Cisco Aggregation Services Router (ASR) 1000 Series Common Criteria Operational User Guidance And Preparative Procedures Version 0.4 October 27, 2017...
List of Acronyms
The following acronyms and abbreviations are used in this document:
Table 1: Acronyms
Acronyms / Abbreviations | Definition
AAA | Administration, Authorization, and Accounting
AES | Advanced Encryption Standard
ASR | Aggregation Services Router
EAL | Evaluation Assurance Level
FIPS | Federal Information Processing Standards
HTTPS | Hyper-Text Transport Protocol Secure
IP | Internet Protocol
NTP | Network Time Protocol
RADIUS | ...
DOCUMENT INTRODUCTION
Prepared By: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134
This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Aggregation Services Router (ASR) 1000 Series (ASR). This Operational User...
This document is not meant to detail specific actions performed by the administrator; rather, it is a road map for identifying the appropriate locations within Cisco documentation where the specific details for configuring and maintaining ASR operations can be found. All security-relevant commands to manage the TSF data are provided in this documentation, within each functional section.
Title | Link
Using Setup Mode to Configure a Cisco Networking Device | http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_setup.html
Cisco ASR 1000 Series Aggregation Services Routers SIP and SPA Software Configuration Guide | http://www.cisco.com/c/en/us/td/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/asr1000-sip-spa-book.html
Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide | http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/asrswcfg.html
...
ESPr5, ESPr10, ESPr20, ESPr40, ESPr100, ESPr200; Route Processor (RP): RP1, RP2. The network on which they reside is considered part of the environment. The software comes pre-installed and is comprised of the Cisco IOS-XE software image Release 16.3.2.
1.5 Operational Environment
1.5.1...
Component | Required | Usage/Purpose Description for TOE performance
NTP Server | | The TOE supports communications with an NTP server in order to synchronize the date and time on the TOE with the NTP server’s date and time. A solution must be used that supports secure communications with up to a 32 character key.
Audit (syslog) Server | | This includes any syslog server to which the TOE would transmit syslog...
Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 8 Once the file is downloaded, verify that it was not tampered with by using an SHA-1 utility to compute a SHA-1 hash for the downloaded file and comparing this with the SHA-1 hash for the image listed in Table 6 below. If the SHA-1 hashes do not match, contact Cisco Technical Assistance Center (TAC) https://tools.cisco.com/ServiceRequestTool/create/launch.do.
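Step 8 describes an integrity check that is easy to get subtly wrong (hashing a partial download, comparing with the wrong case, or comparing with a plain string compare). The script below is an added example and is not part of the Cisco guidance or of any Cisco tool: it computes the SHA-1 of a file in chunks and compares it with the published value. The sample bytes and the expected digest are constructed for the example; in practice the file is the downloaded image and the digest is the one listed in Table 6.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample "image" content. A real run hashes the downloaded IOS-XE
# file and takes the expected value from Table 6 of the guidance.
SAMPLE_IMAGE_BYTES = b"abc"
# Expected digest for the constructed sample above (SHA-1 of b"abc").
EXPECTED_SHA1 = "a9993e364706816aba3e25717850c26c9cd0d89d"


def sha1_of_file(path, chunk_size=1 << 20):
    """Compute the SHA-1 hex digest of a file, reading it in chunks so a
    multi-gigabyte image never has to be loaded into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_matches(path, expected_hex):
    """Return True only if the file's SHA-1 equals the published hash.
    Surrounding whitespace and letter case in the published value are
    tolerated; the comparison itself is constant-time."""
    actual = sha1_of_file(path).lower()
    expected = expected_hex.strip().lower()
    return hmac.compare_digest(actual, expected)


def write_sample_image(directory=None):
    """Write the constructed sample bytes to a temporary file; return its path."""
    fd, path = tempfile.mkstemp(prefix="sample-image-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_IMAGE_BYTES)
    return path


if __name__ == "__main__":
    p = write_sample_image()
    try:
        if image_matches(p, EXPECTED_SHA1):
            print("SHA-1 matches the published value")
        else:
            print("SHA-1 MISMATCH: do not install; contact Cisco TAC")
    finally:
        os.remove(p)
```

A mismatch means the file must not be installed; the guidance's response is to contact Cisco TAC rather than retry with a different hash source.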
5 …” [4] Under Configure, click Configuration Guides > System Management; click “Using Setup Mode to Configure a Cisco Networking Device”; then click the subsection “Using the System Configuration Dialog to Create an Initial Configuration File”...
POST. The same POST self-tests for the cryptographic operations can also be executed manually at any time by the privileged administrator using the command:
test crypto self-test
See [10] Cisco IOS Security Command Reference: Commands S to Z.
3.2.4...
<first> <last> | [2] and [20], under section “Configuring Virtual Terminal Lines for Remote Console Access”
exec-timeout <time> | [10] > System Management > Cisco IOS Configuration Fundamentals Command Reference, section D through E
line console | [19], under section “Configuring Line Password Protection”...
This command disables telnet by allowing only SSH connections for remote administrator access.
Steps to configure SSH on the router (3.3.1.1; see [10] Cisco IOS Security Command Reference Guides):
1. Generate RSA or ECDSA key material, choosing a longer modulus length for the evaluated configuration (i.e., 2048 for RSA and 256 or 384 for ECDSA):...
Section 3.3.4 below.
3.3.3 Logging Configuration
Logging of command execution must be enabled; see [10] Cisco IOS Configuration Fundamentals Command Reference and Cisco IOS Debug Command References...
1. Logging of command execution must be enabled:
TOE-common-criteria(config)#archive
TOE-common-criteria(config)#no logging console
TOE-common-criteria(config-archive)#log config
TOE-common-criteria(config-archive-log-cfg)#logging enable
TOE-common-criteria(config-archive-log-cfg)#hidekeys
TOE-common-criteria(config-archive-log-cfg)#logging size <1000>   ! Increases queue size for messages to be sent to syslogd
TOE-common-criteria(config-archive-log-cfg)#notify syslog
TOE-common-criteria(config-archive-log-cfg)#exit
TOE-common-criteria(config-archive)#exit
2. Add the year to the timestamp:
TOE-common-criteria(config)# service timestamps log datetime year
TOE-common-criteria(config)# service timestamps debug datetime year
3.
30.0.0.1 as the local TOE IPs, and the syslog server running on 40.0.0.1 (a separate interface on the syslog server). For the following commands see the [10] Cisco IOS Configuration Fundamentals Command References, and Cisco IOS Security Command References.
TOE-common-criteria# configure terminal
TOE-common-criteria(config)#crypto isakmp policy 1...
11.1.1.4 as the IPsec peer, 10.1.1.7 and 11.1.1.6 as the local IPs, and the syslog server on the 12.1.1.0 /28 subnet. For the following commands see the [10] Cisco IOS Configuration Fundamentals Command References, and Cisco IOS Security Command References:
TOE-common-criteria#configure terminal
TOE-common-criteria(config)#crypto isakmp policy 1
TOE-common-criteria(config-isakmp)#encryption aes...
TOE-common-criteria(config-if)#interface g0/0
TOE-common-criteria(config-if)#ip address 11.1.1.6 255.255.255.0
TOE-common-criteria(config-if)#crypto map sample
TOE-common-criteria(config-if)#exit
TOE-common-criteria(config)#ip route 12.1.1.0 255.255.255.0 11.1.1.4
TOE-common-criteria(config)#access-list 115 permit ip 10.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255 log
TOE-common-criteria(config)#logging host 12.1.1.1
3.3.5 Base Firewall Rule Set Configuration
The Network Device PP VPN Gateway Extended Package (VPNGW EP) contains requirements for the TOE's basic packet filtering.
o Destination Port
Traffic matching is done top-down through the access list: the first entry that a packet matches is the one applied to it. The VPNGW EP requires that the TOE's access control lists (ACLs) be configured with drop-all as the default rule, and that traffic matching an ACL entry can be logged.
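To make the top-down, first-match semantics and the drop-all default concrete, here is an added example (not from the guidance and not Cisco code) that evaluates packets against a small ACL modelled on the page's access-list 115. The entry fields, the packet dictionaries and the helper that turns an IOS address/wildcard pair into a network are assumptions of this example; the one IOS behaviour it relies on is that the implicit deny at the end of an ACL produces no log message, which is why an auditable drop-all default is written as an explicit final deny entry with the log keyword.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional


def wildcard_to_network(address, wildcard):
    """Turn an IOS address/wildcard pair (e.g. 10.1.1.0 0.0.0.255) into a network.
    Only contiguous wildcards are supported; ip_network raises on any other."""
    hostmask = int(IPv4Address(wildcard))
    netmask = str(IPv4Address(~hostmask & 0xFFFFFFFF))
    return ip_network((address, netmask), strict=False)


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol
    source: str                     # CIDR text, e.g. "10.1.1.0/24"
    destination: str                # CIDR text
    dst_port: Optional[int] = None  # None matches any destination port
    log: bool = False               # trailing "log" keyword on the entry


def entry_matches(entry, pkt):
    """True if one ACL entry matches the packet (a dict with protocol/src/dst/dst_port)."""
    if entry.protocol != "ip" and entry.protocol != pkt["protocol"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(entry.source):
        return False
    if ip_address(pkt["dst"]) not in ip_network(entry.destination):
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.get("dst_port"):
        return False
    return True


def evaluate(acl, pkt):
    """Top-down, first-match evaluation: returns (action, matched_entry, logged).
    A packet that matches no entry hits the implicit deny, which is never logged."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action, entry, entry.log
    return "deny", None, False


def decide(acl, pkt):
    """Just the (action, logged) pair, convenient for checks and reports."""
    action, _, logged = evaluate(acl, pkt)
    return action, logged


# Constructed ACL modelled on the page's "access-list 115 permit ip 10.1.1.0
# 0.0.0.255 12.1.1.0 0.0.0.255 log", followed by the explicit, logged drop-all
# entry that makes the EP's default-drop rule auditable.
SAMPLE_ACL = [
    AclEntry("permit", "ip",
             str(wildcard_to_network("10.1.1.0", "0.0.0.255")),
             str(wildcard_to_network("12.1.1.0", "0.0.0.255")), log=True),
    AclEntry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", log=True),
]

# Constructed packets: one inside the permitted flow, one from another subnet.
PKT_ALLOWED = {"protocol": "udp", "src": "10.1.1.5", "dst": "12.1.1.1", "dst_port": 514}
PKT_OTHER = {"protocol": "tcp", "src": "10.1.2.5", "dst": "12.1.1.1", "dst_port": 22}


if __name__ == "__main__":
    for pkt in (PKT_ALLOWED, PKT_OTHER):
        print(pkt["src"], "->", pkt["dst"], decide(SAMPLE_ACL, pkt))
```

Because the first match wins, entry order is part of the policy: placing the drop-all entry first would shadow every permit below it, and an ACL that ends without an explicit logged deny silently drops unmatched traffic with no audit record.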
MACSEC and MKA Configuration
The detailed steps to configure MKA, and to configure MACsec and MKA on interfaces, are listed in [24]: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16/macsec-xe-16-book/wan-macsec-mka-support-enhance.html#d74e990a1635
Note: For 256-bit encryption, the key-string length will be 64 characters. For 128-bit encryption, the key-string length will be 32 characters.
To prevent administrators from choosing insecure passwords, each password must satisfy the following rules. See [10], under Reference Guides > Command References > Security and VPN, manual Cisco IOS Security Command Reference: Commands A to Z, for this section.
3. The password obtained by capitalization of the username or username reversed is not accepted. 4. The new password cannot be “cisco”, “ocsic”, or any variant obtained by changing the capitalization of letters therein, or by substituting “1”, “|”, or “!” for i, or by substituting “0”...
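Rules 3 and 4 are the kind of check that is worth testing rather than eyeballing, because the substitution variants are easy to miss. The following is an added example, not part of the guidance and not Cisco code, that implements those two rules as written on the page. The page lists "1", "|" and "!" as substitutes for i and then names "0" where the sentence is cut off; this example assumes "0" stands in for the letter o, and that assumption is marked in the code.

```python
# Substitutions named in the guidance: "1", "|" and "!" for i, and "0" (the
# page's sentence is truncated there; this example ASSUMES "0" stands for o).
LEET_TO_LETTER = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o"})
FORBIDDEN_WORDS = ("cisco", "ocsic")


def normalize(candidate):
    """Undo the capitalization and character substitutions the rule names,
    so 'C1sc0', 'c!SCO' and 'OCS|C' all collapse to a forbidden word."""
    return candidate.translate(LEET_TO_LETTER).lower()


def violates_username_rule(password, username):
    """Rule 3: the password equals the username, or the reversed username,
    under any capitalization."""
    p, u = password.lower(), username.lower()
    return p == u or p == u[::-1]


def violates_cisco_rule(password):
    """Rule 4: 'cisco', 'ocsic', or any capitalization/substitution variant."""
    return normalize(password) in FORBIDDEN_WORDS


def check_password(password, username):
    """Return the numbers of the guidance rules the candidate violates.
    An empty list means it passes the two rules implemented here; the
    page's rules 1 and 2 are not visible in this excerpt and are not checked."""
    violations = []
    if violates_username_rule(password, username):
        violations.append(3)
    if violates_cisco_rule(password):
        violations.append(4)
    return violations


if __name__ == "__main__":
    # Constructed candidates to exercise each rule.
    for pw, user in (("ADMIN", "admin"), ("nimdA", "admin"),
                     ("C1sc0", "admin"), ("Correct-Horse-42", "admin")):
        print(repr(pw), "for", user, "->", check_password(pw, user) or "ok")
```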
Use of enable passwords is not necessary, so all administrative passwords can be stored as SHA-256 if enable passwords are not used. Note: Cisco requires that the ‘enable password’ command be used to configure a password for privileged EXEC mode. The password entered with the ‘enable password’ command is stored as plain text in the configuration file of the networking device.
Note: Details for the password encryption aes command can be found in [10], under Reference Guides > Command References > Security and VPN, manual Cisco IOS Security Command Reference: Commands M to R.
4.3 Clock Management
Clock management is restricted to the privileged administrator.
When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as cisco, connections are established, if necessary. If the crypto map entry is tagged as ipsec-isakmp, IPsec is triggered. If there is no SA that the IPsec can use to protect this traffic to the peer, IPsec uses IKE to negotiate with the remote peer to set up the necessary IPsec SAs on behalf of the data flow.
Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings that can be applied to IPsec-protected traffic. During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
TOE-common-criteria(config-isakmp)# exit
TOE-common-criteria(config)# crypto isakmp key cisco123!cisco123!CISC address 11.1.1.4
Note: Pre-shared keys on the TOE must be at least 22 characters in length and can be composed of any combination of upper and lower case letters, numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”).
Note: the authorized administrator must ensure that the keysize for this setting is greater than or equal to the keysize selected for ESP in Section 4.6.2 below. If AES 128 is selected here, then the highest keysize that can be selected on the TOE for ESP is AES 128 (either CBC or GCM).
4.6.2 IPsec Transforms and Lifetimes
Regardless of the IKE version selected, the TOE must be configured with the proper transform for IPsec ESP encryption and integrity, as well as IPsec lifetimes.
TOE-common-criteria(config)# crypto ipsec transform-set example esp-aes 128 esp-sha-hmac
Note that this configures IPsec ESP to use HMAC-SHA-1 and AES-CBC-128.
4.6.3 NAT Traversal
For successful NAT traversal over an IOS-XE NAT device for an IPsec connection between two IOS-XE peers, the following configuration needs to be used (also refer to Chapter 7 of [21]). On an IOS NAT device (router between the IPsec endpoints):
config terminal
ip nat service list <ACL-number>...
Certificates are stored to NVRAM by default; however, some routers do not have the required amount of NVRAM to successfully store certificates. All Cisco platforms support NVRAM and flash local storage. Depending on the platform, an authorized administrator may have other supported local storage options including bootflash, slot, disk, USB flash, or USB token.
4.6.4.5 Configuring a Revocation Mechanism for PKI Certificate Status Checking
Perform this task to set up the certificate revocation mechanism (CRLs or OCSP) that is used to check the status of certificates in a PKI. Use the revocation-check command to specify at least one method (OCSP, CRL, or skip the revocation check) that is to be used to ensure that the certificate of a peer has not been revoked.
Use the stop keyword to specify that the certificate is already trusted. This is the default setting. Use the continue keyword to specify that the subordinate CA certificate associated with the trustpoint must be validated. The parent-trustpoint argument specifies the name of the parent trustpoint the certificate must be validated against.
TOE-common-criteria(config-isakmp)# authentication ecdsa-sig
And for IKEv2 with the commands:
TOE-common-criteria(config)#crypto ikev2 profile sample
TOE-common-criteria(config-ikev2-profile)#authentication [remote | local] rsa-sig
TOE-common-criteria(config-ikev2-profile)#authentication [remote | local] ecdsa-sig
If an invalid certificate is loaded, authentication will not succeed.
4.6.4.10 Deleting Certificates
If the need arises, certificates that are saved on the router can be deleted. The router saves its own certificates and the certificate of the CA.
The ‘discard’ option is implemented with access lists containing deny entries, applied to interfaces within access-groups. Guidance for configuring IOS information flow policies is located in [23], under “IP Access List Overview”. The ‘bypassing’ option is implemented with access lists containing deny entries, applied to interfaces within crypto maps for IPsec.
4.7 Product Updates
Verification of the authenticity of updated software is done in the same manner as ensuring that the TOE is running a valid image. See Section 2, steps 7 and 9 above, for the method to download and verify an image before running it on the TOE.
Configure Reference Identifier
This section describes configuration of the peer reference identifier, which is achieved through a certificate map.
match-value: Specifies the name or date to test with the logical operator assigned by match-criteria.
Step 3 | (ca-certificate-map)# exit | Exits ca-certificate-map mode.
Step 4 | For IKEv1: crypto isakmp profile ikev1-profile1, then match certificate label | Associates the certificate-based ACL defined with the crypto pki certificate map command to the profile.
| For IKEv2: crypto ikev2 profile ikev2-profile1...
5 Security Relevant Events
ASR can maintain logs in multiple locations: local storage of the generated audit records and, when configured for a syslog backup, simultaneous offload of those events to the external syslog server. ASR administrators should review logs at both locations. The TOE generates an audit record whenever an audited event occurs.
As noted above, the information includes at least all of the required information. Example audit events are included below. Additional audit information: as described in Column 3 of Table 7 below.
Table 7: Auditable Events
Requirement | Auditable Events | Additional Audit Record Contents | Sample Record
Secure Channel...
(Secure Channel, continued) | Session establishment with peer | Entire packet contents of packets transmitted/received |
Jun 20 07:42:26.823: ISAKMP (0): received packet from 100.1.1.5 dport 500 sport 500 Global (N) NEW
Jun 20 07:42:26.823: ISAKMP: Created a peer struct for 100.1.1.5, peer port 500...
Jun 20 07:42:26.843: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Jun 20 07:42:26.843: ISAKMP:(0): processing KE payload. message ID = 0
Jun 20 07:42:27.055: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 20 07:42:27.059: ISAKMP:(0):found peer pre-shared key matching 100.1.1.5 ...
132: *Jan 30 2013 05:20:16: %SYS-5-CONFIG_ Configured from console by console
136: *Jan 30 10:54:46.421 IST: crypto_engine IPsec SA
135: *Jan 30 10:54:46.421 IST: crypto engine: IPsec SA :12
171: *Jan 30 2013 05:27:31: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map
172: *Jan 30 2013 05:27:42: %PARSER-5-...
[Source: 100.1.1.5] [localport: 22] at 11:31:35 UTC Mon Jun 18 2012
Feb 8 06:47:17.041: %SSH-5-SSH2_CLOSE: SSH2 Session from 1.1.1.1 (tty = 0) for user 'cisco' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1-96' closed
See Audit events in FIA_UAU_EXT.2
FIA_UIA_EXT.
Mar 24 07:29:59.480: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin15] [Source: 10.21.0.101] [localport: 22] [Reason: Login Authentication Failed] at 07:29:59 EDT Tue Mar 24 2015
FIA_X509_EXT | Unsuccessful attempt to ... | Reason for failure |
42479: Initiator SPI : 6038B31E75BFF128 - Responder SPI : ECB6C134F5652076 Message id: 1...
FMT_MOF.1(1)/Trusted Update | Any attempt to initiate a manual update | None. |
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
FMT_MTD.1 | All management activities of TSF data... | None. |
Feb 17 2013 16:34:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged ...
Use of the “upgrade” command.
FPT_TUD_EXT. | Initiation of update. | No additional information. |
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
| Result of the update attempt (success or failure) | |
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged ...
command:copy tftp ….
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:reload
FPT_TST_EXT. | Indication that TSF self-test was completed. | Any additional information |
Jan 23 2013 06:53:24.570: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Self test activated by user: admin)
Failure of the trusted channel functions.
FTP_TRP.1 | Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions. | Identification of the claimed user identity. | AUDIT: See logs provided by FCS_SSHS_EXT.1.
Requirement | Management Action | Sample Log
Jan 24 2013 03:10:08.878: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group getvpn transitioned to Unicast Rekey.ip
FCS_CKM_EXT.4: Cryptographic key destruction | Manual key zeroization |
Feb 17 2013 16:37:27: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:crypto key zeroize
FCS_COP.1(1): Cryptographic operation (AES data encryption/decryption) | None |
FCS_COP.1(2):...
FIA_PSK_EXT.1: Extended: Pre-Shared Key Composition | Creation of a pre-shared key. |
Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: crypto isakmp key *****
FIA_UIA_EXT.1: User identification and ... | Logging into TOE. |
Jan 17 2013 05:05:49.460: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ranger]...
FMT_SMR.2: Restrictions on Security roles | Configuring administrative users with specified roles. |
Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: username admin 15
FPT_RUL_EXT.1: Packet Filtering | Configuring packet filtering rules. |
Oct 15 23:39:50 cc_toe 21698: Oct 15 23:39:50.077: %PARSER-5-...
11:27:52 UTC Tue Feb 5 2013 to 06:28:00 UTC Tue Feb 5 2013, configured from console by admin on console.
FPT_TUD_EXT.1: Trusted update | Software updates |
Jul 10 2013 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
FPT_TST_EXT.1: TSF testing | None |
FTA_SSL_EXT.1: TSF-... | Specifying the inactivity ... |
Feb 15 2013 13:12:25.055: %PARSER-5-...
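The command-logging configuration in Section 3.3.3 (archive / log config / notify syslog) is what produces the %PARSER-5-CFGLOG_LOGGEDCMD records that fill much of Tables 7 and 8, and the %SEC_LOGIN records cover FIA_UIA_EXT.1. The script below is an added example, not part of the guidance and not a Cisco tool, showing how a reviewer at the syslog server can parse those two record types and pull out the management actions the tables call out (key zeroization, crypto map removal, trusted update, role assignment, reload) together with failed logins per source. The sample lines are constructed, modelled on the sample records shown in the tables; the regular expressions and the watch list are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample records, modelled on the sample log lines in Tables 7/8.
SAMPLE_LOG = """\
171: *Jan 30 2013 05:27:31: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map
Feb 17 2013 16:37:27: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:crypto key zeroize
*Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: username admin 15
Jan 23 2013 06:53:24.570: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Self test activated by user: admin)
Mar 24 07:29:59.480: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin15] [Source: 10.21.0.101] [localport: 22] [Reason: Login Authentication Failed] at 07:29:59 EDT Tue Mar 24 2015
Jan 17 2013 05:05:49.460: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ranger] [Source: 100.1.1.5] [localport: 22] at 11:31:35 UTC Mon Jun 18 2012
"""

# Assumed patterns, written against the record shapes shown in the tables.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:\s*(?P<command>.*)$")
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<outcome>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]*)\](?:.*?\[Source: (?P<source>[^\]]*)\])?")

# Command prefixes the tables themselves list as audited management actions.
WATCH_PREFIXES = ("crypto key zeroize", "no crypto map", "upgrade",
                  "username", "reload", "copy tftp")


def parse_syslog(text):
    """Turn raw syslog text into a list of event dicts; unknown records are skipped."""
    events = []
    for line in text.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            events.append({"kind": "config", "user": m["user"],
                           "command": m["command"].strip(), "raw": line})
            continue
        m = LOGIN_RE.search(line)
        if m:
            events.append({"kind": "login", "user": m["user"],
                           "outcome": m["outcome"], "source": m["source"],
                           "raw": line})
    return events


def flag_watched_commands(events):
    """Config-change events whose command starts with one of the watched prefixes."""
    return [e for e in events
            if e["kind"] == "config" and e["command"].startswith(WATCH_PREFIXES)]


def failed_logins_by_source(events):
    """Count LOGIN_FAILED records per source address (None if no Source field)."""
    return Counter(e["source"] for e in events
                   if e["kind"] == "login" and e["outcome"] == "LOGIN_FAILED")


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    for e in flag_watched_commands(evs):
        print("WATCH:", e["user"], "->", e["command"])
    for src, n in failed_logins_by_source(evs).items():
        print("failed logins from", src, ":", n)
```

Note that the hidekeys setting from Section 3.3.3 is what turns the key in "crypto isakmp key *****" into asterisks before it reaches the log; the parser deliberately keeps only the command text and never tries to recover anything behind the mask.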
6 Network Services and Protocols The table below lists the network services/protocols available on the ASR as a client (initiated outbound) and/or server (listening for inbound connections), all of which run as system-level processes. The table indicates whether each service or protocol is allowed to be used in the certified configuration.
TFTP | Trivial File Transfer Protocol | Recommend using SCP instead, or tunneling through IPsec.
Cisco Discovery Protocol | Follow best practices for the secure usage as there are no restrictions on use of these protocols
Dynamic Trunking ... | Follow best practices for the secure usage as...
Service or Protocol | Description | Client Allowed (initiating) | Server Allowed (terminating) | Allowed use in the certified configuration
HDLC | High-Level Data Link Control | Follow best practices for the secure usage as there are no restrictions on use of these protocols
Layer 2 Forwarding | Follow best practices for the secure usage as there are no restrictions on use of these protocols...
EIGRP | Enhanced Interior Gateway Routing Protocol | Follow best practices for the secure usage as there are no restrictions on use of these protocols
Routing Information Protocol | Follow best practices for the secure usage as there are no restrictions on use of these...
7 Modes of Operation
An IOS router has several modes of operation; these modes are as follows:
Booting: while booting, the router drops all network traffic until the router image and configuration have loaded. This mode of operation automatically progresses to the Normal mode of operation.
1 800 553-2447 If necessary, return the TOE to Cisco under guidance of Cisco Technical Assistance. If a software upgrade fails, the ASR will display an error when an authorized administrator tries to boot the system. The ASR will then boot into the rommon prompt.
8 Security Measures for the Operational Environment Proper operation of the TOE requires functionality from the environment. It is the responsibility of the authorized administrator of the TOE to ensure that the Operational Environment provides the necessary functions, and adheres to the environment security objectives listed below.
http://www.cisco.com/
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
9.1 World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites: http://www.cisco.com http://www-china.cisco.com ...
This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs.