cisco 5940 series embedded services router security target · 2011. 12. 15. · cisco 5940 series...
TRANSCRIPT
-
Cisco 5940 Series Embedded Services Router
Security Target
Revision 1.0
May 2011
-
Cisco 5940 Series Embedded Services Router ST May 2011
2
Table of Contents
1 SECURITY TARGET INTRODUCTION ............................................................................. 6
1.1 ST and TOE Reference ........................................................................................ 6
1.2 Acronyms and Abbreviations ............................................................................... 6
1.3 TOE Overview ..................................................................................................... 7
1.3.1 TOE Product Type ........................................................................................ 7
1.3.2 Supported non-TOE Hardware/ Software/ Firmware ................................... 8
1.4 TOE DESCRIPTION ........................................................................................... 9
1.5 Physical Scope of the TOE................................................................................... 9
1.6 Logical Scope of the TOE .................................................................................... 9
1.6.1 Identification and Authentication ............................................................... 10
1.6.2 Secure Management .................................................................................... 10
1.6.3 Information Flow Control ........................................................................... 11
1.6.4 Intrusion Prevention Services ..................................................................... 12
1.6.5 Cryptography .............................................................................................. 12
1.6.6 Secure Auditing .......................................................................................... 13
1.7 TOE Evaluated Configuration ............................................................................ 13
1.7.1 Excluded Functionality ............................................................................... 14 2 Conformance Claims ............................................................................................................. 15
2.1 Common Criteria Conformance Claim .............................................................. 15
2.2 Protection Profile Conformance ......................................................................... 15
2.2.1 Protection Profile Refinements ................................................................... 15
2.2.2 Protection Profile Additions ....................................................................... 15
2.3 Protection Profile Conformance Claim Rationale .............................................. 16
2.3.1 TOE Appropriateness.................................................................................. 16
2.3.2 TOE Security Problem Definition Consistency .......................................... 17
2.3.3 Statement of Security Objectives Consistency ........................................... 18
2.3.4 Statement of Security Requirements Consistency ...................................... 19 3 SECURITY PROBLEM DEFINITION ................................................................................ 22
3.1 Assumptions ....................................................................................................... 22
3.2 Threats ................................................................................................................ 22
3.3 Organizational Security Policies ........................................................................ 24 4 SECURITY OBJECTIVES ................................................................................................... 25
4.1 Security Objectives for the TOE ........................................................................ 25
4.2 Security Objectives for the Environment ........................................................... 26 5 SECURITY REQUIREMENTS ........................................................................................... 27
5.1 Conventions ........................................................................................................ 27
5.2 TOE Security Functional Requirements ............................................................ 27
5.3 SFRs Drawn from pp_fw_tf_br_v1.1................................................................. 28
5.3.1 Security audit (FAU)................................................................................... 28
5.3.2 Cryptographic Support (FCS) ..................................................................... 30
5.3.3 User data protection (FDP) ......................................................................... 30
5.3.4 Identification and authentication (FIA) ...................................................... 32
5.3.5 Security management (FMT) ...................................................................... 33
5.3.6 Protection of the TSF (FPT) ....................................................................... 34
-
Cisco 5940 Series Embedded Services Router ST May 2011
3
5.4 SFRs in addition to the SFRs found in pp_fw_tf_br_v1.1 ................................. 34
5.4.1 Cryptographic Support (FCS) ..................................................................... 34
5.4.2 User data protection (FDP) ......................................................................... 38
5.4.3 Security management (FMT) ...................................................................... 40
5.4.4 Trusted Path/Channel (FTP) ....................................................................... 40
5.4.5 IDS Component Requirements (IDS) ......................................................... 41
5.5 TOE SFR Dependencies Rationale for SFRs Found in pp_fw_tf_br_v1.1........ 43
5.6 TOE SFR Dependencies for SFRs in addition to the SFRs found in
pp_fw_tf_br_v1.1.......................................................................................................... 43
5.7 Security Assurance Requirements ...................................................................... 44
5.7.1 SAR Requirements...................................................................................... 44
5.7.2 Security Assurance Requirements Rationale .............................................. 45
5.8 Assurance Measures ........................................................................................... 45 6 TOE Summary Specification ................................................................................................ 46
6.1 TOE Security Functional Requirement Measures .............................................. 46
6.2 TOE Bypass and interference/logical tampering Protection Measures .............. 53 7 RATIONALE ........................................................................................................................ 55
7.1 Rationale for TOE Security Objectives .............................................................. 55
7.2 Rationale for the Security Objectives for the Environment ............................... 57
7.3 Rationale for requirements/TOE Objectives ...................................................... 57 Annex A: References ..................................................................................................................... 63
-
Cisco 5940 Series Embedded Services Router ST May 2011
4
List of Tables
Table 1: ST and TOE Identification ................................................................................... 6
Table 2: Acronyms .............................................................................................................. 6
Table 3: IT Environment Components ............................................................................... 8
Table 4: TOE Provided Cryptography ............................................................................. 12
Table 5: Excluded Functionality ...................................................................................... 14
Table 6: Protection Profiles .............................................................................................. 15
Table 7: Protection Profile Refinements ........................................................................... 15
Table 8: Protection Profile Threat Additions .................................................................... 17
Table 9: Protection Profile Security Objective Additions ................................................ 18
Table 10: Protection Profile Security Functional Requirement Additions and Refinements
........................................................................................................................................... 19
Table 11: TOE Assumptions ............................................................................................. 22
Table 12: Threats .............................................................................................................. 22
Table 13: Security Objectives for the TOE....................................................................... 25
Table 14: Security Objectives for the Environment ......................................................... 26
Table 15: Security Functional Requirements .................................................................... 27
Table 16: Security Functional Requirements .................................................................... 29
Table 17: System Events ................................................................................................... 41
Table 18: Dependency Rationale ...................................................................................... 43
Table 19: Assurance Measures ......................................................................................... 44
Table 20: Assurance Measures ......................................................................................... 45
Table 21: How TOE SFRs Measures ................................................................................ 46
Table 22: Threat/Policies/Objectives Mappings ............................................................... 55
Table 23: Threat/Policies/TOE Objectives Rationale ....................................................... 55
Table 24: Threats/Environment Objectives Mappings ..................................................... 57
Table 25: Assumptions/Threats/Objectives Rationale ...................................................... 57
Table 26: Objective to Requirements Mappings .............................................................. 58
Table 27: Objectives to Requirements Rationale.............................................................. 59
Table 28: References......................................................................................................... 63
-
Cisco 5940 Series Embedded Services Router ST May 2011
5
DOCUMENT INTRODUCTION
Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134
This document provides the basis for an evaluation of a specific Target of Evaluation
(TOE), the Cisco 5940 Series Embedded Services Router. This Security Target (ST)
defines a set of assumptions about the aspects of the environment, a list of threats that the
product intends to counter, a set of security objectives, a set of security requirements, and
the IT security functions provided by the TOE which meet the set of requirements.
-
Cisco 5940 Series Embedded Services Router ST May 2011
6
1 SECURITY TARGET INTRODUCTION
The Security Target contains the following sections:
♦ Security Target Introduction [Section 1]
♦ Conformance Claims [Section 2]
♦ Security Problem Definition [Section 3]
♦ Security Objectives [Section 4]
♦ IT Security Requirements [Section 5]
♦ TOE Summary Specification [Section 6]
♦ Rationale [Section 7]
The structure and content of this ST comply with the requirements specified in the
Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter 4.
1.1 ST and TOE Reference
This section provides information needed to identify and control this ST and its TOE.
Table 1: ST and TOE Identification
ST Title Cisco 5940 Series Embedded Services Router Security Target
ST Version 1.0
Publication Date May 2011
Vendor and ST Author Cisco Systems, Inc.
TOE Reference Cisco 5940 Series Embedded Services Router
TOE Hardware Models conduction cooled processor module; air cooled processor module
TOE Software Version IOS 15.1(2)GC1
ST Evaluation Status In Evaluation
Keywords Switch, Data Protection, Authentication, Firewall, IDS
1.2 Acronyms and Abbreviations
The following acronyms and abbreviations are used in this Security Target:
Table 2: Acronyms
Acronyms /
Abbreviations
Definition
AAA Administration, Authorization, and Accounting
AES Advanced Encryption Standard
CC Common Criteria for Information Technology Security Evaluation
CEM Common Evaluation Methodology for Information Technology Security
CM Configuration Management
cPCI Compact Peripheral Component Interconnect
DHCP Dynamic Host Configuration Protocol
EAL Evaluation Assurance Level
HTTPS Hyper-Text Transport Protocol Secure
IPS Intrusion Prevention System
ISR Integrated Service Router
IT Information Technology
-
Cisco 5940 Series Embedded Services Router ST May 2011
7
Acronyms /
Abbreviations
Definition
J2 A pin connection type for the backplanes of PCI cards. Not an acronym.
JTAG Joint Test Action Group
OS Operating System
PCI Peripheral Component Interconnect
PP Protection Profile
pp_fw_tf_br_v1.1 U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness
Environments
RJ-45 Registered Jack 45
SHS Secure Hash Standard
SSH Secure Shell
ST Security Target
TCP Transport Control Protocol
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Function
TSP TOE Security Policy
WAN Wide Area Network
WIC WAN Interface Card
1.3 TOE Overview
The Cisco 5940 Series Embedded Services Router TOE is a purpose-built, routing
platform that includes firewall, Intrusion Prevention, and VPN functionality. The firewall
functionality included within the TOE provides the functionality specified in the U.S.
Government Protection Profile for Traffic Filter Firewall in Basic Robustness
Environments. The TOE includes one router module that can operate in any CompactPCI
(cPCI) 3 unit (3U) chassis.
1.3.1 TOE Product Type
The Cisco 5940 Series Embedded Services Router is a router platform that provides
connectivity and security services onto a single, secure device. The flexible, compact
form factor of these routers, complemented by Cisco IOS® Software, provides highly
secure data, voice, and video communications to stationary and mobile network nodes
across wired links.
In support of the routing capabilities, the Cisco 5940 Series Embedded Services Router
provides IPSec connection capabilities for VPN enabled clients connecting through the
Cisco 5940 Series Embedded Services Router. The Cisco 5940 Series Embedded
Services Router is also compatible with the GET VPN (using GDOI).
The Cisco 5940 Series Embedded Services Router also supports firewall capabilities
consistent with the U.S. Government Protection Profile for Traffic Filter Firewall in
Basic Robustness Environments. The Cisco 5940 Series Embedded Services Router is a
3U (cPCI) router module solution for protecting the network. The firewall capabilities
provided by the TOE are provided via a stateful packet filtering firewall. A stateful
packet filtering firewall controls the flow of IP traffic by matching information contained
in the headers of connection-oriented or connection-less IP packets against a set of rules
-
Cisco 5940 Series Embedded Services Router ST May 2011
8
specified by the authorized administrator for firewalls. This header information includes
source and destination host (IP) addresses, source and destination port numbers, and the
transport service application protocol (TSAP) held within the data field of the IP packet.
Depending upon the rule and the results of the match, the firewall either passes or drops
the packet. The stateful firewall remembers the state of the connection from information
gleaned from prior packets flowing on the connection and uses it to regulate current
packets. The packet will be denied if the security policy is violated.
In addition to IP header information, the TOE mediates information flows on the basis of
other information, such as the direction (incoming or outgoing) of the packet on any
given firewall network interface. For connection-oriented transport services, the firewall
either permits connections and subsequent packets for the connection or denies the
connection and subsequent packets associated with the connection.
The TOE also includes on the 5940 Series Embedded Services Router modules a
network-based Intrusion Prevention System that monitors traffic in real-time. It can
analyze both the header and content of each packet. The TOE uses a rule-based expert
system to interrogate the packet information to determine the type of attack, be it simple
or complex.
1.3.2 Supported non-TOE Hardware/ Software/ Firmware
The TOE supports (in some cases optionally) the following hardware, software, and
firmware in its environment:
Table 3: IT Environment Components
Component Required Usage/Purpose Description for TOE performance Router Chassis Yes The host chassis for the router provides the power to the module as
well as directly connected Ethernet interfaces via a standard cPCI
backplane. The chassis selected can be any off –the-shelf chassis that
supports 3U cPCI cards.
Rear Transition
Module (RTM)
Yes The RTM supports Input/Ouput connectors through standard RJ-45
connectors, or any other cPCI compatible network connector. The
RTM can be any off-the-shelf module that is a cPCI form factor. It is
installed in the chassis directly opposite the card with which it is to be
used.
Management
Workstation with
SSH Client
Yes This includes any IT Environment Management workstation with a
SSH client installed that is used by the TOE administrator to support
TOE administration through SSH protected channels. Any SSH client
that supports SSH v2 may be used.
AAA Server Yes This includes any IT environment AAA server that provides single-
use authentication mechanisms. This can be any AAA server that
provides single-use authentication. The TOE correctly leverages the
services provided by this AAA server to provide single-use
authentication to administrators.
VPN Peer No This includes any peer with which the TOE participates in VPN
communications. VPN peers may be any device or software client
that supports IPSec v3 communications. Both VPN clients and VPN
gateways are considered VPN peers by the TOE.
NTP Server No The TOE supports communications with an NTP server. A solution
-
Cisco 5940 Series Embedded Services Router ST May 2011
9
Component Required Usage/Purpose Description for TOE performance must be used that supports MD5 hashing of communications with up
to a 32 character key.
Syslog Server Yes A syslog server with the capability to support TCP syslog
communications over an IPSec tunnel is required for use with the
TOE.
Certificate
Authority (CA)
No This includes any IT Environment Certificate Authority on the TOE
network. This can be used to provide the TOE with a valid certificate
during certificate enrollment for IKE authentication.
1.4 TOE DESCRIPTION
This section provides an overview of the Cisco 5940 Series Embedded Services Router
Target of Evaluation (TOE). The TOE is comprised of a single cPCI router module
running IOS 15.1(2)GC1.
1.5 Physical Scope of the TOE
The TOE is a hardware solution obtained from General Dynamics under OEM contract
running the IOS 15.1(2)GC1 software solution. The image name for the 5940 Series
Embedded Services Router TOE is c59xx-adventerprisek9-mz.SPA. The key components
on the board are:
• Freescale MPC8548E processor
• Marvell 88E1145 quad Ethernet transceiver
• Spansion S29GL01GP flash or Numonyx flash chip
Both an air-cooled and a conduction-cooled board exist. Aside from the differences
outlined below, they differ only in cooling mechanism.
The board provides the following external interfaces:
• Serial port.
o Via a connection on the J2 connector on the cPCI backplane on the conduction-cooled model and via direct access RJ-45 port or the J2
connector on the cPCI backplane on the card on the air-cooled model.
• Four Gigabit Ethernet ports, via connections on the J2 connector on the cPCI
backplane.
• PCI interface connection to the backplane. This PCI interface is used to connect to
the RTM
• PCI bus connection to the backplane. This PCI controller is disabled within the
IOS running on the TOE.
• JTAG header. The JTAG will be connected to the J2 connector on the cPCI
backplane. It is to be disabled in the evaluated configuration and not re-enabled.
1.6 Logical Scope of the TOE
The TOE is comprised of several security features. Each of the security features
identified above consists of several security functionalities, as identified below.
-
Cisco 5940 Series Embedded Services Router ST May 2011
10
1. Identification and Authentication
2. Secure Management
3. VPN and/or Firewall Information Flow Control
4. Intrusion Prevention Services
5. Cryptography
6. Secure Auditing
These features are described in more detail in the subsections below.
1.6.1 Identification and Authentication
The TOE performs two types of authentication: device-level authentication of the remote
device (VPN peers) and user authentication for the administrators of the TOE. Device-
level authentication allows the TOE to establish a secure channel with a trusted peer. The
secure channel is established only after each device authenticates itself. Device-level
authentication is performed via IKE v1/IPSec v3 mutual authentication. The TOE
provides authentication services for all administrators wishing to connect to the TOEs
secure CLI administrative interface. The TOE requires all administrators to authenticate
prior to being granted access to any of the management functionality.
The TOE facilitates single-use authentication for all administrators and external IT
entities attempting to connect to the TOE by invoking an external RADIUS AAA (IT
environment) to provide single-use authentication. The TOE provides single use
authentication to external IT entities through the use of IKE/IPSec mutual authentication.
1.6.2 Secure Management
The TOE provides secure administrative services for management of general TOE
configuration and the security functionality provided by the TOE. All TOE
administration occurs either through a secure SSH session, via terminal server (such as a
Cisco 2811), or via a local console connection. The TOE provides the ability to securely
manage all TOE administrators; all identification and authentication; all audit
functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained
by the TOE (including settings for an NTP server, if used as the timestamp source); TOE
configuration backup and recovery, and the information flow control policies enforced by
the TOE. The TOE supports two separate administrative roles that make up the
authorized administrator: non-privileged Administrator and privileged Administrator.
The TOE also supports external IT entities. These external IT entities are peer routers
that pass network control information (e.g., routing tables) to the TOE. Also included are
any other VPN peers with which the TOE exchanges information, including VPN clients
and VPN gateways.
Once a configured threshold of consecutive authentication failures is reached, the TOE
locks-out the administrator (either privileged or non-privileged) or external IT entity
attempting to log into the TOE until another administrator unlocks their account. No
-
Cisco 5940 Series Embedded Services Router ST May 2011
11
administrator can unlock their own account, therefore there should always be at least two
privileged administrators configured on the device.
1.6.3 Information Flow Control
1.6.3.1 Firewall Information Flow Control
The Cisco 5940 Series Embedded Services Router mediate information flows through the
TOE for unauthenticated information flows. The Information Control functionality of the
TOE allows privileged administrators to set up rules between interfaces of the TOE.
These rules control whether a packet is transferred from one interface to another and/or
transferred encrypted based upon:
1. Presumed address of source subject
2. Presumed address of destination subject
3. Service used
4. Transport layer protocol
5. Network interface on which the connection request occurs and is to depart
Packets will be dropped unless a specific rule or policy in an access control list (ACL)
has been set up to allow the packet to pass. The order of Access Control Entries (ACEs)
in an ACL is important. When the TOE decides whether to forward or drop a packet, the
TOE tests the packet against the ACE in the order in which the entries are listed. After a
match is found, no more ACEs are checked such that if the ACE at the beginning of the
ACL explicitly permits all traffic, no further ACEs are checked. Interface ACLs are
applied first before IPsec negotiations occur in the evaluated configuration.
The TOE ensures that all information flows from the TOE do not contain residual
information from previous traffic. Packets are padded with zeroes. Residual data is
never transmitted from the TOE.
1.6.3.2 VPN Information Flow Control
Cisco 5940 Series Embedded Services Router delivers VPN connections to remote
entities. The VPN process includes remote device authentication, negotiation of specific
cryptographic parameters for the session, and providing a secure connection to and from
the remote device. For inbound or outbound connections with external IT entities that are
capable of supporting VPN (e.g., a VPN Peer), the TOE will establish a secure
connection. For other inbound or outbound traffic a secure connection will not be
established.
1.6.3.3 VLAN Information Flow Control
Cisco 5940 Series Embedded Services Router allows VLAN connections to/from remote
entities. The TOE provides the ability to identify the VLAN the network traffic is
associated with. The TOE then permits or denies the network traffic based on the VLANs
-
Cisco 5940 Series Embedded Services Router ST May 2011
12
configured on the interface the network traffic is received /destined. This policy is
applied after the Firewall policy.
1.6.4 Intrusion Prevention Services
The Cisco 5940 Series Embedded Services Router IOS software Intrusion Prevention
System (IPS) operates as an in-line intrusion detection sensor, watching packets and
sessions as they flow through the router and scanning each packet to match any of the
Cisco IOS IPS signatures. When Cisco IOS IPS detects suspicious activity, it responds
before network security can be compromised and logs the event through Cisco IOS
syslog messages stored in the local buffer and then offloaded to an external syslog server.
The privileged administrator can configure Cisco IOS IPS to choose the appropriate
response to various threats. When packets in a session match a signature, Cisco IOS IPS
can take any of the following actions, as appropriate:
• Send an audit record to a syslog server or a management interface
• Drop the packet
• Reset the connection
• Deny traffic from the source IP address of the attacker for a specified amount of
time
• Deny traffic on the connection for which the signature was seen for a specified
amount of time
For inbound packets the IDS processing is done after firewall policies and then VPN
policies have been applied.
1.6.5 Cryptography
The TOE provides cryptography in support of other Cisco 5940 Series Embedded
Services Router security functionality. This cryptography has been validated for
conformance to the requirements of FIPS 140-2 Level 1. Further details regarding the
FIPS validation can be found in Certificate #1639. The TOE provides cryptography in
support of VPN connections and remote administrative management via SSH. The
cryptographic services provided by the TOE include
Table 4: TOE Provided Cryptography
Cryptographic Method Use within the TOE Internet Key Exchange Used to establish initial IPSec session.
ANSI X9.31 PRNG Used in IPSec session establishment.
AES Used to encrypt IPSec session traffic.
Used to encrypt SSH session traffic.
Group Domain of Interpretation Used in IPSec session establishment.
RSA IKE RSA authentication
DSA SSH host authentication, SSH client authentication
SHA256 IKE
-
Cisco 5940 Series Embedded Services Router ST May 2011
13
1.6.6 Secure Auditing
The Cisco 5940 Series Embedded Services Router provides extensive auditing
capabilities. The TOE can audit events related to cryptographic functionality, information
flow control enforcement, intrusion prevention, identification and authentication, and
administrative actions. The Cisco 5940 Series Embedded Services Router generates an
audit record for each auditable event. These events include a timestamp that can be
provided by the TOE or an optional NTP server in the operational environment. The
Cisco 5940 Series Embedded Services Router provides the privileged administrator with
a sorting and searching capability to improve audit analysis. The privileged administrator
configures auditable events, backs-up and manages audit data storage. The TOE provides
the privileged administrator with a local circular audit trail, also referred to as the Event
Store,and allows for configuration of offload of audit data via TCP syslog to a syslog
server in the operational environment so that audit events are not lost when the Event
Store reaches capacity and begins to overwrite old events.
1.7 TOE Evaluated Configuration
The following figure provides a visual depiction of an example TOE deployment. The
TOE boundary is surrounded with a dashed red line.
The previous figure includes the following:
♦ The 5940 TOE Model (both the conduction-cooled and air-cooled models are
pictured.)
-
Cisco 5940 Series Embedded Services Router ST May 2011
14
♦ IT Environment: Chassis and RTM
♦ IT Environment: (2) VPN Peers
♦ IT Environment: Management Workstation
♦ IT Environment: AAA Server
♦ IT Environment: NTP Server
♦ IT Environment: Syslog Server
1.7.1 Excluded Functionality
The following functional is excluded from the evaluation.
Table 5: Excluded Functionality
Excluded Functionality Exclusion Rationale Non-FIPS 140-2 mode of operation on the router. This mode of operation includes non-FIPS allowed
operations.
Telnet for management purposes. Telnet passes authentication credentials in clear
text. SSHv2 is to be used instead.
The exclusion of this functionality does not affect compliance to the U.S. Government
Protection Profile for Traffic Filter Firewall in Basic Robustness Environments.
-
Cisco 5940 Series Embedded Services Router ST May 2011
15
2 CONFORMANCE CLAIMS
2.1 Common Criteria Conformance Claim
The TOE and ST are compliant with the Common Criteria (CC) Version 3.1, Revision 3,
dated: July 2009.
The TOE and ST are EAL2 Augmented with ALC_FLR.2 Part 3 conformant.
The TOE and ST are CC Part 2 extended.
2.2 Protection Profile Conformance
This ST claims compliance to the following Common Criteria validated Protection Profiles:
Table 6: Protection Profiles
Protection Profile Version Date U.S. Government Protection Profile for Traffic Filter Firewall in Basic
Robustness Environments (pp_fw_tf_br_v1.1)
1.1 July 25, 2007
2.2.1 Protection Profile Refinements
The following table identifies the refinements made to the Protection Profile and provides
rationale for the refinement:
Table 7: Protection Profile Refinements
Refinement Rationale FAU_GEN.1 Refined to refer to the correct table number and to add an
additional event to the audit table.
FAU_SAR.1 Refined to clarify that privileged administrators are affected.
FMT_SMR.1 Refined to also address External IT entities and to clarify that both
privileged and non-privileged administrators are included.
FIA_ATD.1 Refined to also address External IT entities
FMT_MSA.3(1) Refined to specify the privileged administrator.
FMT_MOF.1 Refined to specify the privileged administrator and what a non-
privileged administrator is able to access.
The names of all of the Objectives on the Environment were changed from O.XXXXX to
OE.XXXXX in this ST.
2.2.2 Protection Profile Additions
The following threats were added to the TOE:
♦ T.UNAUTHORIZED_PEER
♦ T.EAVESDROP
♦ T.VPNMEDIAT
♦ T.VLAN
♦ T.NOHALT
♦ T.FALACT
♦ T.FALREC
-
Cisco 5940 Series Embedded Services Router ST May 2011
16
♦ T.FALASC
♦ T.MISUSE
♦ T.INADVE
♦ T.MISACT
♦ T.INTEGRITY
The following objectives were added to the TOE:
♦ O.CRYPTOGRAPHIC_ FUNCTIONS
♦ O.PEER_AUTHENTICATION
♦ O.INTEGRITY
♦ O.VPNMEDIAT
♦ O.VLAN
♦ O.IDSENS
♦ O.IDANLZ
♦ O.RESPON
The following requirements were added to the set of SFRs on the TOE:
♦ FCS_CKM.4
♦ FCS_COP_(EXT).1
♦ FCS_GDOI_(EXT).1
♦ FCS_IKE_(EXT).1
♦ FDP_IFC.1(2)
♦ FDP_IFF.1(2)
♦ FDP_IFC.1(3)
♦ FDP_IFF.1(3)
♦ FMT_MSA.3(2)
♦ FMT_MSA.3(3)
♦ FMT_SMF.1
♦ FTP_ITC.1
♦ FTP_TRP.1
♦ IDS_SDC_(EXT).1
♦ IDS_ANL_(EXT).1
♦ IDS_RCT_(EXT).1
♦ IDS_RDR_(EXT).1
♦ IDS_STG_(EXT).1
♦ IDS_STG_(EXT).2
2.3 Protection Profile Conformance Claim Rationale
2.3.1 TOE Appropriateness
The TOE provides all of the Traffic Filter Firewall functionality at a level of security
commensurate with that identified in the U.S. Government Protection Profile:
• U.S. Government Protection Profile for Traffic Filter Firewall in Basic
Robustness Environments (pp_fw_tf_br_v1.1)
-
Cisco 5940 Series Embedded Services Router ST May 2011
17
2.3.2 TOE Security Problem Definition Consistency
The Assumptions, Threats, and Organization Security Policies included in the Security
Target represent the Assumptions, Threats, and Organization Security Policies specified
in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness
Environments for which conformance is claimed verbatim. Several additional Threats are
also included. All concepts covered in the Protection Profile Security Problem Definition
are included in the Security Target. None of the additional Threats contradicts the
functionality specified in the Protection Profile. The additional Threats augment the
firewall functionality specified in the Protection Profiles and discuss additional TOE
functionality that is not addressed in the Protection Profile. The following table identifies
each additional Threat included in the ST and provides rationale for its inclusion in the
Security Target with regards to the claims Protection Profiles.
Table 8: Protection Profile Threat Additions
Threat/OSP Rationale T.UNAUTHORIZED_PEER This threat is associated with VPN functionality. The PP addresses
firewall functionality and not VPN functionality. This VPN
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.EAVESDROP This threat is associated with VPN functionality. The PP addresses
firewall functionality and not VPN functionality. This VPN
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.VPNMEDIAT This threat is associated with VPN functionality. The PP addresses
firewall functionality and not VPN functionality. This VPN
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.VLAN This threat is associated with VLAN functionality. The PP addresses
firewall functionality and not VLAN functionality. This VLAN
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.NOHALT
This threat is associated with IDS functionality. The PP addresses
firewall functionality and not IDS functionality. This IDS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.FALACT This threat is associated with IDS functionality. The PP addresses
firewall functionality and not IDS functionality. This IDS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.FALREC This threat is associated with IDS functionality. The PP addresses
firewall functionality and not IDS functionality. This IDS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.FALASC This threat is associated with IDS functionality. The PP addresses
firewall functionality and not IDS functionality. This IDS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.MISUSE This threat is associated with IDS functionality. The PP addresses
firewall functionality and not IDS functionality. This IDS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
-
Cisco 5940 Series Embedded Services Router ST May 2011
18
Threat/OSP Rationale T.INADVE This threat is associated with IDS functionality. The PP addresses
firewall functionality and not IDS functionality. This IDS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.MISACT This threat is associated with IDS functionality. The PP addresses
firewall functionality and not IDS functionality. This IDS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
T.INTEGRITY This threat is associated with VPN functionality. The PP addresses
firewall functionality and not VPN functionality. This VPN
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is claimed.
2.3.3 Statement of Security Objectives Consistency
The Security Objectives included in the Security Target represent the Security Objectives
specified in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic
Robustness Environments for which conformance is claimed verbatim. Several additional
Security Objectives are also included. All concepts covered in the Protection Profile’s
Statement of Security Objectives are included in the Security Target. None of the
additional Security Objectives contradicts the functionality specified in the Protection
Profile. The additional Security Objectives augment the firewall functionality specified
in the Protection Profiles and discuss additional TOE functionality that is not addressed
in the Protection Profile. The following table identifies each additional Security Objective
included in the ST and provides rationale for its inclusion in the Security Target with
regards to the claims Protection Profiles.
Table 9: Protection Profile Security Objective Additions
Security Objective Rationale O.CRYPTOGRAPHIC_ FUNCTIONS This Security Objective augments the cryptographic functionality
discussed in the PP for which conformance is claimed. This policy
does not introduce any functionality that is inconsistent with the
cryptography specified in the PP for which conformance is claimed.
O.PEER_AUTHENTICATION This Security Objective is associated with VPN functionality. The PP
addresses firewall functionality and not VPN functionality. This VPN
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is
claimed.
O.INTEGRITY This Security Objective is associated with VPN functionality. The PP
addresses firewall functionality and not VPN functionality. This VPN
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is
claimed.
O.VPNMEDIAT This Security Objective is associated with VPN functionality. The PP
addresses firewall functionality and not VPN functionality. This VPN
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is
claimed.
O.VLAN This Security Objective is associated with VLAN functionality. The
PP addresses firewall functionality and not VLAN functionality. This
VLAN functionality provided to counter this threat does not contradict
-
Cisco 5940 Series Embedded Services Router ST May 2011
19
Security Objective Rationale any of the functionality required by the PP for which conformance is
claimed.
O.IDSENS
This Security Objective is associated with IPS functionality. The PP
addresses firewall functionality and not IPS functionality. This IPS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is
claimed.
O.IDANLZ
This Security Objective is associated with IPS functionality. The PP
addresses firewall functionality and not IPS functionality. This IPS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is
claimed.
O.RESPON
This Security Objective is associated with IPS functionality. The PP
addresses firewall functionality and not IPS functionality. This IPS
functionality provided to counter this threat does not contradict any of
the functionality required by the PP for which conformance is
claimed.
2.3.4 Statement of Security Requirements Consistency
The Security Functional Requirements included in the Security Target represent the
Security Functional Requirements specified in the U.S. Government Protection Profile
for Traffic Filter Firewall in Basic Robustness Environments for which conformance is
claimed verbatim. Several additional Security Functional Requirements are also included.
