© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Cisco Aggregation Services Router 9000
CC Configuration Guide
Version 1.0
April 2018
Table of Contents
1 Introduction .... 6
    Audience .... 6
    Purpose .... 6
    Document References .... 6
    Supported Hardware and Software .... 7
    Operational Environment .... 7
        Supported non-TOE Hardware/ Software/ Firmware .... 7
    Excluded Functionality .... 8
2 Secure Acceptance of the TOE .... 9
3 Secure Installation and Configuration .... 12
    Physical Installation .... 12
    Initial Setup via Direct Console Connection .... 12
        Administrator Configuration and Credentials .... 12
        Saving Configuration .... 13
        Enabling FIPS Mode .... 13
        Session Termination .... 14
        User Lockout .... 14
    Network Protocols and Cryptographic Settings .... 15
        Remote Administration Protocols .... 15
        Logging Configuration .... 16
        Logging Protection .... 17
        Non-Approved Algorithms and Protocols .... 17
4 Secure Management .... 18
    User Roles .... 18
    Passwords .... 20
    Clock Management .... 20
    Login Banners .... 21
    Product Updates .... 21
5 Security Relevant Events .... 21
    Deleting Audit Records .... 22
    Audit Records Description .... 22
    Deleting Audit Records .... 29
6 MACsec Configuration .... 30
7 Network Services and Protocols .... 31
8 Modes of Operation .... 34
9 Security Measures for the Operational Environment .... 36
10 Related Documentation .... 37
    World Wide Web .... 37
    Ordering Documentation .... 37
    Documentation Feedback .... 37
11 Obtaining Technical Assistance .... 38
List of Tables
Table 1: Acronyms .... 4
Table 2 Cisco Documentation and CI List .... 6
Table 3: Operational Environment Components .... 7
Table 4 Excluded Functionality .... 8
Table 5 TOE External Identification .... 9
Table 6 Evaluated Software Images .... 11
Table 7 Predefined User and Task Groups .... 19
Table 8 Task ID Classes .... 19
Table 9: Auditable Events (IOS-XR) .... 23
Table 10 Protocols and Services .... 31
Table 11 Operational Environment Security Measures .... 36
List of Acronyms
The following acronyms and abbreviations are used in this document:
Table 1: Acronyms
Acronyms / Abbreviations    Definition
AAA Administration, Authorization, and Accounting
AES Advanced Encryption Standard
CI Configuration Item
FIPS Federal Information Processing Standards
EAL Evaluation Assurance Level
HTTPS Hyper-Text Transport Protocol Secure
IP Internet Protocol
NTP Network Time Protocol
RADIUS Remote Authentication Dial In User Service
SFP Security Function Policy
SSHv2 Secure Shell (version 2)
TACACS+ Terminal Access Controller Access-Control System Plus
TCP Transport Control Protocol
TOE Target of Evaluation
DOCUMENT INTRODUCTION
Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134
This document provides supporting evidence for an evaluation of a specific Target of Evaluation
(TOE), the Aggregation Services Router 9000 (ASR 9k). This Operational User Guidance with
Preparative Procedures addresses the administration of the TOE software and hardware and
describes how to install, configure, and maintain the TOE in the Common Criteria evaluated
configuration. Administrators of the TOE will be referred to as administrators, authorized
administrators, TOE administrators, semi-privileged administrators, and privileged
administrators in this document. All administrative actions that are relevant to the Common
Criteria (CC) Evaluation and claimed Protection Profile(s) are described within this document.
This document will include pointers to the official Cisco documentation in order to aid the
administrator in easily identifying the CC relevant administrative commands, including
subcommands, scripts (if relevant), and configuration files, that are related to the configuration
(including enabling or disabling) of the mechanisms implemented in ASR 9k that are necessary
to enforce the requirements specified in the claimed PP(s).
1 Introduction
This Operational User Guidance with Preparative Procedures documents the administration of
the Aggregation Services Router 9000 (ASR 9k), the TOE, as it was certified under Common
Criteria. The Aggregation Services Router 9000 (ASR 9k) may be referred to below by the
model-series acronym (e.g. ASR 9k), as the TOE, or simply as the router.
Audience
This document is written for administrators configuring the TOE. This document assumes that
you are familiar with the basic concepts and terminologies used in internetworking, and
understand your network topology and the protocols that the devices in your network can use,
that you are a trusted individual, and that you are trained to use the operating systems on which
you are running your network.
Purpose
This document is the Operational User Guidance with Preparative Procedures for the Common
Criteria evaluation. It was written to highlight the specific TOE configuration and administrator
functions and interfaces that are necessary to configure and maintain the TOE in the evaluated
configuration. This document is not meant to detail specific actions performed by the
administrator but rather is a road map for identifying the appropriate locations within Cisco
documentation to get the specific details for configuring and maintaining ASR 9k operations.
All security relevant commands to manage the TSF data are provided within this documentation
within each functional section.
Document References
This section lists the Cisco Systems documentation that is also the Common Criteria
Configuration Item (CI) List. The documents used are shown below in Table 2. Throughout this
document, the guides will be referred to by their “#”, such as [1].
Table 2 Cisco Documentation and CI List
# | Title | Link
[1] | Cisco ASR 9000 Series Aggregation Services Routers Hardware Installation Guide | http://www.cisco.com/c/en/us/td/docs/iosxr/asr9000/hardware-install/hig/b-asr9k-hardware-installation-guide.html
[2] | Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 6.1x | https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/security/command/reference/b-syssec-cr-asr9k-61x/b-syssec-cr-asr9k-61x_chapter_01011.html
[3] | Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide, Release 6.1.x | http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/sysman/configuration/guide/b-sysman-cg-asr9k-61x.html
[4] | Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 6.1.x | http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/security/command/reference/b-syssec-cr-asr9k-61x.html
[5] | Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide | http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/getting_started/configuration/guide/asr9k.html
[6] | Cisco ASR 9000 Series Aggregation Services Router Ethernet Line Card Installation Guide | http://www.cisco.com/c/en/us/td/docs/iosxr/asr9000/hardware-install/ethernet-line-card-installation-guide/b-asr9k-ethernt-line-card-install-guide/b-asr9k-ethernt-line-card-install-guide_chapter_010.html?bookSearch=true
[7] | Converting Cisco IOS Configurations to Cisco IOS XR Configurations Guide | http://www.cisco.com/c/en/us/td/docs/ios_xr_sw/iosxr_r3-2/conversion/reference/guide/cnvt32/cn32main.pdf
[8] | Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference, Release 6.1.x | http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/sysman/command/reference/b-sysman-cr-asr9k-61x/b-sysman-cr-asr9k-61x_preface_00.html
[9] | ASR 9k CC Configuration Guide version .01 | Not Applicable
[10] | ASR 9k Security Target, version 1.0 | Not Applicable
Supported Hardware and Software
Only the hardware and software listed in section 1.5 of the Security Target (ST) is compliant
with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the
secure configuration. Likewise, using any software version other than the evaluated software
listed in the ST will invalidate the secure configuration. The TOE is a hardware and software
solution comprising the following router models: 9010, 9006, 9922, 9912, 9910, 9904. The
network on which they reside is considered part of the environment. The software is the
Cisco IOS-XR software image, Release IOS-XR 6.2.1.
Operational Environment
Supported non-TOE Hardware/ Software/ Firmware
The TOE supports (in some cases optionally) the following hardware, software, and firmware in
its environment:
Table 3: Operational Environment Components
Component | Required | Usage/Purpose Description for TOE performance
Management Workstation with SSH Client | Yes | This includes any Operational Environment Management workstation with an SSH client installed that is used by the TOE administrator to support TOE administration through SSH protected channels. Any SSH client that supports SSHv2 may be used.
Local Console | No | This includes any IT Environment Console that is directly connected to the TOE via the Serial Console Port and is used by the TOE administrator to support TOE administration.
NTP Server | No | The TOE supports communications with an NTP server.
Syslog Server | Yes | This includes any syslog server to which the TOE would transmit syslog messages.
Excluded Functionality
Table 4 Excluded Functionality
Excluded Functionality | Exclusion Rationale
Non-FIPS 140-2 mode of operation on the router. | This mode of operation includes non-FIPS allowed operations.
Telnet for management purposes. | Telnet passes authentication credentials in clear text. SSHv2 is to be used instead.
These services will be disabled by configuration. The exclusion of this functionality does not
affect compliance to the claimed security functions.
2 Secure Acceptance of the TOE
In order to ensure the correct TOE is received, the TOE should be examined to ensure that it
has not been tampered with during delivery.
Verify that the TOE software and hardware were not tampered with during delivery by
performing the following actions:
Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered
in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs.
If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco
distributor/partner).
Step 2 Verify that the packaging has not obviously been opened and resealed by examining the
tape that seals the package. If the package appears to have been resealed, contact the supplier of
the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded
label applied to the external cardboard box. If it does not, contact the supplier of the equipment
(Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco
product number, serial number, and other information regarding the contents of the box.
Step 4 Note the serial number of the TOE on the shipping documentation. The serial number
displayed on the white label affixed to the outer box will be that of the device. Verify the serial
number on the shipping documentation matches the serial number on the separately mailed
invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or
an authorized Cisco distributor/partner).
Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment
(Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with
the supplier that they shipped the box with the courier company that delivered the box and that
the consignment note number for the shipment matches that used on the delivery. Also verify
that the serial numbers of the items shipped match the serial numbers of the items delivered. This
verification should be performed by some mechanism that was not involved in the actual
equipment delivery, for example, phone/FAX or other online tracking service.
Step 6 Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on
the unit itself matches the serial number on the shipping documentation and the invoice. If it
does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco
distributor/partner). Also verify that the unit has the following external identification as
described in Table 5 below.
Table 5 TOE External Identification
Product Name | Model Number | External Identification
ASR 9k Series | 9010 | Cisco 9010
ASR 9k Series | 9006 | Cisco 9006
ASR 9k Series | 9922 | Cisco 9922
ASR 9k Series | 9912 | Cisco 9912
ASR 9k Series | 9910 | Cisco 9910
ASR 9k Series | 9904 | Cisco 9904
Step 7 Approved method for obtaining a Common Criteria evaluated software image: download
the Common Criteria evaluated software image file from Cisco.com onto a trusted computer
system. Software images are available from Cisco.com at the following:
http://www.cisco.com/cisco/software/navigator.html.
Step 8 Once the file is downloaded, the authorized administrator verifies that it was not tampered
with prior to moving it to the TOE by using a SHA-256 utility to compute the SHA-256 hash of
the downloaded file and comparing it with the SHA-256 hash for the image listed in Table 6
below.
Step 9 The software image has been digitally signed and image verification is done on the box
with a SHA-1 hash. Once the image is loaded into flash, to display information related to
software authenticity for a specific image file, use the sam verify command in privileged EXEC
mode. Go to [2] Cisco ASR 9000 Series Aggregation Services Router System Security Command
Reference section “Software Authentication Manager Commands.” The sam verify command
allows you to display the hash value of the software component.
RP/0/RSP0/CPU0:router# sam verify {location | file-system } {SHA}
sam verify disk0: SHA
See Table 6 below for the hash value that must be checked to ensure the software has not been
modified in any way.
If the SHA hashes do not match, contact Cisco Technical Assistance Center (TAC)
https://tools.cisco.com/ServiceRequestTool/create/launch.do.
Step 10 Install the downloaded and verified software image onto your ASR 9k as described in
[3] Cisco ASR 9000 Series Aggregation Services Router System Management Configuration
Guide, Release 6.1.x, section "Overview of Cisco IOS-XR Software Packages".
Verify Package Details
Before you activate a package on the router, you can verify the type of upgrade that is required
for the package and whether the package requires a router reload or not. Use the show install
package pie detail command in admin mode.
RP/0/RSP0/CPU0:router(admin)# show install package disk0:asr9k-px-4.x.x.04I.CSCuc66088-0.0.4.i detail
Activating Packages
Software packages remain inactive until activated with the install activate command. To activate
a package on your router, use the install activate command in administration EXEC mode.
Once the packages have been activated verify that they are installed correctly, using the show
install active command.
RP/0/RSP0/CPU0:router(admin)# show install active
Commit the Active Software
The active software has to be committed in order for it to be persistent across reloads. When a
package is activated on the router, it becomes part of the current running configuration. To
commit the active packages, enter the install commit command in administration EXEC mode.
Step 11 The end-user must confirm once the TOE has booted that they are indeed running the
evaluated version. Use the show install active [3] command to display the currently running
system image filename and the system software release version.
When image credentials and hash are matched, the router reboots. If image validation is
unsuccessful, the boot process is interrupted, and the router enters the ROMMON CLI mode.
To verify the hash, run the following command on the TOE:
sam verify <path to install image> SHA256 <published hash value>
e.g. sam verify asr9k-mini-px.vm-6.2.1 SHA256 34e4d9c41ced6c2e4e004af4aa3c7774b4213774c9e45143d1102ce84d87764c
Table 6 Evaluated Software Images
Software Version | Image Name | SHA-256 hash
IOS-XR 6.2.1 | asr9k-mini-px.vm-6.2.1 | 34e4d9c41ced6c2e4e004af4aa3c7774b4213774c9e45143d1102ce84d87764c
IOS-XR 6.2.1 | asr9k-k9sec-px.pie-6.2.1 | baf400c5a120efde694aea7d98ce1c75ac511dcbf737053663d01b8e5ee192c9
IOS-XR 6.2.1 | asr9k-px-6.2.1.CSCvd61721-1.0.0.pie | ec926544c809a508c03bcf98f856b96875cdc418ef896a1467547dabc640e9a6
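As an added illustration of Step 8 (this script is not part of Cisco's guide and is not the on-box sam verify utility), the following Python checks a downloaded image on the trusted workstation against the SHA-256 values published in Table 6. The image names and hashes are copied from Table 6; the function names are my own, and an image whose file name is not in the table is reported separately rather than accepted.

```python
"""Check a downloaded IOS-XR image against the SHA-256 values in Table 6
before the file is moved to the TOE (Step 8 of Secure Acceptance)."""
import hashlib
import hmac
from pathlib import Path
from typing import Dict

# Published SHA-256 values for the evaluated images (Table 6, IOS-XR 6.2.1).
EVALUATED_IMAGES: Dict[str, str] = {
    "asr9k-mini-px.vm-6.2.1":
        "34e4d9c41ced6c2e4e004af4aa3c7774b4213774c9e45143d1102ce84d87764c",
    "asr9k-k9sec-px.pie-6.2.1":
        "baf400c5a120efde694aea7d98ce1c75ac511dcbf737053663d01b8e5ee192c9",
    "asr9k-px-6.2.1.CSCvd61721-1.0.0.pie":
        "ec926544c809a508c03bcf98f856b96875cdc418ef896a1467547dabc640e9a6",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a large image through SHA-256 without loading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_image(image_name: str, actual_hex: str,
                expected: Dict[str, str] = EVALUATED_IMAGES) -> str:
    """Return 'ok', 'mismatch' or 'unknown-image' for a computed digest.

    A file name absent from the table is reported on its own, so a renamed or
    unevaluated image is never silently accepted. Both digests are normalised
    to lowercase and compared with compare_digest (constant time)."""
    if image_name not in expected:
        return "unknown-image"
    published = expected[image_name].strip().lower()
    if hmac.compare_digest(actual_hex.strip().lower(), published):
        return "ok"
    return "mismatch"


def verify_downloaded_image(path: str,
                            expected: Dict[str, str] = EVALUATED_IMAGES) -> str:
    """Hash the file on disk and compare it with the value published for its name."""
    return check_image(Path(path).name, sha256_of_file(path), expected)


if __name__ == "__main__":
    import sys
    # Usage: python verify_image.py <downloaded image>; exits non-zero unless 'ok'
    verdict = verify_downloaded_image(sys.argv[1])
    print(f"{Path(sys.argv[1]).name}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```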
3 Secure Installation and Configuration
Physical Installation
Follow the Cisco ASR 9000 Series Aggregation Services Routers Hardware Installation Guide
[1] for hardware installation instructions.
Initial Setup via Direct Console Connection
The ASR 9k must be given basic configuration via console connection prior to being connected
to any network.
Once the software has been committed, an authorized administrator connects to the console
port. On first login the username and password for the root-system user will need to be
created. The following example shows the root-system username and password configuration
for a new router, and it shows the initial login:
RP/0/RSP0/CPU0: Enter root-system username: <username1>
RP/0/RSP0/CPU0: Enter secret:
RP/0/RSP0/CPU0: Enter secret again:
When creating the password, follow the guidance for a secure password in section 4.2.
Note: The secret line in the configuration command script shows that the password is hashed for
obfuscation. When you enter the password during configuration and login, the password is
hidden.
The root system user is the entity authorized to “own” the entire router chassis. The root system
user functions with the highest privileges over all router components and can monitor all secure
domain routers in the system. At least one root system user account must be created during
router setup. Multiple root system users can exist. See the Router System Security
Configuration Guide [3] and Getting Started Guide [5] for more information.
Administrator Configuration and Credentials
The ASR 9k must be configured to use a username and password for each administrator and one
password for the admin command. Ensure all passwords are stored encrypted by using the 7
option with the password command. See [2] Cisco ASR 9000 Series Aggregation Services
Router System Security Command Reference and [4] Cisco ASR 9000 Series Aggregation
Services Router System Security Configuration Guide, chapter "Configuring AAA Services",
section "Configuring Users".
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# username user1
RP/0/RSP0/CPU0:router(config-un)# password 7 K$e%y^&*()t@#!s
RP/0/RSP0/CPU0:router(config-un)# commit
RP/0/RSP0/CPU0:router(config-un)# show running-config
Configures local AAA authentication:
RP/0/RSP0/CPU0:router(config)# aaa authentication login default local
RP/0/RSP0/CPU0:router(config)# aaa authorization exec default local
Saving Configuration
IOS-XR uses both a running configuration and a startup configuration. Configuration changes
affect the running configuration; to save them, the running configuration (held in memory)
must be copied to the startup configuration. This may be achieved by using the copy run
command.
RP/0/RSP0/CPU0:router# copy run disk0:/config/running/alternate_cfg:/router.cfg
Destination file name (control-c to abort): [/router.cfg]?
The destination file already exists. Do you want to overwrite? [no]: yes
This command should be used frequently when making changes to the configuration of the
router. If the router reboots and resumes operation when uncommitted changes have been made,
these changes will be lost and the router will revert to the last configuration saved.
See the Aggregation Services Router Ethernet Line Card Installation Guide [6] for more details
on this command.
Enabling FIPS Mode
An authorized administrator must install and activate the asr9k-k9sec-px.pie file to configure
FIPS. An authorized administrator must be in a user group associated with a task group that
includes the proper task IDs. See section "Installing and Activating the PIE" in the Cisco ASR
9000 Series Aggregation Services Router System Security Configuration Guide, Release 6.1.x
[4]. Note: placing the ASR9k in FIPS-mode automatically configures the router for both the
Common Criteria and FIPS approved algorithms and key sizes.
The TOE must be run in the FIPS mode of operation to meet Common Criteria compliance. This
is configured as follows:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# crypto fips-mode
RP/0/RSP0/CPU0:router(config)# commit
RP/0/RSP0/CPU0:router# show logging
RP/0/RSP0/CPU0:router# admin
RP/0/RSP0/CPU0:router(admin)# reload location all
Configuring FIPS-compliant Keys
Generate RSA key material; choose a longer modulus length for more secure keys (e.g. 2048 for
RSA):
RP/0/RSP0/CPU0:router# crypto key generate rsa general-keys rsakeypair
How many bits in the modulus [512]: 2048
RP/0/RSP0/CPU0:router# show crypto key mypubkey rsa
RSA keys are generated in pairs—one public RSA key and one private RSA key. This command
is not saved in the router configuration; however, the RSA keys generated by this command are
saved in the private configuration in NVRAM (which is never displayed to the user or backed up
to another device) the next time the configuration is written to NVRAM.
Note: Only one set of keys can be configured using the crypto key generate command at a time.
Repeating the command overwrites the old keys.
Note: If the configuration is not saved to NVRAM with a “copy run start”, the generated keys
are lost on the next reload of the router.
Note: If the error “% Please define a domain-name first” is received, enter the command ‘ip
domain-name [domain name]’.
Configuring FIPS-compliant Key Chain
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# key chain mykeychain
RP/0/RSP0/CPU0:router(config-mykeychain)# key 1
RP/0/RSP0/CPU0:router(config-mykeychain-1)# cryptographic-algorithm HMAC-SHA1-20
RP/0/RSP0/CPU0:router(config-mykeychain-1)# commit
Self-tests
The self-tests for the cryptographic functions in the TOE are run automatically during power-on
as part of the POST.
If any of the self-tests fail, the TOE transitions into an error state. In the error state, all secure
data transmission is halted and the TOE outputs status information indicating the failure.
Session Termination
Inactivity settings must trigger termination of the administrator session. By default, console, vty,
and tty sessions disconnect after 10 minutes of inactivity. Administrators are advised to maintain
this value at 10 minutes or less but greater than zero. Note: A 0-minute value will prevent
sessions from terminating.
These settings are configurable as follows:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# line console
RP/0/RSP0/CPU0:router(config-line)# exec-timeout minutes seconds
For more information, see Cisco ASR 9000 Series Aggregation Services Router System
Management Command Reference, Release 6.1.x [2], Chapter "Terminal Services Commands",
section "exec-timeout". The line console setting is not immediately activated for the current
session. The current console session must be exited; when the user logs back in, the inactivity
timer is active for the new session. See Converting Cisco IOS Configurations to Cisco
IOS XR Configurations Guide [7].
User Lockout
User accounts must be configured to lock out after a specified number of authentication failures.
router(config)#aaa password-policy policy
router(config-pp)#authen-max-attempts ?
<1-24> Number of attempts, default is 0
router(config-pp)#lockout-time ?
days Number of days
hours Number of hours
minutes Number of minutes
seconds Number of seconds
Network Protocols and Cryptographic Settings
Remote Administration Protocols
Telnet for management purposes is not allowed in the evaluated configuration. The TOE, in FIPS
mode, is configured to only allow the permitted data integrity algorithms and cipher suites. No
configuration is required.
SSHv2 is used for monitoring and for command-line interface (CLI) access. The following steps
configure the TOE to use SSH for remote administration; for more details refer to chapter
"Implementing Secure Shell" of [4] Cisco ASR 9000 Series Aggregation Services Router
System Security Configuration Guide. When SSHv2 is configured using ssh server v2, only
SSHv2 client connections will be accepted.
RP/0/RSP0/CPU0:ASR9K#crypto key gen rsa
The name for the keys will be: the_default
Only 2048 bit modulus allowed while in FIPS mode.
Automatically selecting 2048 bit modulus size.
Generating RSA keys ... Done w/ crypto generate keypair [OK]
RP/0/RSP0/CPU0:ASR9K#config terminal
RP/0/RSP0/CPU0:ASR9K(config)#ssh server vrf mgmt
RP/0/RSP0/CPU0:ASR9K(config)#ssh server access-list 170 permit ip 30.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
RP/0/RSP0/CPU0:ASR9K(config)#ssh server logging
RP/0/RSP0/CPU0:ASR9K(config)#ssh server v2
RP/0/RSP0/CPU0:ASR9K(config)#commit
RP/0/RSP0/CPU0:ASR9K(config)#end
RP/0/RSP0/CPU0:ASR9K(config)#ssh time-out 60
RP/0/RSP0/CPU0:ASR9K(config)#ssh server rekey-time 60
RP/0/RSP0/CPU0:ASR9K(config)#ssh server rekey-volume 1024
The management plane is the logical path of all traffic that is related to the management of a
routing platform. In addition, the management plane is used to manage a device through its
connection to the network. See the Router System Security Configuration Guide [4], chapter
"Implementing Management Plane Protection," section "Configuring a Device for Management
Plane Protection for an Inband Interface." Configuring MPP allows an authorized administrator
to add a policy that restricts the sources from which the ASR9k accepts SSHv2 client
connections. Although this is not specifically claimed in the ST, limiting where SSHv2 client
connections may originate is recommended as a best practice.
1. RP/0/RSP0/CPU0:router# configure
2. RP/0/RSP0/CPU0:router(config)# control-plane
3. RP/0/RSP0/CPU0:router(config-ctrl)# management-plane
4. RP/0/RSP0/CPU0:router(config-mpp)# inband
5. RP/0/RSP0/CPU0:router(config-mpp-inband)# interface {type instance | all}
Ex. RP/0/RSP0/CPU0:router(config-mpp-inband)# interface GigabitEthernet 0/6/0/1
6. RP/0/RSP0/CPU0:router(config-mpp-inband-Gi0_6_0_1)# allow {protocol | all} [peer]
Ex. RP/0/RSP0/CPU0:router(config-mpp-inband-Gi0_6_0_1)# allow sshv2 [peer]
7. RP/0/RSP0/CPU0:router(config-sshv2-peer)# address ipv4 {peer-ip-address | peer ip-address/length}
Ex. RP/0/RSP0/CPU0:router(config-sshv2-peer)# address ipv4 10.1.0.0/16
8. RP/0/RSP0/CPU0:ASR9K(config)#commit
Logging Configuration
Logging of command execution must be enabled. See chapter "Configuring Logging and
Logging Correlation" in [5] Cisco ASR 9000 Series Aggregation Services Router Getting Started
Guide.
1. RP/0/RSP0/CPU0:router# configure
2. RP/0/RSP0/CPU0:ASR9K(config)#logging trap debugging
3. RP/0/RSP0/CPU0:ASR9K(config)#logging 10.34.0.1 vrf default severity debugging
4. RP/0/RSP0/CPU0:ASR9K(config)#logging hostnameprefix TOE:ASR9K
5. RP/0/RSP0/CPU0:ASR9K(config)#service timestamps log datetime localtime msec
6. RP/0/RSP0/CPU0:ASR9K(config)#service timestamps debug datetime localtime msec
7. RP/0/RSP0/CPU0:ASR9K(config)#commit
8. RP/0/RSP0/CPU0:ASR9K(config)#end
Logging console on/off
The logging console command sends logging events to the console, so an authorized administrator
sees the audit events displayed on the console while commands are being entered; no logging
console turns this off.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# logging console
RP/0/RSP0/CPU0:router(config)# no logging console
Set logging size
This example shows how to set the maximum log file size to 10 MB:
RP/0/RSP0/CPU0:router(config)# logging archive
RP/0/RSP0/CPU0:router(config-logging-arch)# file-size 10
Turn logging on/off
The following example shows how to enable configuration logging:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:ASR9K(config)#logging trap debugging
The following example shows how to clear the configuration log by disabling and then
re-enabling the configuration log:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:ASR9K(config)#no logging trap debugging
Logging Protection
If an authorized administrator wants to back up the logs to a syslog server, then protection must
be provided for the syslog server communications. The connection to the remote syslog server
is secured via MACsec: the syslog server sits on an internal network behind a MACsec peer, the
ASR9k is configured as the other MACsec peer, and the records are tunneled over that
connection.
Non-Approved Algorithms and Protocols
This section details the algorithms and protocols that were not evaluated. These algorithms and
protocols are supported by the TOE, but are not to be configured for use in the evaluated
configuration.
DES
3DES
DES MAC
HMAC MD4
HMAC MD5
MD5
NDRNG
RC4
ftp
telnet
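As an added example (not part of this guide and not Cisco tooling), the following Python script checks an exported running configuration for the settings required in the SSH, MPP and logging sections above and flags the non-approved services and algorithms in the list just given. The sample configuration is constructed from the commands shown in this guide; the telnet server line, the ftp pattern and the indentation of the password-policy sub-commands are assumptions about how they appear in a configuration export, not text from this page.

```python
import re

# Constructed running-config excerpt built from the commands shown in this guide.
# The telnet line is an assumed example of a non-approved service left enabled.
SAMPLE_CONFIG = """\
hostname ASR9K
telnet vrf default ipv4 server max-servers 5
ssh server vrf mgmt
ssh server access-list 170 permit ip 30.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
ssh server logging
ssh server v2
ssh server rekey-time 60
ssh server rekey-volume 1024
logging trap debugging
logging 10.34.0.1 vrf default severity debugging
service timestamps log datetime localtime msec
aaa password-policy policy
 min-length 15
 special-num
!
"""

MIN_PASSWORD_LENGTH = 15  # from the Passwords section of this guide

# Settings the evaluated configuration requires; each regex must match at least one line.
REQUIRED = {
    "ssh server v2": r"^ssh server v2$",
    "ssh server logging": r"^ssh server logging$",
    "ssh server access-list": r"^ssh server access-list \S+",
    "ssh server rekey-time": r"^ssh server rekey-time \d+$",
    "ssh server rekey-volume": r"^ssh server rekey-volume \d+$",
    "logging trap debugging": r"^logging trap debugging$",
    "remote syslog host": r"^logging \d+\.\d+\.\d+\.\d+ ",
    "log timestamps": r"^service timestamps log datetime localtime msec$",
    "password policy special-num": r"^\s*special-num$",
}

# Non-approved services and algorithms from this guide; a line matching any pattern is a violation.
# How telnet/ftp services appear in an export is assumed for the first two patterns.
FORBIDDEN = [
    (r"^telnet\b", "telnet service configured"),
    (r"^ftp\b", "ftp service configured"),
    (r"\b(des|3des|md4|md5|rc4)\b", "non-approved algorithm referenced"),
]


def audit_config(config_text):
    """Return {'missing': [...], 'violations': [...]} for a running-config text."""
    lines = [line.rstrip() for line in config_text.splitlines()]
    missing = [name for name, pattern in REQUIRED.items()
               if not any(re.search(pattern, line) for line in lines)]
    violations = []
    for line in lines:
        for pattern, reason in FORBIDDEN:
            if re.search(pattern, line, re.IGNORECASE):
                violations.append(f"{reason}: {line.strip()}")
    # Password policy minimum length: must be present and at least 15 characters.
    lengths = [int(m.group(1)) for line in lines
               if (m := re.match(r"^\s*min-length (\d+)$", line))]
    if not lengths:
        missing.append("password policy min-length")
    elif min(lengths) < MIN_PASSWORD_LENGTH:
        violations.append(f"min-length {min(lengths)} is below {MIN_PASSWORD_LENGTH}")
    return {"missing": missing, "violations": violations}


def is_compliant(config_text):
    """True only when nothing required is missing and nothing forbidden is present."""
    result = audit_config(config_text)
    return not result["missing"] and not result["violations"]


if __name__ == "__main__":
    for key, items in audit_config(SAMPLE_CONFIG).items():
        print(key, items)
```

Run it against the output of show running-config saved to a file; the sample above is reported as non-compliant solely because of the telnet server line, and removing that line makes it pass.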
4 Secure Management
User Roles
The ASR 9k differs from IOS in that IOS-XR controls permissions via a usergroup / taskgroup
model. Cisco IOS-XR software user attributes form the basis of the Cisco IOS-XR software
administrative model. See the [4] Cisco ASR 9000 Series Aggregation Services Router System
Security Configuration Guide, chapter "Configuring AAA Services", section "User, User
Groups, and Task Groups".
Each administrator user is associated with the following attributes:
• User ID - (ASCII string) that identifies the user uniquely across an administrative domain
• Password - Length limitation of 253 characters for passwords and one-way encrypted
secrets
• Group - List of user groups (at least one) of which the user is a member (thereby enabling
attributes such as task IDs). The groups consist of user groups, task groups, and
associated task IDs.
The user group concept in IOS-XR relates to a group of users with common characteristics. An
administrator user that logs in to an IOS-XR router may have one or more user groups assigned
to it. Some user groups exist by default and other custom groups may be configured. Table 7
lists the predefined user and task groups in IOS-XR.
User Administrator Categories:
Router users are classified into the following categories:
• Root system user (complete administrative authority) - The root system user is the entity
authorized to “own” the entire router chassis. The root system user functions with the
highest privileges over all router components and can monitor all secure domain routers
in the system. At least one root system user account must be created during router setup.
Multiple root system users can exist.
• Root Secure Domain Router (SDR) user (specific SDR administrative authority) - A root
SDR user controls the configuration and monitoring of a particular SDR. The root SDR
user can create users and configure their privileges within the SDR. Multiple root SDR
users can work independently. A single SDR may have more than one root SDR user.
• SDR user (specific SDR user access) - A SDR user has restricted access to an SDR as
determined by the root-system user or root SDR user. The SDR user performs the day-
to-day system and network management activities. The tasks that the secure domain
router user is allowed to perform are determined by the task IDs associated with the user
groups to which the SDR user belongs.
User Groups
A user group defines a collection of users that share a set of attributes, such as access privileges.
Cisco IOS-XR software allows the system administrator to configure groups of users and the job
characteristics that are common to groups of users. Users are not assigned to groups by default,
so the assignment must be done explicitly. A user can be assigned to more than one
group, so each user may be associated with one or more user groups. User groups have the
following attributes:
• A user group consists of the list of task groups that define the authorization for the
users. All tasks, except cisco-support, are permitted by default for root system users.
• Each user task can be assigned read, write, execute, or debug permission.
Table 7 Predefined User and Task Groups
Note: Custom user and task groups can also be created by an authorized administrator.
User Group / Task Group | Purpose
cisco-support | Used by Cisco Support Team. Provides access to troubleshooting commands. / Cisco support personnel tasks
netadmin | Provides the ability to control and monitor all system- and network-related parameters. / Network administrator tasks
operator | Provides very basic user privileges. / Operator day-to-day tasks
root-lr | Provides the ability to control and monitor the specific SDR. / Secure domain router administrator tasks
root-system | Provides the ability to control and monitor the entire system. / System-wide administrator tasks
sysadmin | Provides the ability to control and monitor all system parameters but cannot configure network protocols. / System administrator tasks
serviceadmin | Provides the ability to administer session border controllers. / Service administration tasks, for example, SBC
Task IDs
Each user is associated with one or more user groups. Every user group is associated with one or
more task groups; in turn, every task group is defined by a set of task IDs. Consequently, a user’s
association with a particular user group links that user to a particular set of task IDs. A user that
is associated with a task ID can execute any operation associated with that task ID.
Table 8 Task ID Classes
Operation | Description
Read | Specifies a designation that permits only a read operation.
Write | Specifies a designation that permits a change operation and implicitly allows a read operation.
Execute | Specifies a designation that permits an access operation; for example ping.
Debug | Specifies a designation that permits a debug operation.
Refer to the IOS-XR Command Reference Guide for available commands and associated roles
and privilege levels.
Passwords
Password complexity is not enforced by the router by default, and must be administratively
set in the configuration. To prevent administrators from choosing insecure passwords, each
password must meet the following requirements. See the [4] Cisco ASR 9000 Series Aggregation
Services Router System Security Configuration Guide, chapter "Configuring AAA Services",
section "Configuring Users".
1. At least 15 characters long. Use the following commands to set the minimum length to 15
or greater.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)#aaa password-policy policy
RP/0/RSP0/CPU0:router(config)#min-length 15
Note: Details for the security passwords min-length command can be found in the:
2. Composed of any combination of characters that includes characters from at least 3 of these
four character sets: upper case letters, lower case letters, numerals, and the following
special characters: “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, “)”. Configure the router to
enforce that complexity requirement by enabling “special-num”.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)#aaa password-policy policy
RP/0/RSP0/CPU0:router(config)# special-num
To store passwords securely, use one of the following so that the stored password is
unreadable:
RP/0/RSP0/CPU0:router(config-un)# {secret 5 | password 7}
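The two requirements above (minimum length 15, at least 3 of the 4 character sets, with the special set limited to the nine listed characters) can be checked before a password is handed to the router. The following Python checker is an added example written for this guide, not the router's own password-policy implementation; the candidate passwords in it are constructed and are not real credentials. Characters outside the four sets (such as "-" or "!") are accepted but do not count toward any class, which is how the requirement reads.

```python
import string

MIN_LENGTH = 15        # requirement 1 above
REQUIRED_CLASSES = 3   # requirement 2: at least 3 of the 4 sets

# The four character sets named in this guide; the special set is exactly the listed characters.
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "numeral": set(string.digits),
    "special": set("@#$%^&*()"),
}


def classes_present(password):
    """Names of the character classes that appear at least once in the password."""
    chars = set(password)
    return {name for name, members in CHARACTER_CLASSES.items() if chars & members}


def check_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        found = ", ".join(sorted(present)) or "none"
        problems.append(f"only {len(present)} of 4 character classes present ({found}); "
                        f"{REQUIRED_CLASSES} required")
    return problems


def is_acceptable(password):
    return not check_password(password)


if __name__ == "__main__":
    # Constructed candidates; none is a real credential.
    for candidate in ("Correct-Horse-9Battery", "correcthorsebattery", "Ab1@", "Router$Admin#2018x"):
        print(repr(candidate), check_password(candidate) or "OK")
```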
Clock Management
Clock management is restricted to the privileged administrator.
For instructions to set the clock, refer to [5] Cisco ASR 9000 Series Aggregation Services Router
Getting Started Guide, under section “Manually Setting the Router Clock".
Use the clock set command for initial configuration. The clock timezone command should be
entered before the clock is set because it defines the difference between the system time and
Coordinated Universal Time (UTC). Once an authorized administrator has set the system time, the
router uses the clock timezone command setting to translate that time to UTC. The system
internally keeps time in UTC. When you type the show clock command, the router displays the
system time.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# clock timezone pst -8
RP/0/RSP0/CPU0:router(config)# commit
RP/0/RSP0/CPU0:router# clock update-calendar
Note: the clock update-calendar command updates the hardware clock (calendar clock) with the
new clock settings.
In order to configure the TOE to use an NTP time server, the following commands should be
used.
RP/0/RSP0/CPU0:router(config)# ntp
RP/0/RSP0/CPU0:router(config-ntp)#server <IP Address> iburst burst
RP/0/RSP0/CPU0:router(config)#clock timezone EST -5 0
RP/0/RSP0/CPU0:router(config)#clock summer-time EDT recurring <Start Date> <End Date>
RP/0/RSP0/CPU0:router(config)#commit
RP/0/RSP0/CPU0:router(config)#end
Note: for the NTP server, the timezone may vary from the one specified above. Be sure to verify
the correct time zone to ensure accurate time stamps where the TOE is installed.
Login Banners
The TOE may be configured by the privileged administrators with banners using the banner
login command. This banner is displayed before the username and password prompts. To create
a banner (for example, one reading “This is a banner”), use the commands shown below. See each
command in the [8] Cisco ASR 9000 Series Aggregation Services Router System Management
Command Reference, Release 6.1.x.
RP/0/RSP0/CPU0:ASR9K(config)#banner motd c THIS IS THE MOTD BANNER c
RP/0/RSP0/CPU0:ASR9K(config)#banner exec c THIS IS THE EXEC BANNER c
RP/0/RSP0/CPU0:ASR9K(config)#banner login c THIS IS THE LOGIN BANNER c
RP/0/RSP0/CPU0:ASR9K(config)#commit
RP/0/RSP0/CPU0:ASR9K(config)#end
where c is the delimiting character. The delimiting character may be any character except ?, and
it must not be part of the banner message.
Product Updates
Verification of authenticity of updated software is done in the same manner as ensuring that the
TOE is running a valid image. See Section 2, steps 7 and 9 above for the method to download
and verify an image prior to running it on the TOE.
5 Security Relevant Events
The TOE is able to generate audit records that are stored internally within the TOE whenever an
audited event occurs, as well as simultaneously offloaded to an external syslog server. The
details for protection of that communication are covered in section 3.3.3 above.
The administrator can set the level of the audit records to be stored in a local buffer, displayed on
the console, sent to the syslog server, or all of the above. The details for configuration of these
settings are covered in Section 3.3.2 above.
The local log buffer is circular. Newer messages overwrite older messages after the buffer is
full. Administrators are instructed to monitor the log buffer using the show logging privileged
EXEC command to view the audit records. The first message displayed is the oldest message in
the buffer.
When configured for a syslog backup the TOE will simultaneously offload events from a
separate buffer to the external syslog server. This buffer is used to queue events to be sent to the
syslog server if the connection to the server is lost. It is a circular buffer, so when events
overrun the storage space, older events are overwritten.
Table 9 below includes the security relevant events that are applicable to the TOE.
Deleting Audit Records
The TOE provides the privileged Administrator the ability to delete audit records
stored within the TOE. This is done with the clear logging command.
RP/0/RSP0/CPU0:router# clear logging
Clear logging buffer [confirm] [y/n] :y
Audit Records Description
The TOE generates an audit record whenever an audited event occurs. The types of events that
cause audit records to be generated include, cryptography related events, identification and
authentication related events, and administrative events (the specific events and the contents of
each audit record are listed in the table below). Each of the events is specified in syslog records
in enough detail to identify the user for which the event is associated, when the event occurred,
where the event occurred, the outcome of the event, and the type of event that occurred.
Additionally, the startup and shutdown of the audit functionality is audited.
The local audit trail consists of the individual audit records; one audit record for each event that
occurred. The audit record can contain up to 80 characters and a percent sign (%), which follows
the time-stamp information. The audit fields in each audit event will contain at a minimum the
following:
Example Audit Event: Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (AES encryption/decryption ... passed)
Date: Nov 19
Time: 13:55:59
Type of event: %CRYPTO-6-SELF_TEST_RESULT
Subject identity: Available when the command is run by an authorized TOE administrator user
such as “user: lab”. In cases where the audit event is not associated with an authorized user, an
IP address may be provided for the Non-TOE endpoint and/ or TOE.
Outcome (Success or Failure): Success may be explicitly stated with “success” or “passed”
contained within the audit event or is implicit in that there is not a failure or error message.
More specifically for failed logins, a “Login failed” will appear in the audit event. For
successful logins, a “Login success” will appear in the associated audit event. For failed events
“failure” will be denoted in the audit event. For other audit events a detailed description of the
outcome may be given in lieu of an explicit success or failure.
Additional Audit Information: As described in Column 3 of Table 9 below.
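The fields just described (date and time, type of event as the %FACILITY-SEVERITY-MNEMONIC tag, subject identity, outcome) can be pulled out of the raw syslog lines mechanically. The Python parser below is an added example, not part of this guide or of the router software; it handles the two line shapes that appear in the sample logs of Table 9 (with and without the RP/0/RSP0/CPU0: node prefix and process[pid]) and derives the outcome the way this section describes it, treating "failed"/"failure" as failure and "success"/"passed" as success. The sample lines are constructed: users, addresses and PIDs are made up, the repeated failed-attempt lines reuse the shape of the console AUTHEN_FAILED sample from Table 9 with a remote source substituted, and the last line is deliberately not a syslog record.

```python
import re
from collections import Counter

# Constructed sample in the IOS-XR syslog format shown in the Sample Log column of Table 9.
SAMPLE_LOG = """\
RP/0/RSP0/CPU0:Feb 21 09:19:44.831 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_SUCCESS : Successfully authenticated user 'admin' from '10.31.0.101' on 'vty0'(cipher 'aes256-ctr', mac 'hmac-sha1')
RP/0/RSP0/CPU0:Feb 21 09:20:01.002 : exec[65592]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user 'admin' from '10.31.0.250' on 'vty1'
RP/0/RSP0/CPU0:Feb 21 09:20:07.410 : exec[65592]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user 'admin' from '10.31.0.250' on 'vty1'
RP/0/RSP0/CPU0:Feb 21 09:20:13.922 : exec[65592]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user 'root' from '10.31.0.250' on 'vty1'
RP/0/RSP0/CPU0:Feb 21 09:21:30.001 : exec[65592]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from 'console' on 'con0_RSP0_CPU0'
RP/0/RSP0/CPU0:Feb 21 09:25:03.850 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000023676' to view the changes.
Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (AES encryption/decryption ... passed)
this line is not a syslog record
"""

RECORD_RE = re.compile(
    r"^(?:(?P<node>RP/\d+/\w+/CPU\d+):)?"                                   # optional node prefix
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d+)?) ?:"
    r"(?: (?P<process>\w+)\[(?P<pid>\d+)\]:)? "                             # optional process[pid]
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+) ?: ?"
    r"(?P<message>.*)$"
)


def parse_record(line):
    """Split one audit record into its fields; return None if the line is not a syslog record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    # Subject identity and origin, quoted as user '...' and from '...' in the sample logs.
    user = re.search(r"user '([^']*)'", rec["message"])
    source = re.search(r"from '([^']*)'", rec["message"])
    rec["user"] = user.group(1) if user else None
    rec["source"] = source.group(1) if source else None
    return rec


def classify_outcome(rec):
    """Outcome as this section describes it: explicit failure wording, else success wording, else unspecified."""
    text = (rec["mnemonic"] + " " + rec["message"]).lower()
    if "fail" in text:
        return "failure"
    if "success" in text or "passed" in text:
        return "success"
    return "unspecified"


def failed_logins_by_source(lines):
    """Count failed authentication events per origin (IP address or 'console')."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if (rec and rec["facility"].startswith("SECURITY") and rec["source"]
                and classify_outcome(rec) == "failure"):
            counts[rec["source"]] += 1
    return dict(counts)


def sources_over_threshold(lines, threshold):
    """Origins with at least `threshold` failed logins, sorted for stable reporting."""
    return sorted(src for src, n in failed_logins_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in filter(None, map(parse_record, lines)):
        print(rec["timestamp"], rec["mnemonic"], rec["user"], rec["source"], classify_outcome(rec))
    print("sources with 3+ failures:", sources_over_threshold(lines, 3))
```

The same parser can be pointed at the output of show logging or at the copy received by the syslog server; the per-source failure count is the check an operator would run to back the FIA_AFL.1 lockout events in Table 9 with a review of the local buffer.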
As noted above, the information includes at least all of the required information. Example audit
events are included in Table 9 below. The auditable events that result from administrative
actions are included in Table 9 and are designated with ‘Administrative Actions’ within the
Auditable Events column.
Table 9: Auditable Events (IOS-XR)
Columns: Requirement; Auditable Events; Additional Audit Record Contents; Sample Log.

FAU_GEN.1
Auditable events: Start-up and shutdown of audit functions. Note: shutdown is only when an administrator turns off logging. This has to be audited with the administrator's userid. Administrative Actions: Changing logging settings. Shutdown of logging. Clearing logs.
Additional audit record contents: None
Sample log:
Log Buffer (10000000 bytes):
RP/0/RSP0/CPU0:Jun 12 14:36:03.850 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000023676' to view the changes.
RP/0/RSP0/CPU0:Jun 12 14:36:03.930 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin
RP/0/RSP0/CPU0:ASR9K#

FAU_GEN.2
Auditable events: User id listed in administrator user actionable audited events.
Additional audit record contents: No additional information.
Sample log: See "Administrative Actions" in this table.

FAU_STG_EXT.1
Auditable events: Administrative Actions: Configuration of syslog export settings.
Additional audit record contents: No additional information.
Sample log:
RP/0/RSP0/CPU0:Jun 13 22:41:06.441 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin

FCS_CKM.1
Auditable events: Administrative Actions: Manual key generation.
Additional audit record contents: None
Sample log:
Log Buffer (10000000 bytes):
RP/0/RSP0/CPU0:Jun 13 22:41:06.441 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin

FCS_CKM_EXT.4
Auditable events: Administrative Actions: Manual key zeroization.
Additional audit record contents: None
Sample log:
+++ 09:19:38 ASR9K receive +++
crypto key zeroize rsa the_default
% Keys to be removed are named the_default
Do you really want to remove these keys ?? [yes/no]: yes

FCS_MACSEC_EXT.1, FCS_MACSEC_EXT.2, FCS_MACSEC_EXT.3, FCS_MACSEC_EXT.4, FCS_MKA_EXT.1
Auditable events: Session Establishment. Creation of Connectivity Association. Creation and Update of Secure Associate Key.
Additional audit record contents: Secure Channel Identifier. Connectivity Association Key Names.
Sample log:
RP/0/RSP0/CPU0:macsec-CE2# show macsec mka session interface tenGigE 0/3/0/0/1$
=====================================
Interface      Local-TxSCI          # Peers  Status   Key-Server
=====================================
Te0/3/0/0/1.1  001d.e5e9.a3a4/0001  1        Secured  YES

FCS_SSHS_EXT.1
Auditable events: Failure to establish an SSH Session. Establishment/Termination of an SSH Session. Administrative Actions: Configuration of SSH settings: including passwords, algorithms, host names, users.
Additional audit record contents: Reason for failure. Non-TOE endpoint of connection (IP address) for both successes and failures.
Sample log:
Failure to establish a SSH Session.
o IP address of remote host
o Reason for failure.
RP/0/RSP0/CPU0:Feb 21 09:19:56.113 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_GENERAL : Enc name is NULL: client blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr
Establishment of a SSH session
o IP address of remote host
RP/0/RSP0/CPU0:Feb 21 09:19:44.831 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_SUCCESS : Successfully authenticated user 'admin' from '10.31.0.101' on 'vty0'(cipher 'aes256-ctr', mac 'hmac-sha1')
Termination of a SSH session.
RP/0/RSP0/CPU0:Feb 21 09:19:56.113 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_GENERAL : Enc name is NULL: client blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr
Administrative Actions
RP/0/RSP0/CPU0:Feb 21 09:19:42.271 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_SUCCESS : Successfully authenticated user 'admin' from '10.31.0.101' on 'vty0'(cipher 'aes128-ctr', mac 'hmac-sha1')
RP/0/RSP0/CPU0:Feb 21 09:19:42.510 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'admin' from '10.31.0.101' logged out on 'vty0'

FIA_AFL.1
Auditable events: Administrative Actions: Configuring number of failures. Unlocking the user.
Sample log:
Feb 17 2013 16:14:47: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command: aaa local authentication attempts max-fail [number of failures]
Feb 7 2013 02:05:41.953: %AAA-5-USER_UNLOCKED: User user unlocked by admin on vty0 (21.0.0.1)

FIA_PMG_EXT.1
Auditable events: Administrative Actions: Setting length requirement for passwords.
Additional audit record contents: None.
Sample log:
RP/0/RSP0/CPU0:Mar 8 14:29:26.543 : config[65874]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000018738' to view the changes.
RP/0/RSP0/CPU0:Mar 8 14:29:26.622 : config[65874]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin
+++ 14:46:27 ASR9K exec +++
show aaa passwordpolicy
Password Policy Name : TOE
Number of Users : 0
Minimum Length : 2
Maximum Length : 253
Special Character Len : 2
Uppercase Character Len : 2
Lowercase Character Len : 0
Numeric Character Len : 2
Policy Life Time :
seconds : 0
minutes : 0
hours : 0
days : 0
months : 2
years : 0
Lockout Time :
seconds : 0
minutes : 5
hours : 0
days : 0
months : 0
years : 0
Character Change Len : 3
Maximum Failure Attempts : 5
RP/0/RSP0/CPU0:ASR9K(config-un)#password-policy TOE password CcTb
RP/0/RSP0/CPU0:ASR9K(config-un)#commit
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors

FIA_UIA_EXT.1
Auditable events: All use of the identification and authentication mechanism.
Additional audit record contents: Provided user identity, origin of the attempt (e.g., IP address).
Sample log: See Audit events in FIA_UAU_EXT.2

FIA_UAU_EXT.2
Auditable events: All use of the authentication mechanism. Administrative Actions: Logging into TOE.
Additional audit record contents: Origin of the attempt (e.g., IP address).
Sample log:
Login as an administrative user at the console
RP/0/RSP0/CPU0:Feb 28 15:20:44.566 : exec[65592]: %SECURITY-LOGIN-6-AUTHEN_SUCCESS : Successfully authenticated user 'admin' from 'console' on 'con0_RSP0_CPU0'
RP/0/RSP0/CPU0:Feb 28 15:21:07.164 : config[65780]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000017905' to view the changes.
Failed login via the console does not allow any actions
RP/0/RSP0/CPU0:Feb 28 15:23:04.816 : exec[65592]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from 'console' on 'con0_RSP0_CPU0'
See FCS_SSHS_EXT.1 for remote login audit events.

FIA_UAU.7
Auditable events: None
Additional audit record contents: None
Sample log:
Connected to 172.18.153.30.
Escape character is '^]'.
User Access Verification
Username: admin
Password:
${via_console} = ASR9K con0/RSP0/CPU0 is now available
Press RETURN to get started.
User Access Verification
Username: admin
Password:

FMT_MOF.1
Auditable events: Administrative Actions: See all other rows in table.
Additional audit record contents: None
Sample log: See all other rows in table.

FMT_MTD.1
Auditable events: Administrative Actions: See all other rows in table.
Additional audit record contents: None
Sample log: See all other rows in table.

FMT_SMF.1
Auditable events: Administrative Actions: See all other rows in table.
Additional audit record contents: None
Sample log: See all other rows in table.

FMT_SMR.2
Auditable events: Administrative Actions: Configuring administrative users with specified roles.
Additional audit record contents: None
Sample log:
RP/0/RSP0/CPU0:Jun 12 14:36:03.850 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000023676' to view the changes.

FPT_APW_EXT
Auditable events: None
Additional audit record contents: None
Sample log:
config terminal
RP/0/RSP0/CPU0:ASR9K(config)#username testuser
RP/0/RSP0/CPU0:ASR9K(config-un)#group netadmin
RP/0/RSP0/CPU0:ASR9K(config-un)#password 0 Cisco123
--Password stored hashed--
username cisco
group netadmin
group root-system
!
username testuser
group netadmin
password 7 096F471A1A0A464058

FPT_RPL.1
Auditable events: Detected replay attempt
Additional audit record contents: None

FPT_STM.1
Auditable events: Changes to the time. Administrative Actions: Manual changes to the system time. Changes to NTP settings.
Additional audit record contents: The old and new values for the time. Origin of the attempt (e.g., IP address).
Sample log:
RP/0/RSP0/CPU0:Dec 2 22:22:22.021 : iosclock[65757]: %INFRA-INFRA_MSG-5-CLOCK_TIME_UPDATE : User admin(con0_RSP0_CPU0) updated clock from Tue Jun 13 15:00:40 2017 to Thu Dec 22 22:22:22 2022

FPT_TST_EXT.1
Auditable events: None
Additional audit record contents: No additional information.
Sample log:
Jan 23 2013 06:53:24.570: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Self test activated by user: admin)
Jan 23 2013 06:53:24.670: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Software checksum ... passed)

FPT_TUD_EXT.1
Auditable events: Initiation of update. Administrative Actions: Software updates
Additional audit record contents: No additional information.
Sample log:
Use of the “upgrade” command.
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:copy tftp ….
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:reload

FTA_SSL_EXT.1
Auditable events: Any attempts at unlocking of an [local] interactive session. Administrative Actions: Specifying the inactivity time period.
Additional audit record contents: No additional information.
Sample log:
SLEEP for 62 secs for the idle timer to expire.
FOUND: 'The idle timeout is soon to expire on this line'
FOUND: 'Username'
PASS: TOE logged out after exec timer expired as expected
LOGIN output: '
+++ 22:52:07 ASR9K exec +++
show logging | include SECURITY-LOGIN-6-CLOSE
RP/0/RSP0/CPU0:Jun 13 21:50:18.415 : exec[65591]: %SECURITY-LOGIN-6-CLOSE : User 'admin' logged out

FTA_SSL.3
Auditable events: The termination of a remote session by the session locking mechanism. Administrative Actions: Specifying the inactivity time period.
Additional audit record contents: No additional information.
Sample log:
+++ 22:50:00 ASR9K config +++
config terminal
RP/0/RSP0/CPU0:ASR9K(config)#line console
RP/0/RSP0/CPU0:ASR9K(config-line)#exec-timeout 0 60
To TCL: ASR9K exec "show logging | include SECURITY-LOGIN-6-CLOSE"
From TCL: ;list
+++ 22:52:07 ASR9K exec +++
show logging | include SECURITY-LOGIN-6-CLOSE
RP/0/RSP0/CPU0:Jun 13 21:50:18.415 : exec[65591]: %SECURITY-LOGIN-6-CLOSE : User 'admin' logged out

FTA_SSL.4
Auditable events: The termination of an interactive session. Administrative Action: Logging out of TOE.
Additional audit record contents: No additional information.
Sample log:
Audit record generated when admin logs out of CONSOLE:
RP/0/RSP0/CPU0:Sep 28 15:34:31.194 : exec[65592]: %SECURITY-LOGIN-6-CLOSE : User 'admin' logged out

FTA_TAB.1
Auditable events: Administrative Action: Configuring the banner displayed prior to authentication.
Additional audit record contents: None
Sample log:
RP/0/RSP0/CPU0:Jun 13 22:07:13.482 : banner_config[1071]: sysdb_find passed
RP/0/RSP0/CPU0:Jun 13 22:07:13.622 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000023788' to view the changes.
RP/0/RSP0/CPU0:Jun 13 22:07:13.702 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin

FTP_ITC.1
Auditable events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Additional audit record contents: Identification of the initiator and target of failed trusted channels establishment attempt.
Sample log: AUDIT: See logs provided by FCS_MACSEC_EXT.1

FTP_TRP.1
Auditable events: Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions. Administrative Action: Connecting to the TOE with SSH
Additional audit record contents: Identification of the claimed user identity.
Sample log: AUDIT: See logs provided by FCS_SSHS_EXT.1
6 MACsec Configuration
Media Access Control Security (MACsec) is defined in IEEE 802.1AE-2006 (specification PDF
attached to this note). There are two subsequent amendments:
802.1AEbn-2011 defines the use of AES-256-GCM in the context of MACsec
802.1AEbw-2013 defines the use of Extended Packet Numbering (XPN) with MACsec (this is
dependent on GCM)
To configure the TOE for MACsec, follow the configuration procedures below.
MACsec Configuration on ASR9k
For additional information, please reference the ASR9k Security Configuration Guide Chapter
"Implementing MACsec Encryption."
Create the MACsec Key Chain 9k
(config)#key chain mac_chain256 macsec
(config-mac_chain-MacSec)#key <key-id>
(config-mac_chain-MacSec-1234)#key-string <keystring> cryptographic-algorithm aes-256-cmac
*Note – Use 64-character key-strings for 256-bit encryption. For 128-bit encryption, the
key-string length will be 32 characters.
(config-mac_chain-MacSec-1234)#lifetime HH:MM:SS DAY MONTH YEAR <duration>
(config-mac_chain-MacSec-1234)#exit
(config-mac_chain-MacSec)#commit
Creating a MACsec Policy 9k
(config)#macsec-policy mac_policy256
(config-macsec-policy)#cipher-suite GCM-AES-256
(config-macsec-policy)#conf-offset CONF-OFFSET-30 >> Can be set for 0, 30, or 50
(config-macsec-policy)#key-server-priority 0
(config-macsec-policy)#security-policy must-secure
(config-macsec-policy)#window-size 64
(config-macsec-policy)#include-icv-indicator
(config-macsec-policy)#delay-protection
(config-macsec-policy)#exit
(config)#commit
(config)#exit
#sh run macsec-policy >> To view the macsec config
Note: When a key has expired, the MACsec session is torn down and running the show
macsec mka session command does not display any information. If you run the show
macsec mka interface and show macsec mka interface detail commands, you can see that
the session is unsecured.
Applying MACsec on a Physical Interface ASR9k
(config)# interface <interface>
(config-if)#macsec psk-keychain mac_chain256 policy mac_policy256
(config-if)#exit
(config)#commit
#show config commit changes all >> To view all commits
Verify MACsec Configuration 9k
Verify the MACsec MKA policy configuration:
#show macsec mka summary
Verify the MACsec policy configuration:
# show macsec policy mac_policy256
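Two things in the procedure above are easy to get wrong by hand: the key-string must be hexadecimal and exactly 64 characters for a 256-bit CAK (32 for 128-bit), and after the key chain and policy are applied the MKA session must actually reach the Secured state, as the Note about expired keys points out. The Python helper below is an added example written for this guide, not Cisco code; it generates and checks key-strings, renders the key-chain commands in the form shown above, and parses show macsec mka session output to list interfaces that are not Secured. The aes-128-cmac keyword is the IOS-XR name for the 128-bit case and is not shown on this page; the session output is constructed in the layout of the Table 9 sample, and its second row with an Init status is made up to show an interface that has not reached Secured.

```python
import re
import secrets

# Key-string lengths from the key-chain note above: 64 hex characters for 256-bit keys, 32 for 128-bit.
# aes-128-cmac is assumed here as the keyword for the 128-bit case (the guide shows only aes-256-cmac).
KEY_STRING_HEX_CHARS = {"aes-256-cmac": 64, "aes-128-cmac": 32}


def generate_key_string(algorithm):
    """Return a fresh random key-string of the right length for the given cryptographic-algorithm."""
    return secrets.token_hex(KEY_STRING_HEX_CHARS[algorithm] // 2)


def check_key_string(key_string, algorithm):
    """List the problems with a key-string; an empty list means it fits the key chain as configured above."""
    expected = KEY_STRING_HEX_CHARS.get(algorithm)
    if expected is None:
        return [f"unknown algorithm {algorithm!r}"]
    problems = []
    if len(key_string) != expected:
        problems.append(f"length {len(key_string)}, expected {expected} for {algorithm}")
    if not re.fullmatch(r"[0-9A-Fa-f]*", key_string):
        problems.append("key-string must be hexadecimal")
    if len(set(key_string.lower())) <= 1:
        problems.append("key-string is a single repeated character")
    return problems


def key_chain_commands(chain, key_id, key_string, algorithm):
    """Render the key-chain commands in the form shown in this guide (lifetime is left to the operator)."""
    problems = check_key_string(key_string, algorithm)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"key chain {chain} macsec",
        f" key {key_id}",
        f"  key-string {key_string} cryptographic-algorithm {algorithm}",
    ]


# Constructed 'show macsec mka session' output in the layout of the Table 9 sample.
SAMPLE_MKA_SESSION = """\
=====================================
Interface      Local-TxSCI          # Peers  Status   Key-Server
=====================================
Te0/3/0/0/1.1  001d.e5e9.a3a4/0001  1        Secured  YES
Te0/3/0/0/2.1  001d.e5e9.a3a5/0001  0        Init     NO
"""


def parse_mka_session(output):
    """Parse the five-column session table into dicts, skipping the header and rule lines."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or line.startswith(("=", "Interface")):
            continue
        iface, sci, peers, status, key_server = parts
        rows.append({"interface": iface, "sci": sci, "peers": int(peers),
                     "status": status, "key_server": key_server == "YES"})
    return rows


def unsecured_interfaces(output):
    """Interfaces whose MKA session is not in the Secured state, the check the Note above calls for."""
    return [r["interface"] for r in parse_mka_session(output) if r["status"] != "Secured"]


if __name__ == "__main__":
    cak = generate_key_string("aes-256-cmac")
    print("\n".join(key_chain_commands("mac_chain256", "1234", cak, "aes-256-cmac")))
    print("not secured:", unsecured_interfaces(SAMPLE_MKA_SESSION))
```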
7 Network Services and Protocols
The table below lists the network services/protocols available on the Aggregation Services
Router 9000 as a client (initiated outbound) and/or server (listening for inbound connections), all
of which run as system-level processes. The table indicates whether each service or protocol is
allowed to be used in the certified configuration.
For more detail about each service, including whether the service is limited by firewall mode
(routed or transparent), or by context (single, multiple, system), refer to the Command
Reference guides listed in Table 2.
Table 10 Protocols and Services
Columns: Service or Protocol | Description | Client (initiating) | Client Allowed | Server (terminating) | Server Allowed | Allowed use in the certified configuration
AH | Authentication Header (part of IPsec) | Yes | No | Yes | No | Not permitted in evaluated configuration.
DHCP | Dynamic Host Configuration Protocol | Yes | Yes | Yes | Yes | No restrictions.
DNS | Domain Name Service | Yes | Yes | No | n/a | No restrictions.
ESP | Encapsulating Security Payload (part of IPsec) | Yes | Yes | Yes | Yes | Configure ESP as described in section [reference not resolved in source] of this document.
FTP | File Transfer Protocol | Yes | No | No | n/a | Use SCP.
HTTP | Hypertext Transfer Protocol | Yes | No | Yes | No | Not permitted in evaluated configuration.
HTTPS | Hypertext Transfer Protocol Secure | Yes | Yes | Yes | Yes | No restrictions.
ICMP | Internet Control Message Protocol | Yes | Yes | Yes | Yes | No restrictions.
IKE | Internet Key Exchange | Yes | Yes | Yes | Yes | As described in the [references not resolved in source] sections of this document.
IMAP4S | Internet Message Access Protocol Secure version 4 | Yes | No | No | No | Not permitted in evaluated configuration.
IPsec | Internet Protocol Security (suite of protocols including IKE, ESP and AH) | Yes | No | Yes | No | Not permitted in evaluated configuration.
Kerberos | A ticket-based authentication protocol | Yes | No | No | No | Not permitted in evaluated configuration.
LDAP | Lightweight Directory Access Protocol | Yes | No | No | No | Not permitted in evaluated configuration.
LDAP-over-SSL | LDAP over Secure Sockets Layer | Yes | No | No | No | Not permitted in evaluated configuration.
MACsec | MACsec secure connection between TOE and peer | No | Yes | No | Yes | Documented under Section 6.
NT | NT domain authentication | Yes | No | No | No | Not permitted in evaluated configuration.
NTP | Network Time Protocol | Yes | Yes | No | n/a | Any configuration. Use of key-based authentication is recommended.
POP3S | Post Office Protocol version 3 over TLS | Yes | No | No | No | Not permitted in evaluated configuration.
RADIUS | Remote Authentication Dial In User Service | Yes | No | No | No | Not permitted in evaluated configuration.
SDI (RSA SecureID) | RSA SecurID authentication | Yes | No | No | No | Not permitted in evaluated configuration.
SMTP | Simple Mail Transfer Protocol | Yes | Yes | No | n/a | Recommended to use SMTPS instead.
SMTPS | SMTP over TLS | Yes | No | No | No | Not permitted in evaluated configuration.
SNMP | Simple Network Management Protocol | Yes (snmp-trap) | No | Yes | No | Not permitted in evaluated configuration.
SSH | Secure Shell | Yes | Yes | Yes | Yes | As described in the 3.3.1 section of this document.
SSL (not TLS) | Secure Sockets Layer | Yes | No | No | No | Not permitted in evaluated configuration.
TACACS+ | Terminal Access Controller Access-Control System Plus | Yes | No | No | No | Not permitted in evaluated configuration.
Telnet | A protocol used for terminal emulation | Yes | No | Yes | No | Use SSH instead.
TLS | Transport Layer Security | Yes | No | No | No | Not permitted in evaluated configuration.
TFTP | Trivial File Transfer Protocol | Yes | No | No | No | Not permitted in evaluated configuration.
The table above does not include the following types of protocols and services:
OSI Layer 2 protocols such as CDP, VLAN protocols like 802.1Q, Ethernet encapsulation protocols like PPPoE, etc. The certified configuration places no restrictions on the use of these protocols; however, evaluation of these protocols was beyond the scope of the Common Criteria product evaluation. Follow best practices for the secure usage of these services.
Routing protocols such as EIGRP, OSPF, and RIP. The certified configuration places no restrictions on the use of these protocols; however, evaluation of these protocols was beyond the scope of the Common Criteria product evaluation, so follow best practices for the secure usage of these protocols.
Protocol inspection engines that can be enabled with “inspect” commands. Inspection engines are used for filtering traffic, not for initiating or terminating sessions, so they are not considered network ‘services’ or ‘processes’ in the context of this table. The certified configuration places no restrictions on the use of protocol inspection functionality; however, evaluation of this functionality was beyond the scope of the Common Criteria product evaluation. Follow best practices for the secure usage of these services.
Network protocols that can be proxied through/by the Aggregation Services Router 9000. Proxying of services by the Aggregation Services Router 9000 does not result in running said service on the Aggregation Services Router 9000 in any way that would allow the Aggregation Services Router 9000 itself to be remotely accessible via that service, nor does it allow the Aggregation Services Router 9000 to initiate a connection to a remote server independent of the remote client that initiated the connection. The certified configuration places no restrictions on enabling proxy functionality; however, the evaluation of this functionality was beyond the scope of the Common Criteria product evaluation. Follow best practices for the secure usage of these services.
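The table above is easiest to apply as an audit rule: any service the router terminates that the table marks "Not permitted" or "Use SSH/SCP instead" should not appear in the running configuration. The following Python is an added example written for this guide, not Cisco's own tooling; the policy entries are transcribed from the table, and the configuration lines it parses are a constructed sample whose command syntax is assumed to follow IOS-XR conventions rather than quoted from this document.

```python
"""Audit a captured IOS-XR configuration excerpt against the service table.

Added example for this guide (not Cisco code).  POLICY is transcribed from
the table above; SERVER_PATTERNS and SAMPLE_CONFIG are constructed for the
demonstration and assume IOS-XR-style command syntax.
"""
import re

# Server-side ("terminating") verdicts from the table: name -> (allowed, guidance)
POLICY = {
    "telnet": (False, "Use SSH instead."),
    "snmp":   (False, "Not permitted in evaluated configuration."),
    "tftp":   (False, "Not permitted in evaluated configuration."),
    "ssh":    (True,  "As described in section 3.3.1 of this document."),
}

# Constructed patterns (assumed syntax) for config lines that enable the
# router as the *server* side of a service.
SERVER_PATTERNS = {
    "telnet": re.compile(r"^telnet\b.*\bserver\b"),
    "snmp":   re.compile(r"^snmp-server\b"),
    "tftp":   re.compile(r"^tftp\b.*\bserver\b"),
    "ssh":    re.compile(r"^ssh server\b"),
}


def enabled_servers(config_text):
    """Return the set of services that the configuration enables as servers."""
    found = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # skip blanks and comments
            continue
        for name, pattern in SERVER_PATTERNS.items():
            if pattern.search(line):
                found.add(name)
    return found


def audit(config_text):
    """Return sorted (service, guidance) pairs for enabled servers that the
    certified configuration does not permit."""
    findings = []
    for name in sorted(enabled_servers(config_text)):
        allowed, guidance = POLICY[name]
        if not allowed:
            findings.append((name, guidance))
    return findings


# Constructed running-config excerpt; not taken from the guide.
SAMPLE_CONFIG = """\
! constructed sample, assumed IOS-XR syntax
hostname asr9k-lab
ssh server v2
telnet vrf default ipv4 server max-servers 10
snmp-server community public RO
tftp vrf default ipv4 server homedir disk0:
!
"""

if __name__ == "__main__":
    for service, guidance in audit(SAMPLE_CONFIG):
        print(f"{service}: enabled as server but not permitted. {guidance}")
```

Running the block against the constructed sample reports snmp, telnet and tftp; ssh passes because the table allows it as a terminating service. To use it on a real device, feed the captured running configuration to audit() and extend SERVER_PATTERNS for the remaining rows of the table.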
8 Modes of Operation
An IOS-XR router has several modes of operation; these modes are as follows:
Booting – While booting, the router drops all network traffic until the router image and configuration have loaded. This mode of operation automatically progresses to the Normal mode of operation. During booting, an administrator may press the break key on a console connection within the first 60 seconds of startup to enter the ROM Monitor mode of operation. This Booting mode is referred to in the IOS-XR guidance documentation as “ROM Monitor Initialization”. Additionally, if the router does not find a valid operating system image it will enter ROM Monitor mode rather than Normal mode, thereby protecting the router from booting into an insecure state.
Normal – The IOS-XR router image and configuration are loaded and the router is operating as configured. It should be noted that all levels of administrative access occur in this mode and that all router-based security functions are operating. While operating, the router has little interaction with the administrator. However, the configuration of the router can have a detrimental effect on security: misconfiguration of the router could result in the unprotected network having access to the internal/protected network.
ROM Monitor – This mode of operation is a maintenance, debugging, and disaster recovery mode. While the router is in this mode, no network traffic is routed between the network interfaces. In this state the router may be configured to upload a new boot image from a specified TFTP server, perform configuration tasks and run various debugging commands.
Note: If NVRAM is empty and a reload is done, IOS-XR will try to boot automatically from the images in the flash directory, top down. Make sure the valid IOS-XR image is listed above any other images in flash.
To ensure the correct image is booted on startup, use the system boot-sequence command:
RP/0/RSP0/CPU0:router# system boot-sequence { primary-device [secondary-device] | disable } [ location { node-id | all } ]
It should be noted that while no administrator password is required to enter ROM Monitor mode, physical access to the router is required; therefore, the router should be kept in a physically secure location to avoid unauthorized access, which may lead to the router being placed in an insecure state.
Following an operational error, the TOE reboots (once power supply is available) and enters Booting mode. The only exception to this is if there is an error during the Power on Startup Test (POST) during bootup, in which case the TOE will shut down. If any component reports failure for the POST, the system crashes, appropriate information is displayed on the screen and saved in the crashinfo file. Within the POST, self-tests for the cryptographic operations are performed. The same cryptographic POSTs can also be run on demand as described in section 3.2.3, and when the tests are run on demand after system startup has completed (and the syslog daemon has started), error messages will be written to the log.
All ports are blocked from moving to the forwarding state during the POST. Only when all components of all modules pass the POST is the system placed in the FIPS PASS state and ports are allowed to forward data traffic.
If any of the POST tests fail, the following actions should be taken:
If possible, review the crashinfo file. This will provide additional information on the cause of the crash.
Restart the TOE to perform the POST again and determine if normal operation can be resumed.
If the problem persists, contact Cisco Technical Assistance via http://www.cisco.com/techsupport or 1 800 553-2447.
If necessary, return the TOE to Cisco under guidance of Cisco Technical Assistance.
9 Security Measures for the Operational Environment
Proper operation of the TOE requires functionality from the environment. It is the responsibility of the authorized administrator of the TOE to ensure that the Operational Environment provides the necessary functions, and adheres to the environment security objectives listed below. The environment security objective identifiers map to the environment security objectives as defined in the Security Target.
Table 11 Operational Environment Security Measures
Environment Security Objective | Operational Environment Security Objective Definition | Privileged and Semi-privileged administrator responsibility
OE.NO_GENERAL_PURPOSE | There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. | Administrators will make sure there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE.
OE.PHYSICAL | Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment. | Administrators must ensure the TOE is installed and maintained within a secure physical location. This can include a secured building with key card access or within the physical control of an authorized administrator in a mobile environment.
OE.TRUSTED_ADMIN | TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. | Administrators must be properly trained in the usage and proper operation of the TOE and all the provided functionality per the implementing organization’s operational security policies. These administrators must follow the provided guidance.
10 Related Documentation
Use this document in conjunction with the IOS-XR 15.1(3)S2 documentation at the following location:
http://www.cisco.com/
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the
following sites:
http://www.cisco.com
http://www-china.cisco.com
http://www-europe.cisco.com
Ordering Documentation
Cisco documentation is available in the following ways:
Registered Cisco Direct Customers can order Cisco Product documentation from the
Networking Products MarketPlace:
http://www.cisco.com/web/ordering/root/index.html
Registered Cisco.com users can order the Documentation CD-ROM through the online
Subscription Store:
http://www.cisco.com/go/subscription
Non-registered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit
technical comments electronically. Click Feedback in the toolbar and select
Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to [email protected].
To submit your comments by mail, for your convenience many documents contain a
response card behind the front cover. Otherwise, you can mail your comments to the
following address:
Cisco Systems, Inc., Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
11 Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com is the foundation of a suite of interactive, networked services that provides
immediate, open access to Cisco information and resources at anytime, from anywhere in
the world. This highly integrated Internet application is a powerful, easy-to-use tool for
doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners
streamline business processes and improve productivity. Through Cisco.com, you can
find information about Cisco and our networking solutions, services, and programs. In
addition, you can resolve technical issues with online technical support, download and
test software packages, and order Cisco learning materials and merchandise. Valuable
online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized
information and services. Registered users can order products, check on the status of an
order, access technical support, and view benefits specific to their relationships with
Cisco.
To access Cisco.com, go to the following website:
http://www.cisco.com