................................ 10
1.4.1 TOE Architecture and Security Capabilities............................................... 10
1.5 TOE Environment and Configuration ................................................................ 11
1.6 Physical Scope of the TOE................................................................................. 13
1.6.1 USB Console Port ....................................................................................... 23
1.6.2 Network Ports ............................................................................................. 23
1.6.3 Serial Port.................................................................................................... 23
1.6.4 Compact Flash Slot ..................................................................................... 24
1.6.5 Physical Scope of the TOE ......................................................................... 24
1.7 Logical Scope of the TOE .................................................................................. 24
1.7.1 Security Audit ............................................................................................. 25
1.7.2 Cryptographic Support ................................................................................ 25
1.7.3 User Data Protection ................................................................................... 25
1.7.4 Identification and Authentication ............................................................... 26
1.7.5 Security Management ................................................................................. 26
1.7.6 Protection of the TSF .................................................................................. 27
1.7.7 Resource Utilization.................................................................................... 28
1.7.8 TOE Access ................................................................................................ 28
1.7.9 Trusted Path/Channels ................................................................................ 28
1.8 Excluded Functionality ...................................................................................... 28
2 Conformance Claims ............................................................................................................ 30
2.1 Common Criteria Conformance Claim .............................................................. 30
2.2 Protection Profile Conformance Claim .............................................................. 30
2.3 Protection Profile Conformance Claim Rationale .............................................. 30
2.3.1 TOE Appropriateness.................................................................................. 30
2.3.2 TOE Security Problem Definition Conformance ........................................ 30
2.3.3 Statement of Security Objectives Conformance ......................................... 30
2.3.4 Statement of Security Requirements Conformance .................................... 31
3 Security Problem Definition ................................................................................................. 32
3.1 Introduction ........................................................................................................ 32
3.2 External Entities ................................................................................................. 32
3.3 Assets ................................................................................................................. 32
3.3.1 Primary Assets ............................................................................................ 32
3.3.2 Secondary Assets ........................................................................................ 33
3.4 Assumptions ....................................................................................................... 33
2
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
3.5 Threats ................................................................................................................ 34
3.6 Organizational Security Policies ........................................................................ 35
3.6.1 OSPs enforced by TOE ............................................................................... 35
4 Security Objectives ............................................................................................................... 36
4.1 Security Objectives for the TOE ........................................................................ 36
4.2 Security Objectives for the Environment ........................................................... 37
5 Security Requirements .......................................................................................................... 37
5.1 Conventions ........................................................................................................ 38
5.2 TOE Security Functional Requirements ............................................................ 38
5.2.1 Security audit (FAU)................................................................................... 40
5.2.2 Cryptographic Support (FCS) ..................................................................... 43
5.2.3 User data protection (FDP) ......................................................................... 47
5.2.4 Identification and authentication (FIA) ...................................................... 47
5.2.5 Security management (FMT) ...................................................................... 48
5.2.6 Protection of the TSF (FPT) ....................................................................... 49
5.2.7 FRU – Resource Utilization ........................................................................ 50
5.2.8 TOE Access (FTA) ..................................................................................... 51
5.2.9 Trusted Path/Channel (FTP) ....................................................................... 51
5.3 Extended Components Definition ...................................................................... 52
5.4 TOE SFR Dependencies Rationale .................................................................... 54
5.5 Security Assurance Requirements ...................................................................... 56
5.5.1 SAR Requirements...................................................................................... 56
5.5.2 Security Assurance Requirements Rationale .............................................. 57
5.6 Assurance Measures ........................................................................................... 57
6 TOE Summary Specification ................................................................................................ 59
6.1 TOE Security Functional Requirement Measures .............................................. 59
6.2 TOE Bypass and interference/logical tampering Protection Measures .............. 79
7 Rationale ............................................................................................................................... 81
7.1 Rationale for TOE Security Objectives .............................................................. 81
7.2 Rationale for the Security Objectives for the Environment ............................... 83
7.3 Rationale for TOE Security Functional Requirements ...................................... 84
Annex A: References ..................................................................................................................... 88
3
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
List of Tables
TABLE 1 ST AND TOE IDENTIFICATION .............................................................................. 6
TABLE 2 ACRONYMS ........................................................................................................... 6
TABLE 3 EVALUATED CONFIGURATION .............................................................................. 8
TABLE 4 IT ENVIRONMENT COMPONENTS ........................................................................... 9
TABLE 5 CATALYST 4500 SERIES SWITCH CHASSIS FEATURES ......................................... 14
TABLE 6 CATALYST 4500 SERIES SWITCH CHASSIS LINE CARDS ...................................... 16
TABLE 7 EXTERNAL ENTITIES INTERACTING WITH TOE ..................................................... 32
TABLE 8 PRIMARY ASSETS TO BE PROTECTED .................................................................... 32
TABLE 9 SECONDARY ASSETS TO BE PROTECTED ............................................................... 33
TABLE 10 OPERATIONAL ASSUMPTIONS ............................................................................ 33
TABLE 11 THREATS ........................................................................................................... 34
TABLE 12 ORGANIZATIONAL SECURITY POLICIES ............................................................. 35
TABLE 13 SECURITY OBJECTIVES FOR THE TOE ................................................................ 36
TABLE 14 SECURITY OBJECTIVES FOR THE ENVIRONMENT ................................................ 37
TABLE 15 SECURITY FUNCTIONAL REQUIREMENTS ........................................................... 38
TABLE 16: AUDITABLE EVENTS ........................................................................................ 41
TABLE 17: SFR DEPENDENCY RATIONALE (FROM NDPP) ................................................. 54
TABLE 18: ASSURANCE MEASURES ................................................................................... 56
TABLE 19: ASSURANCE MEASURES ................................................................................... 57
TABLE 20: HOW TOE SFRS ARE MET ............................................................................... 59
TABLE 21: THREAT/OBJECTIVES/POLICIES MAPPINGS ....................................................... 81
TABLE 22: THREAT/POLICIES/TOE OBJECTIVES RATIONALE ............................................ 82
TABLE 23: ASSUMPTIONS/ENVIRONMENT OBJECTIVES MAPPINGS .................................... 83
TABLE 24: ASSUMPTIONS/THREATS/OBJECTIVES RATIONALE ........................................... 83
TABLE 25: SECURITY OBJECTIVE TO SECURITY REQUIREMENTS MAPPINGS ...................... 84
TABLE 26: OBJECTIVES TO REQUIREMENTS RATIONALE .................................................... 86
TABLE 27: REFERENCES ..................................................................................................... 88
List of Figures
FIGURE 1 TOE ENVIRONMENT ........................................................................................... 12
FIGURE 2 CATALYST 4500 SERIES SWITCH CHASSIS .......................................................... 14
FIGURE 3 CISCO CATALYST 4500-X SERIES CHASSIS AND MODULES ................................ 21
FIGURE 4 32 X 10 GIGABIT ETHERNET PORT SWITCH WITH OPTIONAL UPLINK MODULE
SLOT .......................................................................................................................... 21
FIGURE 5 16 X 10 GIGABIT ETHERNET PORT SWITCH WITH OPTIONAL UPLINK MODULE
SLOT .......................................................................................................................... 21
FIGURE 6 8 X 10 GIGABIT ETHERNET PORT UPLINK MODULE ......................................... 21
FIGURE 7 FRONT-TO-BACK AIRFLOW REAR VIEW ............................................................. 22
FIGURE 8 BACK-TO-FRONT AIRFLOW REAR VIEW ............................................................. 22
4
Cisco Cat4K NDPP ST 11 March 2014
Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134
EDCS-1228241
DOCUMENT INTRODUCTION
This document provides the basis for an evaluation of a specific Target of Evaluation
(TOE), the Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E,
4500X and 4500X-F) running IOS-XE 3.5.2E. This Security Target (ST) defines a set of
assumptions about the aspects of the environment, a list of threats that the product intends
to counter, a set of security objectives, a set of security requirements, and the IT security
functions provided by the TOE which meet the set of requirements.
