Cisco Cat4K NDPP ST 11 March 2014 EDCS-1228241
Table of Contents: Security Target Introduction; Security Target and TOE Identification; Acronyms and Abbreviations; TOE Overview; 1.3.1 TOE Evaluated Configuration; 1.3.2 TOE Type; 1.3.3...
Threats; Organizational Security Policies; 3.6.1 OSPs enforced by TOE; Security Objectives; Security Objectives for the TOE; Security Objectives for the Environment; Security Requirements...
List of Tables: Table 1 ST and TOE Identification; Acronyms; Evaluated Configuration; Table 4 IT Environment Components; 4500 S...
San Jose, CA 95134 This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and 4500X-F) running IOS-XE 3.5.2E. This Security Target (ST) defines a set of...
Security Target and TOE Identification This section provides information needed to identify and control this ST and its TOE. Table 1 ST and TOE Identification ST Title: Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and 4500X-F) Running IOS-XE 3.5.2E Security Target...
CLI Command Line Interface CM Configuration Management DH Diffie-Hellman EAL Evaluation Assurance Level EEPROM Electrically erasable programmable read-only memory, specifically the memory in the switch where the Cisco IOS is stored. EIGRP Enhanced Interior Gateway Routing Protocol FIPS Federal Information Processing Standard HMAC Hashed Message Authentication Code...
VSS Virtual Switching System TOE Overview The TOE is the Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and 4500X-F) running IOS XE 3.5.2E (hereinafter referred to as Catalyst Switches). The TOE is a purpose-built switching and routing platform with OSI Layer2 and Layer3 traffic filtering capabilities.
1.3.2 TOE Type The Cisco Catalyst Switches are a switching and routing platform used to construct IP networks by interconnecting multiple smaller networks or network segments. As a Layer2 switch, it performs analysis of incoming frames, makes forwarding decisions based on information contained in the frames, and forwards the frames toward the destination.
The Switch IOS subsystem is special-purpose software that runs on the Cisco Catalyst 4500 Series Switch hardware. The Catalyst Switches have been designed so that all locally maintained security-relevant data can only be manipulated via the secured management interface, a CLI, and the switches provide no general-purpose programming capability.
TOE itself as described in Section 1.7 Logical Scope of the TOE below. 1.5 TOE Environment and Configuration The TOE consists of one or more physical devices: the Catalyst Switch with Cisco IOS XE software. The Catalyst Switch has two or more network interfaces and is connected to at least one internal and one external network.
configured destination. BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2 Routing protocols are used on all of the Catalyst Switch models. The TOE can optionally connect to an NTP server on its internal network for time services.
1.6 Physical Scope of the TOE The TOE is a hardware and software solution that comprises the following switch models: Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and 4500X-F) running IOS XE 3.5.2E. The following tables further identify the supported configurations.
Slot 1 is reserved for supervisor engine only; slots 2 and higher are reserved for line cards. Slots 3 and 4 are reserved for supervisor engines only in Cisco Catalyst 4507R-E and 4507R+E; slots 1-2 and 5-7 are reserved for line cards.
Location of 23-inch rack mount. Cisco Catalyst 4500 Series line cards can be mixed and matched to suit numerous LAN access, server connectivity, or branch-office deployments. The Cisco Catalyst 4500 Series supports the following supervisor and line cards, by product number:...
(ACL) and quality-of-service (QoS) entries to use 8 queues/port and comprehensive security policies per port • Infrastructure services – Cisco IOS XE Software, the modular open application platform for virtualized borderless services – Maximum resiliency with redundant components, Nonstop Forwarding/Stateful Switchover (NSF/SSO), and ISSU support –...
8 queues per port and comprehensive security policies per port • Infrastructure services: – Cisco IOS XE Software, the modular open application platform for virtualized borderless services – Maximum resiliency with redundant components, Nonstop Forwarding/Stateful Switchover (NSF/SSO), and In-Service Software Upgrade (ISSU) support –...
The Cisco Catalyst 4500E Supervisor Engine 7L-E is compatible with classic Cisco Catalyst 4500 line cards and power supplies, providing full investment protection. Supervisor Engine 7L-E is not compatible with classic Cisco Catalyst 4500 chassis.
