Cisco ASR 1002 Common Criteria Operational User Guidance And Preparative Procedures

Cisco Aggregation Services Router (ASR) 1000 Series

Common Criteria Operational User Guidance

And Preparative Procedures

Version 0.4

October 27, 2017

Page 2 of 72

Table of Contents

1 Introduction ............................................................................................................................. 7

1.1 Audience ......................................................................................................................... 7

1.2 Purpose ............................................................................................................................ 7

1.3 Document References ..................................................................................................... 7

1.4 Supported Hardware and Software ................................................................................. 9

1.5 Operational Environment ................................................................................................ 9

1.5.1 Supported non-TOE Hardware/Software/Firmware ................................................... 9

1.6 Excluded Functionality ................................................................................................. 10

2 Secure Acceptance of the TOE ............................................................................................. 11

3 Secure Installation and Configuration .................................................................................. 16

3.1 Physical Installation ...................................................................................................... 16

3.2 Initial Setup via Direct Console Connection ................................................................ 16

3.2.1 Options to be chosen during the initial setup of the ASR ......................................... 16

3.2.2 Saving Configuration ................................................................................................ 16

3.2.3 Enabling FIPS Mode ................................................................................................. 17

3.2.4 Administrator Configuration and Credentials ........................................................... 17

3.2.5 Session Termination.................................................................................................. 17

3.2.6 User Lockout ............................................................................................................. 18

3.3 Network Protocols and Cryptographic Settings ............................................................ 19

3.3.1 Remote Administration Protocols ............................................................................. 19

3.3.2 Authentication Server Protocols ............................................................................... 20

3.3.3 Logging Configuration.............................................................................................. 20

3.3.4 Logging Protection.................................................................................................... 22

3.3.5 Base Firewall Rule set Configuration ....................................................................... 24

3.3.6 Routing Protocols...................................................................................................... 26

3.3.7 MACSEC and MKA Configuration.......................................................................... 26

4 Secure Management .............................................................................................................. 27

4.1 User Roles ..................................................................................................................... 27

4.2 Passwords ...................................................................................................................... 27

4.3 Clock Management ....................................................................................................... 30

Page 3 of 72

4.4 Identification and Authentication ................................................................................. 30

4.5 Login Banners ............................................................................................................... 30

4.6 Virtual Private Networks (VPN) ................................................................................... 30

4.6.1 IPsec Overview ......................................................................................................... 30

4.6.2 IPsec Transforms and Lifetimes ............................................................................... 34

4.6.3 NAT Traversal .......................................................................................................... 36

4.6.4 X.509 Certificates ..................................................................................................... 36

4.6.5 Information Flow Policies......................................................................................... 41

4.6.6 IPsec Session Interuption/Recovery ......................................................................... 42

4.7 Product Updates ............................................................................................................ 43

4.8 Configure Reference Identifier ..................................................................................... 43

5 Security Relevant Events ...................................................................................................... 45

5.1 Deleting Audit Records................................................................................................. 62

6 Network Services and Protocols ........................................................................................... 63

7 Modes of Operation .............................................................................................................. 67

8 Security Measures for the Operational Environment............................................................ 70

9 Related Documentation ......................................................................................................... 71

9.1 World Wide Web .......................................................................................................... 71

9.2 Ordering Documentation .............................................................................................. 71

9.3 Documentation Feedback.............................................................................................. 71

10 Obtaining Technical Assistance ............................................................................................ 72

Page 4 of 72

List of Tables

Table 1: Acronyms .......................................................................................................................... 5

Table 2: Cisco Documentation....................................................................................................... 7

Table 3: Operational Environment Components ............................................................................ 9

Table 4: Excluded Functionality .................................................................................................. 10

Table 5: TOE External Identification .......................................................................................... 11

Table 6: Evaluated Software Images ........................................................................................... 13

Table 7: Auditable Events ............................................................................................................. 46

Table 8 Auditable Administrative Events .................................................................................... 55