5
Cisco Cat4K NDPP ST 11 March 2014
ST Title
Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E,
4500X and 4500X-F) Running IOS-XE 3.5.2E Security Target
ST Version
1.0
Publication Date
11 March 2014
ST Author
Cisco Systems, Inc.
Developer of the TOE
Cisco Systems, Inc.
TOE Reference
Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E,
4500X and 4500X-F) running IOS-XE 3.5.2E
TOE Hardware Models
Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E,
4500X and 4500X-F), including one or more Supervisor cards and one or
more of the line cards as identified in Table 3
TOE Software Version
IOS XE 3.5.2E
Keywords
Audit, Authentication, Encryption, Information Flow, Protection, Switch,
Traffic
Acronyms /
Abbreviations
Definition
AAA
Administration, Authorization, and Accounting
ACL
Access Control List
AES
Advanced Encryption Standard
BGP
Border Gateway Protocol. An exterior gateway protocol. It performs routing
between multiple autonomous systems and exchanges routing and reachability
information with other BGP systems.
EDCS-1228241
1 SECURITY TARGET INTRODUCTION
The Security Target contains the following sections:
Security Target Introduction [Section 1]
Conformance Claims [Section 2]
Security Problem Definition [Section 3]
Security Objectives [Section 4]
IT Security Requirements [Section 5]
TOE Summary Specification [Section 6]
Rationale [Section 7]
The structure and content of this ST comply with the requirements specified in the
Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter 4.
1.1 Security Target and TOE Identification
This section provides information needed to identify and control this ST and its TOE.
Table 1 ST and TOE Identification
1.2 Acronyms and Abbreviations
The following acronyms and abbreviations are used in this Security Target:
Table 2 Acronyms
6
Cisco Cat4K NDPP ST 11 March 2014
Acronyms /
Abbreviations
Definition
CC
Common Criteria for Information Technology Security Evaluation
CEM
Common Evaluation Methodology for Information Technology Security
CLI
Command Line Interface
CM
Configuration Management
DH
Diffie-Hellman
EAL
Evaluation Assurance Level
EEPROM
Electrically erasable programmable read-only memory, specifically the memory
in the switch where the Cisco IOS is stored.
EIGRP
Enhanced Interior Gateway Routing Protocol
FIPS
Federal Information Processing Standard
HMAC
Hashed Message Authentication Code
HTTPS
Hyper-Text Transport Protocol Secure
IEEE
Institute of Electrical and Electronics Engineers
IGMP
Internet Group Management Protocol
IOS
The proprietary operating system developed by Cisco Systems.
IP
Internet Protocol
IPSEC
IP Security
IT
Information Technology
MAC
Media Access Control
NTP
Network Time Protocol
NVRAM
Non-volatile random access memory, specifically the memory in the switch
where the configuration parameters are stored.
OS
Operating System
OSPF
Open Shortest Path First. An interior gateway protocol (routes within a single
autonomous system). A link-state routing protocol which calculates the shortest
path to each node.
Packet
A block of data sent over the network transmitting the identities of the sending
and receiving stations, error-control information, and message.
PP
Protection Profile
PRNG
Pseudo Random Number Generator
PVLAN
Private VLAN
RADIUS
Remote Authentication Dial In User Service
RIP
Routing Information Protocol. An interior gateway protocol (routes within a
single autonomous system). A distance-vector protocol that uses hop count as it’s
metric.
RNG
Random Number Generator
RSA
Rivest, Shamir and Adleman (algorithm for public-key cryptography)
SM
Service Module
SSH
Secure Shell
SSHv2
Secure Shell (version 2)
ST
Security Target
TACACS
Terminal Access Controller Access Control System
TCP
Transport Control Protocol
TCP/IP
Transmission Control Protocol/Internet Protocol
TDES
Triple Data Encryption Standard
TLS
Transport Layer Security
TOE
Target of Evaluation
TSC
TSF Scope of Control
TSF
TOE Security Function
TSP
TOE Security Policy
EDCS-1228241
7
Cisco Cat4K NDPP ST 11 March 2014
Acronyms /
Abbreviations
Definition
UDP
User Datagram Protocol
VACL
Virtual Access Control List
VLAN
Virtual Local Area Network
VSS
Virtual Switching System
TOE
One or more WS-C4503-E, WS-C4506-E, WS-C4507R+E, WS-C4510R+E,
WS-C4500X-32SFP+, WS-C4500X-F-32SFP+, WS-C4500X-16SFP+, WSC4500X-F-16SFP+, WS-C4500X-24X-ES, 4500X-24X-IPB, or WSC4500X-40X-ES Switch Chassis (Two chassis configured support High
Availability)
One or more supervisors cards (WS-X45-SUP7-E, WS-X45-Sup7L-E) or
dual supervisor cards (WS-X45-SUP7-E, WS-X45-Sup7L-E) per chassis
(Two Supervisor cards in one chassis provides failover), each supervisor
card running IOS XE 3.5.2E (FIPS validated) software
With one or more of the following line cards:
WS-X4748-RJ45V+E
WS-X4712-SFP+E
1
EDCS-1228241
1.3 TOE Overview
The TOE is the Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E,
4510R+E, 4500X and 4500X-F) running IOS XE 3.5.2E (herein after referred to as
Catalyst Switches). The TOE is a purpose-built, switching and routing platform with OSI
Layer2 and Layer3 traffic filtering capabilities.
Cisco IOS is a Cisco-developed highly configurable proprietary operating system that
provides for efficient and effective routing and switching. Although IOS performs many
networking functions, this Security Target only addresses the functions that provide for
the security of the TOE itself as described in Section 1.7 TOE logical scope below.
1.3.1 TOE Evaluated Configuration
The TOE consists of any one of a number of hardware configurations, each running the
same version of IOS XE software. The Catalyst 4500 Series Switches chassis provides
power, cooling, and backplane for the Supervisor Engine, line cards, and service modules
(SM)1. The Supervisor Engines run the IOS XE software. The evaluated configurations
consist of the following components (e.g. at least one of the listed chassis, at least one
supervisor card running IOS-XE 3.5.2E software and at least one line card):
Table 3 Evaluated Configuration
No specific service modules, such as the Firewall Blade, Wireless Service and Network Analysis being
claimed in the evaluated configuration as they require additional license
8
Cisco Cat4K NDPP ST 11 March 2014
WS-X4640-CSFP-E
WS-X4748-UPOE+E
WS-X4748-RJ45-E
Component
Required
Usage/Purpose Description for TOE performance
Authentication
Server
Yes
This includes any authentication server (RADIUS RFC
2865, 2866, 2869 and RFC 3162 (IPv6) and TACACS+
RFC 1492)) that can be leveraged for remote user
authentication. The AAA server needs to be able of acting
as an IPsec peer or as an IPsec endpoint.
Management
Workstation
with SSH
Client
Yes
This includes any IT Environment Management
workstation with a SSH client installed that is used by the
TOE administrator to support TOE administration through
SSH protected channels. Any SSH client that supports
EDCS-1228241
The TOE can optionally connect to an NTP server on its internal network for time
services. If an NTP server is used, it must only be accessible via the internal network (an
internal network isolated from user traffic and intended for use by TOE administrators
only).
If the TOE is to be remotely administered, SSHv2 must be used for that purpose.
The TOE will transmit syslog message to a remote syslog server through an IPsec tunnel.
The TOE can also be configured to use a remote AAA server (RADIUS or TACACS+)
for centralized authentication, and can also connect to those servers through an IPsec
tunnel.
1.3.2 TOE Type
The Cisco Catalyst Switches are a switching and routing platform used to construct IP
networks by interconnecting multiple smaller networks or network segments. As a
Layer2 switch, it performs analysis of incoming frames, makes forwarding decisions
based on information contained in the frames, and forwards the frames toward the
destination. As a Layer3 switch, it supports routing of traffic based on tables identifying
available routes, conditions, distance, and costs to determine the best route for a given
packet. Routing protocols used by the TOE include BGPv4, EIGRP, EIGRPv6 for IPv6,
RIPv2, and OSPFv2. BGPv4, EIGRP, and EIGRPv6 supports routing updates with IPv6
or IPv4, while RIPv2 and OSPFv2 routing protocol support routing updates for IPv4
only. Note, the information flow functionality is not included in the scope of the
evaluation. The evaluated configuration is the configuration of the TOE that satisfies the
requirements as defined in this Security Target (ST).
1.3.3 Required non-TOE Hardware/Software/Firmware
The TOE supports (in some cases optionally) the following hardware, software, and
firmware in its environment:
Table 4 IT Environment Components
9
Cisco Cat4K NDPP ST 11 March 2014
Component
Required
Usage/Purpose Description for TOE performance
SSHv2 and a key size of 2048 bits or greater may be used.
Syslog server
Yes
The syslog audit server is used for remote storage of audit
records that have been generated by and transmitted from
the TOE. The TOE would ensure that messages are
encrypted within an IPsec tunnel as they leave the TOE.
The syslog server needs to be able of acting as an IPsec
peer or as an IPsec endpoint.
NTP Server
No
The TOE supports communications with an NTP server to
receive clock updates. Any server that supports NTPv1
(RFC 1059), NTPv2 (RFC 1119), or NTP v3 (RFC 1305)
may be used.
2
2
EDCS-1228241
1.4 TOE Description
The TOE description explains the TOE in more detail than was provided in the TOE
overview.
1.4.1 TOE Architecture and Security Capabilities
The Cisco Catalyst 4500 Series are network devices that protect themselves by offering
only a minimal logical interface to the network and control of that interface. The Switch
IOS subsystem is special purpose software that runs on the Cisco Catalyst 4500 Series
Switch hardware. The Catalyst Switches have been designed so that all locally
maintained security relevant data can only be manipulated via the secured management
interface, a CLI and provides no general purpose programming capability. There are no
undocumented interfaces for managing the Catalyst switches.
All network traffic to the TOE protected (internal) network passes through Catalyst
Switches. There are no unmediated traffic flows into or out of the TOE. Once network
traffic is received on one of the network ports, it is always subject to the security policy
rules as applied to each traffic flow. Traffic flows characterized as unauthorized are
discarded and not permitted to circumvent the Catalyst Switch. Configuration and
management of the Catalyst Switch is through an SSHv2 session via Management
workstation or via a local console connection. The management interfaces require user
identification and authentication prior to allowing management operations. As described
in Section 6, all management functions are restricted to the authorized administrator of
the TOE. The term “authorized administrator”
administrative user which has been assigned to a privilege level that is permitted to
perform the relevant action; therefore has the appropriate privileges to perform the
requested functions.
is used in this ST to refer to any
Note, the term ‘authorized administrator’ as used in this ST is synonymous with the ‘Security
Administrator’ referenced in the NDPP.
10
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
Protection of the TOE from physical tampering is ensured by its environment. It is
assumed that the switches will remain attached to the physical connections made by an
administrator so that the switch cannot be bypassed. The TOE is completely selfcontained. The hardware, software and firmware provided by Catalyst Switches provide
all of the services necessary to implement the TOE. There are no external interfaces into
the TOE other than the physical ports provided. No general purpose operating system,
user interface, disk storage, or programming interface is provided by the TOE.
