Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures


Cisco Aggregation Services Router (ASR) 1000 Series
Common Criteria Operational User Guidance
And Preparative Procedures
Version 0.4
October 27, 2017


Summary of Contents for Cisco ASR 1000 Series

  • Page 1 Cisco Aggregation Services Router (ASR) 1000 Series Common Criteria Operational User Guidance And Preparative Procedures Version 0.4 October 27, 2017...
  • Page 2: Table Of Contents

    Table of Contents
    Introduction ... 7
    Audience ... 7
    Purpose ... 7
    Document References ... 7
    Supported Hardware and Software ... 9
    Operational Environment ... 9
    1.5.1 Supported non-TOE Hardware/Software/Firmware ... 9
    Excluded Functionality ... 10
    Secure Acceptance of the TOE ... 11
    Secure Installation and Configuration ...
  • Page 3
    Identification and Authentication ... 30
    Login Banners ... 30
    Virtual Private Networks (VPN) ... 30
    4.6.1 IPsec Overview ... 30
    4.6.2 IPsec Transforms and Lifetimes ... 34
    4.6.3 NAT Traversal ... 36
    4.6.4 X.509 Certificates ... 36
    4.6.5 Information Flow Policies ... 41
    4.6.6 IPsec Session Interruption/Recovery ...
  • Page 4
    List of Tables
    Table 1: Acronyms ... 5
    Table 2: Cisco Documentation ... 7
    Table 3: Operational Environment Components ... 9
    Table 4: Excluded Functionality ... 10
    Table 5: TOE External Identification ... 11
    Table 6: Evaluated Software Images ... 13
    Table 7: Auditable Events ...
  • Page 5: Table 1: Acronyms

    List of Acronyms. The following acronyms and abbreviations are used in this document:
    Table 1: Acronyms (Acronym / Abbreviation: Definition)
    AAA: Administration, Authorization, and Accounting
    AES: Advanced Encryption Standard
    ASR: Aggregation Services Router
    EAL: Evaluation Assurance Level
    FIPS: Federal Information Processing Standards
    HTTPS: Hyper-Text Transport Protocol Secure
    IP: Internet Protocol
    NTP: Network Time Protocol
    RADIUS: ...
  • Page 6 DOCUMENT INTRODUCTION. Prepared By: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134. This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Aggregation Services Router (ASR) 1000 Series (ASR). This Operational User...
  • Page 7: Introduction

    This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining ASR operations. All security relevant commands to manage the TSF data are provided within this documentation within each functional section.
  • Page 8 Title / Link:
    Using Setup Mode to Configure a Cisco Networking Device: http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_setup.html
    Cisco ASR 1000 Series Aggregation Services Routers SIP and SPA Software Configuration Guide: http://www.cisco.com/c/en/us/td/docs/interfaces_modules/shared_port_adapters/configuration/ASR1000/asr1000-sip-spa-book.html
    Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide: http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/asrswcfg.html
    ...
  • Page 9: Supported Hardware And Software

    ESPr5, ESPr10, ESPr20, ESPr40, ESPr100, ESPr200; Route Processor (RP): RP1, RP2. The network on which they reside is considered part of the environment. The software comes pre-installed and consists of the Cisco IOS-XE software image Release 16.3.2. 1.5 Operational Environment 1.5.1...
  • Page 10: Excluded Functionality

    Component / Required Usage/Purpose Description for TOE performance:
    NTP Server: The TOE supports communications with an NTP server in order to synchronize the date and time on the TOE with the NTP server’s date and time. A solution must be used that supports secure communications with up to a 32 character key.
    Audit (syslog) Server: This includes any syslog server to which the TOE would transmit syslog...
  • Page 11: Secure Acceptance Of The Toe

    Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
  • Page 12 Step 8 Once the file is downloaded, verify that it was not tampered with by using an SHA-1 utility to compute a SHA-1 hash for the downloaded file and comparing this with the SHA-1 hash for the image listed in Table 6 below. If the SHA-1 hashes do not match, contact Cisco Technical Assistance Center (TAC) https://tools.cisco.com/ServiceRequestTool/create/launch.do.
  • Page 13: Table 6: Evaluated Software Images

    Table 6: Evaluated Software Images...
  • Page 14 Platform / Image Name / Hash
    ASR 1001X: asr1001x-universalk9.16.03.02.SPA.bin
      MD5: fa13528532ea51d5f242ecafe200d118
      SHA-512: 247cdad2a7bc31940f30379999aab3c225748154ed0881273f3ec6dbef3cd5aa36501670022d6941b6525e44d94625a2a714f05a5c56b23b1e0417d935a20c43
    ASR 1001HX: asr1000-universalk9.16.03.02.SPA.bin
      MD5: 785b1f2089e8b93dcc5db4120c981e66
      SHA-512: fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51a9ff8c756758446f0938ae4f837240c2
    ASR 1002X: asr1002x-universalk9.16.03.02.SPA.bin
      MD5: 8fca93734b7882cf8a4cf05a783c970a
      SHA-512: 1fbd63a356bd7b43cb3f11877e97e882cff78c999b57688ba044fdf4d70ccc0140a5881dc7591dee0a4595e10120c7d10518f7040fbfeeff8ef2ee6167bcb20c
    ASR 1002HX: asr1000-universalk9.16.03.02.SPA.bin
      MD5: 785b1f2089e8b93dcc5db4120c981e66
      SHA-512: fe2c0c0d3899cfe743872050738fcf06cf17dbfc57dade19769a3f5974cf708f11240673d5f2bef8ef84de6ff59d4b51a9ff8c756758446f0938ae4f837240c2
    ASR 1004: asr1000rpx86-universalk9.16.03.02.SPA.bin
      MD5: d612372c7dca15859f065c98ef1a3287...
  • Page 15
    ASR 1009X: asr1000rpx86-universalk9.16.03.02.SPA.bin
      MD5: d612372c7dca15859f065c98ef1a3287
      SHA-512: 69af51342e562cbd874ec65895c8d9082f514169806ef108f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c9921e59866ecf38c5a33d801c11c59367093
    ASR 1013: asr1000rpx86-universalk9.16.03.02.SPA.bin
      MD5: d612372c7dca15859f065c98ef1a3287
      SHA-512: 69af51342e562cbd874ec65895c8d9082f514169806ef108f027eccd8f129b4c1dc265608bcb9dcbe7086eed123c9921e59866ecf38c5a33d801c11c59367093
  • Page 16: Secure Installation And Configuration

    5 …” [4] Under Configure > Click on Configuration Guides > System Management > Click on Using Setup Mode to Configure a Cisco Networking Device > Click on subsection “Using the System Configuration Dialog to Create an Initial Configuration File”...
  • Page 17: Enabling Fips Mode

    POST. The same POST self-tests for the cryptographic operations can also be executed manually at any time by the privileged administrator using the command: test crypto self-test [10] Cisco IOS Security Command Reference: Commands S to Z 3.2.4...
  • Page 18: User Lockout

    <first> <last>: [2] and [20] under section “Configuring Virtual Terminal Lines for Remote Console Access”
    exec-timeout <time>: [10] > System Management > Cisco IOS Configuration Fundamentals Command Reference, section D through E
    line console: [19] under section “Configuring Line Password Protection”...
  • Page 19: Network Protocols And Cryptographic Settings

    This command disables telnet by only allowing ssh connections for remote administrator access. Steps to configure SSH on router: 3.3.1.1 [10] Cisco IOS Security Command Reference Guides 1. Generate RSA or ECDSA key material; choose a longer modulus length for the evaluated configuration (i.e., 2048 for RSA and 256 or 384 for ECDSA):...
  • Page 20: Authentication Server Protocols

