Cisco ASR 1002 Common Criteria Operational User Guidance And Preparative Procedures

Type
Common Criteria Operational User Guidance And Preparative Procedures
Cisco Aggregation Services Router (ASR) 1000 Series
Common Criteria Operational User Guidance
And Preparative Procedures
Version 0.4
October 27, 2017
Page 2 of 72
Table of Contents
1 Introduction ............................................................................................................................. 7
1.1 Audience ......................................................................................................................... 7
1.2 Purpose ............................................................................................................................ 7
1.3 Document References ..................................................................................................... 7
1.4 Supported Hardware and Software ................................................................................. 9
1.5 Operational Environment ................................................................................................ 9
1.5.1 Supported non-TOE Hardware/Software/Firmware ................................................... 9
1.6 Excluded Functionality ................................................................................................. 10
2 Secure Acceptance of the TOE ............................................................................................. 11
3 Secure Installation and Configuration .................................................................................. 16
3.1 Physical Installation ...................................................................................................... 16
3.2 Initial Setup via Direct Console Connection ................................................................ 16
3.2.1 Options to be chosen during the initial setup of the ASR ......................................... 16
3.2.2 Saving Configuration ................................................................................................ 16
3.2.3 Enabling FIPS Mode ................................................................................................. 17
3.2.4 Administrator Configuration and Credentials ........................................................... 17
3.2.5 Session Termination.................................................................................................. 17
3.2.6 User Lockout ............................................................................................................. 18
3.3 Network Protocols and Cryptographic Settings ............................................................ 19
3.3.1 Remote Administration Protocols ............................................................................. 19
3.3.2 Authentication Server Protocols ............................................................................... 20
3.3.3 Logging Configuration.............................................................................................. 20
3.3.4 Logging Protection.................................................................................................... 22
3.3.5 Base Firewall Rule set Configuration ....................................................................... 24
3.3.6 Routing Protocols...................................................................................................... 26
3.3.7 MACSEC and MKA Configuration.......................................................................... 26
4 Secure Management .............................................................................................................. 27
4.1 User Roles ..................................................................................................................... 27
4.2 Passwords ...................................................................................................................... 27
4.3 Clock Management ....................................................................................................... 30
Page 3 of 72
4.4 Identification and Authentication ................................................................................. 30
4.5 Login Banners ............................................................................................................... 30
4.6 Virtual Private Networks (VPN) ................................................................................... 30
4.6.1 IPsec Overview ......................................................................................................... 30
4.6.2 IPsec Transforms and Lifetimes ............................................................................... 34
4.6.3 NAT Traversal .......................................................................................................... 36
4.6.4 X.509 Certificates ..................................................................................................... 36
4.6.5 Information Flow Policies......................................................................................... 41
4.6.6 IPsec Session Interuption/Recovery ......................................................................... 42
4.7 Product Updates ............................................................................................................ 43
4.8 Configure Reference Identifier ..................................................................................... 43
5 Security Relevant Events ...................................................................................................... 45
5.1 Deleting Audit Records................................................................................................. 62
6 Network Services and Protocols ........................................................................................... 63
7 Modes of Operation .............................................................................................................. 67
8 Security Measures for the Operational Environment............................................................ 70
9 Related Documentation ......................................................................................................... 71
9.1 World Wide Web .......................................................................................................... 71
9.2 Ordering Documentation .............................................................................................. 71
9.3 Documentation Feedback.............................................................................................. 71
10 Obtaining Technical Assistance ............................................................................................ 72
Page 4 of 72
List of Tables
Table 1: Acronyms .......................................................................................................................... 5
Table 2: Cisco Documentation....................................................................................................... 7
Table 3: Operational Environment Components ............................................................................ 9
Table 4: Excluded Functionality .................................................................................................. 10
Table 5: TOE External Identification .......................................................................................... 11
Table 6: Evaluated Software Images ........................................................................................... 13
Table 7: Auditable Events ............................................................................................................. 46
Table 8 Auditable Administrative Events .................................................................................... 55
Table 8: Protocols and Services .................................................................................................... 63
Table 9: Operational Environment Security Measures ................................................................ 70
Page 5 of 72
List of Acronyms
The following acronyms and abbreviations are used in this document:
Table 1: Acronyms
Acronyms /
Abbreviations
Definition
AAA
Administration, Authorization, and Accounting
AES
Advanced Encryption Standard
ASR
Aggregation Services Router
EAL
Evaluation Assurance Level
FIPS
Federal Information Processing Standards
HTTPS
Hyper-Text Transport Protocol Secure
IP
Internet Protocol
NTP
Network Time Protocol
RADIUS
Remote Authentication Dial In User Service
SSHv2
Secure Shell (version 2)
TCP
Transport Control Protocol
TOE
Target of Evaluation
Page 6 of 72
DOCUMENT INTRODUCTION
Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134
DOCUMENT INTRODUCTION
This document provides supporting evidence for an evaluation of a specific Target of Evaluation
(TOE), the Aggregation Services Router (ASR) 1000 Series (ASR). This Operational User
Guidance with Preparative Procedures addresses the administration of the TOE software and
hardware and describes how to install, configure, and maintain the TOE in the Common Criteria
evaluated configuration. Administrators of the TOE will be referred to as administrators,
authorized administrators, TOE administrators, semi-privileged administrators, and privileged
administrators in this document.