All concepts covered the Protection Profile’s Statement of Security Requirements are
included in the Security Target. Additionally, the Security Assurance Requirements
included in the Security Target are identical to the Security Assurance Requirements
included in each of the Protection Profiles. None of the additional Security Functional
Requirements contradicts the functionality specified in the Protection Profile. The
additional Security Functional Requirements augment the firewall functionality specified
in the Protection Profiles and discuss additional TOE functionality that is not addressed
in the Protection Profile. The following table identifies each additional Security
Functional Requirement included in the ST and provides rationale for its inclusion in the
Security Target with regards to the claims Protection Profiles.
Table 10: Protection Profile Security Functional Requirement Additions and Refinements
SFR Rationale FAU_GEN.1 This SFR was refined to add an additional event type to be audited and to refer
to the correct table within the requirement wording. This does not contradict
any claims in the PP or weaken the claimed security functionality.
FAU_SAR.1 This SFR was refined to clarify that this instance of “authorized
administrators” applies to privileged administrators. This does not contradict
any claims in the PP or weaken the claimed security functionality.
FMT_SMR.1 This SFR was refined to add a role used elsewhere in the PP SFRS: external
IT entities. This does not contradict any claims in the PP or weaken the
claimed security functionality.
FIA_ATD.1 This SFR was refined to add the authentication attributes for external IT
entities. This does not contradict any claims in the PP or weaken the claimed
security functionality.
FMT_MSA.3(1) This SFR was refined to clarify that this instance of “authorized
administrators” applies to only privileged administrators. This does not
-
Cisco 5940 Series Embedded Services Router ST May 2011
20
SFR Rationale contradict any claims in the PP or weaken the claimed security functionality.
FMT_MOF.1 This SFR was refined to clarify that this instance of “authorized
administrators” applies to privileged administrators. This does not contradict
any claims in the PP or weaken the claimed security functionality.
FCS_CKM.4 This SFR discusses the cryptographic key destruction. This functionality is not
discussed in the Protection Profile for which conformance is claimed.
Cryptographic key destruction does not contradict any of the cryptographic
functionality included in the PP.
FCS_COP_(EXT).1 This SFR discusses random number generation. This functionality is not
discussed in the Protection Profile for which conformance is claimed. Random
number generation does not contradict any of the cryptographic functionality
included in the PP.
FCS_GDOI_(EXT).1 This SFR discusses Group Domain of Interpretation. This functionality is not
discussed in the Protection Profile for which conformance is claimed. Group
Domain of Interpretation does not contradict any of the cryptographic
functionality included in the PP.
FCS_IKE_(EXT).1 This SFR discusses IKE Key establishment. This functionality is not discussed
in the Protection Profile for which conformance is claimed. IKE Key
Establishment does not contradict any of the cryptographic functionality
included in the PP.
FDP_IFC.1(2) This SFR discusses VPN functionality. This functionality is not discussed in
the Protection Profile for which conformance is claimed. VPN functionality
does not contradict any of the information flow control included in the PP.
FDP_IFF.1(2) This SFR discusses VPN functionality. This functionality is not discussed in
the Protection Profile for which conformance is claimed. VPN functionality
does not contradict any of the information flow control included in the PP.
FDP_IFC.1(3) This SFR discusses VLAN functionality. This functionality is not discussed in
the Protection Profile for which conformance is claimed. VLAN functionality
does not contradict any of the information flow control included in the PP.
FDP_IFF.1(3) This SFR discusses VLAN functionality. This functionality is not discussed in
the Protection Profile for which conformance is claimed. VLAN functionality
does not contradict any of the information flow control included in the PP.
FMT_MSA.3(2) This SFR discusses the required security attribute management associated with
VPN controls. The PP for which conformance is claimed does not address
VPN information flow. Therefore it does not address the management of the
security attributes associated with VPNs. This management functionality does
not contradict any of the functionality described in the PP for which
conformance is claimed.
FMT_SMF.1 This SFR discusses the overall security functions associated with secure
management of the TOE. While the PP does not include this SFR, the CCTL
requested its inclusion for consistency with other Security Target.
FTP_ITC.1 This SFR discusses protected communications between a remote syslog and
the TOE. This SFR complements the cryptographic requirements already
included in the SFR for management communications with the TOE. This SFR
does not introduce any functionality that is conflicting with the functionality
required by the PP for which conformance is claimed.
FTP_TRP.1 This SFR discusses trusted paths between a remote workstation and the TOE.
This SFR complements the cryptographic requirements already included in the
SFR for management communications with the TOE. This SFR does not
introduce any functionality that is conflicting with the functionality required
by the PP for which conformance is claimed.
IDS_SDC_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not
introduce any functionality that is conflicting with the functionality required
by the PP for which conformance is claimed.
-
Cisco 5940 Series Embedded Services Router ST May 2011
21
SFR Rationale IDS_ANL_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not
introduce any functionality that is conflicting with the functionality required
by the PP for which conformance is claimed.
IDS_RCT_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not
introduce any functionality that is conflicting with the functionality required
by the PP for which conformance is claimed.
IDS_RDR_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not
introduce any functionality that is conflicting with the functionality required
by the PP for which conformance is claimed.
IDS_STG_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not
introduce any functionality that is conflicting with the functionality required
by the PP for which conformance is claimed.
IDS_STG_(EXT).2 This SFR discusses IDS functionality on the TOE. This SFR does not
introduce any functionality that is conflicting with the functionality required
by the PP for which conformance is claimed.
-
Cisco 5940 Series Embedded Services Router ST May 2011
22
3 SECURITY PROBLEM DEFINITION This chapter identifies the following:
♦ Significant assumptions about the TOE’s operational environment
♦ IT related threats to the organization countered by the TOE
♦ Environmental threats requiring controls to provide sufficient protection
♦ Organizational security policies for the TOE as appropriate.
This document identifies assumptions as A.assumption with “assumption” specifying a
unique name. Threats are identified as T.threat with “threat” specifying a unique name.
3.1 Assumptions
The specific conditions listed in the following subsections are assumed to exist in the
TOE’s environment. These assumptions include both practical realities in the
development of the TOE security requirements and the essential environmental
conditions on the use of the TOE.
Table 11: TOE Assumptions
Assumption Assumption Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness
Environments
A.PHYSEC The TOE is physically secure.
A.LOWEXP The threat of malicious attacks aimed at discovering exploitable vulnerabilities is
considered low.
A.GENPUR There are no general-purpose computing capabilities (e.g., the ability to execute arbitrary
code or applications) and storage repository capabilities on the TOE.
A.PUBLIC The TOE does not host public data.
A.NOEVIL Authorized administrators are non-hostile and follow all administrator guidance; however,
they are capable of error.
A.SINGEN Information can not flow among the internal and external networks unless it passes through
the TOE.
A.DIRECT Human users within the physically secure boundary protecting the TOE may attempt to
access the TOE from some direct connection (e.g., a console port) if the connection is part
of the TOE.
A.NOREMO Human users who are not authorized administrators can not access the TOE remotely from
the internal or external networks.
A.REMACC Authorized administrators may access the TOE remotely from the internal and external
networks.
3.2 Threats
The following table lists the threats addressed by the TOE and the IT Environment. The
assumed level of expertise of the attacker for all the threats identified below is
unsophisticated.
Table 12: Threats
Threat Threat Definition
Threats addressed by the TOE
-
Cisco 5940 Series Embedded Services Router ST May 2011
23
Threat Threat Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness
Environments
T.NOAUTH An unauthorized person may attempt to bypass the security of the TOE so as to
access and use security functions and/or non-security functions provided by the
TOE.
T.REPEAT An unauthorized person may repeatedly try to guess authentication data in order
to use this information to launch attacks on the TOE.
T.REPLAY An unauthorized person may use valid identification and authentication data
obtained to access functions provided by the TOE.
T.ASPOOF An unauthorized person may carry out spoofing in which information flow
through the TOE into a connected network by using a spoofed source address.