    Section 3.3.4 below. 3.3.3 Logging Configuration Logging of command execution must be enabled: [10] Cisco IOS Configuration Fundamentals Command Reference and Cisco IOS Debug Command References...
  • Page 21
    1. Logging of command execution must be enabled:
       TOE-common-criteria(config)#archive
       TOE-common-criteria(config)#no logging console
       TOE-common-criteria(config-archive)#log config
       TOE-common-criteria(config-archive-log-cfg)#logging enable
       TOE-common-criteria(config-archive-log-cfg)#hidekeys
       TOE-common-criteria(config-archive-log-cfg)#logging size <1000>   ! Increases queue size for messages to be sent to syslogd
       TOE-common-criteria(config-archive-log-cfg)#notify syslog
       TOE-common-criteria(config-archive-log-cfg)#exit
       TOE-common-criteria(config-archive)#exit
    2. Add year to the timestamp:
       TOE-common-criteria(config)# service timestamps log datetime year
       TOE-common-criteria(config)# service timestamps debug datetime year
    3.
  • Page 22: Logging Protection

    30.0.0.1 as the local TOE IPs, and the syslog server running on 40.0.0.1 (a separate interface on the syslog server). For the following commands see the [10] Cisco IOS Configuration Fundamentals Command References, and Cisco IOS Security Command References. TOE-common-criteria# configure terminal TOE-common-criteria(config)#crypto isakmp policy 1...
  • Page 23 11.1.1.4 as the IPsec peer, 10.1.1.7 and 11.1.1.6 as the local IPs, and the syslog server on the 12.1.1.0 /28 subnet. For the following commands see the [10] Cisco IOS Configuration Fundamentals Command References, and Cisco IOS Security Command References: TOE-common-criteria#configure terminal TOE-common-criteria(config)#crypto isakmp policy 1 TOE-common-criteria(config-isakmp)#encryption aes...
  • Page 24: Base Firewall Rule Set Configuration

    TOE-common-criteria(config-if)#interface g0/0
    TOE-common-criteria(config-if)#ip address 11.1.1.6 255.255.255.0
    TOE-common-criteria(config-if)#crypto map sample
    TOE-common-criteria(config-if)#exit
    TOE-common-criteria(config)#ip route 12.1.1.0 255.255.255.0 11.1.1.4
    TOE-common-criteria(config)#access-list 115 permit ip 10.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255 log
    TOE-common-criteria(config)#logging host 12.1.1.1
    3.3.5 Base Firewall Rule set Configuration. The Network Device PP VPN Gateway Extended Package (VPNGW EP) contains requirements for the TOE basic packet filtering.
  • Page 25
    - Destination Port
    Traffic matching is done based on a top-down approach in the access list. The first entry that a packet matches will be the one applied to it. The VPNGW EP requires that the TOE Access control lists (ACLs) are to be configured to drop all packet flows as the default rule and that traffic matching the acl be able to be logged.
  • Page 26: Routing Protocols

    MACSEC and MKA Configuration. The detailed steps to configure MKA, configure MACsec and MKA on interfaces are listed in [24] - http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-16/macsec-xe-16-book/wan-macsec-mka-support-enhance.html#d74e990a1635 Note: For 256-bit encryption, the key-string length will be 64 characters. For 128-bit encryption, the key-string length will be 32 characters.
  • Page 27: Secure Management

    To prevent administrators from choosing insecure passwords, each password must be as follows: See [10] Under Reference Guides > Command References > Security and VPN > See manual Cisco IOS Security Command Reference: Commands A to Z for this section.
  • Page 28 3. The password obtained by capitalization of the username or username reversed is not accepted. 4. The new password cannot be “cisco”, “ocsic”, or any variant obtained by changing the capitalization of letters therein, or by substituting “1”, “|”, or “!” for i, or by substituting “0”...
  • Page 29 Use of enable passwords is not necessary, so all administrative passwords can be stored as SHA-256 if enable passwords are not used. Note: Cisco requires that the ‘enable password’ command be used to configure a password for privileged EXEC mode. The password that is entered with the ‘enable password’ command is stored as plain text in the configuration file of the networking device.
  • Page 30: Clock Management

    Note: Details for the password encryption aes command can be found in the: [10] Under Reference Guides > Command References > Security and VPN > See manual Cisco IOS Security Command Reference: Commands M to R. 4.3 Clock Management Clock management is restricted to the privileged administrator.
  • Page 31 When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as cisco, connections are established, if necessary. If the crypto map entry is tagged as ipsec-isakmp, IPsec is triggered. If there is no SA that the IPsec can use to protect this traffic to the peer, IPsec uses IKE to negotiate with the remote peer to set up the necessary IPsec SAs on behalf of the data flow.
  • Page 32 Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings that can be applied to IPsec-protected traffic. During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
  • Page 33
    TOE-common-criteria(config-isakmp)# exit
    TOE-common-criteria(config)# crypto isakmp key cisco123!cisco123!CISC address 11.1.1.4
    Note: Pre-shared keys on the TOE must be at least 22 characters in length and can be composed of any combination of upper and lower case letters, numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”).
  • Page 34 Note: the authorized administrator must ensure that the keysize for this setting is greater than or equal to the keysize selected for ESP in Section 4.6.2 below. If AES 128 is selected here, then the highest keysize that can be selected on the TOE for ESP is AES 128 (either CBC or GCM).
  • Page 35: Ipsec Transforms And Lifetimes

    4.6.2 IPsec Transforms and Lifetimes. Regardless of the IKE version selected, the TOE must be configured with the proper transform for IPsec ESP encryption and integrity as well as IPsec lifetimes.
    TOE-common-criteria(config)# crypto ipsec transform-set example esp-aes 128 esp-sha-hmac
    Note that this configures IPsec ESP to use HMAC-SHA-1 and AES-CBC-128.
  • Page 36: Nat Traversal

    4.6.3 NAT Traversal. For successful NAT traversal over an IOS-XE NAT device for an IPsec connection between two IOS-XE peers, the following configuration needs to be used (also refer to Chapter 7 of [21]). On an IOS NAT device (router between the IPsec endpoints):
    config terminal
    ip nat service list <ACL-number>...
  • Page 37
    5. Configure subject-name settings for the certificate: subject-name CN=hostname.domain.com,OU=OU-name
       Device (ca-trustpoint)#subject-name CN=asrTOE.cisco.com,OU=TAC
    6. Set revocation check method: revocation-check crl
       Device (ca-trustpoint)#revocation-check crl
       Device (ca-trustpoint)#exit
    7. Create the certificate signing request: crypto pki enroll trustpoint-name
       Device (config)#crypto pki enroll ciscotest
    4.6.4.2...
  • Page 38 Certificates are stored to NVRAM by default; however, some routers do not have the required amount of NVRAM to successfully store certificates. All Cisco platforms support NVRAM and flash local storage. Depending on the platform, an authorized administrator may have other supported local storage options including bootflash, slot, disk, USB flash, or USB token.
  • Page 39 4.6.4.5 Configuring a Revocation Mechanism for PKI Certificate Status Checking Perform this task to set up the certificate revocation mechanism--CRLs or OCSP--that is used to check the status of certificates in a PKI. Use the revocation-check command to specify at least one method (OCSP, CRL, or skip the revocation check) that is to be used to ensure that the certificate of a peer has not been revoked.
  • Page 40  Use the stop keyword to specify that the certificate is already trusted. This is the default setting.  Use the continue keyword to specify that the that the subordinate CA certificate associated with the trustpoint must be validated.  The parent-trustpoint argument specifies the name of the parent trustpoint the certificate must be validated against.
  • Page 41: Information Flow Policies