Table 8: Protocols and Services .................................................................................................... 63

Table 9: Operational Environment Security Measures ................................................................ 70

Page 5 of 72

List of Acronyms

The following acronyms and abbreviations are used in this document:

Table 1: Acronyms

Acronyms /

Abbreviations

Definition

AAA

Administration, Authorization, and Accounting

AES

Advanced Encryption Standard

ASR

Aggregation Services Router

EAL

Evaluation Assurance Level

FIPS

Federal Information Processing Standards

HTTPS

Hyper-Text Transport Protocol Secure

IP

Internet Protocol

NTP

Network Time Protocol

RADIUS

Remote Authentication Dial In User Service

SSHv2

Secure Shell (version 2)

TCP

Transport Control Protocol

TOE

Target of Evaluation

Page 6 of 72

DOCUMENT INTRODUCTION

Prepared By:

Cisco Systems, Inc.

170 West Tasman Dr.

San Jose, CA 95134

DOCUMENT INTRODUCTION

This document provides supporting evidence for an evaluation of a specific Target of Evaluation

(TOE), the Aggregation Services Router (ASR) 1000 Series (ASR). This Operational User

Guidance with Preparative Procedures addresses the administration of the TOE software and

hardware and describes how to install, configure, and maintain the TOE in the Common Criteria

evaluated configuration. Administrators of the TOE will be referred to as administrators,

authorized administrators, TOE administrators, semi-privileged administrators, and privileged

administrators in this document.

Page 7 of 72

1 Introduction

This Operational User Guidance with Preparative Procedures documents the administration of

the Aggregation Services Router (ASR) 1000 Series (ASR), the TOE, as it was certified under

Common Criteria. The Aggregation Services Router (ASR) 1000 Series (ASR ) may be

referenced below as the model number series ex. ASR 1000, TOE, or simply router.

1.1 Audience

This document is written for administrators configuring the TOE. This document assumes that

you are familiar with the basic concepts and terminologies used in internetworking, and

understand your network topology and the protocols that the devices in your network can use,

that you are a trusted individual, and that you are trained to use the operating systems on which

you are running your network.

1.2 Purpose

This document is the Operational User Guidance with Preparative Procedures for the Common

Criteria evaluation. It was written to highlight the specific TOE configuration and administrator

functions and interfaces that are necessary to configure and maintain the TOE in the evaluated

configuration. This document is not meant to detail specific actions performed by the

administrator but rather is a road map for identifying the appropriate locations within Cisco

documentation to get the specific details for configuring and maintaining ASR operations. All

security relevant commands to manage the TSF data are provided within this documentation

within each functional section.

1.3 Document References

This document makes reference to several Cisco Systems documents. The documents used are

shown below in Table 2. Throughout this document, the guides will be referred to by the “#”,

such as [1].

Table 2: Cisco Documentation

#

Title

Link

[1]

Loading and Managing System Images

Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-

mgmt/configuration/xe-16/sysimgmgmt-xe-16-book.html

[2]

Cisco ASR 1000 Series Router

Hardware Installation Guide, July

2013, OL-13208-11

http://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/asr

1routers/asr1higV8.html

[3]

Configuration Fundamentals

Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/fundamentals/configuration/xe-16/fundamentals-xe-16-

book.html

Page 8 of 72

#

Title

Link

[4]

Using Setup Mode to Configure a

Cisco Networking Device

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guid

e/cf_setup.html

[6]

Cisco ASR 1000 Series Aggregation

Services Routers SIP and SPA

Software Configuration Guide

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/shared_port_

adapters/configuration/ASR1000/asr1000-sip-spa-book.html

[8]

Cisco ASR 1000 Series Aggregation

Services Routers Software

Configuration Guide

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/

chassis/asrswcfg.html

[10]

Cisco IOS Security Command

Reference

http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/refer

ence/cf_book.html

[15]

Basic System Management

Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/bsm/configuration/xe-16/bsm-xe-16-book.html

[17]