Page 7 of 72
1 Introduction
This Operational User Guidance with Preparative Procedures documents the administration of
the Aggregation Services Router (ASR) 1000 Series (ASR), the TOE, as it was certified under
Common Criteria. The Aggregation Services Router (ASR) 1000 Series (ASR ) may be
referenced below as the model number series ex. ASR 1000, TOE, or simply router.
1.1 Audience
This document is written for administrators configuring the TOE. This document assumes that
you are familiar with the basic concepts and terminologies used in internetworking, and
understand your network topology and the protocols that the devices in your network can use,
that you are a trusted individual, and that you are trained to use the operating systems on which
you are running your network.
1.2 Purpose
This document is the Operational User Guidance with Preparative Procedures for the Common
Criteria evaluation. It was written to highlight the specific TOE configuration and administrator
functions and interfaces that are necessary to configure and maintain the TOE in the evaluated
configuration. This document is not meant to detail specific actions performed by the
administrator but rather is a road map for identifying the appropriate locations within Cisco
documentation to get the specific details for configuring and maintaining ASR operations. All
security relevant commands to manage the TSF data are provided within this documentation
within each functional section.
1.3 Document References
This document makes reference to several Cisco Systems documents. The documents used are
shown below in Table 2. Throughout this document, the guides will be referred to by the #,
such as [1].
Table 2: Cisco Documentation
#
Title
Link
[1]
Loading and Managing System Images
Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-
mgmt/configuration/xe-16/sysimgmgmt-xe-16-book.html
[2]
Cisco ASR 1000 Series Router
Hardware Installation Guide, July
2013, OL-13208-11
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/asr
1routers/asr1higV8.html
[3]
Configuration Fundamentals
Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/fundamentals/configuration/xe-16/fundamentals-xe-16-
book.html
Page 8 of 72
#
Title
Link
[4]
Using Setup Mode to Configure a
Cisco Networking Device
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guid
e/cf_setup.html
[6]
Cisco ASR 1000 Series Aggregation
Services Routers SIP and SPA
Software Configuration Guide
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/shared_port_
adapters/configuration/ASR1000/asr1000-sip-spa-book.html
[8]
Cisco ASR 1000 Series Aggregation
Services Routers Software
Configuration Guide
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/
chassis/asrswcfg.html
[10]
Cisco IOS Security Command
Reference
http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/refer
ence/cf_book.html
[15]
Basic System Management
Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/bsm/configuration/xe-16/bsm-xe-16-book.html
[17]
RADIUS Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_usr_rad/configuration/xe-16/sec-usr-rad-xe-16-book.html
[18]
FlexVPN and Internet Key Exchange
Version 2 Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_conn_ike2vpn/configuration/xe-16/sec-flex-vpn-xe-16-
book.html
[19]
Authentication, Authorization, and
Accounting Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_usr_aaa/configuration/xe-16/sec-usr-aaa-xe-16-book.html
[20]
Cisco ASR 1001-X Router Hardware
Installation Guide
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/100
1-x/asr1hig-book.html
[21]
IP Addressing: NAT Configuration
Guide
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book.html
[22]
Public Key Infrastructure
Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_conn_pki/configuration/xe-16/sec-pki-xe-16-book.html
[23]
IPsec Data Plane Configuration Guide
https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book.html
[24]
MACSEC and MKA Configuration
Guide
http://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/macsec/configuration/xe-16/macsec-xe-16-book.html
Page 9 of 72
1.4 Supported Hardware and Software
Only the hardware and software listed in section 1.5 of the Security Target (ST) is compliant
with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the
secure configuration. Likewise, using any software version other than the evaluated software
listed in the ST will invalidate the secure configuration. The TOE is a hardware and software
solution that makes up the router models as follows: Chassis: ASR 1001, ASR 1001X, ASR
1002, ASR 1002X, ASR 1004, ASR 1006, ASR 1013; Embedded Services Processors (ESPr):
ESPr5, ESPr10, ESPr20, ESPr40, ESPr100, ESPr200; Route Processor (RP): RP1, RP2. The
network, on which they reside, is considered part of the environment. The software comes pre-
installed and is comprised of the Cisco IOS-XE software image Release 16.3.2.