    TOE-common-criteria (config-isakmp)# authentication ecdsa-sig And for IKEv2 with the commands: TOE-common-criteria (config)#crypto ikev2 profile sample TOE-common-criteria(config-ikev2-profile)#authentication [remote | local] rsa-sig TOE-common-criteria(config-ikev2-profile)#authentication [remote | local] ecdsa-sig If an invalid certificate is loaded, authentication will not succeed. 4.6.4.10 Deleting Certificates If the need arises, certificates that are saved on the router can be deleted. The router saves its own certificates and the certificate of the CA.
  • Page 42: Ipsec Session Interruption/Recovery

    - The ‘discard’ option is accomplished using access lists with deny entries, which are applied to interfaces within access-groups. Guidance for configuration of IOS Information Flow Policies is located in the [23] Under “IP Access List Overview”
    - The ‘bypassing’ option is accomplished using access lists with deny entries, which are applied to interfaces within crypto maps for IPsec.
  • Page 43: Product Updates

    4.7 Product Updates Verification of authenticity of updated software is done in the same manner as ensuring that the TOE is running a valid image. See Section 2, steps 7 and 9 above for the method to download and verify an image prior to running it on the TOE. Configure Reference Identifier This section describes configuration of the peer reference identifier which is achieved through a certificate map.
  • Page 44  match-value—Specifies the name or date to test with the logical operator assigned by match-criteria. Step3 (ca-certificate-map)# exit Exits ca-certificate-map mode. Step4 For IKEv1: Associates the certificate-based ACL defined with the crypto crypto isakmp profile ikev1-profile1 pki certificate map command to the profile. match certificate label For IKEv2: crypto ikev2 profile ikev2-profile1...
  • Page 45: Security Relevant Events

    5 Security Relevant Events ASR can maintain logs in multiple locations: local storage of the generated audit records, and when configured for a syslog backup will simultaneously offload those events to the external syslog server. ASR administrators should review logs at both locations. The TOE generates an audit record whenever an audited event occurs.
  • Page 46: Table 7: Auditable Events

    As noted above, the information includes at least all of the required information. Example audit events are included below. Additional Audit Information: as described in Column 3 of Table 7 below.
    Table 7: Auditable Events (columns: Requirement / Auditable Events / Additional Audit Record Contents / Sample Record)
    Secure Channel...
  • Page 47
    Auditable event: Session establishment. Additional audit record contents: Entire packet contents of packets transmitted/received. Sample record:
    Jun 20 07:42:26.823: ISAKMP (0): received packet from 100.1.1.5 dport 500 sport 500 Global (N) NEW
    Jun 20 07:42:26.823: ISAKMP: Created a peer struct for 100.1.1.5, peer port 500...
  • Page 48
    Jun 20 07:42:26.843: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
    Jun 20 07:42:26.843: ISAKMP:(0): processing KE payload. message ID = 0
    Jun 20 07:42:27.055: ISAKMP:(0): processing NONCE payload. message ID = 0
    Jun 20 07:42:27.059: ISAKMP:(0):found peer pre-shared key matching 100.1.1.5 ...
  • Page 49
    132: *Jan 30 2013 05:20:16: %SYS-5-CONFIG_ Configured from console by console
    136: *Jan 30 10:54:46.421 IST: crypto_engine IPsec SA
    135: *Jan 30 10:54:46.421 IST: crypto engine: IPsec SA :12
    171: *Jan 30 2013 05:27:31: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map
    172: *Jan 30 2013 05:27:42: %PARSER-5-...
  • Page 50
    [Source: 100.1.1.5] [localport: 22] at 11:31:35 UTC Mon Jun 18 2012
    Feb 8 06:47:17.041: %SSH-5-SSH2_CLOSE: SSH2 Session from 1.1.1.1 (tty = 0) for user 'cisco' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1-96' closed
    - See Audit events in FIA_UAU_EXT.2
    FIA_UIA_EXT.
  • Page 51
    Mar 24 07:29:59.480: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin15] [Source: 10.21.0.101] [localport: 22] [Reason: Login Authentication Failed] at 07:29:59 EDT Tue Mar 24 2015
    FIA_X509_EXT: Unsuccessful attempt to (column cut off). Additional audit record contents: Reason for failure. Sample record:
    42479: Initiator SPI : 6038B31E75BFF128 - Responder SPI : ECB6C134F5652076 Message id: 1...
  • Page 52
    FMT_MOF.1(1)/Trusted Update: Any attempt to initiate a manual update. Additional audit record contents: None. Sample record:
    *Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
    FMT_MTD.1: All management activities of TSF data. Additional audit record contents: None. Sample record:
    Feb 17 2013 16:34:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged...
  • Page 53  Use of the “upgrade” command. FPT_TUD_EXT. Initiation of No additional update. information. *Jul 10 11:04:09.179: %PARSER-5- CFGLOG_LOGGEDCMD: User:cisco logged result of the command:upgrade update attempt *Jul 10 11:04:09.179: %PARSER-5- (success or CFGLOG_LOGGEDCMD: User:cisco logged failure) Page 53 of 72...
  • Page 54
    command:copy tftp ….
    *Jul 10 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:reload
    FPT_TST_EXT.: Indication that TSF self-test was completed. Additional audit record contents: Any additional information. Sample record:
    Jan 23 2013 06:53:24.570: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Self test activated by user: admin)
  • Page 55: Table 8 Auditable Administrative Events