T.MEDIAT An unauthorized person may send impermissible information through the TOE
which results in the exploitation of resources on the internal network.
T.OLDINF Because of a flaw in the TOE functioning, an unauthorized person may gather
residual information from a previous information flow or internal TOE data by
monitoring the padding of the information flows from the TOE.
T.PROCOM An unauthorized person or unauthorized external IT entity may be able to view,
modify, and/or delete security related information that is sent between a
remotely located authorized administrator and the TOE
T.AUDACC Persons may not be accountable for the actions that they conduct because the
audit records are not reviewed, thus allowing an attacker to escape detection.
T.SELPRO An unauthorized person may read, modify, or destroy security critical TOE
configuration data.
T.AUDFUL An unauthorized person may cause audit records to be lost or prevent future
records from being recorded by taking actions to exhaust audit storage capacity,
thus masking an attackers actions.
In addition to what is included in the U.S. Government Protection Profile for Traffic Filter Firewall in
Basic Robustness Environments
T.UNAUTHORIZED_PEER An unauthorized IT entity may attempt to establish a security association with
the TOE.
T.EAVESDROP A malicious user or process may observe or modify user or TSF data
transmitted to and from the TOE.
T.VPNMEDIAT An unauthorized person may send or receive unauthorized IPSec traffic through
the TOE which results in the exploitation of resources on the internal network.
T.VLAN An attacker may force a packet destined for one VLAN to cross into another
VLAN for which it is not authorized compromising the confidentiality and
integrity of information.
T.NOHALT
An unauthorized user may attempt to compromise the continuity of the System's
collection and analysis functions by halting execution of the TOE.
T.FALACT The TOE may fail to react to identified or suspected vulnerabilities or
inappropriate activity.
T.FALREC The TOE may fail to recognize vulnerabilities or inappropriate activity based on
IDS data received from each data source.
T.FALASC The TOE may fail to identify vulnerabilities or inappropriate activity based on
association of IDS data received from all data sources.
T.MISUSE Unauthorized accesses and activity indicative of misuse may occur on an IT
System the TOE monitors.
T.INADVE Inadvertent activity and access may occur on an IT System the TOE monitors.
T.MISACT Malicious activity, such as introductions of Trojan horses and viruses, may
occur on an IT System the TOE monitors.
T.INTEGRITY An attacker may compromise the integrity of IPSec traffic sent to/from the
TOE.
Threats addressed by the environment
-
Cisco 5940 Series Embedded Services Router ST May 2011
24
Threat Threat Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness
Environments
T.TUSAGE The TOE may be inadvertently configured, used and administered in an
insecure manner by either authorized or unauthorized persons.
3.3 Organizational Security Policies
An organizational security policy is a set of rules, practices, and procedures imposed by
an organization to address its security needs. This ST contains no claims for organizational security policies.
-
Cisco 5940 Series Embedded Services Router ST May 2011
25
4 SECURITY OBJECTIVES
This Chapter identifies the security objectives of the TOE and the IT Environment. The
security objectives identify the responsibilities of the TOE and the TOE’s IT environment
in meeting the security needs.
♦ This document identifies objectives of the TOE as O.objective with objective
specifying a unique name. Objectives that apply to the IT environment are
designated as OE.objective with objective specifying a unique name.
4.1 Security Objectives for the TOE
The following table, Security Objectives for the TOE, identifies the security objectives of
the TOE. These security objectives reflect the stated intent to counter identified threats
and/or comply with any security policies identified. An explanation of the relationship
between the objectives and the threats/policies is provided in the rationale section of this
document.
Table 13: Security Objectives for the TOE
TOE Objective TOE Security Objective Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness
Environments
O.IDAUTH The TOE must uniquely identify and authenticate the claimed identity of all
users, before granting a user access to TOE functions.
O.SINUSE The TOE must prevent the reuse of authentication data for users attempting to
authenticate at the TOE from a connected network.
O.MEDIAT The TOE must mediate the flow of all information from users on a connected
network to users on another connected network, and must ensure that residual
information from a previous information flow is not transmitted in any way.
O.SECSTA Upon initial start-up of the TOE or recovery from an interruption in TOE
service, the TOE must not compromise its resources or those of any connected
network.
O.ENCRYP The TOE must protect the confidentiality of its dialogue with an authorized
administrator through encryption, if the TOE allows administration to occur
remotely from a connected network.
O.SELPRO The TOE must protect itself against attempts by unauthorized users to bypass,
deactivate, or tamper with TOE security functions.
O.AUDREC The TOE must provide a means to record a readable audit trail of security-
related events, with accurate dates and times, and a means to search and sort
the audit trail based on relevant attributes.
O.ACCOUN The TOE must provide user accountability for information flows through the
TOE and for authorized administrator use of security functions related to audit.
O.SECFUN The TOE must provide functionality that enables an authorized administrator
to use the TOE security functions, and must ensure that only authorized
administrators are able to access such functionality.
O.LIMEXT The TOE must provide the means for an authorized administrator to control
and limit access to TOE security functions by an authorized external IT entity.
In addition to what is included in the U.S. Government Protection Profile for Traffic Filter Firewall in
Basic Robustness Environments
O.CRYPTOGRAPHIC_
FUNCTIONS
The TOE shall provide cryptographic functions to provide confidentiality for
TSF data that is transmitted to and from the TOE.
-
Cisco 5940 Series Embedded Services Router ST May 2011
26
TOE Objective TOE Security Objective Definition O.PEER_AUTHENTICATION The TOE will authenticate each peer TOE that attempts to establish a security
association with the TOE.
O.INTEGRITY The TOE must be able to protect the integrity of data transmitted to a peer via
encryption and provide IPSec authentication for such data. Upon receipt of
data from a peer, the TOE must be able to decrypt the data and verify that the
received data accurately represents the data that was originally transmitted.
O.VPNMEDIAT The TOE must mediate the flow of all IPSec traffic through the TOE and must
ensure that residual information from a previous IPSec traffic flow is not
transmitted in any way.
O.VLAN The TOE must provide a means for the logical separation of Virtual LANs to
ensure that packets flows are restricted to their authorized Virtual LANs
ensuring VLAN separation is achieved.
O.IDSENS
The Sensor must collect and store information about all events that are
indicative of inappropriate activity that may have resulted from misuse, access,
or malicious activity of IT System assets and the IDS.
O.IDANLZ The Analyzer must accept data from IDS Sensors and then apply analytical
processes and information to derive conclusions about intrusions (past, present,
or future).
O.RESPON The TOE must respond appropriately to analytical conclusions.
4.2 Security Objectives for the Environment
All of the assumptions stated in section 3.1 are considered to be security objectives for
the environment. The following are the Protection Profile non-IT security objectives,
which, in addition to those assumptions, are to be satisfied without imposing technical
requirements on the TOE. That is, they will not require the implementation of functions
in the TOE hardware and/or software. Thus, they will be satisfied largely through
application of procedural or administrative measures.
Table 14: Security Objectives for the Environment
Environment
Security Objective
IT Environment Security Objective Definition
Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness
Environments
A.PHYSEC The TOE is physically secure.
A.LOWEXP The threat of malicious attacks aimed at discovering exploitable vulnerabilities is
considered low.
A.GENPUR There are no general-purpose computing capabilities (e.g., the ability to execute
arbitrary code or applications) and storage repository capabilities on the TOE.
A.PUBLIC The TOE does not host public data.
A.NOEVIL Authorized administrators are non-hostile and follow all administrator guidance;
however, they are capable of error.
A.SINGEN Information can not flow among the internal and external networks unless it passes
through the TOE.
A.DIRECT Human users within the physically secure boundary protecting the TOE may
attempt to access the TOE from some direct connection (e.g., a console port) if the
connection is part of the TOE.
A.NOREMO Human users who are not authorized administrators can not access the TOE
remotely from the internal or external networks.
A.REMACC Authorized administrators may access the TOE remotely from the internal and
external networks.
