© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Cisco Aggregation Services Router 9000
CC Configuration Guide
Version 1.0
April 2018


Table of Contents

1 Introduction
    Audience
    Purpose
    Document References
    Supported Hardware and Software
    Operational Environment
        Supported non-TOE Hardware/Software/Firmware
    Excluded Functionality
2 Secure Acceptance of the TOE
3 Secure Installation and Configuration
    Physical Installation
    Initial Setup via Direct Console Connection
        Administrator Configuration and Credentials
        Saving Configuration
        Enabling FIPS Mode
        Session Termination
        User Lockout
    Network Protocols and Cryptographic Settings
        Remote Administration Protocols
        Logging Configuration
        Logging Protection
        Non-Approved Algorithms and Protocols
4 Secure Management
    User Roles
    Passwords
    Clock Management
    Login Banners
    Product Updates
5 Security Relevant Events
    Deleting Audit Records
    Audit Records Description
    Deleting Audit Records
6 MACsec Configuration
7 Network Services and Protocols
8 Modes of Operation
9 Security Measures for the Operational Environment
10 Related Documentation
    World Wide Web
    Ordering Documentation
    Documentation Feedback
11 Obtaining Technical Assistance


List of Tables

Table 1: Acronyms
Table 2: Cisco Documentation and CI List
Table 3: Operational Environment Components
Table 4: Excluded Functionality
Table 5: TOE External Identification
Table 6: Evaluated Software Images
Table 7: Predefined User and Task Groups
Table 8: Task ID Classes
Table 9: Auditable Events (IOS-XR)
Table 10: Protocols and Services
Table 11: Operational Environment Security Measures


List of Acronyms

The following acronyms and abbreviations are used in this document:

Table 1: Acronyms

Acronym / Abbreviation   Definition
AAA                      Administration, Authorization, and Accounting
AES                      Advanced Encryption Standard
CI                       Configuration Item
FIPS                     Federal Information Processing Standards
EAL                      Evaluation Assurance Level
HTTPS                    Hyper-Text Transport Protocol Secure
IP                       Internet Protocol
NTP                      Network Time Protocol
RADIUS                   Remote Authentication Dial In User Service
SFP                      Security Function Policy
SSHv2                    Secure Shell (version 2)
TACACS+                  Terminal Access Controller Access-Control System Plus
TCP                      Transport Control Protocol
TOE                      Target of Evaluation


DOCUMENT INTRODUCTION

Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134

This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Aggregation Services Router 9000 (ASR 9k). This Operational User Guidance with Preparative Procedures addresses the administration of the TOE software and hardware and describes how to install, configure, and maintain the TOE in the Common Criteria evaluated configuration. Administrators of the TOE will be referred to as administrators, authorized administrators, TOE administrators, semi-privileged administrators, and privileged administrators in this document. All administrative actions that are relevant to the Common Criteria (CC) Evaluation and claimed Protection Profile(s) are described within this document.

This document includes pointers to the official Cisco documentation in order to aid the administrator in easily identifying the CC relevant administrative commands, including subcommands, scripts (if relevant), and configuration files, that are related to the configuration (including enabling or disabling) of the mechanisms implemented in ASR 9k that are necessary to enforce the requirements specified in the claimed PP(s).


1 Introduction

This Operational User Guidance with Preparative Procedures documents the administration of the Aggregation Services Router 9000 (ASR 9k), the TOE, as it was certified under Common Criteria. The Aggregation Services Router 9000 (ASR 9k) may be referenced below by the model number series related acronym (e.g. ASR 9k), TOE, or simply router.

Audience

This document is written for administrators configuring the TOE. It assumes that you are familiar with the basic concepts and terminology used in internetworking, understand your network topology and the protocols that the devices in your network can use, are a trusted individual, and are trained to use the operating systems on which you are running your network.

Purpose

This document is the Operational User Guidance with Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and administrator functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration. This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining ASR 9k operations. All security relevant commands to manage the TSF data are provided within this documentation within each functional section.

Document References

This section lists the Cisco Systems documentation that is also the Common Criteria Configuration Item (CI) List. The documents used are shown below in Table 2. Throughout this document, the guides will be referred to by the “#”, such as [1].

Table 2: Cisco Documentation and CI List

[1] Cisco ASR 9000 Series Aggregation Services Routers Hardware Installation Guide
    http://www.cisco.com/c/en/us/td/docs/iosxr/asr9000/hardware-install/hig/b-asr9k-hardware-installation-guide.html

[2] Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 6.1x
    https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/security/command/reference/b-syssec-cr-asr9k-61x/b-syssec-cr-asr9k-61x_chapter_01011.html

[3] Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide, Release 6.1.x
    http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/sysman/configuration/guide/b-sysman-cg-asr9k-61x.html

[4] Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 6.1.x
    http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/security/command/reference/b-syssec-cr-asr9k-61x.html

[5] Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide
    http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/getting_started/configuration/guide/asr9k.html

[6] Cisco ASR 9000 Series Aggregation Services Router Ethernet Line Card Installation Guide
    http://www.cisco.com/c/en/us/td/docs/iosxr/asr9000/hardware-install/ethernet-line-card-installation-guide/b-asr9k-ethernt-line-card-install-guide/b-asr9k-ethernt-line-card-install-guide_chapter_010.html?bookSearch=true

[7] Converting Cisco IOS Configurations to Cisco IOS XR Configurations Guide
    http://www.cisco.com/c/en/us/td/docs/ios_xr_sw/iosxr_r3-2/conversion/reference/guide/cnvt32/cn32main.pdf

[8] Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference, Release 6.1.x
    http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r6-1/sysman/command/reference/b-sysman-cr-asr9k-61x/b-sysman-cr-asr9k-61x_preface_00.html

[9] ASR 9k CC Configuration Guide, version .01
    Not Applicable

[10] ASR 9k Security Target, version 1.0
    Not Applicable

Supported Hardware and Software

Only the hardware and software listed in section 1.5 of the Security Target (ST) is compliant with the Common Criteria evaluation. Using hardware not specified in the ST invalidates the secure configuration. Likewise, using any software version other than the evaluated software listed in the ST will invalidate the secure configuration. The TOE is a hardware and software solution that makes up the following router models: 9010, 9006, 9922, 9912, 9910, 9904. The network on which they reside is considered part of the environment. The software is comprised of the Cisco IOS-XR software image Release IOS-XR 6.2.1.

Operational Environment

Supported non-TOE Hardware/Software/Firmware

The TOE supports (in some cases optionally) the following hardware, software, and firmware in its environment:

Table 3: Operational Environment Components

Component: Management Workstation with SSH Client
Required: Yes
Usage/Purpose Description: This includes any Operational Environment Management workstation with an SSH client installed that is used by the TOE administrator to support TOE administration through SSH protected channels. Any SSH client that supports SSHv2 may be used.

Component: Local Console
Required: No
Usage/Purpose Description: This includes any IT Environment Console that is directly connected to the TOE via the Serial Console Port and is used by the TOE administrator to support TOE administration.

Component: NTP Server
Required: No
Usage/Purpose Description: The TOE supports communications with an NTP server.

Component: Syslog Server
Required: Yes
Usage/Purpose Description: This includes any syslog server to which the TOE would transmit syslog messages.


Excluded Functionality

Table 4: Excluded Functionality

Excluded Functionality: Non-FIPS 140-2 mode of operation on the router.
Exclusion Rationale: This mode of operation includes non-FIPS allowed operations.

Excluded Functionality: Telnet for management purposes.
Exclusion Rationale: Telnet passes authentication credentials in clear text. SSHv2 is to be used instead.

These services will be disabled by configuration. The exclusion of this functionality does not affect compliance to the claimed security functions.


2 Secure Acceptance of the TOE

In order to ensure the correct TOE is received, the TOE should be examined to ensure that it has not been tampered with during delivery.

Verify that the TOE software and hardware were not tampered with during delivery by performing the following actions:

Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 2 Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 3 Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box.

Step 4 Note the serial number of the TOE on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the device. Verify that the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

Step 5 Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/FAX or another online tracking service.

Step 6 Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). Also verify that the unit has the external identification described in Table 5 below.

Table 5: TOE External Identification

Product Name     Model Number   External Identification
ASR 9k Series    9010           Cisco 9010
                 9006           Cisco 9006
                 9922           Cisco 9922
                 9912           Cisco 9912
                 9910           Cisco 9910
                 9904           Cisco 9904


Step 7 Approved method for obtaining Common Criteria evaluated software images: download the Common Criteria evaluated software image file from Cisco.com onto a trusted computer system. Software images are available from Cisco.com at the following: http://www.cisco.com/cisco/software/navigator.html.

Step 8 Once the file is downloaded, the authorized administrator verifies that it was not tampered with prior to moving it to the TOE by using a SHA-256 utility to compute a SHA-256 hash for the downloaded file and comparing this with the SHA-256 hash for the image listed in Table 6 below.

Step 9 The software image has been digitally signed and image verification is done on the box with a SHA-1 hash. Once the image is loaded into flash, to display information related to software authenticity for a specific image file, use the sam verify command in privileged EXEC mode. Go to [2] Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, section “Software Authentication Manager Commands.” The sam verify command allows you to display the hash value of the software component.

    RP/0/RSP0/CPU0:router# sam verify {location | file-system} {SHA}
    sam verify disk0: SHA

See Table 6 below for the detailed hash value that must be checked to ensure the software has not been modified in any way.

If the SHA hashes do not match, contact the Cisco Technical Assistance Center (TAC): https://tools.cisco.com/ServiceRequestTool/create/launch.do.

Step 10 Install the downloaded and verified software image onto your ASR 9k as described in [3] (under Configure, click Configuration Guides, then Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide, Release 6.1.x, section "Overview of Cisco IOS-XR Software Packages").

Verify Package Details

Before you activate a package on the router, you can verify the type of upgrade that is required for the package and whether the package requires a router reload or not. Use the show install package pie detail command in admin mode.

    RP/0/RSP0/CPU0:router(admin)# show install package disk0:asr9k-px-4.x.x.04I.CSCuc66088-0.0.4.i detail

Activating Packages

Software packages remain inactive until activated with the install activate command. To activate a package on your router, use the install activate command in administration EXEC mode. Once the packages have been activated, verify that they are installed correctly using the show install active command.

    RP/0/RSP0/CPU0:router(admin)# show install active

Commit the Active Software


The active software has to be committed in order for it to be persistent across reloads. When a package is activated on the router, it becomes part of the current running configuration. To commit the active package, enter the install commit command in administration EXEC mode.

Step 11 The end-user must confirm once the TOE has booted that they are indeed running the evaluated version. Use the show install active [3] command to display the currently running system image filename and the system software release version.

When image credentials and hash are matched, the router reboots. If image validation is unsuccessful, the boot process is interrupted, and the router enters the ROMMON CLI mode.

To verify the hash, run the following command on the TOE:

    sam verify <path to install image> SHA256 <published hash value>

e.g.

    sam verify asr9k-mini-px.vm-6.2.1 SHA256 34e4d9c41ced6c2e4e004af4aa3c7774b4213774c9e45143d1102ce84d87764c

Table 6: Evaluated Software Images

Software Version   Image Name                             SHA-256 hash
IOS-XR 6.2.1       asr9k-mini-px.vm-6.2.1                 34e4d9c41ced6c2e4e004af4aa3c7774b4213774c9e45143d1102ce84d87764c
                   asr9k-k9sec-px.pie-6.2.1               baf400c5a120efde694aea7d98ce1c75ac511dcbf737053663d01b8e5ee192c9
                   asr9k-px-6.2.1.CSCvd61721-1.0.0.pie    ec926544c809a508c03bcf98f856b96875cdc418ef896a1467547dabc640e9a6
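As an added example (not part of the Cisco guide), the Step 8 check on the trusted download host carried out in Python: each downloaded image file is hashed in chunks and compared with the Table 6 value for that image name. The hash values are the ones published in Table 6; the assumption is that the downloaded file names match the image names used as dictionary keys.

```python
"""Check downloaded IOS-XR image files against the SHA-256 hashes published in Table 6."""
import hashlib
import os
import sys

# Published SHA-256 values from Table 6 (Evaluated Software Images), keyed by image name.
EVALUATED_IMAGES = {
    "asr9k-mini-px.vm-6.2.1":
        "34e4d9c41ced6c2e4e004af4aa3c7774b4213774c9e45143d1102ce84d87764c",
    "asr9k-k9sec-px.pie-6.2.1":
        "baf400c5a120efde694aea7d98ce1c75ac511dcbf737053663d01b8e5ee192c9",
    "asr9k-px-6.2.1.CSCvd61721-1.0.0.pie":
        "ec926544c809a508c03bcf98f856b96875cdc418ef896a1467547dabc640e9a6",
}


def sha256_of_chunks(chunks):
    """Hex SHA-256 of a sequence of byte chunks, so a large image is never held
    in memory at once."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    with open(path, "rb") as f:
        return sha256_of_chunks(iter(lambda: f.read(chunk_size), b""))


def verify_digest(image_name, actual_hex):
    """True only when image_name is an evaluated image and actual_hex equals its
    published hash. An unknown name fails rather than passes: a file that is not
    in Table 6 is not part of the evaluated configuration."""
    published = EVALUATED_IMAGES.get(image_name)
    if published is None:
        return False
    return actual_hex.lower() == published.lower()


def verify_file(path):
    """(ok, actual_hex) for a downloaded image; the file name selects the Table 6 row."""
    actual = sha256_of_file(path)
    return verify_digest(os.path.basename(path), actual), actual


if __name__ == "__main__":
    # Usage: python verify_image.py <downloaded image> [...]
    # Non-zero exit status if any file fails, so the copy to the TOE can be gated on it.
    status = 0
    for image in sys.argv[1:]:
        ok, actual = verify_file(image)
        print(f"{'OK  ' if ok else 'FAIL'} {image} {actual}")
        status |= 0 if ok else 1
    sys.exit(status)
```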


3 Secure Installation and Configuration

Physical Installation

Follow the Cisco ASR 9000 Series Aggregation Services Routers Hardware Installation Guide [1] for hardware installation instructions.

Initial Setup via Direct Console Connection

The ASR 9k must be given basic configuration via console connection prior to being connected to any network.

Once the software has been committed, an authorized administrator needs to connect to the console port. On first login the username and password for the root-system user will need to be created. The following example shows the root-system username and password configuration for a new router, and it shows the initial log in:

    RP/0/RSP0/CPU0: Enter root-system username: <username1>
    RP/0/RSP0/CPU0: Enter secret:
    RP/0/RSP0/CPU0: Enter secret again:

When creating the password, follow the guidance for a secure password in section 4.2.

Note: The secret line in the configuration command script shows that the password is hashed for obfuscation. When you enter the password during configuration and login, the password is hidden.

The root system user is the entity authorized to “own” the entire router chassis. The root system user functions with the highest privileges over all router components and can monitor all secure domain routers in the system. At least one root system user account must be created during router setup. Multiple root system users can exist. See the Router System Security Configuration Guide [3] and Getting Started Guide [5] for more information.

Administrator Configuration and Credentials

The ASR 9k must be configured to use a username and password for each administrator and one password for the admin command. Ensure all passwords are stored encrypted by using the 7 option with the password command. See [2] Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference and [4] Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, chapter "Configuring AAA Services", section "Configuring Users".

    RP/0/RSP0/CPU0:router# configure
    RP/0/RSP0/CPU0:router(config)# username user1
    RP/0/RSP0/CPU0:router(config-un)# password 7 K$e%y^&*()t@#!s
    RP/0/RSP0/CPU0:router(config-un)# commit
    RP/0/RSP0/CPU0:router(config-un)# show running-config

Configure local AAA authentication and authorization:

    RP/0/RSP0/CPU0:router(config)# aaa authentication login default local
    RP/0/RSP0/CPU0:router(config)# aaa authorization exec default local

Saving Configuration

IOS-XR uses both a running configuration and a startup configuration. Configuration changes affect the running configuration; in order to save that configuration, the running configuration (held in memory) must be copied to the startup configuration. This may be achieved by using the copy run command.

    RP/0/RSP0/CPU0:router# copy run disk0:/config/running/alternate_cfg:/router.cfg
    Destination file name (control-c to abort): [/router.cfg]?
    The destination file already exists. Do you want to overwrite? [no]: yes

This command should be used frequently when making changes to the configuration of the router. If the router reboots and resumes operation when uncommitted changes have been made, these changes will be lost and the router will revert to the last configuration saved.

See the Aggregation Services Router Ethernet Line Card Installation Guide [6] for more details on this command.

Enabling FIPS Mode

An authorized administrator must install and activate the asr9k-k9sec-px.pie file to configure FIPS. An authorized administrator must be in a user group associated with a task group that includes the proper task IDs. See section "Installing and Activating the PIE" in the Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 6.1.x [4]. Note: placing the ASR 9k in FIPS mode automatically configures the router for both the Common Criteria and FIPS approved algorithms and key sizes.

The TOE must be run in the FIPS mode of operation to meet Common Criteria compliance. This is configured as follows:

    RP/0/RSP0/CPU0:router# configure
    RP/0/RSP0/CPU0:router(config)# crypto fips-mode
    RP/0/RSP0/CPU0:router# commit
    RP/0/RSP0/CPU0:router# show logging
    RP/0/RSP0/CPU0:router# admin
    RP/0/RSP0/CPU0:router(admin)# reload location all

Configuring FIPS-compliant Keys

Generate RSA key material; choose a longer modulus length for more secure keys (e.g. 2048 for RSA):

    RP/0/RSP0/CPU0:router# crypto key generate rsa general-keys rsakeypair
    RP/0/RSP0/CPU0:router# How many bits in the modulus [512]: 2048
    RP/0/RSP0/CPU0:router# show crypto key mypubkey rsa


RSA keys are generated in pairs—one public RSA key and one private RSA key. This command

is not saved in the router configuration; however, the RSA keys generated by this command are

saved in the private configuration in NVRAM (which is never displayed to the user or backed up

to another device) the next time the configuration is written to NVRAM.

Note: Only one set of keys can be configured using the crypto key generate command at a time.

Repeating the command overwrites the old keys.

Note: If the configuration is not saved to NVRAM with a “copy run start”, the generated keys

are lost on the next reload of the router.

Note: If the error “% Please define a domain-name first” is received, enter the command ‘ip

domain-name [domain name]’.

Configuring FIPS-compliant Key Chain

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# key chain mykeychain

RP/0/RSP0/CPU0:router(config-mykeychain)# key 1

RP/0/RSP0/CPU0:router(config-mykeychain-1)# cryptographic-algorithm HMAC-SHA1-20

RP/0/RSP0/CPU0: router(config): commit

Self-tests

The self-tests for the cryptographic functions in the TOE are run automatically during power-on

as part of the POST.

If any of the self-tests fail, the TOE transitions into an error state. In the error state, all secure

data transmission is halted and the TOE outputs status information indicating the failure.

Session Termination

Inactivity settings must trigger termination of the administrator session. By default, console, vty,

and tty sessions disconnect after 10 minutes of inactivity. Administrators are advised to maintain

this value at 10 minutes or less but greater than zero. Note: A 0-minute value will prevent

sessions from terminating.

These settings are configurable as follows:

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# line console

RP/0/RSP0/CPU0:router(config-line)# exec-timeout minutes seconds

For more information, see Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference, Release 6.1.x [2], Chapter "Terminal Services Commands", section "exec-timeout". The line console setting is not immediately activated for the current session. The current console session must be exited. When the user logs back in, the inactivity timer will be activated for the new session. See Converting Cisco IOS Configurations to Cisco IOS XR Configurations Guide [7].

User Lockout

User accounts must be configured to lockout after a specified number of authentication failures.

router(config)#aaa password-policy policy


router(config-pp)#authen-max-attempts ?

<1-24> Number of attempts, default is 0

router(config-pp)#lockout-time ?

days Number of days

hours Number of hours

minutes Number of minutes

seconds Number of seconds

Network Protocols and Cryptographic Settings

Remote Administration Protocols

Telnet for management purposes is not allowed in the evaluated configuration. The TOE, in FIPS mode, is configured to only allow the permitted data integrity algorithms and cipher suites. No configuration is required.

SSHv2 is used for monitoring and for command-line interface (CLI) access. The following steps configure the TOE to use SSH for remote administration purposes; for more details refer to chapter "Implementing Secure Shell" of [4] Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide. When SSHv2 is configured using SSH server v2, only SSHv2 client connections will be accepted.

RP/0/RSP0/CPU0:ASR9K#crypto key gen rsa
The name for the keys will be: the_default
Only 2048 bit modulus allowed while in FIPS mode.
Automatically selecting 2048 bit modulus size.
Generating RSA keys ... Done w/ crypto generate keypair [OK]
RP/0/RSP0/CPU0:ASR9K#config terminal
RP/0/RSP0/CPU0:ASR9K(config)#ssh server vrf mgmt
RP/0/RSP0/CPU0:ASR9K(config)#ssh server access-list 170 permit ip 30.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
RP/0/RSP0/CPU0:ASR9K(config)#ssh server logging
RP/0/RSP0/CPU0:ASR9K(config)#ssh server v2
RP/0/RSP0/CPU0:ASR9K(config)#commit
RP/0/RSP0/CPU0:ASR9K(config)#end
RP/0/RSP0/CPU0:ASR9K(config)#ssh time-out 60
RP/0/RSP0/CPU0:ASR9K(config)#ssh server rekey-time 60
RP/0/RSP0/CPU0:ASR9K(config)#ssh server rekey-volume 1024

The management plane is the logical path of all traffic that is related to the management of a routing platform. In addition, the management plane is used to manage a device through its connection to the network. See the Router System Security Configuration Guide [4], chapter "Implementing Management Plane Protection," section "Configuring a Device for Management Plane Protection for an Inband Interface." Configuring the MPP allows an authorized administrator to add a policy to restrict from where the ASR9k will accept SSHv2 client connections. Although this specifically is not claimed in the ST, as a best practice it is recommended to limit where an SSHv2 client connection can come from.

1. RP/0/RSP0/CPU0:router# configure
2. RP/0/RSP0/CPU0:router(config)# control-plane
3. RP/0/RSP0/CPU0:router(config-ctrl)# management-plane
4. RP/0/RSP0/CPU0:router(config-mpp)# inband
5. RP/0/RSP0/CPU0:router(config-mpp-inband)# interface {type instance | all}
Ex. RP/0/RSP0/CPU0:router(config-mpp-inband)# interface GigabitEthernet 0/6/0/1
6. RP/0/RSP0/CPU0:router(config-mpp-inband-Gi0_6_0_1)# allow {protocol | all} [peer]
Ex. RP/0/RSP0/CPU0:router(config-mpp-inband-Gi0_6_0_1)# allow sshv2 [peer]
7. RP/0/RSP0/CPU0:router(config-sshv2-peer)# address ipv4 {peer-ip-address | peer ip-address/length}
Ex. RP/0/RSP0/CPU0:router(config-sshv2-peer)# address ipv4 10.1.0.0/16
8. RP/0/RSP0/CPU0:ASR9K(config)#commit

Logging Configuration

Logging of command execution must be enabled. See chapter "Configuring Logging and

Logging Correlation" in [5] Cisco ASR 9000 Series Aggregation Services Router Getting Started

Guide.

1. RP/0/RSP0/CPU0:router# configure

2. RP/0/RSP0/CPU0:ASR9K(config)#logging trap debugging

3. RP/0/RSP0/CPU0:ASR9K(config)#logging 10.34.0.1 vrf default severity debugging

4. RP/0/RSP0/CPU0:ASR9K(config)#logging hostnameprefix TOE:ASR9K

5. RP/0/RSP0/CPU0:ASR9K(config)#service timestamps log datetime localtime msec

6. RP/0/RSP0/CPU0:ASR9K(config)#service timestamps debug datetime localtime msec

7. RP/0/RSP0/CPU0:ASR9K(config)#commit

8. RP/0/RSP0/CPU0:ASR9K(config)#end

Logging console on/off

This will turn on logging events to be sent to the console. An authorized administrator will see the audit events displayed on the console while commands are being entered.

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# logging console
RP/0/RSP0/CPU0:router(config)# no logging console

Set logging size

This example shows how to set the maximum log file size to 10 MB:

RP/0/RSP0/CPU0:router(config)# logging archive
RP/0/RSP0/CPU0:router(config-logging-arch)# file-size 10

Turn logging on/off

The following example shows how to enable configuration logging:

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:ASR9K(config)#logging trap debugging

The following example shows how to clear the configuration log by disabling and then re-

enabling the configuration log:

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:ASR9K(config)#no logging trap debugging

Logging Protection

If an authorized administrator wants to back up the logs to a syslog server, then protection must be provided for the syslog server communications. The connection to the remote syslog server will be secured via MACsec: the syslog server operates on an internal network behind a MACsec peer, and the records are tunneled over that connection. The ASR9k will be configured as a MACsec peer.

Non-Approved Algorithms and Protocols

This section details the algorithms and protocols that were not evaluated. These algorithms and

protocols are supported by the TOE, but are not to be configured for use in the evaluated

configuration.

DES

3DES

DES MAC

HMAC MD4

HMAC MD5

MD5

NDRNG

RC4

ftp

telnet


4 Secure Management

User Roles

The ASR 9k differs from IOS in that IOS-XR controls permissions via a usergroup / taskgroup

model. Cisco IOS-XR software user attributes form the basis of the Cisco IOS-XR software

administrative model. See the [4] Cisco ASR 9000 Series Aggregation Services Router System

Security Configuration Guide, chapter "Configuring AAA Services", section "User, User

Groups, and Task Groups".

Each administrator user is associated with the following attributes:

• User ID - (ASCII string) that identifies the user uniquely across an administrative domain

• Password - Length limitation of 253 characters for passwords and one-way encrypted

secrets

• Group - List of user groups (at least one) of which the user is a member (thereby enabling

attributes such as task IDs). The groups consist of user groups, task groups, and

associated task IDs.

The user group concept in IOS-XR relates to a group of users with common characteristics. An

administrator user that logs in to an IOS-XR router may have one or more user groups assigned

to it. Some user groups exist by default and other custom groups may be configured. Table 7

lists the predefined user and task groups in IOS-XR.

User Administrator Categories:

Router users are classified into the following categories:

• Root system user (complete administrative authority) - The root system user is the entity

authorized to “own” the entire router chassis. The root system user functions with the

highest privileges over all router components and can monitor all secure domain routers

in the system. At least one root system user account must be created during router setup.

Multiple root system users can exist.

• Root Secure Domain Router (SDR) user (specific SDR administrative authority) - A root

SDR user controls the configuration and monitoring of a particular SDR. The root SDR

user can create users and configure their privileges within the SDR. Multiple root SDR

users can work independently. A single SDR may have more than one root SDR user.

• SDR user (specific SDR user access) - A SDR user has restricted access to an SDR as

determined by the root-system user or root SDR user. The SDR user performs the day-

to-day system and network management activities. The tasks that the secure domain

router user is allowed to perform are determined by the task IDs associated with the user

groups to which the SDR user belongs.

User Groups

A user group defines a collection of users that share a set of attributes, such as access privileges.

Cisco IOS-XR software allows the system administrator to configure groups of users and the job

characteristics that are common in groups of users. Users are not assigned to groups by default; hence the assignment needs to be done explicitly. A user can be assigned to more than one group. Each user may be associated with one or more user groups. User groups have the following attributes:

• A user group consists of the list of task groups that define the authorization for the

users. All tasks, except cisco-support, are permitted by default for root system users.

• Each user task can be assigned read, write, execute, or debug permission.

Table 7 Predefined User and Task Groups

Note: Custom user and task groups can also be created by an authorized administrator.

User Groups / Task Groups   Purpose
cisco-support               Used by Cisco Support Team. Provides access to troubleshooting commands. / Cisco support personnel tasks
netadmin                    Provides the ability to control and monitor all system- and network-related parameters. / Network administrator tasks
operator                    Provides very basic user privileges. / Operator day-to-day tasks
root-lr                     Provides the ability to control and monitor the specific SDR. / Secure domain router administrator tasks
root-system                 Provides the ability to control and monitor the entire system. / System-wide administrator tasks
sysadmin                    Provides the ability to control and monitor all system parameters but cannot configure network protocols. / System administrator tasks
serviceadmin                Provides the ability to administer session border controllers. / Service administration tasks, for example, SBC

Task IDs

Each user is associated with one or more user groups. Every user group is associated with one or more task groups; in turn, every task group is defined by a set of task IDs. Consequently, a user’s association with a particular user group links that user to a particular set of task IDs. A user that is associated with a task ID can execute any operation associated with that task ID.

Table 8 Task ID Classes

Operation   Description
Read        Specifies a designation that permits only a read operation.
Write       Specifies a designation that permits a change operation and implicitly allows a read operation.
Execute     Specifies a designation that permits an access operation; for example ping.
Debug       Specifies a designation that permits a debug operation.

Refer to the IOS-XR Command Reference Guide for available commands and associated roles

and privilege levels.


Passwords

The password complexity is not enforced by the router by default, and must be administratively set in the configuration. To prevent administrators from choosing insecure passwords, each password must meet the requirements below. See the [4] Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, chapter "Configuring AAA Services", section "Configuring Users".

1. At least 15 characters long. Use the following command to set the minimum length to 15 or greater.

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)#aaa password-policy policy
RP/0/RSP0/CPU0:router(config-pp)#min-length 15

Note: Details for the security passwords min-length command can be found in the:

2. Composed of any combination of characters that includes characters for at least 3 of these four character sets: upper case letters, lower case letters, numerals, and the following special characters: “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”. Configure the router to enforce that complexity requirement by enabling “special-num”.

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)#aaa password-policy policy
RP/0/RSP0/CPU0:router(config-pp)#special-num

To store the passwords securely, use one of the following so that the stored password is unreadable:

RP/0/RSP0/CPU0:router(config-un)# {secret 5 | password 7}

Clock Management

Clock management is restricted to the privileged administrator.

For instructions to set the clock, refer to [5] Cisco ASR 9000 Series Aggregation Services Router

Getting Started Guide, under section “Manually Setting the Router Clock".

Use the clock set command for initial configuration. The clock timezone command should be

entered before the clock is set because it defines the difference between the system time and

Coordinated Universal Time (UTC). When an authorized administrator sets the time, once the

system time is configured, the router uses the clock timezone command setting to translate that

time to UTC. The system internally keeps time in UTC. When you type the show clock

command, the router displays the system time.

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# clock timezone pst -8
RP/0/RSP0/CPU0:router(config)# commit

RP/0/RSP0/CPU0:router# clock update-calendar

Note: the clock update-calendar command updates the hardware clock (calendar clock) with the

new clock settings.


In order to configure the TOE to use an NTP time server, the following commands should be used.

RP/0/RSP0/CPU0:router(config)# ntp
RP/0/RSP0/CPU0:router(config-ntp)#server <IP Address> iburst burst
RP/0/RSP0/CPU0:router(config)#clock timezone EST -5 0
RP/0/RSP0/CPU0:router(config)#clock summer-time EDT recurring <Start Date> <End Date>
RP/0/RSP0/CPU0:router(config)#commit
RP/0/RSP0/CPU0:router(config)#end

Note: for the NTP server, the timezone may vary from the one specified above. Be sure to verify

the correct time zone to ensure accurate time stamps where the TOE is installed.

Login Banners

The TOE may be configured by the privileged administrators with banners using the banner

login command. This banner is displayed before the username and password prompts. To create

a banner of text “This is a banner” use the command. See each command in the [8] Cisco ASR

9000 Series Aggregation Services Router System Management Command Reference, Release

6.1.x.

RP/0/RSP0/CPU0:ASR9K(config)#banner motd c THIS IS THE MOTD BANNER c

RP/0/RSP0/CPU0:ASR9K(config)#banner exec c THIS IS THE EXEC BANNER c

RP/0/RSP0/CPU0:ASR9K(config)#banner login c THIS IS THE LOGIN BANNER c

RP/0/RSP0/CPU0:ASR9K(config)#commit

RP/0/RSP0/CPU0:ASR9K(config)#end

where c is the delimiting character. The delimiting character may be any character except ?, and

it must not be part of the banner message.
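As an added example (not Cisco's code), the following Python script reads an IOS XR running-config and reports deviations from the settings required in the Session Termination, User Lockout, Remote Administration Protocols, Logging Configuration, Passwords and Login Banners sections above. SAMPLE_CONFIG is a constructed configuration; the command keywords are the ones this guide uses, and treating the vty/tty timeout as living under `line default` is an assumption.

```python
"""Audit an IOS XR running-config against the evaluated-configuration settings
this guide requires: exec-timeout, aaa password-policy, SSHv2 with logging and
rekeying, no Telnet server, remote syslog with timestamps, login banner."""
import re

# Constructed sample (not from a real device); it deliberately violates three
# requirements: console exec-timeout 0, min-length below 15, Telnet enabled.
SAMPLE_CONFIG = """\
banner login c Authorized use only c
line console
 exec-timeout 0 0
!
line default
 exec-timeout 10 0
!
aaa password-policy policy
 min-length 12
 special-num
 authen-max-attempts 5
 lockout-time minutes 5
!
ssh server v2
ssh server logging
ssh server rekey-time 60
ssh server rekey-volume 1024
logging 10.34.0.1 vrf default severity debugging
service timestamps log datetime localtime msec
telnet vrf default ipv4 server max-servers 5
"""


def parse_blocks(text):
    """Return (top_level_lines, {block_header: [indented child lines]});
    deeper nesting is flattened, which is enough for the settings checked."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # '!' closes the open block
        elif raw.startswith(" "):
            if current is not None:
                blocks[current].append(line)
        else:
            current = line
            top.append(line)
            blocks.setdefault(current, [])
    return top, blocks


def first_int(lines, pattern):
    """First integer captured by pattern across lines, or None if absent."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return None


def audit(config_text):
    """Return the list of findings; an empty list means the config passes."""
    top, blocks = parse_blocks(config_text)
    findings = []
    # Session termination: exec-timeout > 0 and <= 10 minutes on the console
    # and on the vty/tty line (assumed to be 'line default'); 0 0 never expires.
    for hdr in ("line console", "line default"):
        kids = blocks.get(hdr, [])
        mins = first_int(kids, r"exec-timeout (\d+)")
        secs = first_int(kids, r"exec-timeout \d+ (\d+)") or 0
        total = None if mins is None else mins * 60 + secs
        if total is None or total == 0 or total > 600:
            findings.append(f"{hdr}: exec-timeout must be >0 and <=10 min, got {total}")
    # Password policy: length >= 15, complexity, lockout after N failures.
    policies = [h for h in top if h.startswith("aaa password-policy ")]
    for hdr in policies or ["aaa password-policy <missing>"]:
        kids = blocks.get(hdr, [])
        if (first_int(kids, r"min-length (\d+)") or 0) < 15:
            findings.append(f"{hdr}: min-length must be >= 15")
        if "special-num" not in kids:
            findings.append(f"{hdr}: special-num (complexity) not enabled")
        if not first_int(kids, r"authen-max-attempts (\d+)"):
            findings.append(f"{hdr}: authen-max-attempts unset (default 0 = no lockout)")
        if not any(k.startswith("lockout-time ") for k in kids):
            findings.append(f"{hdr}: lockout-time not set")
    # Remote administration: SSHv2 only, logged and rekeyed; no Telnet server.
    for needed in ("ssh server v2", "ssh server logging",
                   "ssh server rekey-time", "ssh server rekey-volume"):
        if not any(t.startswith(needed) for t in top):
            findings.append(f"missing '{needed}'")
    findings += [f"telnet server enabled: '{t}'"
                 for t in top if t.startswith("telnet ") and " server" in t]
    # Audit trail and banner: remote syslog target, timestamped records.
    if not any(re.match(r"logging \d+\.\d+\.\d+\.\d+", t) for t in top):
        findings.append("no remote syslog server configured")
    if not any(t.startswith("service timestamps log datetime") for t in top):
        findings.append("missing 'service timestamps log datetime'")
    if not any(t.startswith("banner login ") for t in top):
        findings.append("missing 'banner login'")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the three planted deviations; run it against the output of `show running-config` saved to a file to check a real device.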

Product Updates

Verification of authenticity of updated software is done in the same manner as ensuring that the

TOE is running a valid image. See Section 2, steps 7 and 9 above for the method to download

and verify an image prior to running it on the TOE.

5 Security Relevant Events

The TOE is able to generate audit records that are stored internally within the TOE whenever an audited event occurs, as well as simultaneously offloaded to an external syslog server. The details for protection of that communication are covered in section 3.3.3 above.

The administrator can set the level of the audit records to be stored in a local buffer, displayed on the console, sent to the syslog server, or all of the above. The details for configuration of these settings are covered in Section 3.3.2 above.


The local log buffer is circular. Newer messages overwrite older messages after the buffer is

full. Administrators are instructed to monitor the log buffer using the show logging privileged

EXEC command to view the audit records. The first message displayed is the oldest message in

the buffer.

When configured for a syslog backup the TOE will simultaneously offload events from a

separate buffer to the external syslog server. This buffer is used to queue events to be sent to the

syslog server if the connection to the server is lost. It is a circular buffer, so when the events overrun the storage space, older events are overwritten.

Table 9 below includes the security relevant events that are applicable to the TOE.

Deleting Audit Records

The TOE provides the privileged Administrator the ability to delete audit records stored within the TOE. This is done with the clear logging command.

RP/0/RSP0/CPU0:router# clear logging
Clear logging buffer [confirm] [y/n] :y

Audit Records Description

The TOE generates an audit record whenever an audited event occurs. The types of events that cause audit records to be generated include cryptography related events, identification and authentication related events, and administrative events (the specific events and the contents of each audit record are listed in the table below). Each of the events is specified in syslog records in enough detail to identify the user with which the event is associated, when the event occurred, where the event occurred, the outcome of the event, and the type of event that occurred. Additionally, the startup and shutdown of the audit functionality is audited.

The local audit trail consists of the individual audit records; one audit record for each event that

occurred. The audit record can contain up to 80 characters and a percent sign (%), which follows

the time-stamp information. The audit fields in each audit event will contain at a minimum the

following:

Example Audit Event: Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info:

(AES encryption/decryption ... passed)

Date: Nov 19

Time: 13:55:59

Type of event: %CRYPTO-6-SELF_TEST_RESULT

Subject identity: Available when the command is run by an authorized TOE administrator user

such as “user: lab”. In cases where the audit event is not associated with an authorized user, an

IP address may be provided for the Non-TOE endpoint and/ or TOE.

Outcome (Success or Failure): Success may be explicitly stated with “success” or “passed”

contained within the audit event or is implicit in that there is not a failure or error message.

More specifically for failed logins, a “Login failed” will appear in the audit event. For

successful logins, a “Login success” will appear in the associated audit event. For failed events

“failure” will be denoted in the audit event. For other audit events a detailed description of the

outcome may be given in lieu of an explicit success or failure.

Additional Audit Information: As described in Column 3 of Table 9 below.
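The fields listed above can be extracted mechanically from the two record shapes this section shows (the IOS XR form with a node prefix and process[pid], and the classic syslog form). The following is an added example (not Cisco's code) that parses such lines into date, time, event type, subject, origin and outcome, and then applies three checks an operator would run over the buffer; SAMPLE_LOG is constructed from records quoted on this page plus one constructed CFGLOG line, and the `review` checks are assumptions about what is worth flagging.

```python
"""Parse the syslog audit records quoted in this section into the fields the
guide says each record carries (date, time, event type, subject, origin,
outcome) and run the checks an operator would apply to the log buffer.
Added example, not Cisco's code."""
import re
from collections import Counter

# Both record shapes shown on this page: the IOS XR form with a node prefix
# and process[pid], and the classic 'Mon DD [YYYY] HH:MM:SS: %FAC-SEV-MNEM:' form.
LINE_RE = re.compile(
    r"^\*?(?:RP/\d+/\w+/CPU\d+:)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} (?:\d{4} )?\d\d:\d\d:\d\d(?:\.\d+)?)"
    r" ?: ?(?:(?P<proc>\w+)\[\d+\]: )?"
    r"%(?P<fac>[A-Z][A-Z_]*(?:-[A-Z][A-Z_]*)*)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+)"
    r" ?: ?(?P<msg>.*)$")

# Constructed buffer: records quoted on this page plus one constructed
# CFGLOG line (an administrator turning syslog export off).
SAMPLE_LOG = """\
Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (AES encryption/decryption ... passed)
RP/0/RSP0/CPU0:Feb 28 15:20:44.566 : exec[65592]: %SECURITY-LOGIN-6-AUTHEN_SUCCESS : Successfully authenticated user 'admin' from 'console' on 'con0_RSP0_CPU0'
RP/0/RSP0/CPU0:Feb 28 15:23:04.816 : exec[65592]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from 'console' on 'con0_RSP0_CPU0'
RP/0/RSP0/CPU0:Feb 21 09:19:44.831 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_SUCCESS : Successfully authenticated user 'admin' from '10.31.0.101' on 'vty0'(cipher 'aes256-ctr', mac 'hmac-sha1')
Feb 7 2013 02:05:41.953: %AAA-5-USER_UNLOCKED: User user unlocked by admin on vty0 (21.0.0.1)
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:no logging trap debugging
RP/0/RSP0/CPU0:Dec 2 22:22:22.021 : iosclock[65757]: %INFRA-INFRA_MSG-5-CLOCK_TIME_UPDATE : User admin(con0_RSP0_CPU0) updated clock from Tue Jun 13 15:00:40 2017 to Thu Dec 22 22:22:22 2022
"""

# The four ways the page's sample records name the acting user.
SUBJECT_PATTERNS = (r"[Uu]ser '([^']+)'", r"User:(\w+)", r"User (\w+)\(", r"\bby (\w+)")


def parse_record(line):
    """Return the audit fields of one syslog line, or None for non-records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    date, _, time = m.group("ts").rpartition(" ")
    subject = next((h.group(1) for h in (re.search(p, msg) for p in SUBJECT_PATTERNS) if h), None)
    origin = re.search(r"from '([^']+)'|\((\d+\.\d+\.\d+\.\d+)\)", msg)
    low = msg.lower()
    return {
        "date": date, "time": time,
        "type": f"%{m.group('fac')}-{m.group('sev')}-{m.group('mnem')}",
        "severity": int(m.group("sev")), "mnemonic": m.group("mnem"),
        "subject": subject,
        "origin": (origin.group(1) or origin.group(2)) if origin else None,
        # Outcome rule from the guide: an explicit failure/error word marks a
        # failure; otherwise success, stated ("success", "passed") or implicit.
        "outcome": "failure" if ("fail" in low or "error" in low) else "success",
        "message": msg,
    }


def review(log_text):
    """Checks over a buffer: failed logins per origin, logging switched off
    (the FAU_GEN.1 'shutdown of audit functions' case), clock changes."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    return {
        "records": records,
        "failed_logins": Counter(r["origin"] for r in records
                                 if r["mnemonic"] == "AUTHEN_FAILED"),
        "logging_disabled_by": [r["subject"] for r in records
                                if r["mnemonic"] == "CFGLOG_LOGGEDCMD"
                                and "no logging" in r["message"]],
        "clock_changed_by": [r["subject"] for r in records
                             if r["mnemonic"] == "CLOCK_TIME_UPDATE"],
    }
```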


As noted above, the information includes at least all of the required information. Example audit events are included in Table 9 below. The auditable events that result from administrative actions are included in Table 9 and are designated with ‘Administrative Actions’ within the Auditable Events column.

Table 9: Auditable Events (IOS-XR)

Columns: Requirement; Auditable Events; Additional Audit Record Contents; Sample Log

FAU_GEN.1
Auditable Events: Start-up and shutdown of audit functions. Note: shutdown is only when an administrator turns off logging. This has to be audited with the administrator's userid. Administrative Actions: Changing logging settings. Shutdown of logging. Clearing logs.
Additional Audit Record Contents: None
Sample Log:
Log Buffer (10000000 bytes):
RP/0/RSP0/CPU0:Jun 12 14:36:03.850 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000023676' to view the changes.
RP/0/RSP0/CPU0:Jun 12 14:36:03.930 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin
RP/0/RSP0/CPU0:ASR9K#

FAU_GEN.2
Auditable Events: User id listed in administrator user actionable audited events.
Additional Audit Record Contents: No additional information.
Sample Log: See "Administrative Actions" in this table.

FAU_STG_EXT.1
Auditable Events: Administrative Actions: Configuration of syslog export settings.
Additional Audit Record Contents: No additional information.
Sample Log:
RP/0/RSP0/CPU0:Jun 13 22:41:06.441 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin

FCS_CKM.1
Auditable Events: Administrative Actions: Manual key generation.
Additional Audit Record Contents: None
Sample Log:
Log Buffer (10000000 bytes):
RP/0/RSP0/CPU0:Jun 13 22:41:06.441 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin

FCS_CKM_EXT.4
Auditable Events: Administrative Actions: Manual key zeroization.
Additional Audit Record Contents: None
Sample Log:
+++ 09:19:38 ASR9K receive +++
crypto key zeroize rsa the_default
% Keys to be removed are named the_default
Do you really want to remove these keys ?? [yes/no]: yes

FCS_MACSEC_EXT.1, FCS_MACSEC_EXT.2, FCS_MACSEC_EXT.3, FCS_MACSEC_EXT.4, FCS_MKA_EXT.1
Auditable Events: Session Establishment. Creation of Connectivity Association. Creation and Update of Secure Association Key.
Additional Audit Record Contents: Secure Channel Identifier. Connectivity Association Key Names.
Sample Log:
RP/0/RSP0/CPU0:macsec-CE2# show macsec mka session interface tenGigE 0/3/0/0/1
=====================================
Interface       Local-TxSCI           # Peers   Status    Key-Server
=====================================
Te0/3/0/0/1.1   001d.e5e9.a3a4/0001   1         Secured   YES

FCS_SSHS_EXT.1
Auditable Events: Failure to establish an SSH Session. Establishment/Termination of an SSH Session. Administrative Actions: Configuration of SSH settings: including passwords, algorithms, host names, users.
Additional Audit Record Contents: Reason for failure. Non-TOE endpoint of connection (IP address) for both successes and failures.
Sample Log:
Failure to establish a SSH Session.
o IP address of remote host
o Reason for failure.
RP/0/RSP0/CPU0:Feb 21 09:19:56.113 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_GENERAL : Enc name is NULL: client blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr
Establishment of a SSH session
o IP address of remote host
RP/0/RSP0/CPU0:Feb 21 09:19:44.831 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_SUCCESS : Successfully authenticated user 'admin' from '10.31.0.101' on 'vty0'(cipher 'aes256-ctr', mac 'hmac-sha1')
Termination of a SSH session.
RP/0/RSP0/CPU0:Feb 21 09:19:56.113 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_GENERAL : Enc name is NULL: client blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr
Administrative Actions
RP/0/RSP0/CPU0:Feb 21 09:19:42.271 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_SUCCESS : Successfully authenticated user 'admin' from '10.31.0.101' on 'vty0'(cipher 'aes128-ctr', mac 'hmac-sha1')
RP/0/RSP0/CPU0:Feb 21 09:19:42.510 : SSHD_[65780]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'admin' from '10.31.0.101' logged out on 'vty0'

FIA_AFL.1
Auditable Events: Administrative Actions: Configuring number of failures. Unlocking the user.
Sample Log:
Feb 17 2013 16:14:47: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command: aaa local authentication attempts max-fail [number of failures]
Feb 7 2013 02:05:41.953: %AAA-5-USER_UNLOCKED: User user unlocked by admin on vty0 (21.0.0.1)

FIA_PMG_EXT.1
Auditable Events: Administrative Actions: Setting length requirement for passwords.
Additional Audit Record Contents: None.
Sample Log:
RP/0/RSP0/CPU0:Mar 8 14:29:26.543 : config[65874]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000018738' to view the changes.
RP/0/RSP0/CPU0:Mar 8 14:29:26.622 : config[65874]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin
+++ 14:46:27 ASR9K exec +++
show aaa passwordpolicy
Password Policy Name : TOE
Number of Users : 0
Minimum Length : 2
Maximum Length : 253
Special Character Len : 2
Uppercase Character Len : 2
Lowercase Character Len : 0
Numeric Character Len : 2
Policy Life Time :
seconds : 0
minutes : 0
hours : 0
days : 0
months : 2
years : 0
Lockout Time :
seconds : 0
minutes : 5
hours : 0
days : 0
months : 0
years : 0
Character Change Len : 3
Maximum Failure Attempts : 5
RP/0/RSP0/CPU0:ASR9K(config-un)#password-policy TOE password CcTb
RP/0/RSP0/CPU0:ASR9K(config-un)#commit
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors

FIA_UIA_EXT.1
Auditable Events: All use of the identification and authentication mechanism.
Additional Audit Record Contents: Provided user identity, origin of the attempt (e.g., IP address).
Sample Log: See Audit events in FIA_UAU_EXT.2

FIA_UAU_EXT.2
Auditable Events: All use of the authentication mechanism. Administrative Actions: Logging into TOE.
Additional Audit Record Contents: Origin of the attempt (e.g., IP address).
Sample Log:
Login as an administrative user at the console
RP/0/RSP0/CPU0:Feb 28 15:20:44.566 : exec[65592]: %SECURITY-LOGIN-6-AUTHEN_SUCCESS : Successfully authenticated user 'admin' from 'console' on 'con0_RSP0_CPU0'
RP/0/RSP0/CPU0:Feb 28 15:21:07.164 : config[65780]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000017905' to view the changes.
Failed login via the console does not allow any actions
RP/0/RSP0/CPU0:Feb 28 15:23:04.816 : exec[65592]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '<unknown>' from 'console' on 'con0_RSP0_CPU0'
See FCS_SSHS_EXT.1 for remote login audit events.

FIA_UAU.7
Auditable Events: None
Additional Audit Record Contents: None
Sample Log:
Connected to 172.18.153.30.
Escape character is '^]'.
User Access Verification
Username: admin
Password:
${via_console} = ASR9K con0/RSP0/CPU0 is now available
Press RETURN to get started.
User Access Verification
Username: admin
Password:

FMT_MOF.1
Auditable Events: Administrative Actions: See all other rows in table.
Additional Audit Record Contents: None
Sample Log: See all other rows in table.

FMT_MTD.1
Auditable Events: Administrative Actions: See all other rows in table.
Additional Audit Record Contents: None
Sample Log: See all other rows in table.

FMT_SMF.1
Auditable Events: Administrative Actions: See all other rows in table.
Additional Audit Record Contents: None
Sample Log: See all other rows in table.

FMT_SMR.2
Auditable Events: Administrative Actions: Configuring administrative users with specified roles.
Additional Audit Record Contents: None
Sample Log:
RP/0/RSP0/CPU0:Jun 12 14:36:03.850 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000023676' to view the changes.

FPT_APW_EXT
Auditable Events: None
Additional Audit Record Contents: None
Sample Log:
config terminal
RP/0/RSP0/CPU0:ASR9K(config)#username testuser
RP/0/RSP0/CPU0:ASR9K(config-un)#group netadmin
RP/0/RSP0/CPU0:ASR9K(config-un)#password 0 Cisco123
--Password stored hashed--
username cisco
group netadmin
group root-system
!
username testuser
group netadmin
password 7 096F471A1A0A464058

FPT_RPL.1
Auditable Events: Detected replay attempt
Additional Audit Record Contents: None

FPT_STM.1
Auditable Events: Changes to the time. Administrative Actions: Manual changes to the system time. Changes to NTP settings.
Additional Audit Record Contents: The old and new values for the time. Origin of the attempt (e.g., IP address).
Sample Log:
RP/0/RSP0/CPU0:Dec 2 22:22:22.021 : iosclock[65757]: %INFRA-INFRA_MSG-5-CLOCK_TIME_UPDATE : User admin(con0_RSP0_CPU0) updated clock from Tue Jun 13 15:00:40 2017 to Thu Dec 22 22:22:22 2022

FPT_TST_EXT.1
Auditable Events: None
Additional Audit Record Contents: No additional information.
Sample Log:
Jan 23 2013 06:53:24.570: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Self test activated by user: admin)
Jan 23 2013 06:53:24.670: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Software checksum ... passed)

FPT_TUD_EXT.1
Auditable Events: Initiation of update. Administrative Actions: Software updates
Additional Audit Record Contents: No additional information.
Sample Log:
Use of the “upgrade” command.
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:copy tftp ….
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:reload

FTA_SSL_EXT.1
Auditable Events: Any attempts at unlocking of an [local] interactive session. Administrative Actions: Specifying the inactivity time period.
Additional Audit Record Contents: No additional information.
Sample Log:
SLEEP for 62 secs for the idle timer to expire.
FOUND: 'The idle timeout is soon to expire on this line'
FOUND: 'Username'
PASS: TOE logged out after exec timer expired as expected
LOGIN output: '
+++ 22:52:07 ASR9K exec +++
show logging | include SECURITY-LOGIN-6-CLOSE
RP/0/RSP0/CPU0:Jun 13 21:50:18.415 : exec[65591]: %SECURITY-LOGIN-6-CLOSE : User 'admin' logged out

FTA_SSL.3
Auditable Events: The termination of a remote session by the session locking mechanism. Administrative Actions: Specifying the inactivity time period.
Additional Audit Record Contents: No additional information.
Sample Log:
+++ 22:50:00 ASR9K config +++
config terminal
RP/0/RSP0/CPU0:ASR9K(config)#line console
RP/0/RSP0/CPU0:ASR9K(config-line)#exec-timeout 0 60
To TCL: ASR9K exec "show logging | include SECURITY-LOGIN-6-CLOSE"
From TCL: ;list
+++ 22:52:07 ASR9K exec +++
show logging | include SECURITY-LOGIN-6-CLOSE
RP/0/RSP0/CPU0:Jun 13 21:50:18.415 : exec[65591]: %SECURITY-LOGIN-6-CLOSE : User 'admin' logged out

FTA_SSL.4
Auditable Events: The termination of an interactive session. Administrative Action: Logging out of TOE.
Additional Audit Record Contents: No additional information.
Sample Log:
Audit record generated when admin logs out of CONSOLE:
RP/0/RSP0/CPU0:Sep 28 15:34:31.194 : exec[65592]: %SECURITY-LOGIN-6-CLOSE : User 'admin' logged out

FTA_TAB.1
Auditable Events: Administrative Action: Configuring the banner displayed prior to authentication.
Additional Audit Record Contents: None
Sample Log:
RP/0/RSP0/CPU0:Jun 13 22:07:13.482 : banner_config[1071]: sysdb_find passed
RP/0/RSP0/CPU0:Jun 13 22:07:13.622 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'admin'. Use 'show configuration commit changes 1000023788' to view the changes.
RP/0/RSP0/CPU0:Jun 13 22:07:13.702 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin

FTP_ITC.1
Auditable Events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Additional Audit Record Contents: Identification of the initiator and target of failed trusted channels establishment attempt.
Sample Log: AUDIT: See logs provided by FCS_MACSEC_EXT.1

FTP_TRP.1
Auditable Events: Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions. Administrative Action: Connecting to the TOE with SSH
Additional Audit Record Contents: Identification of the claimed

user identity.

AUDIT: See logs provided by FCS_SSHS_EXT.1
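The records in the table above are what an administrator's review script or a SIEM has to recognise when collecting the TOE's audit trail. As an added example (not Cisco's code), the Python below parses the IOS XR record layout shown in the samples and tags each record with the requirement it evidences; REQUIREMENT_MAP, the field names and the constructed SAMPLE_LOG are my own, and FPT_STM for the clock-change row is assumed because that row's identifier falls outside this excerpt.

```python
"""Tag IOS XR syslog records with the CC requirement they evidence (added
example, not Cisco's code). Message identifiers and samples are those of the
audit table above; REQUIREMENT_MAP and the helper names are my own, and
FPT_STM for the clock row is assumed (its row id lies outside this excerpt)."""
import re
from typing import Dict, List, Optional

# <node>:<Mon D [YYYY] HH:MM:SS.mmm> : <proc>[<pid>]: %<FAC>[-<SUB>]-<SEV>-<MNEMONIC> : <text>
# node and proc[pid] are absent in the IOS-style PARSER/CRYPTO samples, so both are optional.
_RECORD = re.compile(
    r"^(?:(?P<node>RP/\d+/\w+/CPU\d+):)?\s*"
    r"(?P<ts>\*?[A-Z][a-z]{2} \d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}\.\d{3})\s*:\s*"
    r"(?:(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s*)?"
    r"%(?P<msgid>[A-Z][A-Z0-9_]*(?:-[A-Z][A-Z0-9_]*)*-[0-7]-[A-Z0-9_]+)\s*:\s*"
    r"(?P<text>.*)$")

# (facility, mnemonic) -> requirement row of the audit table above.
REQUIREMENT_MAP = {
    ("INFRA-INFRA_MSG", "CLOCK_TIME_UPDATE"): "FPT_STM (changes to time)",
    ("CRYPTO", "SELF_TEST_RESULT"): "FPT_TST_EXT.1",
    ("PARSER", "CFGLOG_LOGGEDCMD"): "FPT_TUD_EXT.1",
    ("SECURITY-LOGIN", "CLOSE"): "FTA_SSL.3 / FTA_SSL.4",
    ("MGBL-CONFIG", "DB_COMMIT"): "FTA_TAB.1 (configuration commit)",
    ("MGBL-SYS", "CONFIG_I"): "FTA_TAB.1 (configuration commit)",
}
UPDATE_COMMANDS = {"upgrade", "copy", "reload"}  # the FPT_TUD_EXT.1 sample commands


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one line into its fields and tag it; None if it is not an IOS XR record."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    parts = m["msgid"].split("-")
    facility, severity, mnemonic = "-".join(parts[:-2]), int(parts[-2]), parts[-1]
    requirement = REQUIREMENT_MAP.get((facility, mnemonic), "unmapped")
    if (facility, mnemonic) == ("PARSER", "CFGLOG_LOGGEDCMD"):
        # Any logged command is an audited admin action; only update commands evidence FPT_TUD_EXT.1.
        cmd = re.search(r"command:(\S+)", m["text"])
        if not cmd or cmd.group(1) not in UPDATE_COMMANDS:
            requirement = "administrative action (logged command)"
    return {"node": m["node"], "timestamp": m["ts"], "process": m["proc"],
            "pid": int(m["pid"]) if m["pid"] else None, "facility": facility,
            "severity": severity, "mnemonic": mnemonic,
            "text": m["text"].strip(), "requirement": requirement}


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count records per requirement; lines that do not parse count as 'unparsed'."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_record(line)
        key = str(rec["requirement"]) if rec else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: the table's records re-joined onto single lines, plus a
# non-update logged command and a junk line to exercise the edge cases.
SAMPLE_LOG = [
    "RP/0/RSP0/CPU0:Dec 2 22:22:22.021 : iosclock[65757]: %INFRA-INFRA_MSG-5-CLOCK_TIME_UPDATE"
    " : User admin(con0_RSP0_CPU0) updated clock from Tue Jun 13 15:00:40 2017 to Thu Dec 22 22:22:22 2022",
    "Jan 23 2013 06:53:24.570: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Self test activated by user: admin)",
    "*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade",
    "*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:show version",
    "RP/0/RSP0/CPU0:Jun 13 21:50:18.415 : exec[65591]: %SECURITY-LOGIN-6-CLOSE : User 'admin' logged out",
    "RP/0/RSP0/CPU0:Jun 13 22:07:13.622 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT : Configuration"
    " committed by user 'admin'. Use 'show configuration commit changes 1000023788' to view the changes.",
    "not a syslog record at all",
]
```

Running summarize(SAMPLE_LOG) yields one record per requirement plus one "unparsed" line; anything tagged "unmapped" in a real log is a message type the review script does not yet know.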

Deleting Audit Records

The TOE provides the privileged Administrator the ability to delete audit records stored within the TOE. This is done with the clear logging command.


6 MACsec Configuration

Media Access Control Security (MACsec) is defined in IEEE 802.1AE-2006 (specification PDF attached to this note). There are two subsequent amendments:

802.1AEbn-2011 defines the use of AES-256-GCM in the context of MACsec

802.1AEbw-2013 defines the use of Extended Packet Numbering (XPN) with MACsec (this is dependent on GCM)

To configure the TOE for MACsec, follow the configuration procedures below.

MACsec Configuration on ASR9k

For additional information, please reference the ASR9k Security Configuration Guide chapter "Implementing MACsec Encryption."

Create the MACsec Key Chain 9k

(config)#key chain mac_chain256 macsec
(config-mac_chain-MacSec)#key <key-id>
(config-mac_chain-MacSec-1234)#key-string <keystring> cryptographic-algorithm aes-256-cmac

*Note – Use 64-character key-strings for 256-bit encryption. For 128-bit encryption, the key-string length will be 32 characters.

(config-mac_chain-MacSec-1234)#lifetime HH:MM:SS DAY MONTH YEAR <duration>
(config-mac_chain-MacSec-1234)#exit
(config-mac_chain-MacSec)#commit

Creating a MACsec Policy 9k

(config)#macsec-policy mac_policy256
(config-macsec-policy)#cipher-suite GCM-AES-256
(config-macsec-policy)#conf-offset CONF-OFFSET-30 >> Can be set for 0, 30, or 50
(config-macsec-policy)#key-server-priority 0
(config-macsec-policy)#security-policy must-secure
(config-macsec-policy)#window-size 64
(config-macsec-policy)#include-icv-indicator
(config-macsec-policy)#delay-protection
(config-macsec-policy)#exit
(config)#commit
(config)#exit
#sh run macsec-policy >> To view macsec config


Note: When a key has expired, the MACsec session is torn down and running the show macsec mka session command does not display any information. If you run the show macsec mka interface and show macsec mka interface detail commands, you can see that the session is unsecured.

Applying MACsec on a Physical Interface ASR9k

(config)#interface <interface>
(config-if)#macsec psk-keychain mac_chain256 policy mac_policy256
(config-if)#exit
(config)#commit
#show config commit changes all >> To view all commits

Verify MACsec Configuration 9k

Verify the MACsec MKA policy configuration:

#show macsec mka summary

Verify the MACsec policy configuration:

#show macsec policy mac_policy256
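Before committing the key chain and policy above, a pre-commit check catches the mistakes this procedure warns about: a key-string whose length does not match the chosen cipher, a policy weaker than must-secure, and a key lifetime that has already expired (which tears the MKA session down, as the note above says). The Python below is an added example, not Cisco's code; it parses a prompt-less copy of the snippets above, and the "duration <seconds>" and "infinite" endings of the lifetime command are assumptions.

```python
"""Lint an IOS XR MACsec key chain + policy (added example, not Cisco's code).
Rules come from the procedure above; the 'duration <seconds>' and 'infinite'
lifetime endings and the prompt-less config layout are assumptions."""
import re
from datetime import datetime, timedelta
from typing import List

CAK_HEX_LEN = {"aes-256-cmac": 64, "aes-128-cmac": 32}   # key-string length note above
SUITE_FOR_ALG = {"aes-256-cmac": "GCM-AES-256", "aes-128-cmac": "GCM-AES-128"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def _parse_time(tokens: List[str]) -> datetime:
    """'HH:MM:SS DAY MONTH YEAR', as written in the lifetime command above."""
    return datetime.strptime(" ".join(tokens[:4]), "%H:%M:%S %d %B %Y")


def lint_macsec(config: str, now_iso: str) -> List[str]:
    """Return findings for a key chain + policy at time now_iso; [] means they pass."""
    now, findings = datetime.fromisoformat(now_iso), []
    cak = key_alg = suite = policy = start = None
    end = None                      # stays None for an infinite lifetime
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "key-string" and "cryptographic-algorithm" in t:
            cak, key_alg = t[1], t[t.index("cryptographic-algorithm") + 1]
        elif t[0] == "lifetime":
            start, rest = _parse_time(t[1:5]), t[5:]
            if rest[:1] == ["duration"]:
                end = start + timedelta(seconds=int(rest[1]))
            elif rest and rest[0] != "infinite":
                end = _parse_time(rest)
        elif t[0] == "cipher-suite":
            suite = t[1]
        elif t[0] == "security-policy":
            policy = t[1]

    if cak is None or key_alg not in CAK_HEX_LEN:
        findings.append("no key-string with a supported cryptographic-algorithm")
    elif not _HEX.match(cak) or len(cak) != CAK_HEX_LEN[key_alg]:
        findings.append(f"CAK must be {CAK_HEX_LEN[key_alg]} hex characters for {key_alg}, got {len(cak)}")
    if key_alg in SUITE_FOR_ALG and suite != SUITE_FOR_ALG[key_alg]:
        findings.append(f"cipher-suite {suite} does not match {key_alg} (expected {SUITE_FOR_ALG[key_alg]})")
    if policy != "must-secure":
        findings.append(f"security-policy {policy} allows unprotected traffic; use must-secure")
    if start is None or now < start:
        findings.append(f"key not yet valid (lifetime start {start})")
    elif end is not None and end <= now:
        findings.append(f"key expired at {end}; the MKA session will be torn down")
    elif end is not None and end - now < timedelta(days=7):
        findings.append(f"key expires at {end}; stage the successor key now")
    return findings


# Constructed sample in the shape of the snippets above (prompts removed).
# The CAK is a placeholder pattern, not a key anyone should deploy.
SAMPLE_CONFIG = """\
key chain mac_chain256 macsec
 key 1234
  key-string 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef cryptographic-algorithm aes-256-cmac
  lifetime 00:00:00 1 january 2018 duration 2592000
macsec-policy mac_policy256
 cipher-suite GCM-AES-256
 security-policy must-secure
 window-size 64
"""
```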

7 Network Services and Protocols

The table below lists the network services/protocols available on the Aggregation Services Router 9000 as a client (initiated outbound) and/or server (listening for inbound connections), all of which run as system-level processes. The table indicates whether each service or protocol is allowed to be used in the certified configuration.

For more detail about each service, including whether the service is limited by firewall mode (routed or transparent), or by context (single, multiple, system), refer to the Command Reference guides listed in Table 2.

Table 10 Protocols and Services

Service or Protocol | Description | Client (initiating) | Allowed | Server (terminating) | Allowed | Allowed use in the certified configuration
--- | --- | --- | --- | --- | --- | ---
AH | Authentication Header (part of IPsec) | Yes | No | Yes | No | Not permitted in evaluated configuration.
DHCP | Dynamic Host Configuration Protocol | Yes | Yes | Yes | Yes | No restrictions.
DNS | Domain Name Service | Yes | Yes | No | n/a | No restrictions.
ESP | Encapsulating Security Payload (part of IPsec) | Yes | Yes | Yes | Yes | Configure ESP as described in section Error! Reference source not found. of this document.
FTP | File Transfer Protocol | Yes | No | No | n/a | Use SCP.
HTTP | Hypertext Transfer Protocol | Yes | No | Yes | No | Not permitted in evaluated configuration.
HTTPS | Hypertext Transfer Protocol Secure | Yes | Yes | Yes | Yes | No restrictions.
ICMP | Internet Control Message Protocol | Yes | Yes | Yes | Yes | No restrictions.
IKE | Internet Key Exchange | Yes | Yes | Yes | Yes | As described in the Error! Reference source not found. and Error! Reference source not found. section of this document.
IMAP4S | Internet Message Access Protocol Secure version 4 | Yes | No | No | No | Not permitted in evaluated configuration.
IPsec | Internet Protocol Security (suite of protocols including IKE, ESP and AH) | Yes | No | Yes | No | Not permitted in evaluated configuration.
Kerberos | A ticket-based authentication protocol | Yes | No | No | No | Not permitted in evaluated configuration.
LDAP | Lightweight Directory Access Protocol | Yes | No | No | No | Not permitted in evaluated configuration.
LDAP-over-SSL | LDAP over Secure Sockets Layer | Yes | No | No | No | Not permitted in evaluated configuration.
MACsec | MACsec secure connection between TOE and peer | No | Yes | No | Yes | Documented under Section 6.
NT | NT domain authentication | Yes | No | No | No | Not permitted in evaluated configuration.
NTP | Network Time Protocol | Yes | Yes | No | n/a | Any configuration. Use of key-based authentication is recommended.
POP3S | Post Office Protocol version 3 over TLS | Yes | No | No | No | Not permitted in evaluated configuration.
RADIUS | Remote Authentication Dial In User Service | Yes | No | No | No | Not permitted in evaluated configuration.
SDI (RSA SecureID) | RSA SecurID authentication | Yes | No | No | No | Not permitted in evaluated configuration.
SMTP | Simple Mail Transfer Protocol | Yes | Yes | No | n/a | Recommended to use SMTPS instead.
SMTPS | SMTP over TLS | Yes | No | No | No | Not permitted in evaluated configuration.
SNMP | Simple Network Management Protocol | Yes (snmp-trap) | No | Yes | No | Not permitted in evaluated configuration.
SSH | Secure Shell | Yes | Yes | Yes | Yes | As described in the 3.3.1 section of this document.
SSL (not TLS) | Secure Sockets Layer | Yes | No | No | No | Not permitted in evaluated configuration.
TACACS+ | Terminal Access Controller Access-Control System Plus | Yes | No | No | No | Not permitted in evaluated configuration.
Telnet | A protocol used for terminal emulation | Yes | No | Yes | No | Use SSH instead.
TLS | Transport Layer Security | Yes | No | No | No | Not permitted in evaluated configuration.
TFTP | Trivial File Transfer Protocol | Yes | No | No | No | Not permitted in evaluated configuration.

The table above does not include the types of protocols and services listed here:


OSI Layer 2 protocols such as CDP, VLAN protocols like 802.1Q, and Ethernet encapsulation protocols like PPPoE. The certified configuration places no restrictions on the use of these protocols; however, evaluation of these protocols was beyond the scope of the Common Criteria product evaluation. Follow best practices for the secure usage of these services.

Routing protocols such as EIGRP, OSPF, and RIP. The certified configuration places no restrictions on the use of these protocols; however, evaluation of these protocols was beyond the scope of the Common Criteria product evaluation, so follow best practices for the secure usage of these protocols.

Protocol inspection engines that can be enabled with "inspect" commands, because inspection engines are used for filtering traffic, not for initiating or terminating sessions, so they are not considered network 'services' or 'processes' in the context of this table. The certified configuration places no restrictions on the use of protocol inspection functionality; however, evaluation of this functionality was beyond the scope of the Common Criteria product evaluation. Follow best practices for the secure usage of these services.

Network protocols that can be proxied through/by the Aggregation Services Router 9000. Proxying of services by the Aggregation Services Router 9000 does not result in running said service on the Aggregation Services Router 9000 in any way that would allow the Aggregation Services Router 9000 itself to be remotely accessible via that service, nor does it allow the Aggregation Services Router 9000 to initiate a connection to a remote server independent of the remote client that has initiated the connection. The certified configuration places no restrictions on enabling proxy functionality; however, the evaluation of this functionality was beyond the scope of the Common Criteria product evaluation. Follow best practices for the secure usage of these services.

8 Modes of Operation

An IOS-XR router has several modes of operation; these modes are as follows:

Booting – While booting, the router drops all network traffic until the router image and configuration have loaded. This mode of operation automatically progresses to the Normal mode of operation. During booting, an administrator may press the break key on a console connection within the first 60 seconds of startup to enter the ROM Monitor mode of operation. This Booting mode is referred to in the IOS-XR guidance documentation as "ROM Monitor Initialization". Additionally, if the router does not find a valid operating system image it will enter ROM Monitor mode rather than Normal mode, thereby protecting the router from booting into an insecure state.

Normal – The IOS-XR router image and configuration are loaded and the router is operating as configured. It should be noted that all levels of administrative access occur in this mode and that all router-based security functions are operating. While operating, the router has little interaction with the administrator. However, the configuration of the router can have a detrimental effect on security: misconfiguration of the router could result in the unprotected network having access to the internal/protected network.

ROM Monitor – This mode of operation is a maintenance, debugging, and disaster recovery mode. While the router is in this mode, no network traffic is routed between the network interfaces. In this state the router may be configured to upload a new boot image from a specified TFTP server, perform configuration tasks and run various debugging commands.

Note: If NVRAM is empty and a reload is done, IOS-XR will try to boot automatically from the images in the flash directory, top down. Make sure the valid IOS-XR image is listed above any other images in flash.

To ensure the correct image is booted on startup, use the system boot-sequence command shown below:


RP/0/RSP0/CPU0:router# system boot-sequence { primary-device [secondary-device] | disable } [ location { node-id | all } ]

It should be noted that while no administrator password is required to enter ROM Monitor mode, physical access to the router is required; therefore, the router should be stored in a physically secure location to avoid unauthorized access, which may lead to the router being placed in an insecure state.

Following an operational error, the TOE reboots (once power supply is available) and enters Booting mode. The only exception to this is if there is an error during the Power on Startup Test (POST) during bootup; in that case the TOE will shut down. If any component reports failure for the POST, the system crashes, and appropriate information is displayed on the screen and saved in the crashinfo file. Within the POST, self-tests for the cryptographic operations are performed. The same cryptographic POSTs can also be run on demand as described in section 3.2.3, and when the tests are run on demand after system startup has completed (and the syslog daemon has started), error messages will be written to the log.

All ports are blocked from moving to the forwarding state during the POST. Only when all components of all modules pass the POST is the system placed in the FIPS PASS state and ports are allowed to forward data traffic.

If any of the POSTs fail, the following actions should be taken:

If possible, review the crashinfo file. This will provide additional information on the cause of the crash.

Restart the TOE to perform the POST and determine if normal operation can be resumed.

If the problem persists, contact Cisco Technical Assistance via http://www.cisco.com/techsupport or 1 800 553-2447.

If necessary, return the TOE to Cisco under guidance of Cisco Technical Assistance.


9 Security Measures for the Operational Environment

Proper operation of the TOE requires functionality from the environment. It is the responsibility of the authorized administrator of the TOE to ensure that the Operational Environment provides the necessary functions, and adheres to the environment security objectives listed below. The environment security objective identifiers map to the environment security objectives as defined in the Security Target.

Table 11 Operational Environment Security Measures

Environment Security Objective | Operational Environment Security Objective Definition | Privileged and Semi-privileged administrator responsibility
--- | --- | ---
OE.NO_GENERAL_PURPOSE | There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. | Administrators will make sure there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE.
OE.PHYSICAL | Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment. | Administrators must ensure the TOE is installed and maintained within a secure physical location. This can include a secured building with key card access or within the physical control of an authorized administrator in a mobile environment.
OE.TRUSTED_ADMIN | TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. | Administrators must be properly trained in the usage and proper operation of the TOE and all the provided functionality per the implementing organization's operational security policies. These administrators must follow the provided guidance.


10 Related Documentation

Use this document in conjunction with the IOS-XR 15.1(3)S2 documentation at the following location:

http://www.cisco.com/

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the

following sites:

http://www.cisco.com

http://www-china.cisco.com

http://www-europe.cisco.com

Ordering Documentation

Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco Product documentation from the

Networking Products MarketPlace:

http://www.cisco.com/web/ordering/root/index.html

Registered Cisco.com users can order the Documentation CD-ROM through the online

Subscription Store:

http://www.cisco.com/go/subscription

Non-registered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit

technical comments electronically. Click Feedback in the toolbar and select

Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to [email protected].

To submit your comments by mail, for your convenience many documents contain a

response card behind the front cover. Otherwise, you can mail your comments to the

following address:

Cisco Systems, Inc., Document Resource Connection

170 West Tasman Drive

San Jose, CA 95134-9883


We appreciate your comments.

11 Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com is the foundation of a suite of interactive, networked services that provides

immediate, open access to Cisco information and resources at anytime, from anywhere in

the world. This highly integrated Internet application is a powerful, easy-to-use tool for

doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners

streamline business processes and improve productivity. Through Cisco.com, you can

find information about Cisco and our networking solutions, services, and programs. In

addition, you can resolve technical issues with online technical support, download and

test software packages, and order Cisco learning materials and merchandise. Valuable

online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized

information and services. Registered users can order products, check on the status of an

order, access technical support, and view benefits specific to their relationships with

Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com