• Cisco IOS XE Release 3.1.0SG or later • Energy Efficient Ethernet 802.3az • IEEE 802.1AE and Cisco TrustSec capability in hardware • L2-4 Jumbo Frame support (up to 9216 bytes) • Enterprise and commercial: designed for data only user access •...
The Cisco Catalyst 4500 Series has flexible interface types and port densities that allow network configurations to be mixed and matched to meet the specific needs of the organization's network. The Cisco Catalyst 4500-X Series Switch is a fixed aggregation platform that provides flexibility through two versions of base switches along with an optional uplink module.
Figure 7: Front-to-Back Airflow Rear View. Figure 8: Back-to-Front Airflow Rear View. As described above, the physical boundary of the TOE is the switch hardware and software. The software of the TOE is IOS and other supporting functionality (e.g., SSH Server).
Serial port, and Compact Flash Slot In addition to the communication interfaces above, the TOE includes a number of LEDs and power connectors. The LEDs are output elements only, and while the power connectors provide physical input they are not considered TOE interfaces.
The TOE is a hardware and software solution that uses a combination of chassis, supervisor engine, and line cards as defined in Section 1.3.1, Table 3: the Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and 4500X-F) running IOS XE 3.5.2E on the Supervisor Engine.
1.7.1 Security Audit The TOE generates a comprehensive set of audit logs that identify specific TOE operations. For each event, the TOE records the date and time of each event, the type of event, the subject identity, and the outcome of the event.
TOE. 1.7.4 Identification and Authentication The TOE performs local authentication, using Cisco IOS platform authentication mechanisms, to authenticate access to user EXEC and privileged EXEC command modes. All users wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services.
Additionally, Cisco IOS is not a general-purpose operating system and access to Cisco IOS memory space is restricted to only Cisco IOS functions. The TOE provides secure transmission when TSF data is transmitted between the TOE and other IT entities, such as remote administration via SSH and secure transmission of audit logs to a syslog server via IPsec.
NTP server and external authentication server using IPsec. 1.8 Excluded Functionality The Cisco IOS contains a collection of features that build on the core components of the system. Those features that are not within the scope of the evaluated configuration include: Features that must remain disabled in the evaluated configuration: • ...
configuration. Including this feature would not meet the security policies as defined in the Security Target. The exclusion of this feature has no effect on the operation of the TOE. Telnet server sends authentication data in the clear. This feature is enabled by default and must be disabled in the evaluated configuration.
Conformance Claims 2.1 Common Criteria Conformance Claim The ST and the TOE it describes are conformant with the following CC package specifications: Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Version 3.1, Revision 3, July 2009...
2.3.4 Statement of Security Requirements Conformance The Security Functional Requirements included in the Security Target represent the Security Functional Requirements specified in the U.S. Government Protection Profile for Security Requirements for Network Devices for which conformance is claimed verbatim.
Security Problem Definition The security problem definition (SPD) defines the security problem that is to be addressed. This document identifies assumptions as A.assumption with “assumption” specifying a unique name. Threats are identified as T.threat with “threat” specifying a unique name.
Asset Asset Description The data which is provided by the TOE during security audit logging. Security properties to be maintained by the TOE: confidentiality, availability, integrity. 3.3.2 Secondary Assets The owner of the TOE presumably places value upon the following secondary entities.
Assumption Assumption Definition those services necessary for the operation, administration and support of the TOE. A.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment.
Organizational Security Policies Organizational security policies (OSPs) are security rules, procedures, or guidelines enforced by the TOE, its operational environment, or a combination of the two. 3.6.1 OSPs enforced by TOE The following security rules, procedures, or guidelines are enforced by the TOE.
Security Objectives The security objectives are a concise and abstract statement of the intended solution to the security problem defined by the SPD. This document identifies objectives of the TOE as O.objective with objective specifying a unique name.
TOE Objective TOE Security Objective Definition O.RESOURCE_AVAILABILITY The TOE shall provide mechanisms that mitigate user attempts to exhaust TOE resources (e.g., persistent storage). O.SESSION_LOCK The TOE shall provide mechanisms that mitigate the risk of unattended sessions being hijacked.
Conventions The CC defines operations on Security Functional Requirements: assignments, selections, assignments within selections and refinements. This document uses the following font conventions to identify the operations defined by the CC: Where operations were completed in the NDPP itself, the formatting used in the NDPP has been retained;...
