Validated Product - Cisco Systems Catalyst Switches and Cisco Secure ACS for Windows Server Version 4.1.4.13

Certificate Date: 27 May 2008

Validation Report Number: CCEVS-VR-VID6012-2008

Product Type: Router, Switch

Conformance Claim: EAL3 Augmented with ALC_FLR.1

PP Identifiers: None

CC Testing Lab: Arca CCTL

Subsequent Maintenance Release(s):

  • None

PRODUCT DESCRIPTION

The TOE is the Cisco Systems Catalyst Switches (2900, 3500, 3750, 4500, 4948, 6500) running IOS and a Cisco Secure Access Control Server for Windows Server (ACS). A Catalyst switch running IOS software loaded on the Supervisor operates as a Layer-2 switch (some of which offer Layer-3 traffic-filtering capabilities). As a Layer-2 switch, it analyzes incoming frames, makes forwarding decisions based on information contained in the frames, and forwards the frames toward the destination. The switches that are part of the TOE that also include Layer-3 capabilities are the 3500s, 3750s, 4500s, 4948s, and 6500s. The Layer-3-enabled switch supports routing of traffic. These devices may create or maintain a table of available routes and their conditions, and use this information, along with distance and cost algorithms, to determine the best route for a given packet. Routing protocols include: BGP, RIP, and OSPF.
 
The TOE also includes ACS, which provides authentication, authorization, and accounting (AAA) services to network devices that function as AAA clients, including switches.
 
Switches that support the TOE have the following common hardware characteristics. These characteristics affect only non-TSF-relevant functions of the switches (such as throughput and amount of storage) and therefore support security equivalency of the switches in terms of hardware:
  • Central processor that supports all system operations
  • Dynamic memory, used by the central processor for all system operations
  • Flash memory (EEPROM), used to store the IOS image (binary program)
  • USB slot, used to connect USB devices to the TOE (not relevant as none of the USB devices are included in the TOE)
  • Non-volatile read-only memory (ROM), used to store the bootstrap program and power-on diagnostic programs
  • Non-volatile random-access memory (NVRAM), used to store switch configuration parameters used to initialize the system at startup
  • Physical network interfaces (minimally two). Some models have a fixed number and/or type of interfaces; some models have slots that accept additional network interfaces.
 
Users of the TOE are Switch and ACS Administrators, who will hereafter be referred to generically as Authorized Administrators, or by the roles of Privileged Administrator (switch), Semi-privileged Administrator (switch), and Authentication Administrator (ACS). Privileged Administrators configure the Cisco switches using the global configuration commands to apply the features that affect the system as a whole. To initiate global configuration mode, the Privileged Administrator enters the configure command at the Privileged EXEC Mode prompt. The user interface is run from either the console port on the switch, or by connecting to the switch using secure shell. The user interface is a Command Line Interface (CLI) running the Command Interpreter (EXEC).
 
The Cisco Systems TOE hardware models are:
 
Switch Series | Switch Models                                                                                                   | IOS Version    | Switch Type
Catalyst      | 2940, 2950, 2950RLE, 2955                                                                                       | 12.1(22)EA10   | Switch
Catalyst      | 2960, 2970                                                                                                      | 12.2(25)SEE4   | Switch
Catalyst      | 3550, 3560, 3750, 3750-METRO                                                                                    | 12.2(25)SEE4   | Switch
Catalyst      | CAT4500-SUP2-PLUS, CAT4500-SUP2-PLUS-10GE, CAT4500-SUP2-PLUS-TS, CAT4500-SUP4, CAT4500-SUP5, CAT4500-SUP5-10GE | 12.2(31)SG2    | Switch Modular
Catalyst      | CAT4948, CAT4948-10GE                                                                                           | 12.2(31)SG2    | Switch
Catalyst      | CAT6500-SUP2/MSFC2, CAT6500-SUP32/MSFC2A, CAT6500-SUP720/MSFC3                                                  | 12.2(18)SXF11  | Switch

The 4500, 4948, and 6500 models listed above rely on a supervisor module for security functionality. This supervisor module is part of the TOE.
 

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Arca Common Criteria Test Laboratory processes and procedures that are compliant with the Common Criteria Evaluation and Validation Scheme (CCEVS). The evaluation demonstrated that the Auditing, Identification and Authentication, Traffic Filtering and Switching (VLAN Processing), Security Management/Access Control (Authorization), and Protection of TSF functions of the Cisco IOSAAA Catalyst Switches met the security requirements contained in the Security Target. The criteria against which the Cisco IOSAAA Catalyst Switches were judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2 Part II and Part III. The evaluation team conducted the evaluation using the Common Methodology for Information Technology Security Evaluation, Version 2.2.
 

Arca determined the product to be CC version 2.2 Part 2 and Part 3 conformant, including all Information Technology Security Evaluation Final Interpretations from January 2004 through September 30, 2004, and concluded that the Common Criteria requirements for Evaluation Assurance Level (EAL) 3 have been met with the addition of ALC_FLR.1. The product, configured as outlined in the Secure Installation Guidance, satisfies all of the security functional requirements stated in the Security Target. A Validator, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by Arca. The evaluation was completed in February 2008. Results of the evaluation can be found in the Validation Report prepared by the National Information Assurance Partnership (NIAP) CCEVS.

ENVIRONMENTAL STRENGTHS

The TOE consists of one or more physical internetworking devices (switch(es) running IOS software) and one server running ACS software. ACS software runs on a Windows 2000 Server. It should be noted that the Windows PC is not considered part of the TOE, only the ACS software operating on it. The Windows OS leverages its host-based firewall to protect the OS and the ACS. When the TOE-enabled switch is in use, at least two of the network interfaces of the internetworking device will be attached to different networks. The switch configuration will determine how traffic flows received on an interface will be handled. Typically, packet flows are passed through the internetworking device and forwarded to their configured destination. BGP, RIP, and OSPF Routing Protocols are used on the 3500s, 3750s, 4500s, 4948s, and 6500s switch models.
 
The ACS will be connected to the switch either via an internal, protected network or via a crossover cable. The TOE Boundary includes the switch hardware, the IOS software, and the ACS Server software, but not the operating system of the server platform utilized by the ACS. 
 
The TOE can optionally connect to an NTP server on its internal network for time services. Also, if the Catalyst Switch or ACS Server is to be remotely administered, then the management station must be connected to an internal network, SSH must be used to connect to the switch, and SSL must be used to connect to the ACS. The ACS, remote management, and NTP boxes (if used) must all be attached to the internal (protected) network.
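The deployment constraints just described (switch management over SSH only, AAA delegated to an ACS that sits on the protected network, and NTP, if used, taken only from that network) are the kind of thing an operator can verify mechanically against a switch's running configuration. The script below is an added example, not part of this validation entry and not Cisco or NIAP tooling: it parses a constructed IOS-style configuration (placeholder hostname, addresses, key, and an assumed protected network of 10.10.0.0/24) and reports each departure from the evaluated configuration's requirements. It cannot see the ACS side, so the requirement that ACS be managed over SSL is out of its scope.

```python
"""Audit an IOS-style switch configuration against the evaluated-configuration
deployment constraints: SSH-only vty access, AAA delegated to an ACS host on
the protected network, and any NTP server also on the protected network.
Everything below (config text, addresses, key, network range) is a constructed
sample for illustration, not data from the evaluation."""
import ipaddress
import re

# Assumed internal (protected) network; adjust to the real deployment.
PROTECTED_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample configuration.  'line vty 0 4' deliberately still allows
# telnet so the audit has something to report.
SAMPLE_CONFIG = """\
hostname sw-edge
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.10.0.5 key PLACEHOLDER_KEY
ip ssh version 2
ntp server 10.10.0.7
line con 0
 login authentication default
line vty 0 4
 transport input telnet ssh
 login authentication default
line vty 5 15
 transport input ssh
 login authentication default
"""

# The same configuration with the vty lines restricted to SSH.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("transport input telnet ssh",
                                        "transport input ssh")


def parse_config(text):
    """Split the config into global commands and 'line ...' blocks.
    Indented lines are attached to the most recent 'line' header."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks


def _hosts(cmds, pattern):
    """Return the first capture group of every command matching pattern."""
    return [m.group(1) for m in (re.match(pattern, c) for c in cmds) if m]


def _inside(host, network):
    """True if host is an IP address inside network; hostnames cannot be
    checked offline and are treated as unverified (False)."""
    try:
        return ipaddress.ip_address(host) in network
    except ValueError:
        return False


def audit_config(text, protected_net=PROTECTED_NET):
    """Return a list of findings; an empty list means the config satisfies
    every check implemented here."""
    cmds, blocks = parse_config(text)
    findings = []

    if "aaa new-model" not in cmds:
        findings.append("AAA not enabled: 'aaa new-model' missing")
    if not any(re.match(r"aaa authentication login \S+ .*group (tacacs\+|radius)", c)
               for c in cmds):
        findings.append("login authentication is not delegated to an AAA server group")

    aaa_hosts = _hosts(cmds, r"(?:tacacs|radius)-server host (\S+)")
    if not aaa_hosts:
        findings.append("no AAA server (ACS) host configured")
    for host in aaa_hosts:
        if not _inside(host, protected_net):
            findings.append(f"AAA server {host} is not on the protected network")

    if "ip ssh version 2" not in cmds:
        findings.append("SSH version 2 not enforced: 'ip ssh version 2' missing")

    # Every vty block must accept SSH and nothing else.
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        transport = [c for c in body if c.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no 'transport input' line, so the transport is not restricted")
        elif transport[-1] != "transport input ssh":
            findings.append(f"{header}: '{transport[-1]}' permits a non-SSH transport; "
                            "use 'transport input ssh'")

    # NTP is optional, but any NTP server used must be on the protected network.
    for host in _hosts(cmds, r"ntp server (\S+)"):
        if not _inside(host, protected_net):
            findings.append(f"NTP server {host} is not on the protected network")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
```

Run against the sample, the only finding is the vty range that still accepts telnet; the hardened copy passes. The parser is intentionally minimal (top-level commands plus `line` blocks) because those are the only sections these checks need; a real audit would also confirm the console and management station are on the protected network, which a switch config alone cannot show.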

Cisco Systems, Inc.

Chris Romeo
919.392.0512
919.392.1790 (Fax)
chromeo@cisco.com

http://www.cisco.com/