-
Cisco 5940 Series Embedded Services Router ST May 2011
27
Environment
Security Objective
IT Environment Security Objective Definition
OE.GUIDAN The TOE must be delivered, installed, administered, and operated in a manner that
maintains security.
OE.ADMTRA Authorized administrators are trained as to establishment and maintenance of
security policies and practices.
In addition to what is included in the U.S. Government Protection Profile for Traffic Filter Firewall in
Basic Robustness Environments
OE.NTP The IT environment may be configured with an NTP server that is able to provide
reliable time to the TOE. The communications must be protected using MD5
hashing with up to a 32 character key.
OE.SYSLOG The IT environment must supply a syslog server capable of receiving TCP syslog
information over an IPSec tunnel.
5 SECURITY REQUIREMENTS
This section identifies the Security Functional Requirements for the TOE. The Security
Functional Requirements included in this section are derived from Part 2 of the Common Criteria
for Information Technology Security Evaluation, Version 3.1, Revision 3, dated: July 2009.
5.1 Conventions The CC defines operations on Security Functional Requirements: assignments, selections,
assignments within selections and refinements. This document uses the following font
conventions to identify the operations defined by the CC:
• Assignment: Indicated by showing the value in square brackets, [ assignment_value ];
• Refinement made by PP author: Indicated with bold text and strikethroughs, if necessary;
• Refinement made by ST author: Indicated with bold italicized text and strikethroughs, if
necessary;
• Selection: Indicated with italicized text;
• Iteration: Indicated by appending the iteration number in parenthesis, e.g., (1), (2), (3).
Explicitly stated SFRs are identified by having a label ‘(EXT)’ after the requirement name for
TOE SFRs.
5.2 TOE Security Functional Requirements
This section identifies the Security Functional Requirements for the TOE. The TOE Security
Functional Requirements that appear in the following table are described in more detail in the
following subsections.
Table 15: Security Functional Requirements
Functional Component
SFR Component ID Component Name Security Functional Requirements Drawn from pp_fw_tf_br_v1.1
FMT_SMR.1 Security roles
FIA_ATD.1 User attribute definition
FIA_UID.2 User identification before any action
-
Cisco 5940 Series Embedded Services Router ST May 2011
28
Functional Component FIA_UAU.1 Timing of authentication
FIA_AFL.1 Authentication failure handling
FIA_UAU.4 Single-use authentication mechanisms
FDP_IFC.1 (1) Subset information flow control
FDP_IFF.1 (1) Simple security attributes
FMT_MSA.3 (1) Static attribute initialization
FDP_RIP.1 Subset residual information protection
FCS_COP.1 Cryptographic operation
FAU_GEN.1 Audit data generation
FAU_SAR.1 Audit review
FAU_SAR.3 Selectable audit review
FAU_STG.1 Protected audit trail storage
FAU_STG.4 Prevention of audit data loss
FMT_MOF.1 Management of security functions behavior
FPT_STM.1 Reliable time stamps
SFRs in addition to the SFRs found in pp_fw_tf_br_v1.1
FCS_CKM.4 Cryptographic Key Destruction
FCS_COP_(EXT).1 Explicit: Random Number Generation
FCS_GDOI_(EXT).1 Group Domain of Interpretation
FCS_IKE_(EXT).1 Internet Key Exchange
FDP_IFC.1 (2) Subset information flow control
FDP_IFF.1 (2) Simple security attributes
FDP_IFC.1 (3) Subset information flow control
FDP_IFF.1 (3) Simple security attributes
FMT_MSA.3 (2) Static attribute initialization
FMT_MSA.3 (3) Static attribute initialization
FMT_SMF.1 Specification of Management Functions
FTP_ITC.1 Inter-TSF trusted channel
FTP_TRP.1 Trusted path
IDS_SDC_(EXT).1 System data collection
IDS_ANL_(EXT).1 Analyzer analysis
IDS_RCT_(EXT).1 Analyzer react
IDS_RDR_(EXT).1 Restricted data review
IDS_STG_(EXT).1 Guarantee of system data availability
IDS_STG_(EXT).2 Prevention of system data loss
5.3 SFRs Drawn from pp_fw_tf_br_v1.1
5.3.1 Security audit (FAU)
FAU_GEN.1 Audit data generation
FAU_GEN.1.1 - Refinement: The TSF shall be able to generate an audit record of the
following auditable events:
a) Start-up and shutdown of the audit functions;
b) All relevant auditable events for the minimal or basic level of audit specified in
Table 5.2; and
c) [the event in the following tTable 5.2 listed at the "extended" level].
-
Cisco 5940 Series Embedded Services Router ST May 2011
29
FAU_GEN.1.2 - Refinement: The TSF shall record within each audit record at least the
following information:
a) Date and time of the event, type of event, subjects identities, outcome (success or
failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the
functional components included in the PP/ST, [information specified in column
four of the following tTable 5.2].
Table 16: Security Functional Requirements
SFR Level Auditable Event Additional Contents FMT_SMR.1 minimal Modifications to the group of users
that are part of the authorized
administrator role.
The identity of the authorized
administrator performing the
modification and the user identity
being associated with the authorized
administrator role.
FIA_UID.2 basic All use of the user identification
mechanism
The user identities provided to the
TOE
FIA_UAU.1 basic Any use of the authentication mechanism. The user identities provided to the
TOE
FIA_AFL.1 minimal The reaching of the threshold for
unsuccessful authentication attempts and
the subsequent restoration by the
authorized administrator of the user’s
capability to authenticate.
The identity of the offending user and
the authorized administrator
FDP_IFF.1(1
)
basic All decisions on requests for information
flow.
The presumed addresses of the source
and destination subject.
FDP_IFF.1(
2)
minimal Errors during IPSec processing, errors
during TLS processing
The presumed addresses of the
source and destination subject.
FCS_COP.1 minimal Success and failure, and the type of
cryptographic operation
The identity of the external IT entity
attempting to perform the
cryptographic operation
FPT_STM.1 minimal Changes to the time. The identity of the authorized
administrator performing the
operation.
FMT_MOF.1 extended Use of the functions listed in this
requirement pertaining to audit.
The identity of the authorized
administrator performing the
operation.
FAU_SAR.1 Audit review
FAU_SAR.1.1 - Refinement: The TSF shall provide [an authorized administrator
(privileged)] with the capability to read [all audit trail data] from the audit records.
FAU_SAR.1.2 - The TSF shall provide the audit records in a manner suitable for the user
to interpret the information.
FAU_SAR.3 Selectable audit review
-
Cisco 5940 Series Embedded Services Router ST May 2011
30
FAU_SAR.3.1 - The TSF shall provide the ability to perform searches and sorting of
audit data based on:
a) [presumed subject address;
b) ranges of dates;
c) ranges of times;
d) ranges of addresses].
FAU_STG.1 Protected audit trail storage
FAU_STG.1.1 - The TSF shall protect the stored audit records from unauthorized
deletion.
FAU_STG.1.2 - The TSF shall be able to prevent modifications to the audit records.
FAU_STG.4 Prevention of audit data loss
FAU_STG.4.1 - The TSF shall prevent auditable events, except those taken by the
authorized administrator and [shall limit the number of audit records lost] if the audit
trail is full.
5.3.2 Cryptographic Support (FCS)
FCS_COP.1 Cryptographic operation
FCS_COP.1.1 - The TSF shall perform [encryption of remote authorized administrator
sessions] in accordance with a specified cryptographic algorithm:
• [AES (Advanced Encryption Standard as specified in FIPS 197) encryption (as
specified in SP 800-67)] and cryptographic key sizes [that are at least 128 binary digits in
length] that meet the following: [FIPS PUB 140-2 (Level 1)].
5.3.3 User data protection (FDP)
FDP_IFC.1(1) Subset information flow control
FDP_IFC.1.1(1) - The TSF shall enforce the [UNAUTHENTICATED SFP] on:
a) [subjects: unauthenticated external IT entities that send and receive information
through the TOE to one another;
b) information: traffic sent through the TOE from one subject to another;
c) operation: pass information].