RADIUS Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/sec_usr_rad/configuration/xe-16/sec-usr-rad-xe-16-book.html

[18]

FlexVPN and Internet Key Exchange

Version 2 Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/sec_conn_ike2vpn/configuration/xe-16/sec-flex-vpn-xe-16-

book.html

[19]

Authentication, Authorization, and

Accounting Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/sec_usr_aaa/configuration/xe-16/sec-usr-aaa-xe-16-book.html

[20]

Cisco ASR 1001-X Router Hardware

Installation Guide

http://www.cisco.com/c/en/us/td/docs/routers/asr1000/install/guide/100

1-x/asr1hig-book.html

[21]

IP Addressing: NAT Configuration

Guide

http://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book.html

[22]

Public Key Infrastructure

Configuration Guide

http://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/sec_conn_pki/configuration/xe-16/sec-pki-xe-16-book.html

[23]

IPsec Data Plane Configuration Guide

https://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/sec_data_acl/configuration/xe-16/sec-data-acl-xe-16-book.html

[24]

MACSEC and MKA Configuration

Guide

http://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/macsec/configuration/xe-16/macsec-xe-16-book.html

Page 9 of 72

1.4 Supported Hardware and Software

Only the hardware and software listed in section 1.5 of the Security Target (ST) is compliant

with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the

secure configuration. Likewise, using any software version other than the evaluated software

listed in the ST will invalidate the secure configuration. The TOE is a hardware and software

solution that makes up the router models as follows: Chassis: ASR 1001, ASR 1001X, ASR

1002, ASR 1002X, ASR 1004, ASR 1006, ASR 1013; Embedded Services Processors (ESPr):

ESPr5, ESPr10, ESPr20, ESPr40, ESPr100, ESPr200; Route Processor (RP): RP1, RP2. The

network, on which they reside, is considered part of the environment. The software comes pre-

installed and is comprised of the Cisco IOS-XE software image Release 16.3.2.

1.5 Operational Environment

1.5.1 Supported non-TOE Hardware/Software/Firmware

The TOE supports (in some cases optionally) the following hardware, software, and firmware in

its environment:

Table 3: Operational Environment Components

Component

Required

Usage/Purpose Description for TOE performance

RADIUS AAA

Server

No

This includes any IT environment RADIUS AAA server that provides single-use

authentication mechanisms. This can be any RADIUS AAA server that provides

single-use authentication. The TOE correctly leverages the services provided by

this RADIUS AAA server to provide single-use authentication to administrators.

Management

Workstation

with SSH client

Yes

This includes any IT Environment Management workstation with a SSH client

installed that is used by the TOE administrator to support TOE administration

through SSH protected channels. Any SSH client that supports SSHv2 may be

used.

Local Console

Yes

This includes any IT Environment Console that is directly connected to the TOE

via the Serial Console Port and is used by the TOE administrator to support TOE

administration.

Certification

Authority (CA)

Yes

This includes any IT Environment Certification Authority on the TOE network.

This can be used to provide the TOE with a valid certificate during certificate

enrollment.

Remote VPN

Gateway/Peer

Yes

This includes any VPN peer with which the TOE participates in VPN

communications. Remote VPN Endpoints may be any device that supports IPsec

VPN communications.

Page 10 of 72

Component

Required

Usage/Purpose Description for TOE performance

NTP Server

No

The TOE supports communications with an NTP server in order to synchronize

the date and time on the TOE with the NTP server’s date and time. A solution

must be used that supports secure communications with up to a 32 character key.

Audit (syslog)

Server

Yes

This includes any syslog server to which the TOE would transmit syslog

messages.

Another

instance of the

TOE

No

Includes “another instance of the TOE” that would be installed in the evaluated

configuration, and likely administered by the same personnel. Used as a VPN

peer.

1.6 Excluded Functionality

Table 4: Excluded Functionality

Excluded Functionality

Exclusion Rationale

Non-FIPS 140-2 mode of operation on the

router.