1.5 Operational Environment
1.5.1 Supported non-TOE Hardware/Software/Firmware
The TOE supports (in some cases optionally) the following hardware, software, and firmware in
its environment:
Table 3: Operational Environment Components
Component
Required
RADIUS AAA
Server
No
Management
Workstation
with SSH client
Yes
Local Console
Yes
Certification
Authority (CA)
Yes
Remote VPN
Gateway/Peer
Yes
Page 10 of 72
Component
Required
NTP Server
No
Audit (syslog)
Server
Yes
Another
instance of the
TOE
No
1.6 Excluded Functionality
Table 4: Excluded Functionality
Excluded Functionality
Exclusion Rationale
Non-FIPS 140-2 mode of operation on the
router.
This mode of operation includes non-FIPS
allowed operations.
These services will be disabled by configuration. The exclusion of this functionality does not
affect compliance to the U.S. Government Protection Profile for Security Requirements for
Network Devices.
Page 11 of 72
2 Secure Acceptance of the TOE
In order to ensure the correct TOE is received, the TOE should be examined to ensure that that is
has not been tampered with during delivery.
Verify that the TOE software and hardware were not tampered with during delivery by
performing the following actions:
Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered
in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs.
If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco
distributor/partner).
Step 2 Verify that the packaging has not obviously been opened and resealed by examining the
tape that seals the package. If the package appears to have been resealed, contact the supplier of
the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded
label applied to the external cardboard box. If it does not, contact the supplier of the equipment
(Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco
product number, serial number, and other information regarding the contents of the box.
Step 4 Note the serial number of the TOE on the shipping documentation. The serial number
displayed on the white label affixed to the outer box will be that of the device. Verify the serial
number on the shipping documentation matches the serial number on the separately mailed
invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or
an authorized Cisco distributor/partner).
Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment
(Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with
the supplier that they shipped the box with the courier company that delivered the box and that
the consignment note number for the shipment matches that used on the delivery. Also verify
that the serial numbers of the items shipped match the serial numbers of the items delivered. This
verification should be performed by some mechanism that was not involved in the actual
equipment delivery, for example, phone/FAX or other online tracking service.
Step 6 Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on
the unit itself matches the serial number on the shipping documentation and the invoice. If it
does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco
distributor/partner). Also verify that the unit has the following external identification as
described in Table 5 below.
Table 5: TOE External Identification
Product Name
Model Number
External Identification
ASR Series
1001X
CISCO 1001X
1001HX
CISCO 1001HX
1002X
CISCO 1002X
1002HX
CISCO 1002HX
1004
CISCO 1004
Page 12 of 72
Product Name
Model Number
External Identification
1006
CISCO 1006
1006X
CISCO 1006X
1009X
CISCO 1009X
1013
CISCO 1013
Step 7 Approved methods for obtaining a Common Criteria evaluated software images:
Download the Common Criteria evaluated software image file from Cisco.com onto a
trusted computer system. Software images are available from Cisco.com at the
following: http://www.cisco.com/cisco/software/navigator.html.
The TOE ships with the correct software images installed.
Step 8 Once the file is downloaded, verify that it was not tampered with by using an SHA-1
utility to compute a SHA-1 hash for the downloaded file and comparing this with the SHA-1
hash for the image listed in Table 6 below. If the SHA-1 hashes do not match, contact Cisco
Technical Assistance Center (TAC)
https://tools.cisco.com/ServiceRequestTool/create/launch.do.