FDP_IFF.1(1) Simple security attributes
FDP_IFF.1.1(1) - The TSF shall enforce the [UNAUTHENTICATED SFP] based on at
least the following types of subject and information security attributes:
a) [subject security attributes:
• presumed address;
-
Cisco 5940 Series Embedded Services Router ST May 2011
31
• [configured zone];
b) information security attributes:
• presumed address of source subject;
• presumed address of destination subject;
• transport layer protocol;
• TOE interface on which traffic arrives and departs;
• service;
• [No other attributes].
FDP_IFF.1.2(1) - The TSF shall permit an information flow between a controlled subject
and another controlled subject via a controlled operation if the following rules hold:
a) [Subjects on an internal network can cause information to flow through the TOE
to another connected network if:
• all the information security attribute values are unambiguously permitted
by the information flow security policy rules, where such rules may be
composed from all possible combinations of the values of the information
flow security attributes, created by the authorized administrator;
• the presumed address of the source subject, in the information, translates
to an internal network address;
• and the presumed address of the destination subject, in the information,
translates to an address on the other connected network.
b) Subjects on the external network can cause information to flow through the TOE
to another connected network if:
• all the information security attribute values are unambiguously permitted
by the information flow security policy rules, where such rules may be
composed from all possible combinations of the values of the information
flow security attributes, created by the authorized administrator;
• the presumed address of the source subject, in the information, translates
to an external network address;
• and the presumed address of the destination subject, in the information,
translates to an address on the other connected network.]
FDP_IFF.1.3(1) - The TSF shall enforce the [none].
FDP_IFF.1.4(1) - The TSF shall provide the following [none].
FDP_IFF.1.5(1) - The TSF shall explicitly authorize an information flow based on the
following rules: [none].
FDP_IFF.1.6(1) - The TSF shall explicitly deny an information flow based on the
following rules:
a) [The TOE shall reject requests for access or services where the information
arrives on an external TOE interface, and the presumed address of the source
subject is an external IT entity on an internal network;
-
Cisco 5940 Series Embedded Services Router ST May 2011
32
b) The TOE shall reject requests for access or services where the information arrives
on an internal TOE interface, and the presumed address of the source subject is an
external IT entity on the external network;
c) The TOE shall reject requests for access or services where the information arrives
on either an internal or external TOE interface, and the presumed address of the
source subject is an external IT entity on a broadcast network;
d) The TOE shall reject requests for access or services where the information arrives
on either an internal or external TOE interface, and the presumed address of the
source subject is an external IT entity on the loopback network.]
FDP_RIP.1 Subset residual information protection
FDP_RIP.1.1 - The TSF shall ensure that any previous information content of a resource
is made unavailable upon the allocation of the resource to the following objects:
[resources that are used by the subjects of the TOE to communicate through the TOE to
other subjects].
5.3.4 Identification and authentication (FIA)
FIA_ATD.1 User attribute definition
FIA_ATD.1.1 - Refinement: The TSF shall maintain the following list of security
attributes belonging to individual users:
a) [For TOE administrators a. identity;
b. association of a human user with the authorized administrator role;
c. User Password
b) For External IT entities a. subject identity (IP address/Host Name);
b. IKE Security Attributes].
.
FIA_UID.2 User identification before any action
FIA_UID.2.1 -The TSF shall require each user to identify itself before allowing any other
TSF-mediated actions on behalf of that user.
FIA_UAU.1 Timing of authentication
FIA_UAU.1.1 - The TSF shall allow [identification as stated in FIA_UID.2] on behalf of
the authorized administrator or authorized external IT entity accessing the TOE to be
performed before the authorized administrator or authorized external IT entity is
authenticated.
-
Cisco 5940 Series Embedded Services Router ST May 2011
33
FIA_UAU.1.2 - The TSF shall require each authorized administrator or authorized
external IT entity to be successfully authenticated before allowing any other TSF-
mediated actions on behalf of that authorized administrator or authorized IT entity.
FIA_AFL.1 Authentication failure handling
FIA_AFL.1.1 - The TSF shall detect when [a settable, non-zero number between 1 and
25] of unsuccessful authentication attempts occur related to [external IT entities
attempting to authenticate from an internal or external network.]
FIA_AFL.1.2 - When the defined number of unsuccessful authentication attempts has
been met or surpassed, the TSF shall [prevent the offending external IT entity from
successfully authenticating until an authorized administrator takes some action to make
authentication possible for the external IT entity in question.]
FIA_UAU.4 Single-use authentication mechanisms
FIA_UAU.4.1 - The TSF shall prevent reuse of authentication data related to
[authentication attempts from either an internal or external network by:
a) authorized administrators;
b) authorized external IT entities].
5.3.5 Security management (FMT)
FMT_SMR.1 Security roles
FMT_SMR.1.1 - Refinement: The TSF shall maintain the role [authorized
(privileged/non-privileged) administrator, External IT entities].
FMT_SMR.1.2 - The TSF shall be able to associate human users with the authorized
administrator role.
FMT_MSA.3(1) Static attribute initialization
FMT_MSA.3.1(1) - The TSF shall enforce the [UNAUTHENTICATED SFP] to provide
restrictive default values for information flow security attributes that are used to enforce
the SFP.
FMT_MSA.3.2(1) - Refinement: The TSF shall allow the [authorized privileged
administrator] to specify alternative initial values to override the default values when an
object or information is created.
FMT_MOF.1 Management of security functions behavior
FMT_MOF.1.1 - Refinement: The TSF shall restrict the ability to perform the
functions:
a) [start-up and shutdown;
-
Cisco 5940 Series Embedded Services Router ST May 2011
34
b) create, delete, modify, and view information flow security policy rules that permit
or deny information flows;
c) create, delete, modify, and view user attribute values defined in FIA_ATD.1;
d) enable and disable single-use authentication mechanisms in FIA_UAU.4 (if the
TOE supports authorized IT entities and/or remote administration from either an
internal or external network);
e) modify and set the threshold for the number of permitted authentication attempt
failures (if the TOE supports authorized IT entities and/or remote administration
from either an internal or external network);
f) restore authentication capabilities for users that have met or exceeded the
threshold for permitted authentication attempt failures (if the TOE supports
authorized IT entities and/or remote administration from either an internal or
external network);
g) enable and disable external IT entities from communicating to the TOE (if the
TOE supports authorized external IT entities);
h) modify and set the time and date;
i) archive, create, delete, empty, and review the audit trail;
j) backup of user attribute values, information flow security policy rules, and audit
trail data, where the backup capability shall be supported by automated tools;
k) recover to the state following the last backup;
l) additionally, if the TSF supports remote administration from either an internal or
external network:
• enable and disable remote administration from internal and external
networks;
• restrict addresses from which remote administration can be performed;
m) [manipulate the security attributes referenced in the VPN information flow
polices;
n) manipulate the security attributes referenced in the VLAN information flow
polices
o) enable, disable, and modify the IPS settings on the box]].
to [an authorized privileged administrator].
5.3.6 Protection of the TSF (FPT)
FPT_STM.1 Reliable time stamps
FPT_STM.1.1 - The TSF shall be able to provide reliable time stamps for its own use.
5.4 SFRs in addition to the SFRs found in pp_fw_tf_br_v1.1
5.4.1 Cryptographic Support (FCS)
FCS_CKM.4 Cryptographic Key Destruction
FCS_CKM.4.1 - The TSF shall destroy cryptographic keys in accordance with specified
cryptographic key destruction method [zeroization] that meets the following: [Key
-
Cisco 5940 Series Embedded Services Router ST May 2011
35
zeroization requirements of FIPS PUB 140-2, “Security Requirements for Cryptographic
Modules”].
FCS_COP_(EXT).1 Explicit: Random Number Generation
FCS_COP_(EXT).1.1 - The TSF shall perform all Random Number Generation used by
the cryptographic functionality of the TSF using a FIPS-approved Random Number
Generator implemented in a FIPS-approved crypto module running in a FIPS-approved
mode.
Extended Requirements Rationale – FCS_COP_(EXT).1:
A. Class – The FCS class of SFRs id