This mode of operation includes non-FIPS

allowed operations.

These services will be disabled by configuration. The exclusion of this functionality does not

affect compliance to the U.S. Government Protection Profile for Security Requirements for

Network Devices.

Page 11 of 72

2 Secure Acceptance of the TOE

In order to ensure the correct TOE is received, the TOE should be examined to ensure that that is

has not been tampered with during delivery.

Verify that the TOE software and hardware were not tampered with during delivery by

performing the following actions:

Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered

in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs.

If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco

distributor/partner).

Step 2 Verify that the packaging has not obviously been opened and resealed by examining the

tape that seals the package. If the package appears to have been resealed, contact the supplier of

the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded

label applied to the external cardboard box. If it does not, contact the supplier of the equipment

(Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco

product number, serial number, and other information regarding the contents of the box.

Step 4 Note the serial number of the TOE on the shipping documentation. The serial number

displayed on the white label affixed to the outer box will be that of the device. Verify the serial

number on the shipping documentation matches the serial number on the separately mailed

invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or

an authorized Cisco distributor/partner).

Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment

(Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with

the supplier that they shipped the box with the courier company that delivered the box and that

the consignment note number for the shipment matches that used on the delivery. Also verify

that the serial numbers of the items shipped match the serial numbers of the items delivered. This

verification should be performed by some mechanism that was not involved in the actual

equipment delivery, for example, phone/FAX or other online tracking service.

Step 6 Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on

the unit itself matches the serial number on the shipping documentation and the invoice. If it

does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco

distributor/partner). Also verify that the unit has the following external identification as

described in Table 5 below.

Table 5: TOE External Identification

Product Name

Model Number

External Identification

ASR Series

1001X

CISCO 1001X

1001HX

CISCO 1001HX

1002X

CISCO 1002X

1002HX

CISCO 1002HX

1004

CISCO 1004

Page 12 of 72

Product Name

Model Number

External Identification

1006

CISCO 1006

1006X

CISCO 1006X

1009X

CISCO 1009X

1013

CISCO 1013

Step 7 Approved methods for obtaining a Common Criteria evaluated software images:

 Download the Common Criteria evaluated software image file from Cisco.com onto a

trusted computer system. Software images are available from Cisco.com at the

following: http://www.cisco.com/cisco/software/navigator.html.

 The TOE ships with the correct software images installed.

Step 8 Once the file is downloaded, verify that it was not tampered with by using an SHA-1

utility to compute a SHA-1 hash for the downloaded file and comparing this with the SHA-1

hash for the image listed in Table 6 below. If the SHA-1 hashes do not match, contact Cisco

Technical Assistance Center (TAC)

https://tools.cisco.com/ServiceRequestTool/create/launch.do.

Step 9 Install the downloaded and verified software image onto your ASR as described in [1]

Under Configure  Click on Configuration Guides  System Management  Click on

Loading and Managing System Images Configuration Guide.

Start your ASR as described in [2] and [20] Cisco ASR 1000 Series Routers Power Up and

Initial Configuration  “Powering Up the Cisco ASR 1000 Series Routers.” Confirm that your

ASR loads the image correctly, completes internal self-checks and displays the cryptographic

export warning on the console.

Step 10 The end-user must confirm once the TOE has booted that they are indeed running the

evaluated version. Use the “show version” command [3] to display the currently running system

image filename and the system software release version. An authorized administrator can verify

the TOE software image through reloading of the TOE or via the ‘verify’ command. See Table 6

below for the detailed hash value that must be checked to ensure the software has not been

modified in any way.

Page 13 of 72

Table 6: Evaluated Software Images

Page 14 of 72

Platform

Image Name

Hash

ASR 1001X

asr1001x-universalk9.16.03.02.SPA.bin

MD5: fa13528532ea51d5f242ecafe200d118

SHA-512:

247cdad2a7bc31940f30379999aab3c225748154ed0881

273f3ec6dbef3cd5aa36501670022d6941b6525e44d946

25a2a714f05a5c56b23b1e0417d935a20c43

ASR 1001HX

asr1000-universalk9.16.03.02.SPA.bin

MD5: 785b1f2089e8b93dcc5db4120c981e66

SHA-512:

fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19

769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51

a9ff8c756758446f0938ae4f837240c2

ASR 1002X

asr1002x-universalk9.16.03.02.SPA.bin

MD5: 8fca93734b7882cf8a4cf05a783c970a

SHA-512:

1fbd63a356bd7b43cb3f11877e97e882cff78c999b57688

ba044fdf4d70ccc0140a5881dc7591dee0a4595e10120c7

d10518f7040fbfeeff8ef2ee6167bcb20c

ASR 1002HX

asr1000-universalk9.16.03.02.SPA.bin

MD5: 785b1f2089e8b93dcc5db4120c981e66

SHA-512:

fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19

769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51

a9ff8c756758446f0938ae4f837240c2

ASR 1004

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287

SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10

8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99

21e59866ecf38c5a33d801c11c59367093

ASR 1006

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287

SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10

8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99

21e59866ecf38c5a33d801c11c59367093

ASR 1006X

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287

SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10

8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99

21e59866ecf38c5a33d801c11c59367093

Page 15 of 72

ASR 1009X

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287

SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10

8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99

21e59866ecf38c5a33d801c11c59367093

ASR 1013

asr1000rpx86-universalk9.16.03.02.SPA.bin

MD5: d612372c7dca15859f065c98ef1a3287

SHA-512:

69af51342e562cbd874ec65895c8d9082f514169806ef10

8f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c99

21e59866ecf38c5a33d801c11c59367093

Page 16 of 72

3 Secure Installation and Configuration

3.1 Physical Installation

Follow the Cisco ASR 1000 Series Router Hardware Installation Guide, [2] and [20] for

hardware installation instructions.

3.2 Initial Setup via Direct Console Connection

The ASR must be given basic configuration via console connection prior to being connected to

any network.

3.2.1 Options to be chosen during the initial setup of the ASR

When you run the “setup” command, or after initially turning on the router you are free to choose

answers that fit your policies with the exception of the following values.

1 – Enable Secret – Must adhere to the password complexity requirements. Note that this setting

can be confirmed after “setup” is complete by examining the configuration file for “enable secret

5 …” [4] Under Configure  Click on Configuration Guides  System Management  Click

on Using Setup Mode to Configure a Cisco Networking Device  Click on subsection “Using

the System Configuration Dialog to Create an Initial Configuration File”

2 – Enable Password - Must adhere to the password complexity requirements. Note that this must

be set to something different than the enable secret during “setup”, however after setup this will

not be used within the evaluated configuration. [10] Under Reference Guides  Command

References  Security and VPN  See manual Cisco IOS Security Command Reference:

Commands D to L.

3 – Virtual Terminal Password - Must adhere to the password complexity requirements. Note

that securing the virtual terminal (or vty) lines with a password in the evaluated configuration is

suggested. This password allows access to the device through only the console port. Later in this

guide steps will be given to allow ssh into the vty lines. [4] Under Configure  Click on

Configuration Guides  System Management  Click on Using Setup Mode to Configure a

Cisco Networking Device  Click on subsection “Using the System Configuration Dialog to

Create an Initial Configuration File”

4 – Configure SNMP Network Management – NO (this is the default). Note that this setting can

be confirmed after “setup” is complete by examining the configuration file to ensure that there is

no “snmp-server” entry. [4] Under Configure Click on Configuration Guides System

Management Click on Using Setup Mode to Configure a Cisco Networking Device Click on

subsection “Using the System Configuration Dialog to Create an Initial Configuration File”

3.2.2 Saving Configuration

IOS uses both a running configuration and a starting configuration. Configuration changes affect

the running configuration, in order to save that configuration the running configuration (held in

memory) must be copied to the startup configuration. This may be achieved by either using the

write memory command [3] or the copy system:running-config nvram:startup-config

command [3] under section “C commands” (Note: A short hand version of the command is copy

run start). These commands should be used frequently when making changes to the

Page 17 of 72

configuration of the Router. If the Router reboots and resumes operation when uncommitted

changes have been made, these changes will be lost and the Router will revert to the last

configuration saved.

3.2.3 Enabling FIPS Mode

The TOE must be run in the FIPS mode of operation. The use of the cryptographic engine in any

other mode was not evaluated nor tested during the CC evaluation of the TOE. This is done by

setting the following in the configuration:

The value of the boot field must be 0x0102. This setting disables break from the console to the

ROM monitor and automatically boots the IOS image. From the ROMMON command line enter

the following:

confreg 0x0102 [3] under section “C commands”

The self-tests for the cryptographic functions in the TOE are run automatically during power-on

as part of the POST. The same POST self-tests for the cryptographic operations can also be

executed manually at any time by the privileged administrator using the command:

test crypto self-test [10] Cisco IOS Security Command Reference: Commands S to Z

3.2.4 Administrator Configuration and Credentials

The ASR must be configured to use a username and password for each administrator and one

password for the enable command. Ensure all passwords are stored encrypted by using the

following command:

service password-encryption [10] Cisco IOS Security Command Reference: Commands

S to Z

Configures local AAA authentication:

aaa authentication login default local [10] Cisco IOS Security Command Reference:

Commands A to C

aaa authorization exec default local [10] Cisco IOS Security Command Reference:

Commands A to C

When creating administrator accounts, all individual accounts are to be set to a privilege level of

one. This is done by using the following commands:

username <name> password <password> [10] Cisco IOS Security Command

Reference: Commands S to Z

to create a new username and password combination, and

username <name> privilege 1 [10] Cisco IOS Security Command Reference:

Commands S to Z

to set the privilege level of <name> to 1.

3.2.5 Session Termination

Inactivity settings must trigger termination of the administrator session. These settings are

configurable by setting

Page 18 of 72

line vty <first> <last> [2] and [20] under section “Configuring Virtual Terminal Lines

for Remote Console Access”

exec-timeout <time> [10] >System Management > Cisco IOS Configuration

Fundamentals Command Reference, section D through E

line console [19] under section “Configuring Line Password Protection”

exec-timeout <time>

To save these configuration settings to the startup configuration:

copy run start [3] under section “C commands”

where first and last are the range of vty lines on the box (i.e. “0 4”), and time is the period of

inactivity after which the session should be terminated. Configuration of these settings is limited

to the privileged administrator (see Section 4.1). These settings are not immediately activated

for the current session. The current line console session must be exited. When the user logs

back in, the inactivity timer will be activated for the new session.

3.2.6 User Lockout

User accounts must be configured to lockout after a specified number of authentication failures

TOE-common-criteria(config)# aaa local authentication attempts max-fail [number of

failures]

where number of failures is the number of consecutive failures that will trigger locking of the

account. Configuration of these settings is limited to the privileged administrator (see Section

4.1).

Related commands:

clear aaa local user fail-attempts

Clears the unsuccessful login

attempts of the user.

clear aaa local user lockout

username [username]

Unlocks the locked-out user.

show aaa local user lockout

Displays a list of all locked-out

users.

Note: this lockout only applies to privilege 14 users and below.

Note: this applies to consecutive failures, and is not affected by the SSH or Telnet session

disconnections after their default number of failures. In other words, if this lockout command is

set to 5 failures, and SSH disconnects after 3 failed attempts, if the user attempts another SSH

session and enters the wrong credentials two additional times, the account will lock.

Page 19 of 72

3.3 Network Protocols and Cryptographic Settings

3.3.1 Remote Administration Protocols

All TOE administration must be performed through an IPsec tunnel. However, it is

recommended that the interactive interface be over SSH. The following method is used to

configure SSH for use in a secure manner.

To only allow ssh for remote administrator sessions, use the transport input ssh command.

