Cisco ISR 4000 series, ISR-4400 Series Configuration Manual

Cisco Integrated Services Routers (ISR) 4000 Family
CC Configuration Guide
Version 0.2
May 22, 2017
Cisco ISR 4000 Family Routers Administrator Guidance
Page 2 of 66
Table of Contents
1. Introduction 7
1.1 Audience 7
1.2 Purpose 7
1.3 Document References 7
1.4 Supported Hardware and Software 9
1.5 Operational Environment 9
1.5.1 Supported non-TOE Hardware/ Software/ Firmware 9
1.6 Excluded Functionality 10
2. Secure Acceptance of the TOE 11
3. Secure Installation and Configuration 14
3.1 Physical Installation 14
3.2 Initial Setup via Direct Console Connection 14
3.2.1 Options to be chosen during the initial setup of the ISR 4000 Family Routers 14
3.2.2 Saving Configuration 15
3.2.3 Enabling FIPS Mode 15
3.2.4 Administrator Configuration and Credentials 15
3.2.5 Session Termination 16
3.2.6 User Lockout 16
3.3 Network Protocols and Cryptographic Settings 17
3.3.1 Remote Administration Protocols 17
3.3.2 Authentication Server Protocols 19
3.3.3 Logging Configuration 19
3.3.4 Usage of Embedded Event Manager 20
3.3.5 Logging Protection 21
3.3.6 Base Firewall Rule set Configuration 23
3.3.7 Routing Protocols 25
3.3.8 MACSEC and MKA Configuration 25
4. Secure Management 26
4.1 User Roles 26
4.2 Passwords 26
4.3 Clock Management 29
4.4 Identification and Authentication 29
4.5 Login Banners 29
4.6 Virtual Private Networks (VPN) 29
4.6.1 IPsec Overview 29
4.6.2 IPsec Transforms and Lifetimes 34
4.6.3 NAT Traversal 35
4.6.4 X.509 Certificates 35
4.6.5 Information Flow Policies 40
4.7 Product Updates 40
Configure Reference Identifier 40
5. Security Relevant Events 43
5.1 Deleting Audit Records 57
6. Network Services and Protocols 59
7. Modes of Operation 62
8. Security Measures for the Operational Environment 64
9. Obtaining Documentation and Submitting a Service Request 65
9.1 Documentation Feedback 65
9.2 Obtaining Technical Assistance 65
List of Tables
Table 1 Acronyms 5
Table 2 Cisco Documentation 7
Table 3 IT Environment Components 9
Table 4 Excluded Functionality 10
Table 5 TOE External Identification 11
Table 6 Evaluated Software Images 13
Table 7 General Auditable Events 44
Table 8 Auditable Administrative Events 53
Table 9 Protocols and Services 59
Table 10 Operational Environment Security Measures 64
List of Acronyms
The following acronyms and abbreviations are used in this document:
Table 1 Acronyms
Acronyms / Abbreviations – Definition
AAA – Administration, Authorization, and Accounting
AES – Advanced Encryption Standard
FIPS – Federal Information Processing Standards
EAL – Evaluation Assurance Level
HTTPS – Hyper-Text Transport Protocol Secure
IP – Internet Protocol
NTP – Network Time Protocol
RADIUS – Remote Authentication Dial In User Service
SFP – Security Function Policy
SSHv2 – Secure Shell (version 2)
TCP – Transport Control Protocol
TOE – Target of Evaluation
DOCUMENT INTRODUCTION
Prepared By:
Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA 95134
This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Cisco Integrated Services Routers (ISR) 4000 (4321, 4331 and 4351) Family. This Operational User Guidance with Preparative Procedures addresses the administration of the TOE software and hardware and describes how to install, configure, and maintain the TOE in the Common Criteria evaluated configuration. Administrators of the TOE will be referred to as administrators, authorized administrators, TOE administrators, semi-privileged administrators, and privileged administrators in this document.
1. Introduction
This Operational User Guidance with Preparative Procedures documents the administration of the Cisco Integrated Services Routers (ISR) 4000 Family (4321, 4331 and 4351), the TOE, as it was certified under Common Criteria. The Cisco Integrated Services Routers (ISR) 4000 Family may be referenced below as the ISR 4000 Family Router, TOE, or simply router.
1.1 Audience
This document is written for administrators configuring the TOE. This document assumes that you are familiar with the basic concepts and terminologies used in internetworking, and understand your network topology and the protocols that the devices in your network can use, that you are a trusted individual, and that you are trained to use the operating systems on which you are running your network.
1.2 Purpose
This document is the Operational User Guidance with Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and administrator functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration. This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining ISR 4000 operations. All security relevant commands to manage the TSF data are provided within this documentation within each functional section.
1.3 Document References
This document makes reference to several Cisco Systems documents. The documents used are shown below in Table 2. Throughout this document, the guides will be referred to by the #, such as [1].
Table 2 Cisco Documentation
# – Title – Link
[1] Loading and Managing System Images Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-mgmt/configuration/xe-16/sysimgmgmt-xe-16-book.html
[2] Hardware Installation Guide for the Cisco 4000 Series Integrated Services Router
http://www.cisco.com/c/en/us/td/docs/routers/access/4400/hardware/installation/guide4400-4300/C4400_isr.html
[3] Configuration Fundamentals Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/configuration/xe-16/fundamentals-xe-16-book.html
[4] Basic System Management Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/xe-16/bsm-xe-16-book.html
[5] RADIUS Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16/sec-usr-rad-xe-16-book.html
[6] Using Setup Mode to Configure a Cisco Networking Device
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/configuration/15-s/fundamentals-15-s-book.html
[8] Cisco IOS Security Command Reference
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-a1-cr-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-d1-cr-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/sec-m1-cr-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-s1-cr-book.html
[9] Public Key Infrastructure Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-16/sec-pki-xe-16-book.html
[11] IPsec Data Plane Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/xe-16/sec-ipsec-data-plane-xe-16-book.html
[12] FlexVPN and Internet Key Exchange Version 2 Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-16/sec-flex-vpn-xe-16-book.html
[13] Cisco IOS Configuration Fundamentals Command Reference
http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/Cisco_IOS_Configuration_Fundamentals_Command_Reference.html
[14] Release Notes for the Cisco 4000 Series ISRs
http://www.cisco.com/c/en/us/td/docs/routers/access/4400/release/xe-16-rn/isr4k-rel-notes-xe-16_3.html
[15] Cisco 4000 Series ISRs Software Configuration Guide
http://www.cisco.com/c/en/us/td/docs/routers/access/4400/software/configuration/guide/isr4400swcfg.pdf
[16] Removed
[17] MACSEC and MKA Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16/macsec-xe-16-book.html
[18] IP Addressing: NAT Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book.html
1.4 Supported Hardware and Software
Only the hardware and software listed in section 1.5 of the Security Target (ST) is compliant with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the secure configuration. Likewise, using any software version other than the evaluated software listed in the ST will invalidate the secure configuration. The TOE is a hardware and software solution that makes up the Cisco Integrated Services Routers (ISR) 4000 Family (4321, 4331 and 4351) model. The network on which they reside is considered part of the environment. The software is pre-installed and is comprised of the Cisco IOS-XE software image Release 16.3.2. In addition, the software image is also downloadable from the Cisco web site.
1.5 Operational Environment
1.5.1 Supported non-TOE Hardware/ Software/ Firmware
The TOE supports (in some cases optionally) the following hardware, software, and firmware in its environment:
Table 3 IT Environment Components
Component (Required) – Usage/Purpose Description for TOE performance
RADIUS AAA Server (Required: No) – This includes any IT environment RADIUS AAA server that provides single-use authentication mechanisms. This can be any RADIUS AAA server that provides single-use authentication. The TOE correctly leverages the services provided by this RADIUS AAA server to provide single-use authentication to administrators.
Management Workstation with SSH Client (Required: Yes) – This includes any IT Environment Management workstation with a SSH client installed that is used by the TOE administrator to support TOE administration through SSH protected channels. Any SSH client that supports SSHv2 may be used.
Local Console (Required: No) – This includes any IT Environment Console that is directly connected to the TOE via the Serial Console Port and is used by the TOE administrator to support TOE administration.
Certification Authority (Required: No) – This includes any IT Environment Certification Authority on the TOE network. This can be used to provide the TOE with a valid certificate during certificate enrolment.
Remote VPN Endpoint (Required: Yes) – This includes any VPN peer or client with which the TOE participates in VPN communications. Remote VPN Endpoints may be any device or software client that supports IPsec VPN communications. Both VPN clients and VPN gateways are considered to be Remote VPN Endpoints by the TOE.
NTP Server (Required: No) – The TOE supports communications with an NTP server in order to synchronize the date and time on the TOE with the NTP server’s date and time. A solution must be used that supports secure communications with up to a 32 character key.
Syslog Server (Required: Yes) – This includes any syslog server to which the TOE would transmit syslog messages.
1.6 Excluded Functionality
The following functionality is excluded from the evaluation.
Table 4 Excluded Functionality
Excluded Functionality – Exclusion Rationale
Non-FIPS 140-2 mode of operation – This mode of operation includes non-FIPS allowed operations.
Telnet for management purposes – Telnet passes authentication credentials in clear text. SSHv2 is to be used instead.
These services will be disabled by configuration. The exclusion of this functionality does not affect compliance to the U.S. Government Protection Profile for Security Requirements for Network Devices.
2. Secure Acceptance of the TOE
In order to ensure the correct TOE is received, the TOE should be examined to ensure that it has not been tampered with during delivery.
Verify that the TOE software and hardware were not tampered with during delivery by performing the following actions:
Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 2 Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box.
Step 4 Note the serial number of the TOE on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the device. Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/FAX or other online tracking service.
Step 6 Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). Also verify that the unit has the following external identification as described in Table 5 below.
Table 5 TOE External Identification
Product Name
Model Number
External Identification
Integrated Services Routers (ISR) 4000 Family Routers
4321
ISR 4321
Integrated Services Routers (ISR) 4000 Family Routers
4331
ISR 4331
Integrated Services Routers (ISR) 4000 Family Routers
4351
ISR 4351
Step 7 Approved methods for obtaining a Common Criteria evaluated software image:
Download the Common Criteria evaluated software image file from Cisco.com onto a trusted computer system. Software images are available from Cisco.com at the following: http://www.cisco.com/cisco/software/navigator.html.
The TOE ships with the correct software images installed; however, this may not be the evaluated version.
Step 8 Once the file is downloaded, copy (via tftp) the downloaded and verified software image from the trusted system as described in [3].
Once the file has been copied, it is recommended that you read and familiarize yourself with the Part 2: Configuration Using Setup and Autoinstall -> Overview – Basic Configuration of a Cisco Networking Device before proceeding with the install [3]. You may also want to familiarize yourself with [8] basic commands, [14] release notes and [15] fundamental Cisco 4000 Series ISR and IOS concepts before proceeding with the installation and configuration of the TOE.
Step 9 To verify the digital signature prior to installation, use the show software authenticity file command. It displays software authentication related information that includes image credential information, key type used for verification, signing information, and other attributes in the signature envelope, for a specific image file. The command handler will extract the signature envelope and its fields from the image file and dump the required information; see [1] Loading and Maintaining System Images -> Digitally Signed Cisco Software. To display the software public keys that are in the storage with the key types, use the show software authenticity keys command in privileged EXEC mode.
TOE-common-criteria# show software authenticity file {bootflash0:filename | bootflash1:filename | bootflash:filename | nvram:filename | usbflash0:filename | usbflash1:filename}
To display information related to software authentication for the current ROM monitor (ROMMON), monitor library (monlib), and Cisco IOS image used for booting, use the show software authenticity running command in privileged EXEC mode.
Step 10 To install and configure the ISR 4000 Family Router follow the instructions as described in [3] Overview – Basic Configuration of a Cisco Networking Device -> Cisco IOS XE Setup Mode. Depending on your organization and current network environment, at the Where to Go Next section, select either ‘Using AutoInstall to Remotely Configure Cisco Networking Device’ or ‘Using Setup Mode to Configure a Cisco Networking Device’. Start your ISR 4000 Family Router as described in [15], executing associated commands in [8] and [13]. Confirm that the TOE loads the image correctly, completes internal self-checks and displays the cryptographic export warning on the console.
Step 11 Once the TOE has booted, the end-user must confirm that they are indeed running the evaluated version. Use the “show version” command [8] to display the currently running system image filename and the system software release version. It is also recommended that the license level be verified and activated as described in [15]. An authorized administrator can verify the TOE software image through reloading of the TOE or via the ‘verify’ command. It is assumed the end-user has acquired a permanent license that is valid for the lifetime of the system on which it is installed.
Table 6 Evaluated Software Images
Platform – Image Name – Hash
4321, 4331 and 4351 (all three platforms use the same image)
Image Name: isr4300-universalk9.16.03.02.SPA.bin
MD5: 4559bae68571648d40bdcb7c8387b393
SHA-256: 14503889e9ebc7b6d869924d72c8062a1452688bd6e28008bb09f8ebcfd9ff071e9218f4ea1513d3ddb20ba78d4719fbf26714c3ead9393ad4c5566f9c25b929
When updates, including PSIRTS (bug fixes) to the evaluated image are posted, customers are notified that updates are available (if they have purchased continuing support), information provided how to download updates and how to verify the updates. This information is the same as described above for installing the software image.
3. Secure Installation and Configuration
3.1 Physical Installation
Follow the Cisco Hardware Installation Guide for the Cisco Integrated Services Routers (ISR) 4000 Family [2] for hardware installation instructions.
3.2 Initial Setup via Direct Console Connection
The Integrated Services Routers (ISR) 4000 Family must be given basic configuration via console connection prior to being connected to any network.
3.2.1 Options to be chosen during the initial setup of the ISR 4000 Family Routers
The setup starts automatically when a device has no configuration file in NVRAM. When setup completes, it presents the System Configuration Dialog. This dialog guides the administrator through the initial configuration with prompts for basic information about the TOE and network and then creates an initial configuration file. After the file is created, an authorized administrator can use the CLI to perform additional configuration. Performing Basic System Management in [6] describes how to use Setup to build a basic configuration and to make configuration changes. The following items must be noted during setup:
It should be noted that the account created during the initial installation of the TOE is considered the privileged administrator and has been granted access to all commands on the TOE.
The term “authorized administrator” is used in this document to refer to any administrator that has successfully authenticated to the switch and has access to the appropriate privileges to perform the requested functions.
Refer to the IOS Command Reference Guide for available commands, associated roles and privilege levels as used in the example above [3] [6] [8] [13].
1 – Enable Secret – The password must adhere to the password complexity requirements as described in the relevant section below in this document. This command ensures that the enable password is not stored in plain text. To configure, use the enable secret 5 command as described in Cisco IOS Security Command Reference: Commands D to L -> E -> enable secret [8]. Note that this setting can be confirmed after initial configuration is complete by examining the configuration file and looking for “enable secret 5”.
2 – Enable Password – The password must adhere to the password complexity requirements as described in the relevant section below in this document. This command is used to control access to various privilege levels. See above how access is controlled when this command has been configured. Note that this password should be set to something different than the enable secret password. To configure refer to Cisco IOS Security Command Reference: Commands D to L -> E -> enable password [8].
3 – Virtual Terminal Password – Must adhere to the password complexity requirements. Note that securing the virtual terminal (or vty) lines with a password in the evaluated configuration is suggested, though not a requirement for the evaluated configuration. This password allows access to the device through only the console port. Later in this guide, steps will be given to allow ssh into the vty lines. Reference password (line configuration) in Cisco IOS Security Command Reference: Commands M to R -> pac key through port-misuse -> password (line configuration) [8].
4 – Configure SNMP Network Management – No (this is the default). Note that this setting can be confirmed after configuration is complete by examining the configuration file to ensure that there is no “snmp-server” entry. To ensure there is no snmp server agent running, use the “no snmp-server” command as described in Configuring SNMP -> Disabling the SNMP Agent [3]. Note, in the evaluated configuration, SNMP should remain disabled.
3.2.2 Saving Configuration
IOS uses both a running configuration and a startup configuration. Configuration changes affect the running configuration; in order to save that configuration, the running configuration (held in memory) must be copied to the startup configuration. This may be achieved by either using the write memory command or the copy system:running-config nvram:startup-config command. These commands should be used frequently when making changes to the configuration of the Router. If the Router reboots and resumes operation when uncommitted changes have been made, these changes will be lost and the Router will revert to the last configuration saved.
3.2.3 Enabling FIPS Mode
The TOE must be run in the FIPS mode of operation. The use of the cryptographic engine in any other mode was not evaluated nor tested during the CC evaluation of the TOE. This is done by setting the following in the configuration:
The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the ROMMON command line enter the following:
confreg 0x0102
The self-tests for the cryptographic functions in the TOE are run automatically during power-on as part of the POST. The same POST self-tests for the cryptographic operations can also be executed manually at any time by the privileged administrator using the command:
test crypto self-test
If any of the self-tests fail, the TOE transitions into an error state. In the error state, all secure data transmission is halted and the TOE outputs status information indicating the failure.
3.2.4 Administrator Configuration and Credentials
The ISR-4400 must be configured to use a username and password for each administrator and one password for the enable command. Ensure all passwords are stored encrypted by using the following command:
TOE-common-criteria(config)# service password-encryption
Configure local AAA authentication:
TOE-common-criteria(config)# aaa authentication login default local
TOE-common-criteria(config)# aaa authorization exec default local
When creating administrator accounts, all individual accounts are to be set to a privilege level of one. This is done by using the following commands:
TOE-common-criteria(config)# username <name> password <password>
to create a new username and password combination, and
TOE-common-criteria(config)# username <name> privilege 1
to set the privilege level of <name> to 1.
3.2.5 Session Termination
Inactivity settings must trigger termination of the administrator session. These settings are configurable by setting:
TOE-common-criteria(config)# line vty <first> <last>
TOE-common-criteria(config-line)# exec-timeout <time>
TOE-common-criteria(config-line)# line console 0
TOE-common-criteria(config-line)# exec-timeout <time>
To save these configuration settings to the startup configuration:
copy run start
where first and last are the range of vty lines on the box (i.e. “0 4”), and time is the period of inactivity after which the session should be terminated. Configuration of these settings is limited to the privileged administrator (see Section 4.1).
The line console setting is not immediately activated for the current session. The current console session must be exited. When the user logs back in, the inactivity timer will be activated for the new session.
3.2.6 User Lockout
User accounts must be configured to lockout after a specified number of authentication failures:
TOE-common-criteria(config)# aaa local authentication attempts max-fail [number of failures]
where number of failures is the number of consecutive failures that will trigger locking of the account. Configuration of these settings is limited to the privileged administrator (see Section 4.1). Related commands:
clear aaa local user fail-attempts [username username | all]
Clears the unsuccessful login attempts of the user.
clear aaa local user lockout username [username]
Unlocks the locked-out user.
show aaa local user lockout
Displays a list of all locked-out users.
Note: this lockout only applies to privilege 14 users and below.
Note: this applies to consecutive failures, and is not affected by the SSH or Telnet session disconnections after their default number of failures. In other words, if this lockout command is set to 5 failures, and SSH disconnects after 3 failed attempts, if the user attempts another SSH session and enters the wrong credentials two additional times, the account will lock.
3.3 Network Protocols and Cryptographic Settings
Telnet for management purposes is enabled by default and must be disabled in the evaluated configuration. To only allow ssh for remote administrator sessions, use the transport input ssh command. This command disables telnet by only allowing ssh connections for remote administrator access.
3.3.1 Remote Administration Protocols
3.3.1.1 Steps to configure SSH on router
1. Generate RSA key material – choose a longer modulus length for more secure keys (i.e., 1024); ex.
TOE-common-criteria(config)# crypto key generate rsa
How many bits in the modulus [512]: 2048
RSA keys are generated in pairs: one public RSA key and one private RSA key. This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Note: If the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the router.
Note: to delete a key, an administrator may use the crypto key zeroize <label> command.
2. Enable ssh
TOE-common-criteria(config)# ip ssh authentication-retries 2
3. Configure ssh timeout
TOE-common-criteria(config)# ip ssh time-out 60
4. Set to use SSH v2
TOE-common-criteria(config)# ip ssh version 2
5. Ensure that the product is configured not to support diffie-hellman-group1-sha1 key exchange using the following command:
TOE-common-criteria(config)# ip ssh dh min size 2048
In addition, configure your ssh client for dh-group-14. In Putty, configure the SSH client to support only diffie-hellman-group14-sha1 key exchange. To configure Putty, do the following:
Go into Putty Configuration: select Connection > SSH > Kex; under Algorithm selection policy, move Diffie-Hellman group 14 to the top of the list;
Move the “warn below here” option to right below DH group14.
6. Configure vty lines to accept ‘ssh’ login services
TOE-common-criteria(config-line)# transport input ssh
7. Configure a SSH client to support only the following specific encryption algorithms: AES-CBC-128 and AES-CBC-256
peer#ssh -l cisco -c aes128-cbc 1.1.1.1
peer#ssh -l cisco -c aes256-cbc 1.1.1.1
8. Configure a SSH client to support message authentication. Only the following MACs are allowed and “None” for MAC is not allowed:
a. hmac-sha1
b. hmac-sha1-96
peer#ssh -l cisco -m hmac-sha1-160 1.1.1.1
peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1
9. To verify the proper encryption algorithms are used for established connections, use the
show ssh sessions command:
TOE-common-criteria# show ssh sessions
Note: To disconnect SSH sessions, use the ssh disconnect command:
TOE-common-criteria# ssh disconnect
10. Configure the SSH rekey time-based rekey and volume-based rekey values (values can be
configured to be lower than the default values if a shorter interval is desired):
a. ip ssh rekey time 60 b. ip ssh rekey volume 1000000
11. HTTP and HTTPS servers were not evaluated and must be disabled:
TOE-common-criteria(config)# no ip http server TOE-common-criteria(config)# no ip http secure-server
12. SNMP server was not evaluated and must be disabled:
TOE-common-criteria(config)# no snmp-server
Recovery from an event where the connection is unintentionally broken is to follow the steps to establish a connection as listed above.
3.3.2 Authentication Server Protocols
RADIUS (outbound) for authentication of TOE administrators to remote authentication servers is disabled by default but should be enabled by administrators in the evaluated configuration.
To configure RADIUS refer to [5]. Use best practices for the selection and protection of a key to ensure that the key is not easily guessable and is not shared with unauthorized users.
These protocols are to be tunneled over an IPsec connection in the evaluated configuration. The instructions for setting up this communication are the same as those for protecting communications with a syslog server, detailed in Section 3.3.5 below.
3.3.3 Logging Configuration
1. Logging of command execution must be enabled:
TOE-common-criteria(config)# archive
TOE-common-criteria(config)# no logging console
TOE-common-criteria(config-archive)# log config
TOE-common-criteria(config-archive-log-cfg)# logging enable
TOE-common-criteria(config-archive-log-cfg)# hidekeys
TOE-common-criteria(config-archive-log-cfg)# notify syslog
TOE-common-criteria(config-archive-log-cfg)# exit
TOE-common-criteria(config-archive)# exit
2. Add the year to the timestamp:
TOE-common-criteria(config)# service timestamps log datetime year
3. Enable any required debugging. Debugging is needed for radius (if used), isakmp (if using ikev1), ipsec, ikev2 (if using ikev2), and ntp to generate the events required in the Security Target; however, administrators should use discretion when enabling a large number of debugs on an on-going basis:
TOE-common-criteria# debug radius authentication
TOE-common-criteria# debug crypto isakmp
TOE-common-criteria# debug crypto ipsec
TOE-common-criteria# debug crypto ikev2
TOE-common-criteria# debug ntp all
4. Set the size of the logging buffer. It is recommended to set it to at least 150000000:
TOE-common-criteria(config)# logging buffer 150000000
5. To generate logging messages for failed and successful login attempts in the evaluated configuration, issue the login on-failure and login on-success commands:
TOE-common-criteria(config)# login on-failure log
TOE-common-criteria(config)# login on-success log
6. To configure the logs to be sent to a syslog server:
TOE-common-criteria(config)# logging host <ip address of syslog server>
Ex. TOE-common-criteria(config)# logging host 192.168.202.169
7. To specify the severity level for logging to the syslog host, use the logging trap command. Level 7 will send all logs required in the evaluation, up to the debug-level logs (as enabled in step 3 above), to the syslog server:
TOE-common-criteria(config)# logging trap 7
WARNING: this setting has the ability to generate a large number of events that could affect the performance of your device, network, and syslog host.
8. To configure the syslog history table, use the logging history command. The severity levels are numbered 0 through 7, with 0 being the highest severity level and 7 being the lowest severity level (that is, the lower the number, the more critical the message). Specifying a level causes messages at that severity level and numerically lower levels to be stored in the router's history table. To change the number of syslog messages stored in the router's history table, use the logging history size global configuration command. The range of messages that can be stored is 1-500. When the history table is full (that is, it contains the maximum number of message entries specified with the logging history size command), the oldest message entry is deleted from the table to allow the new message entry to be stored.
TOE-common-criteria(config)# logging history <level>
TOE-common-criteria(config)# logging history size <number>
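A practical way to confirm that a router actually carries the settings from steps 2 through 12 of Section 3.3.1 and steps 1 through 7 of Section 3.3.3 is to audit a saved copy of its running-config rather than reading it by eye. The checker below is an added example written for this guide, not Cisco code, and it runs offline on a constructed configuration excerpt. It assumes that IOS displays logging trap 7 as logging trap debugging and logging buffer N as logging buffered N, so both spellings are accepted; the hostname-free sample config, the syslog address and the finding strings are all constructed.

```python
import re

# Global lines that must be present in the running-config (Sections 3.3.1 and 3.3.3).
REQUIRED_GLOBAL = (
    "ip ssh version 2",
    "ip ssh dh min size 2048",
    "ip ssh time-out 60",
    "ip ssh authentication-retries 2",
    "ip ssh rekey time 60",
    "ip ssh rekey volume 1000000",
    "no ip http server",
    "no ip http secure-server",
    "no logging console",
    "service timestamps log datetime year",
    "login on-failure log",
    "login on-success log",
)
# Assumption: IOS displays 'logging trap 7' as 'logging trap debugging'; accept both.
TRAP_OK = {"logging trap 7", "logging trap debugging"}
# Sub-mode lines required under 'archive' (flattened from 'archive / log config').
REQUIRED_ARCHIVE = ("log config", "logging enable", "hidekeys", "notify syslog")
MIN_LOG_BUFFER = 150_000_000


def parse_sections(config):
    """Group an IOS config into {top-level line: [indented child lines]}.
    IOS indents sub-mode lines with leading spaces and uses '!' as a separator."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = set(sections)
    findings = [f"missing: {line}" for line in REQUIRED_GLOBAL if line not in top]
    if not top & TRAP_OK:
        findings.append("missing: logging trap 7")
    if not any(line.startswith("logging host ") for line in top):
        findings.append("missing: logging host <syslog server>")
    # Assumption: 'logging buffer N' is stored as 'logging buffered N'.
    sizes = [int(m.group(1)) for line in top
             if (m := re.match(r"logging buffer(?:ed)? (\d+)$", line))]
    if not sizes or max(sizes) < MIN_LOG_BUFFER:
        findings.append(f"logging buffer must be at least {MIN_LOG_BUFFER}")
    archive = set(sections.get("archive", ()))
    findings += [f"missing under archive: {l}" for l in REQUIRED_ARCHIVE if l not in archive]
    # Every vty block must allow SSH as the only inbound transport.
    for name, children in sections.items():
        if name.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{name}: transport input must be 'ssh' only")
    # SNMP was not evaluated, so any snmp-server line is a finding.
    findings += [f"forbidden: {l}" for l in sorted(top) if l.startswith("snmp-server")]
    return findings


# Constructed running-config excerpt that satisfies every check above.
COMPLIANT_CONFIG = """\
service timestamps log datetime year
no logging console
archive
 log config
  logging enable
  hidekeys
  notify syslog
login on-failure log
login on-success log
logging buffered 150000000
logging trap debugging
logging host 192.168.202.169
no ip http server
no ip http secure-server
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh dh min size 2048
ip ssh rekey time 60
ip ssh rekey volume 1000000
line vty 0 4
 login local
 transport input ssh
"""
# Constructed variant with three deviations: DH minimum missing, telnet allowed, SNMP present.
NONCOMPLIANT_CONFIG = (
    COMPLIANT_CONFIG
    .replace("ip ssh dh min size 2048\n", "")
    .replace(" transport input ssh", " transport input telnet ssh")
    .replace("no ip http server", "snmp-server community example RO\nno ip http server")
)

if __name__ == "__main__":
    for cfg in (COMPLIANT_CONFIG, NONCOMPLIANT_CONFIG):
        print(audit(cfg) or ["all checks passed"])
```

Feed it the output of show running-config saved to a file; a non-empty list is the set of deviations from the evaluated configuration. Checks that apply per vty block are evaluated for every line vty section, so an extra block that still permits telnet is reported separately.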
3.3.4 Usage of Embedded Event Manager
In order to ensure that all commands executed by a level 15 user are captured in a syslog record, the following Cisco Embedded Event Manager script can be used. Enter it at the CLI as follows:
Switch(config)# event manager applet cli_log
Switch(config-applet)# event cli pattern ".*" sync yes
Switch(config-applet)# action 1.0 info type routername
Switch(config-applet)# action 2.0 if $_cli_privilege gt "0"
Switch(config-applet)# action 3.0 syslog msg "host[$_info_routername] user[$_cli_username] port[$_cli_tty] exec_lvl[$_cli_privilege] command[$_cli_msg] Executed"
Switch(config-applet)# action 4.0 end
Switch(config-applet)# action 5.0 set _exit_status "1"
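The records the applet's action 3.0 line emits are only useful if the syslog collector can take them apart. The parser below is an added example, not Cisco's code: it extracts the bracketed fields from each cli_log message and flags privilege-15 commands that would remove the logging settings from Section 3.3.3 or the applet itself. The sample lines, the %HA_EM-6-LOG facility prefix assumed for EEM applet messages, and the watch list of commands are all constructed.

```python
import re

# Constructed sample syslog lines in the shape the cli_log applet's
# "action 3.0 syslog msg" produces. The "%HA_EM-6-LOG: cli_log:" prefix is an
# assumption about how EEM labels applet messages; the last line is an
# unrelated message that the parser must ignore.
SAMPLE_LOG = """\
Jan 12 2017 10:15:01: %HA_EM-6-LOG: cli_log: host[ISR4451-A] user[admin] port[tty2] exec_lvl[15] command[configure terminal] Executed
Jan 12 2017 10:15:09: %HA_EM-6-LOG: cli_log: host[ISR4451-A] user[admin] port[tty2] exec_lvl[15] command[no logging host 192.168.202.169] Executed
Jan 12 2017 10:16:30: %HA_EM-6-LOG: cli_log: host[ISR4451-A] user[operator] port[tty3] exec_lvl[1] command[show version] Executed
Jan 12 2017 10:17:00: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Matches the bracketed fields; 'command' is greedy so a command containing
# ']' is still captured up to the trailing " Executed".
FIELD_RE = re.compile(
    r"host\[(?P<host>[^\]]*)\] user\[(?P<user>[^\]]*)\] "
    r"port\[(?P<port>[^\]]*)\] exec_lvl\[(?P<exec_lvl>\d+)\] "
    r"command\[(?P<command>.*)\] Executed$"
)

# Constructed watch list: commands that undo the Section 3.3.3 logging setup
# or remove this applet. Anchored at the start so 'show logging' is not hit.
AUDIT_TAMPER = tuple(re.compile(p) for p in (
    r"^no\s+logging\b",
    r"^no\s+archive\b",
    r"^no\s+login\s+on-(failure|success)\b",
    r"^no\s+event\s+manager\s+applet\s+cli_log\b",
))


def parse_cli_log(text):
    """Return one dict per cli_log record found in text; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["exec_lvl"] = int(rec["exec_lvl"])
        records.append(rec)
    return records


def flag_audit_tampering(records):
    """Return records where a level-15 user ran a command on the watch list."""
    return [
        r for r in records
        if r["exec_lvl"] >= 15 and any(p.match(r["command"]) for p in AUDIT_TAMPER)
    ]


if __name__ == "__main__":
    for r in flag_audit_tampering(parse_cli_log(SAMPLE_LOG)):
        print(f"{r['host']}: {r['user']} on {r['port']} ran '{r['command']}'")
```

Because the applet records the command before it executes, a flagged "no logging host" entry is the last record the collector will see from that router about the change, which is exactly why the alert belongs on the collector rather than on the device.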