The Catalyst Switches that comprise the TOE have common hardware characteristics.
These characteristics affect only non-TSF relevant functions of the switches (such as
throughput, line-card slots, and amount of storage) and therefore support security
equivalency of the switches in terms of hardware:
Central processor that supports all system operations
Dynamic memory, used by the central processor for all system operations
Flash memory (EEPROM), used to store the Cisco IOS image (binary program)
USB slot, used to connect USB devices to the TOE (not relevant as none of the
USB devices are included in the TOE)
Non-volatile read-only memory (ROM) is used to store the bootstrap program and
power-on diagnostic programs
Non-volatile random-access memory (NVRAM) is used to store switch
configuration parameters used to initialize the system at start-up
Physical network interfaces (minimally two) (e.g. RJ45 serial and standard 10/100
Ethernet ports). Some models have a fixed number and/or type of interfaces; some
models have slots that accept additional network interfaces
10 Gigabit Ethernet (GE) uplinks and supports Power over Ethernet Plus (PoE+)
and Universal POEP (UPOE). (Universal POEP is an enhancement to the PoEP
(802.3at) standard to allow powered devices up to 60W to connect over a single
Cat 5e cable. Standard PoEP uses only 2 twisted pairs (out of 4) in the Ethernet
cable. UPOE uses all 4 twisted pairs to deliver 60W to the port.)
Redundant power supplies and fans
Cisco IOS XE is a Cisco-developed highly configurable proprietary operating system that
provides for efficient and effective routing and switching. Although IOS XE performs
many networking functions, this TOE only addresses the functions that provide for the
security of the TOE itself as described in Section 1.7 Logical Scope of the TOE below.
1.5 TOE Environment and Configuration
The TOE consists of one or more physical devices; the Catalyst Switch with Cisco IOS
XE software. The Catalyst Switch has two or more network interfaces and is connected
to at least one internal and one external network. The Cisco IOS configuration determines
how packets are handled to and from the switches’ network interfaces. The switch
configuration will determine how traffic flows received on an interface will be handled.
Typically, packet flows are passed through the network device and forwarded to their
11
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
configured destination. BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2 Routing
protocols are used on all of the Catalyst Switch models.
The TOE can optionally connect to an NTP server on its internal network for time
services. In addition, if the Catalyst Switch is to be remotely administered, then the
management station must be connected to an internal network, SSHv2 must be used to
connect to the switch. A syslog server can also be used to store audit records. A remote
authentication server can also be used for centralized authentication. If these servers are
used, they must be attached to the internal (trusted) network. The internal (trusted)
network is meant to be separated effectively from unauthorized individuals and user
traffic; one that is in a controlled environment where implementation of security policies
can be enforced.
The following figure provides a visual depiction of an example TOE deployment.
Figure 1 TOE environment
12
Cisco Cat4K NDPP ST 11 March 2014
3
Cisco ASR 1006
PWR
STATUS
ASR1000 SIP10
PWR
STATUS
ASR1000 SIP10
PWR
STAT
STBY
ASR1000-ESP20
ACTV
PWR
STAT
STBY
ASR1000-ESP20
ACTV
STAT
ASR1000-RP1
STBY
ACTV
MIN
MAJ
CRIT
A
C 0 CM1
PWR
HD
USB
BF
DISK 1 0
CARRIER
LINK
BITS
CON
AUX
MGMT ETHERNET
CM1
STAT
ASR1000-RP1
STBY
ACTV
MIN
MAJ
CRIT
A C 0
CM1
PWR
HD
USB
BF
DISK 1 0
CARRIER
LINK
BITS
CON
AUX
MGMT ETHERNET
CM1
PWR
STATUS
ASR1000 SIP10
1 0 1
0
2
1
0 2 1 0 P P R
R
Cisco
ETH
ACT
PWR
SLOT 0
0
SLOT 1
0
SLOT 2
0
0K 1 1
1
1700
SERIES
ROUTER
COL
Peer
=
TOE Boundary
Mgt
Workstation
SSH
Connection
Catalyst 4K Switch
Syslog
Server
AAA Server
NTP Server
IPsec
Connection
IPsec
Connection
EDCS-1228241
1.6 Physical Scope of the TOE
The TOE is a hardware and software solution that makes up the following switch models;
Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and
4500X-F) running IOS XE 3.5.2E. The following tables further identify the supported
configurations. The network, on which they reside, is part of the environment.
The Cisco Catalyst Switches, 4503-E, 4506-E, 4507R+E, 4510R+E offers four chassis
options and two supervisor engine options and are extremely flexible and support either 6
Gbps, 24 Gbps, or 48 Gbps per line-card slot. The TOE can optionally support any
other line card or service module (SM)3 that is compatible with the supervisors and
chassis models included in the TOE. These line cards and SMs are not security-relevant
No specific service modules, such as the Firewall Blade, Wireless Service and Network Analysis being
claimed in the evaluated configuration as they require additional license
13
Cisco Cat4K NDPP ST 11 March 2014
Feature
Cisco Catalyst
WS-C4503-E
Chassis
Cisco Catalyst
WS-C4506-E
Chassis
Cisco Catalyst
WS-C4507R+E
Chassis
Cisco Catalyst
WS-C4510R+E
Chassis
Total number of
slots
3 6 7
10
Line-card slots
2 5 5
8
Supervisor
engine slots
14
12
25
26
Dedicated
supervisor
engine slot
numbers
1 1 3 and 4
5 and 6
Supervisor
engine
redundancy
No
No
Yes
Yes (Supervisor
V-10GE, 6-E and
7-E)
Supervisor
engines
Supervisor 7-E
Supervisor 7-E
Supervisor 7-E
Supervisor 7-E
4
5
6
EDCS-1228241
to the CC-evaluated security functional requirements, however the supervisor cards are
security relevant.
Figure 2 Catalyst 4500 Series Switch Chassis
Table 5 Catalyst 4500 Series Switch Chassis Features
Slot 1 is reserved for supervisor engine only; slots 2 and higher are reserved for line cards.
Slots 3 and 4 are reserved for supervisor engines only in Cisco Catalyst 4507R-E and 4507R+E; slots 1-2 and 5-7 are
reserved for line cards.
Slots 5 and 6 are reserved for supervisor engines only in Cisco Catalyst 4510R-E and 4510R+E; slots 1-4 and 7-10 are
reserved for line cards
14
Cisco Cat4K NDPP ST 11 March 2014
Feature
Cisco Catalyst
WS-C4503-E
Chassis
Cisco Catalyst
WS-C4506-E
Chassis
Cisco Catalyst
WS-C4507R+E
Chassis
Cisco Catalyst
WS-C4510R+E
Chassis
supported
Supervisor 7L-E
Supervisor 7L-E
Supervisor 7L-E
Maximum PoE
per slot
1,500W
1,500W
1,500W
1,500W slots 1
and 2,
750W slots
3,4,7-10
Bandwidth
scalability per
line-card slot
Up to 48 Gbps
on all slots
Up to 48 Gbps
on all slots
Up to 48 Gbps
on all slots
7
Up to 48 Gbps
on all slots
5
Number of
power supply
bays
2 2 2
2
AC input power
Yes
Yes
Yes
Yes
DC Input power
Yes
Yes
Yes
Yes
Integrated
Power over
Ethernet
Yes
Yes
Yes
Yes
Minimum
number of
power supplies
1 1 1
1
Power supplies
supported
● 1000W AC
● 1400W AC
● 1300W ACV
● 2800W ACV
● 4200W ACV
● 6000W ACV
● 1400W DC
(triple input)
● 1400W-DC-P
● 1000W AC
● 1400W AC
● 1300W ACV
● 2800W ACV
● 4200W ACV
● 6000W ACV
● 1400W DC
(triple input)
● 1400W-DC-P
● 1000W AC
● 1400W AC
● 1300W ACV
● 2800W ACV
● 4200W ACV
● 6000W ACV
● 1400W DC
(triple input)
● 1400W-DC-P
● 1400W AC
● 2800W ACV
● 4200W ACV
● 6000W ACV
● 1400W DC
(triple input)
● 1400W-DC-P
Number of fantray bays
1 1 1
1
Location of 19inch rack mount
Front
Front
Front
Front
7
EDCS-1228241
WS-C4507R-E and WS-C4510R-E chassis support up to 24G per line-card slot when used with Sup6-E
15
Cisco Cat4K NDPP ST 11 March 2014
Feature
Cisco Catalyst
WS-C4503-E
Chassis
Cisco Catalyst
WS-C4506-E
Chassis
Cisco Catalyst
WS-C4507R+E
Chassis
Cisco Catalyst
WS-C4510R+E
Chassis
Location of 23inch rack mount
Front (option)
Front (option)
Front (option)
Front (option)
Product Number /Description
Cisco Catalyst 4500E Supervisor Cards
Supervisor Engine 7-E
• Performance and capability
– 848 Gbps switching capacity with 250 Mpps of throughput
– 4 nonblocking 10 Gigabit Ethernet uplinks (Small Form-Factor
Pluggable Plus [SFP+])
– SFP support on uplinks to offer flexibility for up to 4 Gigabit
Ethernet ports
– 384 ports of nonblocking 10/100/1000
– PoEP (30W) capabilities on all ports in a line card simultaneously
– UPOE (60W) capabilities on all line-card slots
– Energy Efficient Ethernet (IEEE 802.3az)
– 196 ports of nonblocking Gigabit Ethernet SFP
– 100 ports of 10 Gigabit Ethernet SFP+ (4 uplinks ports + 96 line-
card ports)
– 128,000 FNF entries in hardware
– External USB and Secure Digital (SD) card support for flexible
storage options
– 256,000 routing entries for high-end campus access and
aggregation deployments
– IPv6 support in hardware, providing wire-rate forwarding for IPv6
networks
– Dynamic hardware forwarding-table allocations for ease of IPv4to-IPv6 migration
– Scalable routing (IPv4, IPv6, and multicast) tables, Layer 2 tables,
EDCS-1228241
Cisco Catalyst 4500 Series line cards can be mixed and matched to suit numerous LAN
access, server connectivity, or branch-office deployments. The Cisco Catalyst 4500
Series supports the following supervisor and line cards, by product number:
Table 6 Catalyst 4500 Series Switch Chassis Line Cards
16
Cisco Cat4K NDPP ST 11 March 2014
Product Number /Description
and access-control-list (ACL) and quality-of-service (QoS) entries to
use 8 queues/port and comprehensive security policies per port
• Infrastructure services
– Cisco IOS XE Software, the modular open application platform for
virtualized borderless services
– Maximum resiliency with redundant components, Nonstop
Forwarding/Stateful Switchover (NSF/SSO), and ISSU support
– Network virtualization through Multi-Virtual Route Forwarding
(VRF) and Easy Virtual Networking (EVN) technology for Layer 3
segmentation
– Automation through Embedded Event Manager (EEM), Cisco
Smart Call Home, AutoQoS, and Auto SmartPorts for fast
provisioning, diagnosis, and reporting
• Cisco Borderless Networks Services
– Optimized application performance through deep visibility with
FNF supporting rich Layer 2/3/4 information (MAC, VLAN, and
TCP Flags) and synthetic traffic monitoring with IP service-level
agreement (IP SLA)
– Medianet capabilities to simplify video QoS, monitoring, and
security
– Energy-efficient design with Cisco EnergyWise technology to
manage network, PoEP, and PC
• Investment protection and reduced total cost of ownership (TCO)
– Full backward compatibility with 6-, 24-, and 48-Gbps slot line
cards with no performance degradation
The Cisco Catalyst 4500E Supervisor Engine 7-E is compatible with
classic Cisco Catalyst 4500 line cards and power supplies, providing
full investment protection. The Supervisor Engine 7-E is not
compatible with classic Cisco Catalyst 4500 chassis. When you
deploy the Cisco Catalyst 4500E Supervisor Engine 7-E with classic
line cards, all of the new features except the 24- and 48-Gbps perslot switching capacity are inherited.
Supervisor Engine 7L-E
• Performance and scalability:
– 520-Gbps switching capacity with 225 mpps of throughput
– 2 nonblocking 10 Gigabit Ethernet uplinks (SFP+) or 4
nonblocking 1 Gigabit Ethernet uplinks (SFP)
EDCS-1228241
17
Cisco Cat4K NDPP ST 11 March 2014
Product Number /Description
– Supports 3-, 6-, and 7-slot Cisco Catalyst 4500E chassis
– Supports a maximum of 244 ports of 10/100/1000 Base-T and 400
ports of 1000Base-X (CSFP) in a 7-slot chassis
– Supports up to 124 1GE nonblocking fiber ports or 62 10GE fiber
ports in a 7-slot chassis
– Enables next-generation Universal Power Over Ethernet (UPOE,
WS-X4748-UPOE+E) in addition to backward compatibility with
other PoE standards
– Enables EEE (IEEE 802.3az)
– 128,000 Flexible NetFlow entries in hardware
– External USB and SD card support for flexible storage options
– 10/100/1000 RJ-45 console and management port
– 64,000/32,000 IPv4/IPv6 routing entries for campus access and
aggregation deployments
– IPv6 in hardware, providing wire-rate forwarding for IPv6
networks and support for dual stack with innovative resource usage
– Dynamic hardware forwarding-table allocations for ease of IPv4-
to-IPv6 migration
– Scalable routing (IPv4, IPv6, and multicast) tables, Layer 2 tables,
and access-control-list (ACL) and quality-of-service (QoS) entries to
make use of 8 queues per port and comprehensive security policies
per port
• Infrastructure services:
– Cisco IOS XE Software, the modular open application platform for
virtualized borderless services
– Maximum resiliency with redundant components, Nonstop
Forwarding/Stateful Switchover (NSF/SSO), and In-Service
Software Upgrade (ISSU) support
– Network virtualization through Multi-Virtual Route Forwarding
(VRF) technology for Layer 3 segmentation
– Automation through Embedded Event Manager (EEM), Cisco
Smart Call Home, AutoQoS, and Auto SmartPorts for fast
provisioning, diagnosis, and reporting
• Borderless network services:
– Optimized application performance through deep visibility with
Flexible NetFlow supporting rich Layer 2/3/4 information (MAC,
VLAN, TCP Flags) and synthetic traffic monitoring with IP servicelevel agreement (SLA)
– Medianet capabilities to simplify video quality of service,
monitoring, and security. In addition, multicast features such as
Protocol Independent Multicast (PIM) and Source-Specific
EDCS-1228241
18
Cisco Cat4K NDPP ST 11 March 2014
Product Number /Description
Multicast (SSM) that provide enterprise customers the additional
scalability to support multimedia applications
– Energy-efficient design with Cisco EnergyWise™ technology
• Investment protection and reduced total cost of ownership (TCO):
– Full backward compatibility with 6 G, 24 G, and 48 Gbps slot line
cards with no performance degradation
The Cisco Catalyst 4500E Supervisor Engine 7L-E is compatible
with classic Cisco Catalyst 4500 line cards and power supplies,
providing full investment protection. Supervisor Engine 7L-E is not
compatible with classic Cisco Catalyst 4500 chassis.
Cisco Catalyst 4500E Series Line Cards
WS-X4748-UPOE+E
• 48 ports nonblocking
• 10/100/1000 module (RJ-45)
• Cisco IOS XE Release 3.1.0SG or later
• UPOE: capable of up to 60 W per port up to 1440 W
• Energy Efficient Ethernet 802.3az
• IEEE 802.3af/at and Cisco prestandard PoE, IEEE 802.3x flow
control
• IEEE 802.1AE and Cisco TrustSec capability in hardware
• L2-4 Jumbo Frame support (up to 9216 bytes)
• Capable of up to 30 W of inline power per port on all ports
simultaneously
• Enterprise and commercial: designed to power next-generation IP
phones, wireless base stations, video cameras, virtual desktop
clients, and other PoE/UPOE devices
• Campus and branch applications requiring enhanced performance
for large file transfers and network backups
WS-X4748-RJ45V+E
• 48 ports nonblocking
• 10/100/1000 module (RJ-45)
• Cisco IOS XE Release 3.1.0SG or later
• IEEE 802.3af/at and Cisco prestandard PoE, IEEE 802.3x flow
control
• IEEE 802.1AE and Cisco TrustSec capability in hardware
• L2-4 Jumbo Frame support (up to 9216 bytes)
• Capable of up to 30 W of inline power per port on all ports
simultaneously
• Enterprise and commercial: designed to power next-generation IP
phones, wireless base stations, video cameras, and other PoE
devices
• Campus and branch applications requiring enhanced performance
for large file transfers and network backups
EDCS-1228241
19
Cisco Cat4K NDPP ST 11 March 2014
Product Number /Description
WS-X4748-RJ45-E
• 48 ports nonblocking
• 10/100/1000 module (RJ-45)
• Cisco IOS XE Release 3.1.0SG or later
• Energy Efficient Ethernet 802.3az
• IEEE 802.1AE and Cisco TrustSec capability in hardware
• L2-4 Jumbo Frame support (up to 9216 bytes)
• Enterprise and commercial: designed for data only user access
• Campus and branch applications requiring enhanced performance
for large file transfers and network backups
WS-X4712-SFP+E
• 48 gigabits per-slot capacity
• Bandwidth is allocated across four 3-port groups, providing 12
Gbps per port group (2.5:1)
• Up to 12 ports 10GE SFP+ (10GBASE-R) or 12 ports GE SFP
(1GBASE-X)
• SFP+ and SFP can be used simultaneously on the same line card
without any restrictions
• Cisco IOS XE Release 3.1.0SG or later
• IEEE 802.1AE and Cisco TrustSec capability in hardware
• L2-4 Jumbo Frame support (up to 9216 bytes)
• Enterprise and commercial: designed for high-speed backbone
and switch-to-switch applications
• Service provider: 10GE/GE mix aggregation for
DSLAM/PON/mobile data backhaul
• WS-X4712-SFP+E is not supported on 4507R-E and 4510R-E
chassis
WS-X4640-CSFP-E
• 40 modules of Gigabit SFP line card (1000BaseX), providing 24
gigabits per-slot capacity (SFP optional)
• 40 ports with Gigabit SFP (2:1 oversubscribed)
• 80 ports with Gigabit compact SFP (4:1 oversubscribed)
• Customers can mix and match Gigabit SFP and Gigabit compact
SFPs
• 6E/6LE Supports WS-X4640-CSFP-E with IOS version
15.1.(1)SG
• 7E, 7L-E supports WS-X4640-CSFP-E from 15.0(2)SG1 /
3.2.0SG onwards
• Supported on 3, 6, and 7 slot chassis
• IEEE 802.3, IEEE 802.3ah, IEEE 802.3x flow control
• L2-4 Jumbo Frame support (up to 9216 bytes)
• Inherits supervisor engine QoS capability
• Service Provider: Point-to-Point fiber to the home (FTTH) or
building (FTTB) for residential and business applications
• Enterprise: Providing Fiber to the Desktop (FTTD), for
deployments where non-blocking is not a mandatory requirement
EDCS-1228241
20
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
The Cisco Catalyst 4500 Series has flexible interface types and port densities that allow
network configurations to be mixed and matched to meet the specific needs of the
organizations network.
The Cisco Catalyst 4500-X Series Switch is a fixed aggregation platform that provides
flexibility through two versions of base switches along with optional uplink module. Both
the 32- and 16-port versions can be configured with optional network modules and offer
similar features. The Small Form-Factor Pluggable Plus (SFP+) interface supports both
10 Gigabit Ethernet and 1 Gigabit Ethernet ports, allowing upgrades to 10 Gigabit
Ethernet when organizational demands change. The uplink module is hot swappable.
Deployment Options include:
32 x 10 Gigabit Ethernet Port switch with optional Small Form-Factor Pluggable
Plus (SFP+) models
16 x 10 Gigabit Ethernet Port switch with optional Small Form-Factor Pluggable
Plus (SFP+) models
8 x 10 Gigabit Ethernet SFP+ removable uplink module
Dual-redundant AC/DC power supply and five field-replaceable unit (FRU) fans
The figure below shows the Cisco Catalyst 4500-X Series Switch with and without the
optional 8-port uplink module, front-to-back airflow, and the uplink module.
Figure 3 Cisco Catalyst 4500-X Series Chassis and Modules
Figure 4 32 x 10 Gigabit Ethernet Port Switch with Optional Uplink Module Slot
Figure 5 16 x 10 Gigabit Ethernet Port Switch with Optional Uplink Module Slot
Figure 6 8 x 10 Gigabit Ethernet Port Uplink Module
21
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
Figure 7 Front-to-Back Airflow Rear View
Figure 8 Back-to-Front Airflow Rear View
As described above, the physical boundary of the TOE is the switch hardware and
software. The software of the TOE is IOS and other supporting functionality (e.g., SSH
Server). This physical boundary represents the Switch subsystem of the TOE. The
Switch subsystem processes data packets and accepts a management interface connection
to administer the switch. The management interface is either through a secure SSHv2
session or via a local console connection.
The switches are hardware platforms in which all operations in the TOE scope are
protected from interference and tampering by untrusted subjects. All administration and
configuration operations are performed within the physical boundary of the TOE. Also,
all TOE Security Policy (TSP) enforcement functions must be invoked and succeed prior
to functions within the TOE scope of control (TSC) proceeding.
The TOE includes one or more chassis, one or more supervisor engine cards running the
IOS XE software and one or more line cards. Each switch is a physical device with the
following types of communication interfaces provided by the supervisor engine cards
and/or the line cards:
USB ports,
Network port,
22
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
Serial port, and
Compact Flash Slot
In addition to the communication interfaces above, the TOE includes a number of LEDs
and power connectors. The LEDs are output elements only, and while the power
connectors provide physical input they are not considered TOE interfaces.
1.6.1 USB Console Port
The USB Interface is a physical port on the Supervisor card. The interface allows a
management console to be connected to the TOE as a USB device whereas an
Administrator can authenticate to the TOE and issue commands to the TOEs CLI.
Physical access to the port is protected by operational environment of the switch.
1.6.2 Network Ports
The physical network interfaces to the switch are Ethernet interfaces receiving and
transmitting Internet Protocol datagrams as specified in RFC 0894 [Ethernet], RFC 0791
[IPv4], and RFC 2460 [IPv6]. Over this physical interface network traffic packets are
transferred into and out of the TOE. The physical network interface (ports) can be
located on the supervisor card and/or the line cards.
The network interface is the physical Ethernet interface to the TOE from the internal and
external networks. Within the scope of the evaluation, this interface is used for the
following purposes:
For network traffic entering and leaving the TOE. This could be ‘through traffic’
for example a telnet packet from a user destined from an internal network to an
external network, or ‘to the box traffic’ for example an external ping to the TOE’s
IP address.
To allow a remote Administrator to access the TOE’s CLI over the network using
SSHv2.
To allow the audit log records to be transmitted to the syslog server via IPsec
connection tunnel.
To allow, if configured, time synchronization with the NTP server via secure
transmission (SSHv2, IPsec).
To allow, if configured, the TOE access to the AAA server to authenticate TOE
administrators.
1.6.3 Serial Port
From a directly connected terminal an Administrator can authenticate to the TOE and
issue commands to the TOEs CLI. This interface can also be configured to display
syslog messages to the console.
23
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
The primary serial interface into the TOE uses RS-232 signaling over an RJ45 interface.
The serial port is located on the Supervisor card.
1.6.4 Compact Flash Slot
The Supervisor Engine card in the Catalyst 4500 series provides a slot to accept a
compact flash drive. The TOE can accept 64MB, 128 MB, 256 MB, 512 MB compact
flash drives. The storage provided by these drives is used by the TOE as ordinary long
term storage of configuration files and IOS software images.
Because the TOE treats the compact flash storage as an internal storage medium, this
physical interface is considered internal to the TOE and thus, NOT a TSFI.
1.6.5 Physical Scope of the TOE
The physical scope of the TOE comprises a collection of all hardware, firmware,
software and guidance documentation as follows:
The TOE is a hardware and software solution that uses a combination of chassis,
supervisor engine, and line cards as defined in Section 1.3.1, Table 3: the Cisco
Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and
4500X-F) running IOS XE 3.5.2E on the Supervisor Engine.
Installation and Configuration guidance for the Common Criteria NDPP
Evaluated Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E,
4510R+E, 4500X and 4500X-F) with IOS XE 3.5.2E
Cisco IOS Security Command Reference
Cisco IOS Security Configuration Guide
1.7 Logical Scope of the TOE
The TOE includes the following security features that are relevant to the secure
configuration and operation of the TOE.
1. Security audit
2. Cryptographic support
3. User Data Protection
4. Identification and authentication
5. Secure Management
6. Protection of the TSF
7. Resource Utilization
8. TOE access
9. Trusted Path/Channel
These features are described in more detail in the subsections below.
24
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
1.7.1 Security Audit
The TOE generates a comprehensive set of audit logs that identify specific TOE
operations. For each event, the TOE records the date and time of each event, the type of
event, the subject identity, and the outcome of the event. Auditable events include: failure
on invoking cryptographic functionality; establishment, termination and failure of an
IPsec SA; establishment, termination and failure of an SSH session; modifications to the
group of users that are part of the authorized administrator roles; all use of the user
identification mechanism; any use of the authentication mechanism; any change in the
configuration of the TOE; detection of replay attacks, changes to time, initiation of TOE
update, indication of completion of TSF self-test, maximum sessions being exceeded,
termination of a remote session and attempts to unlock a termination session; and
initiation and termination of a trusted channel.
The TOE is configured to transmit its audit messages to an external syslog server.
Communication with the syslog server is protected using IPsec and the TOE can
determine when communication with the syslog server fails. If that should occur, the
TOE can be configured to block new permit actions.
The logs can be viewed on the TOE using the appropriate IOS commands. The records
include the date/time the event occurred, the event/type of event, the user associated with
the event, and additional information of the event and its success and/or failure. The
TOE does not have an interface to modify audit records, though there is an interface
available for the authorized administrator to clear audit data stored locally on the TOE.
1.7.2 Cryptographic Support
The TOE provides cryptography support for secure communications and protection of
information when configured in FIPS mode of operation. The crypto module is FIPS
140-2 SL2 validated. The cryptographic services provided by the TOE include:
symmetric encryption and decryption using AES; digital signature using RSA;
cryptographic hashing using SHA1; keyed-hash message authentication using HMACSHA1, and IPsec for authentication and encryption services to prevent unauthorized
viewing or modification of data as it travels over the external network. The TOE also
implements SSHv2 secure protocol for secure remote administration. In the evaluated
configuration, the TOE must be operated in FIPS mode of operation per the FIPS
Security Policy (certificate 1940).
1.7.3 User Data Protection
The TOE supports routing protocols including BGPv4, EIGRP, EIGRPv6 for IPv6,
RIPv2, and OSPFv2 to maintain routing tables, or routing tables can configured and
maintained manually (‘static routes’). Since routing tables are used to determine
which egress ACL is applied to the outbound traffic, the authority to modify the
routing tables is restricted to authenticated administrators, and authenticated neighbor
routers. The only aspect of routing protocols that is security relevant in this TOE is
the TOE’s ability to authenticate neighbor routers using shared passwords. Other
25
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
security features and configuration options of routing protocols are beyond the scope
of this Security Target and are described in administrative guidance.
The TOE also ensures that packets transmitted from the TOE do not contain residual
information from previous packets. Packets that are not the required length use zeros
for padding the remainder of the packet so that residual data from previous traffic is
never transmitted from the TOE.
1.7.4 Identification and Authentication
The TOE performs local authentication, using Cisco IOS platform authentication
mechanisms, to authenticate access to user EXEC and privileged EXEC command
modes. All users wanting to use TOE services are identified and authenticated prior to
being allowed access to any of the services. Once a user attempts to access the
management functionality of the TOE (via EXEC mode), the TOE prompts the user for a
user name and password. Only after the administrative user presents the correct
identification and authentication credentials will access to the TOE functionality be
granted.
The TOE also supports use of a remote AAA server (RADIUS and TACACS+) as the
enforcement point for identifying and authenticating users attempting to connect to the
TOE’s CLI. Note the remote authentication server is not included within the scope of the
TOE evaluated configuration, it is considered to be provided by the operational
environment.
The TOE can be configured to display an advisory banner when administrators log in and
also to terminate administrator sessions after a configured period of inactivity.
The TOE also supports authentication of other routers using router authentication
supported by BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2. Each of these
protocols supports authentication by transmission of MD5-hashed password strings,
which each neighbor router uses to authenticate others. For additional security, it is
recommended router protocol traffic also be isolated to separate VLANs.
1.7.5 Security Management
The TOE provides secure administrative services for management of general TOE
configuration and the security functionality provided by the TOE. All TOE
administration occurs either through a secure session via SSHv2, or a local console
connection (serial port). The TOE provides the ability to perform the following actions:
allows authorized administrators to add new administrators,
start-up and shutdown the device,
create, modify, or delete configuration items,
create, modify, or delete information flow policies,
create, modify, or delete a routing table,
modify and set session inactivity thresholds,
modify and set the time and date,
26
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
and create, delete, empty, and review the audit trail
All of these management functions are restricted to authorized administrators of the TOE.
The TOE switch platform maintains administrative privilege levels and supports nonadministrative connections. Non-administrative connections are established with
authenticated neighbor routers for the ability to transmit and receive routing table updates
per the information flow rules. No other access nor management functionality is
associated with non-administrative connections. The administrative privilege levels
include:
Administrators are assigned to privilege levels 0 and 1. Privilege levels 0 and 1
are defined by default and are customizable. These levels have a very limited
scope and access to CLI commands that include basic functions such as login,
show running system information, turn on/off privileged commands, logout.
Semi-privileged administrators equate to any privilege level that has a subset of
the privileges assigned to level 15; levels 2-14. These levels are undefined by
default and are customizable.
Privileged administrators are equivalent to full administrative access to the CLI,
which is the default access for IOS privilege level 15.
All management functions are restricted to the authorized administrator of the TOE. The
term “authorized administrator” is used in this ST to refer to any user account that has
been assigned to a privilege level that is permitted to perform the relevant action;
therefore has the appropriate privileges to perform the requested functions.
1.7.6 Protection of the TSF
The TOE protects against interference and tampering by untrusted subjects by
implementing identification, authentication and access controls to limit configuration to
authorized administrators. Additionally Cisco IOS is not a general-purpose operating
system and access to Cisco IOS memory space is restricted to only Cisco IOS functions.
The TOE provides secure transmission when TSF data is transmitted between the TOE
and other IT entities, such as remote administration via SSH and secure transmission of
audit logs to a syslog server via IPsec.
The TOE is also able to detect replay of information received via secure channels (e.g.
SSH, or IPsec). The detection applied to network packets that terminate at the TOE, such
as trusted communications between the administrators and the TOE, or between an IT
entity (e.g., authentication server) and the TOE. If replay is detected, the packets are
discarded.
In addition, the TOE internally maintains the date and time. This date and time is used as
the timestamp that is applied to audit records generated by the TOE. Administrators can
update the TOE’s clock manually, or can configure the TOE to use NTP to synchronize
27
Loading...