This command disables telnet by only allowing ssh connections for remote administrator access.

3.3.1.1 Steps to configure SSH on router: [10] Cisco IOS Security Command Reference

Guides

1. Generate RSA or ECDSA key material– choose a longer modulus length for the

evaluated configuration (i.e., 2048 for RSA and 256 or 384 for ECDSA):

TOE-common-criteria(config)# crypto key generate rsa

How many bits in the modulus [512]: 2048

or

TOE-common-criteria(config)# crypto key generate ec keysize [256 or 384]

RSA and ECDSA keys are generated in pairs—one public key and one private key. This

command is not saved in the router configuration; however, the keys generated by this

command are saved in the private configuration in NVRAM (which is never displayed to

the user or backed up to another device) the next time the configuration is written to

NVRAM.

Note: Only one set of keys can be configured using the crypto key generate command at

a time. Repeating the command overwrites the old keys.

Note: If the configuration is not saved to NVRAM with a “copy run start”, the generated

keys are lost on the next reload of the router.

Note: If the error “% Please define a domain-name first” is received, enter the command

‘ip domain-name [domain name]’.

Note: to delete a key, an administrator may use the crypto key zeroize <label> command.

2. Enable ssh

TOE-common-criteria# ip ssh authentication-retries 2

3. Configure –ssh timeout

TOE-common-criteria# ip ssh time-out 60

4. Set to use SSH v2

TOE-common-criteria# ip ssh version 2

5. Ensure that the product is configured not to support diffie-hellman-group1-sha1 key

exchange using the following command ‘ip ssh dh min size 2048’:

TOE-common-criteria(config)# ip ssh dh min size 2048

Page 20 of 72

6. Configure vty lines to accept ‘ssh’ login services

TOE-common-criteria(config-line)# transport input ssh

7. Configure a SSH client to support only the following specific encryption algorithms:

o AES-CBC-128

o AES-CBC-256

peer#ssh -l cisco -c aes128-cbc 1.1.1.1

peer#ssh -l cisco -c aes256-cbc 1.1.1.1

8. Configure a SSH client to support message authentication. Only the following MACs are

allowed and “None” for MAC is not allowed:

a. hmac-sha1-96

b. hmac-sha1

peer#ssh -l cisco -m hmac-sha1-96 1.1.1.1

9. Configure the SSH rekey time-based rekey and volume-based rekey values (values can be

configured to be lower than the default values if a shorter interval is desired):

a. ip ssh rekey time 60

b. ip ssh rekey volume 1000000

 HTTP and HTTPS servers were not evaluated and must be disabled: no ip http server

no ip http secure-server

 SNMP server was not evaluated and must be disabled: no snmp-server

3.3.2 Authentication Server Protocols

 RADIUS (outbound) for authentication of TOE administrators to remote authentication

servers are disabled by default but should be enabled by administrators in the evaluated

configuration.

o To configure RADIUS refer to [17] Under Configure  Click on Configuration

Guides  Security, Services, and VPN  Click on Securing User Services

Configuration Guide Library  click on Authentication, Authorization, and

Accounting (AAA) Configuration Guide Configuring Authentication  How to

Configure AAA Authentication Methods  Configuring Login Authentication

Using AAA  Login Authentication Using Group RADIUS. Use best practices

for the selection and protection of a key to ensure that the key is not easily

guessable and is not shared with unauthorized users.

This protocol is to be tunneled over an IPsec connection in the evaluated configuration. The

instructions for setting up this communication are the same as those for protecting

communications with a syslog server, detailed in Section 3.3.4 below.

3.3.3 Logging Configuration

Logging of command execution must be enabled: [10] Cisco IOS Configuration Fundamentals

Command Reference and Cisco IOS Debug Command References

Page is loading ...

Cisco ASR 1002 Common Criteria Operational User Guidance And Preparative Procedures

Cisco ASR 1002 Common Criteria Operational User Guidance And Preparative Procedures

Related papers

Other documents