    Failure of the trusted channel functions.
    FTP_TRP.1: Initiation of the trusted channel; termination of the trusted channel; failures of the trusted path functions. Additional audit record contents: Identification of the claimed user identity. Sample record: AUDIT: See logs provided by FCS_SSHS_EXT.1.
  • Page 56 Requirement / Management Action / Sample Log
    Jan 24 2013 03:10:08.878: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group getvpn transitioned to Unicast Rekey.ip
    FCS_CKM_EXT.4: Cryptographic key destruction. Management action: Manual key zeroization. Sample log: Feb 17 2013 16:37:27: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:crypto key zeroize
    FCS_COP.1(1): Cryptographic operation (AES data encryption/decryption). Management action: None.
    FCS_COP.1(2):...
  • Page 57
    *Mar 13 11:56:16.407: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:permit icmp 10.21.0.0 0.0.0.255 10.22.05.0 0.0.0.255
    *Mar 13 11:56:16.690: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:crypto ipsec transform-set set_1 esp-gcm 128
    *Mar 13 11:56:16.779: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:mode tunnel
    *Mar 13 11:56:18.195: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged...
  • Page 58
    *Mar 13 11:56:21.344: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:set peer 10.22.0.2
    *Mar 13 11:56:21.471: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:set transform-set set_1
    *Mar 13 11:56:21.737: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:match address acl_ASR1001X
    *Mar 13 11:56:22.512: %PARSER-5-CFGLOG_LOGGEDCMD: User:script logged command:ip route 10.22.05.0 255.255.255.0 10.22.0.2...
  • Page 59
    FIA_PSK_EXT.1: Extended: Pre-Shared Key Composition. Management action: Creation of a pre-shared key. Sample log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: crypto isakmp key *****
    FIA_UIA_EXT.1: User identification and (column cut off). Management action: Logging into TOE. Sample log: Jan 17 2013 05:05:49.460: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ranger]...
  • Page 60
    FMT_SMR.2: Restrictions on Security roles. Management action: Configuring administrative users with specified roles. Sample log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: username admin 15
    FPT_RUL_EXT.1: Packet Filtering. Management action: Configuring packet filtering rules. Sample log: Oct 15 23:39:50 cc_toe 21698: Oct 15 23:39:50.077: %PARSER-5-...
  • Page 61
    11:27:52 UTC Tue Feb 5 2013 to 06:28:00 UTC Tue Feb 5 2013, configured from console by admin on console.
    FPT_TUD_EXT.1: Trusted update. Management action: Software updates. Sample log: Jul 10 2013 11:04:09.179: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command:upgrade
    FPT_TST_EXT.1: TSF testing. Management action: None.
    FTA_SSL_EXT.1: TSF- (column cut off). Management action: Specifying the inactivity (column cut off). Sample log: Feb 15 2013 13:12:25.055: %PARSER-5-...
  • Page 62: Deleting Audit Records

    Management Action / Sample Log
    FTA_SSL.3: TSF-initiated termination. Management action: Specifying the inactivity time period. Sample log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: exec-timeout 60
    FTA_SSL.4: User-initiated termination. Management action: Logging out of TOE. Sample log: Feb 15 2013 13:12:25.055: %PARSER-5-CFGLOG_LOGGEDCMD: User:cisco logged command: exit
    FTA_TAB.1: Default TOE...
  • Page 63: Network Services And Protocols

    6 Network Services and Protocols The table below lists the network services/protocols available on the ASR as a client (initiated outbound) and/or server (listening for inbound connections), all of which run as system-level processes. The table indicates whether each service or protocol is allowed to be used in the certified configuration.
  • Page 64
    TFTP (Trivial File Transfer Protocol): Recommend using SCP instead, or tunneling through IPsec.
    Cisco Discovery Protocol: Follow best practices for the secure usage as there are no restrictions on use of these protocols.
    Dynamic Trunking: Follow best practices for the secure usage as...
  • Page 65 Service or Protocol / Description / Client Allowed (initiating) / Server Allowed (terminating) / Allowed use in the certified configuration
    HDLC (High-Level Data Link Control): Follow best practices for the secure usage as there are no restrictions on use of these protocols.
    Layer 2 Forwarding: Follow best practices for the secure usage as there are no restrictions on use of these protocols...
  • Page 66
    EIGRP (Enhanced Interior Gateway Routing Protocol): Follow best practices for the secure usage as there are no restrictions on use of these protocols.
    Routing Information Protocol: Follow best practices for the secure usage as there are no restrictions on use of these...
  • Page 67: Modes Of Operation

    7 Modes of Operation. An IOS router has several modes of operation; these modes are as follows: Booting: while booting, the routers drop all network traffic until the router image and configuration have loaded. This mode of operation automatically progresses to the Normal mode of operation.
  • Page 68
    1 800 553-2447
    - If necessary, return the TOE to Cisco under guidance of Cisco Technical Assistance.
    If a software upgrade fails, the ASR will display an error when an authorized administrator tries to boot the system. The ASR will then boot into the rommon prompt.
  • Page 69  AES encryption/decryption  AES CFB encryption/description  AES ECB encryption/decryption  AES CMAC encryption/decryption  AES GCM encryption/decryption/GMAC  HMAC-SHA  HMAC-SHA256  HMAC-SHA384  HMAC-SHA512  3DES Crypto-C encryption/decryption  SHA Crypto-C hashing  SHA256 Crypto-C hashing  SHA384 Crypto-C hashing ...
  • Page 70: Security Measures For The Operational Environment

    8 Security Measures for the Operational Environment Proper operation of the TOE requires functionality from the environment. It is the responsibility of the authorized administrator of the TOE to ensure that the Operational Environment provides the necessary functions, and adheres to the environment security objectives listed below.
  • Page 71: Related Documentation

    - http://www.cisco.com/
    Obtaining Documentation. The following sections provide sources for obtaining documentation from Cisco Systems. 9.1 World Wide Web. You can access the most current Cisco documentation on the World Wide Web at the following sites:
    - http://www.cisco.com
    - http://www-china.cisco.com
    ...
  • Page 72: Obtaining Technical Assistance

    This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs.