Table 16: Auditable Events
Requirement | Auditable Events | Additional Audit Record Contents
FAU_GEN.1 | None. |
FAU_GEN.2 | None. |
FAU_STG_EXT.1 | None. |
FAU_STG_EXT.3 | Loss of connectivity. | No additional information.
FCS_CKM.1 | Failure on invoking functionality. | No additional information.
...
Requirement | Auditable Events | Additional Audit Record Contents
FMT_MTD.1 | None. |
FMT_SMF.1 | None. |
FMT_SMR.1 | None. |
FPT_ITT.1(1) | None. |
FPT_ITT.1(2) | None. |
FPT_PTD_EXT.1(1) | None. |
FPT_PTD_EXT.1(2) | None. |
FPT_RPL.1 | Detected replay attacks. | Origin of the attempt (e.g., IP address).
...
Requirement | Auditable Events | Additional Audit Record Contents
FTP_TRP.1(1) | Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions. | Identification of the claimed user identity.
FTP_TRP.1(2) | Initiation of the trusted channel... | Identification of the...
ANSI X9.80 (3 January 2000), “Prime Number Generation, Primality Testing, Primality Certificates” using random integers with deterministic tests, or constructive generation methods Generated key strength shall be equivalent to, or greater than, a symmetric key strength of 112 bits using conservative estimates.
SHA 256, SHA-512] and message digest sizes [160, 256, 512] bits that meet the following: FIPS Pub 180-3 “Secure Hash Standard.” 5.2.2.6 FCS_COP.1(4): Cryptographic operation (for keyed-hash message authentication) FCS_COP.1.1(4) The TSF shall perform [keyed-hash message authentication] in...
FCS_IPSEC_EXT.1.3 The TSF shall ensure that IKEv1 SA lifetimes are able to be limited to 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs. FCS_IPSEC_EXT.1.4 The TSF shall ensure that IKEv1 SA lifetimes are able to be limited to [an administratively configurable number of kilobytes including the range from 100 –...
FCS_SSH_EXT.1.7 The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [no other public key algorithms] as its public key algorithm(s). FCS_SSH_EXT.1.8 The TSF shall ensure that data integrity algorithms used in the SSH transport connection is [hmac-sha1, hmac-sha1-96, hmac-md5-96].
5.2.4.2 FIA_UIA_EXT.1: User identification and authentication FIA_UIA_EXT.1.1 The TSF shall allow [no services] on behalf of the user to be performed before the user is identified and authenticated. FIA_UIA_EXT.1.2 The TSF shall require each user to be successfully identified and authenticated before allowing any other TSF-mediated actions on behalf of that user.
• Ability to update the TOE, and to verify the updates using the digital signature capability (FCS_COP.1(2)) and [no other functions] • Ability to manage the cryptographic functionality • Ability to manage the audit logs and functions • ...
5.2.6.4 FPT_PTD_EXT.1(2): Management of TSF data (for reading of all symmetric keys) FPT_PTD_EXT.1.1(2) The TSF shall prevent reading of all pre-shared keys, symmetric key, and private keys. 5.2.6.5 FPT_RPL.1: Replay detection FPT_RPL.1.1 The TSF shall detect replay for the following entities: [network packets terminated at the TOE].
5.2.8 TOE Access (FTA) 5.2.8.1 FTA_SSL_EXT.1: TSF-initiated session locking FTA_SSL_EXT.1.1 The TSF shall, for local interactive sessions, [terminate the session] after a Security Administrator-specified time period of inactivity. 5.2.8.2 FTA_SSL.3: TSF-initiated termination FTA_SSL.3.1 The TSF shall terminate a remote interactive session after a...
FTP_ITC.1.3(2) The TSF shall initiate communication via the trusted channel for [all authentication functions, [IPSec]]. 5.2.9.3 FTP_TRP.1(1): Trusted path FTP_TRP.1.1(1) Refinement: The TSF shall provide a communication path between itself and remote administrators using [SSH as specified in FCS_SSH_EXT.1 to access the CLI] that is logically distinct...
The dependencies for each extended component are identified in the TOE SFR Dependencies section of this ST below. D. The management requirements, if any, associated with the extended SFRs are incorporated into the Security management SFRs defined in this ST.
This SFR was taken from NDPP – where it is defined as a requirement for specific password composition and aging constraints. FIA_UAU_EXT.5: This SFR was taken from NDPP – where it is defined as a requirement allowing the identification of required external authentication services.
SFR | Dependency | Rationale
FAU_GEN.1 | FPT_STM.1 | Met by FPT_STM.1
FAU_GEN.2 | FAU_GEN.1 | Met by FAU_GEN.
 | FIA_UID.1 | Met by FIA_UIA_EXT.1
FAU_STG_EXT.1 | FAU_GEN.1 | Met by FAU_GEN.1
FAU_STG_EXT.3 | FAU_STG_EXT.1 | Met by FAU_STG_EXT.1
FCS_CKM.1 | FCS_CKM.2 or FCS_COP.1... | Met by FCS_COP.1(2), (3), and...
SFR | Dependency | Rationale
FMT_SMF.1 | No dependencies |
FMT_SMR.1 | FIA_UID.1 | Met by FIA_UIA_EXT.1
FPT_ITT.1(1) | No dependencies |
FPT_ITT.1(2) | No dependencies |
FPT_PTD_EXT.1(1) | No dependencies |
FPT_PTD_EXT.1(2) | No dependencies |
FPT_RPL.1 | No dependencies |
FPT_STM.1 | No dependencies |
FPT_TUD_EXT.1 | No dependencies |
FPT_TST_EXT.1 | No dependencies |
FRU_RSA.1...
Assurance Measures The TOE satisfies the identified assurance requirements. This section identifies the Assurance Measures applied by Cisco to satisfy the assurance requirements. The table below lists the details. Table 19: Assurance Measures Component How requirement will be met ADV_FSP.1...
This includes details on what changes are tracked, how potential changes are incorporated, and the degree to which automation is used to reduce the scope for error. ATE_IND.1 Cisco will provide the TOE for testing. AVA_VAN.1 Cisco will provide the TOE for testing.
6 TOE Summary Specification TOE Security Functional Requirement Measures This section identifies and describes how the Security Functional Requirements identified above are met by the TOE. Table 20: How TOE SFRs are Met...
TOE SFRs How the SFR is Met The log buffer is circular, so newer messages overwrite older messages after the buffer is full. Administrators are instructed to monitor the log buffer using the show logging privileged EXEC command to view the audit records.
TOE SFRs How the SFR is Met in the log record. Any use of the authentication mechanism. | Events will be generated for attempted identification/authentication, and the username attempting to authenticate will be included...
TOE SFRs How the SFR is Met and failure related to trusted channel sessions with peer/neighbor routers and/or the remote administration console FAU_GEN.2 The TOE shall ensure that each auditable event is associated with the user that triggered the event and as a result, they are traceable to a specific user.
TOE SFRs How the SFR is Met exchanged and entered electronically. Persistent keys are entered by the privileged administrator via the console port CLI, transient keys are generated or established and stored in DRAM. If present, a VSS link can export all DRAM and NVRAM keys to another switch over a secure connection for high availability purposes.
TOE SFRs How the SFR is Met server key Overwritten with: 0x0d ANSI 16 bytes This is the seed DRAM Zeroized Seed X9.31 ANSI (plainte upon Append X9.31 RNG power cycle the...
TOE SFRs How the SFR is Met Overwritten with: 0x00 HMAC 160-bits This is the SSH DRAM Automati session SHA-1 session (plainte cally authentica authentication when tion key session terminate 1024/1536/...
TOE SFRs How the SFR is Met MACsec secret 128/256 Used to verify MACse Automati bits integrity c PHY cally (plainte when authenticity of session MPDUs expires SESA “no fips SESA 128 bits...
BGPv4 uses MD5 for authentication of routing updates as defined in RFC 2385 (Protection of BGP Sessions via TCP MD5 Signature Option). EIGRP and EIGRPv6 (Cisco proprietary) use MD5 for authentication of routing updates. RIPv2 uses MD5 for authentication of routing updates as defined in Section 2.4 of RFC 2453.
TOE SFRs How the SFR is Met The TOE implements a NIST-approved AES-CTR Deterministic Random Bit Generator (DRBG), as specified in SP 800-90. The entropy source used to seed the Deterministic Random Bit Generator (e.g.
TOE SFRs How the SFR is Met methods. FCS_IPSEC_EXT.1 The TOE implements IPsec to provide authentication and encryption services to prevent unauthorized viewing or modification of data as it travels over the external network. The...
TOE SFRs How the SFR is Met allowed to flow for a given IPsec SA using the following command, ‘crypto ipsec security-association lifetime’ as specified for the evaluated configuration. The default amount is 2560KB, which is the minimum configurable value.
TOE SFRs How the SFR is Met connected console or remotely through an SSHv2 connection, the TOE prompts the user for a user name and password. Only after the administrative user presents the correct authentication credentials will access to the TOE administrative functionality be granted.
System Administrator (level 15) will be required to enter their current password prior to entering a new password. See the Cisco Catalyst 4500 Series Switches (4503-E, 4506-E, 4507R+E, 4510R+E, 4500X and 4500X-F) Running IOS-XE 3.5.2E Common Criteria Operational User Guidance and Preparative Procedures for details and configuration settings.
TOE SFRs How the SFR is Met • Ability to manage routing tables - allows the authorized administrator the ability to create, modify, and delete the routing tables to control the routed network traffic • ...
TOE SFRs How the SFR is Met For level 0, there are five commands associated with privilege level 0: disable, enable, exit, help, and logout. However, the level could be configured to allow a user to have access to the ‘show’...
TOE SFRs How the SFR is Met staff that are usually not allowed to run all of the commands available in privileged EXEC mode (privilege level 15) on a networking device. They are prevented from running commands...
TOE SFRs How the SFR is Met Step 3 clear counters The clear counters command clears the interface counters. This command has been changed from privilege level 15 to privilege level 7.
TOE SFRs How the SFR is Met returns to privilege level 1. Router# disable Step 8 show privilege Displays the privilege level of the current CLI session Router> show privilege Current privilege level is 1 The term “authorized administrator”...
(i.e., public hashes) are used to verify software/firmware update files (to ensure they have not been modified from the originals distributed by Cisco) before they are used to actually update the applicable TOE components. FPT_TST_EXT.1 As a FIPS 140-2 validated product, the TOE runs a suite of self-...
TOE SFRs How the SFR is Met The allowable range is from 1 to 65535 seconds. FTA_TAB.1 The TOE displays a privileged Administrator specified banner on the CLI management interface prior to allowing any administrative access to the TOE.
plane allows the ability to forward network traffic; the control plane allows the ability to route traffic correctly; and the management plane allows the ability to manage network elements. There is no opportunity for unaccounted traffic flows to flow into or out of the TOE.
Rationale This section describes the rationale for the Security Objectives and Security Functional Requirements as defined within this Security Target. The following matrix is the typical display that is drawn from the information presented in Sections 2 and 3 of the NDPP.
Table 22: Threat/Policies/TOE Objectives Rationale Objective Rationale Security Objectives Drawn from NDPP O.PROTECTED_COMMUNICATIONS This security objective is necessary to counter the threat: T.UNAUTHORIZED_ACCESS and T.UNAUTHORIZED_UPDATE to ensure the communications with the TOE is not compromised.
Objective Rationale ensure accounts cannot be compromised and used by an attacker that does not otherwise have access to the TOE. O.TSF_SELF_TEST This security objective is necessary to counter the threat T.TSF_FAILURE to ensure failure of mechanisms do not lead to a compromise in the TSF.
Environment Objective Rationale the assumption A.TRUSTED_ADMIN by ensuring the administrators are non-hostile and follow all administrator guidance. Rationale for TOE Security Functional Requirements The security requirements are derived according to the general model presented in Part 1 of the Common Criteria.
FRU_RSA.1 FTA_SSL_EXT.1 FTA_SSL.3 FTA_TAB.1 FTP_ITC.1(1) FTP_ITC.1(2) FTP_TRP.1(1) FTP_TRP.1(2) Table 26: Objectives to Requirements Rationale Objective Rationale Security Functional Requirements Drawn from Security Requirements for NDPP O.PROTECTED_COMMUNICATIONS The SFRs, FAU_STG_EXT.3, FCS_CKM.1, FCS_CKM_EXT.4, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_RBG_EXT.1,...
Objective Rationale FCS_COP.1(3) meet this objective by ensuring the update was downloaded via secure communications, is from a trusted source, and the update can be verified by cryptographic mechanisms prior to installation.
Annex A: References The following documentation was used to prepare this ST: Table 27: References [CC_PART1] Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated July 2009, version 3.1, Revision 3 Common Criteria for Information Technology Security Evaluation –...