Step 9 Install the downloaded and verified software image onto your ASR as described in [1]
Under Configure Click on Configuration Guides System Management Click on
Loading and Managing System Images Configuration Guide.
Start your ASR as described in [2] and [20] Cisco ASR 1000 Series Routers Power Up and
Initial Configuration “Powering Up the Cisco ASR 1000 Series Routers. Confirm that your
ASR loads the image correctly, completes internal self-checks and displays the cryptographic
export warning on the console.
Step 10 The end-user must confirm once the TOE has booted that they are indeed running the
evaluated version. Use the “show version” command [3] to display the currently running system
image filename and the system software release version. An authorized administrator can verify
the TOE software image through reloading of the TOE or via theverify’ command. See Table 6
below for the detailed hash value that must be checked to ensure the software has not been
modified in any way.
Page 13 of 72
Table 6: Evaluated Software Images
Page 14 of 72
Platform
Image Name
Hash
ASR 1001X
asr1001x-universalk9.16.03.02.SPA.bin
MD5: fa13528532ea51d5f242ecafe200d118
SHA-512:
247cdad2a7bc31940f30379999aab3c225748154ed0881
273f3ec6dbef3cd5aa36501670022d6941b6525e44d946
25a2a714f05a5c56b23b1e0417d935a20c43
ASR 1001HX
asr1000-universalk9.16.03.02.SPA.bin
MD5: 785b1f2089e8b93dcc5db4120c981e66
SHA-512:
fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19
769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51
a9ff8c756758446f0938ae4f837240c2
ASR 1002X
asr1002x-universalk9.16.03.02.SPA.bin
MD5: 8fca93734b7882cf8a4cf05a783c970a
SHA-512:
1fbd63a356bd7b43cb3f11877e97e882cff78c999b57688
ba044fdf4d70ccc0140a5881dc7591dee0a4595e10120c7
d10518f7040fbfeeff8ef2ee6167bcb20c
ASR 1002HX
asr1000-universalk9.16.03.02.SPA.bin
MD5: 785b1f2089e8b93dcc5db4120c981e66
SHA-512:
fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19
769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51
a9ff8c756758446f0938ae4f837240c2
ASR 1004
asr1000rpx86-universalk9.16.03.02.SPA.bin
MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:
69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093
ASR 1006
asr1000rpx86-universalk9.16.03.02.SPA.bin
MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:
69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093
ASR 1006X
asr1000rpx86-universalk9.16.03.02.SPA.bin
MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:
69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093
Page 15 of 72
ASR 1009X
asr1000rpx86-universalk9.16.03.02.SPA.bin
MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:
69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093
ASR 1013
asr1000rpx86-universalk9.16.03.02.SPA.bin
MD5: d612372c7dca15859f065c98ef1a3287
SHA-512:
69af51342e562cbd874ec65895c8d9082f514169806ef10
8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99
21e59866ecf38c5a33d801c11c59367093
Page 16 of 72
3 Secure Installation and Configuration
3.1 Physical Installation
Follow the Cisco ASR 1000 Series Router Hardware Installation Guide, [2] and [20] for
hardware installation instructions.
3.2 Initial Setup via Direct Console Connection
The ASR must be given basic configuration via console connection prior to being connected to
any network.
3.2.1 Options to be chosen during the initial setup of the ASR
When you run the “setup” command, or after initially turning on the router you are free to choose
answers that fit your policies with the exception of the following values.
1 Enable Secret Must adhere to the password complexity requirements. Note that this setting
can be confirmed after “setup” is complete by examining the configuration file for “enable secret
5 …” [4] Under Configure Click on Configuration Guides System Management Click
on Using Setup Mode to Configure a Cisco Networking Device Click on subsection Using
the System Configuration Dialog to Create an Initial Configuration File”
2 Enable Password - Must adhere to the password complexity requirements. Note that this must
be set to something different than the enable secret during “setup”, however after setup this will
not be used within the evaluated configuration. [10] Under Reference Guides Command
References Security and VPN See manual Cisco IOS Security Command Reference:
Commands D to L.
3 Virtual Terminal Password - Must adhere to the password complexity requirements. Note
that securing the virtual terminal (or vty) lines with a password in the evaluated configuration is
suggested. This password allows access to the device through only the console port. Later in this
guide steps will be given to allow ssh into the vty lines. [4] Under Configure Click on
Configuration Guides System Management Click on Using Setup Mode to Configure a
Cisco Networking Device Click on subsection Using the System Configuration Dialog to
Create an Initial Configuration File”
4 Configure SNMP Network Management NO (this is the default). Note that this setting can
be confirmed after “setup” is complete by examining the configuration file to ensure that there is
no “snmp-server” entry. [4] Under Configure Click on Configuration Guides System
Management Click on Using Setup Mode to Configure a Cisco Networking Device Click on
subsection Using the System Configuration Dialog to Create an Initial Configuration File”
3.2.2 Saving Configuration
IOS uses both a running configuration and a starting configuration. Configuration changes affect
the running configuration, in order to save that configuration the running configuration (held in
memory) must be copied to the startup configuration. This may be achieved by either using the
write memory command [3] or the copy system:running-config nvram:startup-config
command [3] under section “C commands” (Note: A short hand version of the command is copy
run start). These commands should be used frequently when making changes to the
Page 17 of 72
configuration of the Router. If the Router reboots and resumes operation when uncommitted
changes have been made, these changes will be lost and the Router will revert to the last
configuration saved.
3.2.3 Enabling FIPS Mode
The TOE must be run in the FIPS mode of operation. The use of the cryptographic engine in any
other mode was not evaluated nor tested during the CC evaluation of the TOE. This is done by
setting the following in the configuration:
The value of the boot field must be 0x0102. This setting disables break from the console to the
ROM monitor and automatically boots the IOS image. From the ROMMON command line enter
the following:
confreg 0x0102 [3] under section “C commands”
The self-tests for the cryptographic functions in the TOE are run automatically during power-on
as part of the POST. The same POST self-tests for the cryptographic operations can also be
executed manually at any time by the privileged administrator using the command:
test crypto self-test [10] Cisco IOS Security Command Reference: Commands S to Z
3.2.4 Administrator Configuration and Credentials
The ASR must be configured to use a username and password for each administrator and one
password for the enable command. Ensure all passwords are stored encrypted by using the
following command:
service password-encryption [10] Cisco IOS Security Command Reference: Commands
S to Z
Configures local AAA authentication:
aaa authentication login default local [10] Cisco IOS Security Command Reference:
Commands A to C
aaa authorization exec default local [10] Cisco IOS Security Command Reference:
Commands A to C
When creating administrator accounts, all individual accounts are to be set to a privilege level of
one. This is done by using the following commands:
username <name> password <password> [10] Cisco IOS Security Command
Reference: Commands S to Z
to create a new username and password combination, and
username <name> privilege 1 [10] Cisco IOS Security Command Reference:
Commands S to Z
to set the privilege level of <name> to 1.
3.2.5 Session Termination
Inactivity settings must trigger termination of the administrator session. These settings are
configurable by setting
Page 18 of 72
line vty <first> <last> [2] and [20] under section “Configuring Virtual Terminal Lines
for Remote Console Access”
exec-timeout <time> [10] >System Management > Cisco IOS Configuration
Fundamentals Command Reference, section D through E
line console [19] under section “Configuring Line Password Protection”
exec-timeout <time>
To save these configuration settings to the startup configuration:
copy run start [3] under section “C commands”
where first and last are the range of vty lines on the box (i.e. “0 4”), and time is the period of
inactivity after which the session should be terminated. Configuration of these settings is limited
to the privileged administrator (see Section 4.1). These settings are not immediately activated
for the current session. The current line console session must be exited. When the user logs
back in, the inactivity timer will be activated for the new session.
3.2.6 User Lockout
User accounts must be configured to lockout after a specified number of authentication failures
TOE-common-criteria(config)# aaa local authentication attempts max-fail [number of
failures]
where number of failures is the number of consecutive failures that will trigger locking of the
account. Configuration of these settings is limited to the privileged administrator (see Section
4.1).
Related commands:
clear aaa local user fail-attempts
Clears the unsuccessful login
attempts of the user.
clear aaa local user lockout
username [username]
Unlocks the locked-out user.
show aaa local user lockout
Displays a list of all locked-out
users.
Note: this lockout only applies to privilege 14 users and below.
Note: this applies to consecutive failures, and is not affected by the SSH or Telnet session
disconnections after their default number of failures. In other words, if this lockout command is
set to 5 failures, and SSH disconnects after 3 failed attempts, if the user attempts another SSH
session and enters the wrong credentials two additional times, the account will lock.
Page 19 of 72
3.3 Network Protocols and Cryptographic Settings
3.3.1 Remote Administration Protocols
All TOE administration must be performed through an IPsec tunnel. However, it is
recommended that the interactive interface be over SSH. The following method is used to
configure SSH for use in a secure manner.
To only allow ssh for remote administrator sessions, use the transport input ssh command.
This command disables telnet by only allowing ssh connections for remote administrator access.
3.3.1.1 Steps to configure SSH on router: [10] Cisco IOS Security Command Reference
Guides
1. Generate RSA or ECDSA key material choose a longer modulus length for the
evaluated configuration (i.e., 2048 for RSA and 256 or 384 for ECDSA):
TOE-common-criteria(config)# crypto key generate rsa
How many bits in the modulus [512]: 2048
or
TOE-common-criteria(config)# crypto key generate ec keysize [256 or 384]
RSA and ECDSA keys are generated in pairsone public key and one private key. This
command is not saved in the router configuration; however, the keys generated by this
command are saved in the private configuration in NVRAM (which is never displayed to
the user or backed up to another device) the next time the configuration is written to
NVRAM.
Note: Only one set of keys can be configured using the crypto key generate command at
a time. Repeating the command overwrites the old keys.
Note: If the configuration is not saved to NVRAM with a “copy run start, the generated
keys are lost on the next reload of the router.
Note: If the error “% Please define a domain-name first” is received, enter the command
ip domain-name [domain name].
Note: to delete a key, an administrator may use the crypto key zeroize <label> command.
2. Enable ssh
TOE-common-criteria# ip ssh authentication-retries 2
3. Configure ssh timeout
TOE-common-criteria# ip ssh time-out 60
4. Set to use SSH v2
TOE-common-criteria# ip ssh version 2
5. Ensure that the product is configured not to support diffie-hellman-group1-sha1 key
exchange using the following command ‘ip ssh dh min size 2048’:
TOE-common-criteria(config)# ip ssh dh min size 2048
Page 20 of 72
6. Configure vty lines to accept ‘ssh’ login services
TOE-common-criteria(config-line)# transport input ssh
7. Configure a SSH client to support only the following specific encryption algorithms:
o AES-CBC-128
o AES-CBC-256
peer#ssh -l cisco -c aes128-cbc 1.1.1.1
peer#ssh -l cisco -c aes256-cbc 1.1.1.1
8. Configure a SSH client to support message authentication. Only the following MACs are
allowed and “None” for MAC is not allowed:
a. hmac-sha1-96
b. hmac-sha1
peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1
9. Configure the SSH rekey time-based rekey and volume-based rekey values (values can be
configured to be lower than the default values if a shorter interval is desired):
a. ip ssh rekey time 60
b. ip ssh rekey volume 1000000
HTTP and HTTPS servers were not evaluated and must be disabled: no ip http server
no ip http secure-server
SNMP server was not evaluated and must be disabled: no snmp-server
3.3.2 Authentication Server Protocols
RADIUS (outbound) for authentication of TOE administrators to remote authentication
servers are disabled by default but should be enabled by administrators in the evaluated
configuration.
o To configure RADIUS refer to [17] Under Configure Click on Configuration
Guides Security, Services, and VPN Click on Securing User Services
Configuration Guide Library click on Authentication, Authorization, and
Accounting (AAA) Configuration Guide Configuring Authentication How to
Configure AAA Authentication Methods Configuring Login Authentication
Using AAA Login Authentication Using Group RADIUS. Use best practices
for the selection and protection of a key to ensure that the key is not easily
guessable and is not shared with unauthorized users.
This protocol is to be tunneled over an IPsec connection in the evaluated configuration. The
instructions for setting up this communication are the same as those for protecting
communications with a syslog server, detailed in Section 3.3.4 below.
3.3.3 Logging Configuration
Logging of command execution must be enabled: [10] Cisco IOS Configuration Fundamentals
Command Reference and Cisco IOS Debug Command References
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72

Cisco ASR 1002 Common Criteria Operational User Guidance And Preparative Procedures

Type
Common Criteria Operational User Guidance And Preparative Procedures

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI