Cisco ISR 4000 Family Routers Administrator Guidance
List of Acronyms
The following acronyms and abbreviations are used in this document:
Table 1 Acronyms
Acronyms / Abbreviations: Definition
AAA: Administration, Authorization, and Accounting
AES: Advanced Encryption Standard
FIPS: Federal Information Processing Standards
EAL: Evaluation Assurance Level
...
This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Cisco Integrated Services Routers (ISR) 4000 (4321, 4331 and 4351) Family. This Operational User Guidance with Preparative Procedures addresses the administration of the TOE software and hardware and describes how to install, configure, and maintain the TOE in the Common Criteria evaluated configuration.
This Operational User Guidance with Preparative Procedures documents the administration of the Cisco Integrated Services Routers (ISR) 4000 Family (4321, 4331 and 4351), the TOE, as it was certified under Common Criteria. The Cisco Integrated Services Routers (ISR) 4000 Family may be referenced below as the ISR 4000 Family Router, TOE, or simply router.
Title: Link
Basic System Management Configuration Guide: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/configuration/xe-16/bsm-xe-16-book.html
RADIUS Configuration Guide: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16/sec-usr-rad-xe-16-book.html
Using Setup Mode to Configure a Cisco Networking Device: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/configuration/15-s/fundamentals-15-s-book.html
Cisco IOS Security Command Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-a1-cr-book.html
...
ST will invalidate the secure configuration. The TOE is a hardware and software solution that makes up the Cisco Integrated Services Routers (ISR) 4000 Family (4321, 4331 and 4351) model. The network on which they reside is considered part of the environment. The software is pre-installed and is comprised of the Cisco IOS-XE software image Release 16.3.2.
Component | Required | Usage/Purpose Description for TOE performance
Certification Authority | | This includes any IT Environment Certification Authority on the TOE network. This can be used to provide the TOE with a valid certificate during certificate enrolment.
Step 1 Before unpacking the TOE, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).
Step 10 To install and configure the ISR 4000 Family Router, follow the instructions described in [3] Overview – Basic Configuration of a Cisco Networking Device -> Cisco IOS EX Setup Mode. Depending on your organization and current network environment, in the Where to Go Next section select either ‘Using AutoInstall to Remotely Configure Cisco Networking Device’...
Step 11 The end-user must confirm once the TOE has booted that they are indeed running the evaluated version. Use the “show version” command [8] to display the currently running system image filename and the system software release version. It is also recommended the license level be verified and activated as described in [15].
This command ensures that the enable password is not stored in plain text. To configure it, use enable secret 5 as described in Cisco IOS Security Command Reference: Commands D to L -> E -> enable secret ([8]). Note that this setting can be confirmed after initial configuration is complete by examining the configuration file and looking for “enable secret 5”.
into the vty lines. Reference password (line configuration) in Cisco IOS Security Command Reference: Commands M to R -> pac key through port-misuse -> password (line configuration).
4 – Configure SNMP Network Management – No (this is the default). Note that this setting can be confirmed after configuration is complete by examining the configuration file to ensure that there is no “snmp-server”...
When creating administrator accounts, all individual accounts are to be set to a privilege level of one. This is done by using the following commands:
TOE-common-criteria(config)# username <name> password <password>
to create a new username and password combination, and
TOE-common-criteria(config)# username <name>...
Note: this lockout only applies to privilege 14 users and below.
Note: this applies to consecutive failures, and is not affected by the SSH or Telnet session disconnections after their default number of failures. In other words, if this lockout command is set to 5 failures and SSH disconnects after 3 failed attempts, and the user then attempts another SSH session and enters the wrong credentials two additional times, the account will lock.
In addition, configure your SSH client for dh-group-14. In PuTTY, configure the SSH client to support only diffie-hellman-group14-sha1 key exchange. To configure PuTTY, do the following:
Go into PuTTY Configuration
Select Connection > SSH > Kex;...
Recovery from an event where the connection is unintentionally broken is to follow the steps to establish a connection as listed above.
3.3.2 Authentication Server Protocols
RADIUS (outbound) for authentication of TOE administrators to remote authentication servers is disabled by default but should be enabled by administrators in the evaluated configuration.
In order to ensure that all commands executed by a level 15 user are captured in a syslog record, the following Cisco Embedded Event Manager script can be used. Enter it at the CLI as follows:
Switch(config)#event manager applet cli_log
Switch(config-applet)#event cli pattern ".*"...
Switch(config-applet)#end
See https://supportforums.cisco.com/community/netpro/network-infrastructure/eem for more information on EEM scripting.
3.3.5 Logging Protection
If an authorized administrator wants to back up the logs to a syslog server, then protection must be provided for the syslog server communications. This can be provided in one of two ways:
1.
TOE-common-criteria(config-if)#crypto map sample
TOE-common-criteria(config-if)#exit
TOE-common-criteria(config)#ip route 12.1.1.0 255.255.255.0 11.1.1.4
TOE-common-criteria(config)#access-list 115 permit ip 10.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255 log
TOE-common-criteria(config)#logging host 12.1.1.1
Recovery from an event where the connection is unintentionally broken is to follow the steps to establish a connection as listed above.
o Source Port
o Destination Port
Traffic matching is done based on a top-down approach in the access list. The first entry that a packet matches will be the one applied to it. The VPNGW EP requires that the TOE access control lists (ACLs) be configured to drop all packet flows as the default rule, and that traffic matching the ACL be able to be logged.
Note: Logging of all traffic hitting the default deny ACL can generate a large number of logs, and a determination should be made whether it is necessary prior to entering this at the end of all access lists.
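As an added illustration (not code from this document or from Cisco), the evaluator below applies the top-down, first-match semantics described above to a small constructed ACL in IOS syntax, including IOS wildcard masks, and shows why the explicit default-deny entry with `log` matters: a flow that falls through to the implicit deny at the end of the list is dropped but produces no log record. The ACL text, addresses and function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample ACL in IOS syntax, modelled on the access-list 115 line
# shown earlier in this document. The last entry is the explicit default-deny
# rule with logging that the evaluated configuration calls for.
SAMPLE_ACL = """
access-list 115 permit ip 10.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255 log
access-list 115 permit tcp 10.1.1.0 0.0.0.255 any eq 22
access-list 115 deny ip any any log
"""

ENTRY_RE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<dport>\d+))?(?P<log>\s+log)?\s*$"
)


def parse_addr(spec):
    """Return (address, wildcard) as ints; wildcard bits set to 1 are don't-care."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec.split()[1])), 0
    net, wild = spec.split()
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))


def addr_matches(addr, spec):
    net, wild = spec
    # Force the don't-care bits to 1 on both sides, then compare the rest.
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACL syntax in example: " + line)
        entries.append({
            "action": m["action"],
            "proto": m["proto"],
            "src": parse_addr(m["src"]),
            "dst": parse_addr(m["dst"]),
            "dport": int(m["dport"]) if m["dport"] else None,
            "log": m["log"] is not None,
        })
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """Top-down, first-match evaluation of one packet. Returns (action, logged,
    entry_index); entry_index is None when the implicit deny applied."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not addr_matches(src, e["src"]) or not addr_matches(dst, e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["log"], i
    # IOS drops anything that reaches the end of the list but does not log it,
    # which is why the document adds an explicit "deny ip any any log".
    return "deny", False, None
```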
Secure Management
User Roles
The ISR 4000 Family Routers have both privileged and semi-privileged administrator roles as well as non-administrative access. Non-administrative access is granted to authenticated neighbor routers for the ability to receive updated routing tables per the information flow rules. No other access or functions are associated with non-administrative access.
3. The password obtained by capitalization of the username or username reversed is not accepted. 4. The new password cannot be “cisco”, “ocsic”, or any variant obtained by changing the capitalization of letters therein, or by substituting “1”, “|”, or “!” for i, or by substituting “0”...
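An added example (not from this document or from Cisco) that applies rules 3 and 4 above as a pre-check before a candidate password is entered on the router. The rule-4 text is cut off after “0”; that “0” stands in for the letter o is an assumption of this example, as are the function names; rules 1 and 2 are not reproduced here.

```python
# Character substitutions listed in rule 4: "1", "|" or "!" for i, and "0"
# for o. The document is cut off after "0"; that it replaces the letter o is
# an assumption of this example.
SUBSTITUTIONS = {"i": "1|!", "o": "0"}
FORBIDDEN_WORDS = ("cisco", "ocsic")


def canonical(text):
    """Lower-case the text and undo the listed substitutions so that every
    variant of a forbidden word collapses to the same string."""
    reverse = {sub: letter for letter, subs in SUBSTITUTIONS.items() for sub in subs}
    return "".join(reverse.get(ch, ch) for ch in text.lower())


def check_password(username, password):
    """Return the list of rules the password violates (empty means accepted).
    Only rules 3 and 4 quoted in this document are implemented."""
    violations = []
    u, p = username.lower(), password.lower()
    # Rule 3: the username with changed capitalisation, or the username
    # reversed, is not accepted (case is ignored for both comparisons).
    if p == u or p == u[::-1]:
        violations.append("rule 3: password derived from the username")
    # Rule 4: "cisco", "ocsic" and their capitalisation/substitution variants.
    if canonical(password) in FORBIDDEN_WORDS:
        violations.append("rule 4: password is a variant of cisco/ocsic")
    return violations
```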
Use of enable passwords is not necessary, so all administrative passwords can be stored as SHA-256 if enable passwords are not used. Note: Cisco no longer recommends that the ‘enable password’ command be used to configure a password for privileged EXEC mode. The password that is entered with the ‘enable password’...
Clock Management
Clock management is restricted to the privileged administrator. For instructions to set the clock, refer to [4]: under Configure, click on Configuration Guides -> Network Management, then click on Network Management Configuration Guide Library ...
When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as cisco, connections are established, if necessary. If the crypto map entry is tagged as ipsec-isakmp, IPsec is triggered. If there is no SA that the IPsec can use to protect this traffic to the peer, IPsec uses IKE to negotiate with the remote peer to set up the necessary IPsec SAs on behalf of the data flow.
Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings that can be applied to IPsec-protected traffic. During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
This configures IPsec to use pre-shared keys. X.509 v3 certificates are also supported for authentication of IPsec peers. See Section 4.6.3 below for additional information.
TOE-common-criteria(config-isakmp)# crypto isakmp key cisco123!cisco123!CISC address 11.1.1.4
Note: Pre-shared keys on the TOE must be at least 22 characters in length and can be composed of any combination of upper and lower case letters, numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“,...
Note: the authorized administrator must ensure that the keysize for this setting is greater than or equal to the keysize selected for ESP in Section 4.6.2 below. If AES 128 is selected here, then the highest keysize that can be selected on the TOE for ESP is AES 128 (either CBC or GCM).
Note: The configuration above is not a complete IKE v2 configuration, and additional settings will be needed. See [18] Configuring Internet Key Exchange Version 2 (IKEv2) for additional information on IKE v2 configuration.
Additional information regarding configuration of IPsec can be found in [8]. The IPsec commands are dispersed within the Security Command References. This functionality is available to the Privileged Administrator. Configuration of VPN settings is restricted to the privileged administrator.
4. Configure an enrollment method: enrollment [terminal, url url]
Device(ca-trustpoint)#enrollment url http://192.168.2.137:80
5. Configure subject-name settings for the certificate: subject-name CN=hostname.domain.com,OU=OU-name
Device(ca-trustpoint)#subject-name CN=asrTOE.cisco.com,OU=TAC
6. Set revocation check method: revocation-check crl
Device(ca-trustpoint)#revocation-check crl
Device(ca-trustpoint)#exit
7.
Certificates are stored to NVRAM by default; however, some routers do not have the required amount of NVRAM to successfully store certificates. All Cisco platforms support NVRAM and flash local storage. Depending on the platform, an authorized administrator may have other supported local storage options including bootflash, slot, disk, USB flash, or USB token.
Use the revocation-check command to specify at least one method (OCSP, CRL, or skip the revocation check) that is to be used to ensure that the certificate of a peer has not been revoked. For multiple methods, the order in which the methods are applied is determined by the order specified via this command.
trust point associated with the root CA, an error message will be displayed and the chain validation will revert to the default chain-validation command setting.
7. Exit:
TOE-common-criteria(ca-trustpoint)# exit
4.6.4.8 Setting X.509 for use with IKE
Once X.509v3 keys are installed on the TOE, they can be set for use with IKEv1 with the...
4.6.5 Information Flow Policies
The TOE may be configured by the privileged administrators for information flow control/firewall rules as well as VPN capabilities using the access control functionality. Configuration of information flow policies is restricted to the privileged administrator.
Step 2 | (ca-certificate-map)# field-name match-criteria match-value | In ca-certificate-map mode, you specify one or more certificate fields together with their matching criteria and the value to match.
field-name—Specifies one of the following case-insensitive name strings or a date:
–subject-name...
(ca-certificate-map)# subject-name co c=US
(ca-certificate-map)#exit
(config)# crypto isakmp profile ike1-profile-match-cert
match certificate cert-map-match-all
Security Relevant Events
The TOE is able to generate audit records that are stored internally within the TOE whenever an audited event occurs, as well as simultaneously offloaded to an external syslog server. The details for protection of that communication are covered in section 3.3.5 above.
Outcome (Success or Failure): Success may be explicitly stated with “success” or “passed” contained within the audit event or is implicit in that there is not a failure or error message. As noted above, the information includes at least all of the required information. Example audit...
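To show how a syslog consumer would apply the outcome rule just described, here is an added example (not part of this document or of Cisco's software) that parses a few constructed records in the same formats as the sample records in the audit table below and extracts subject, source, IOS message header and outcome. The record texts, user names, addresses and function names are constructed for the example.

```python
import re

# Constructed sample records, modelled on the sample audit records in this
# document's audit table (users, addresses and times are illustrative only).
SAMPLE_RECORDS = [
    "Login Success [user: ranger] [Source: 100.1.1.5] [localport: 22] "
    "at 11:31:35 UTC Mon Jun 18 2012",
    "Login failed [user: auditperson] [Source: 0.0.0.0] [localport: 0] "
    "[Reason: Login Authentication Failed] at 23:45:43 UTC Sat Apr 25 2009",
    "Jun 18 2012 06:47:17.041: %SSH-5-SSH2_CLOSE: SSH2 Session from 1.1.1.1 "
    "(tty = 0) for user 'cisco' using crypto cipher 'aes256-cbc', "
    "hmac 'hmac-sha1-96' closed",
    "Jun 18 2012 19:10:18.621: %PKI-3-CERTIFICATE_REVOKED: Certificate chain "
    "validation failed. certificate (SN: 04) is revoked",
    "Feb 17 2013 16:37:27: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin "
    "logged command:crypto key zeroize",
]

# %FACILITY-SEVERITY-MNEMONIC: header of an IOS system message.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")
# "[key: value]" fields used by the login records.
FIELD_RE = re.compile(r"\[(?P<key>[^:\]]+): (?P<value>[^\]]*)\]")
# Subject identity in messages that carry it inline.
USER_RE = re.compile(r"(?:User:|for user ')(?P<user>[\w.-]+)")


def classify_outcome(line):
    """Document's rule: success is explicit ("success"/"passed") or implicit
    when the record carries no failure or error message."""
    low = line.lower()
    if "success" in low or "passed" in low:
        return "success"
    if "fail" in low or "error" in low:
        return "failure"
    return "success"


def parse_record(line):
    rec = {"raw": line, "subject": None, "source": None, "facility": None,
           "severity": None, "mnemonic": None, "outcome": classify_outcome(line)}
    m = MSG_RE.search(line)
    if m:
        rec["facility"] = m["facility"]
        rec["severity"] = int(m["severity"])
        rec["mnemonic"] = m["mnemonic"]
    for key, value in FIELD_RE.findall(line):
        if key == "user":
            rec["subject"] = value
        elif key == "Source":
            rec["source"] = value
    if rec["subject"] is None:
        u = USER_RE.search(line)
        rec["subject"] = u["user"] if u else None
    return rec


def failures(lines):
    """Records a reviewer would triage first: failed outcomes, with who/where."""
    return [(r["subject"], r["source"], r["mnemonic"])
            for r in map(parse_record, lines) if r["outcome"] == "failure"]
```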
Requirement | Auditable Events | Additional Audit Record Contents | Sample Record
Sample record (continued from previous page): AuditSessionID 000000000000000D001C2D92, CKN 24AA15376050334AE1EA9BE8A1D0894B00000000000000000000000000000000
FCS_MACSEC_EXT.3.1 | Creation/update of Secure Association Key | Creation/update times | For SAK (Security Association Key) creation: Mar 15 2016 12:54:49.937 IST: MKA-...
Requirement | Auditable Events | Additional Audit Record Contents | Sample Record
Sample record (continued from previous page):
Jun 20 07:42:26.823: ISAKMP:(0):Input IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 07:42:26.823: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
…
Jun 20 07:42:26.823: ISAKMP:(0):found peer pre-shared key matching 100.1.1.5
Jun 20 07:42:26.823: ISAKMP:(0): local...
Login Success [user: ranger] [Source: 100.1.1.5] [localport: 22] at 11:31:35 UTC Mon Jun 18 2012
06:47:17.041: %SSH-5-SSH2_CLOSE: SSH2 Session from 1.1.1.1 (tty = 0) for user 'cisco' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1-96' closed
FIA_UIA_EXT.1 | All use of the | Provided user | See Audit events in FIA_UAU_EXT.2...
Requirement | Auditable Events | Additional Audit Record Contents | Sample Record
Sample record (continued from previous page): Login failed [user: auditperson] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 23:45:43 a Sat Apr 25 2009
See FCS_SSH_EXT.1 for remote login audit events.
Requirement | Auditable Events | Additional Audit Record Contents | Sample Record
Sample record (continued from previous page): 19:10:18.621: %PKI-3-CERTIFICATE_REVOKED: Certificate chain validation failed. certificate (SN: 04) is revoked
FMT_MOF.1(1)/AdminAct | Modification of the behaviour of the TSF. | None. | Feb 17 2013 16:34:02: %PARSER-5-CFGLOG_LOGGEDCMD:
Requirement | Auditable Events | Additional Audit Record Contents | Sample Record
FPT_STM.1 | Changes to the time. | The old and new values for the time. | Local Clock Update: CLOCKUPDATE: System clock has been updated from 06:11:37 EDT Mon Dec 20 2010 to...
Requirement | Auditable Events | Additional Audit Record Contents | Sample Record
Sample record (continued from previous page): invalid ID: 147461 (syslogd) app_name: ssl certificate) Process: syslogd
None.
FTA_SSL_EXT.1 | Any attempts at unlocking of an... | In the TOE this is represented by login...
Requirement | Auditable Events | Additional Audit Record Contents | Sample Record
FTP_TRP.1 | Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions. | Identification of the claimed user identity. | AUDIT: logs provided FCS_SSH_EXT.1
Requirement | Management Action | Sample Log
Sample log (continued from previous page): Jan 24 2013 03:10:08.878: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group getvpn transitioned to Unicast Rekey.ip
FCS_CKM_EXT.4: Cryptographic key zeroization | Manual key zeroization | Feb 17 2013 16:37:27: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command:crypto key zeroize
FCS_COP.1(1):...
Requirement | Management Action | Sample Log
FDP_RIP.2: Full residual information protection | None |
FIA_AFL.1 | Configuring number of failures. Unlocking the user. | Feb 17 2013 16:14:47: %PARSER-5-CFGLOG_LOGGEDCMD: User:test_admin logged command: aaa local authentication attempts max-fail [number of failures]
Feb 7 2013 02:05:41.953: %AAA-5-...
Requirement | Management Action | Sample Log
FMT_MOF.1: Management of Security Functions Behavior | See all other rows in table. |
FMT_MTD.1: Management of TSF data (for general TSF data) | See all other rows in table. |
FMT_SMF.1: Specification...
Network Services and Protocols
The table below lists the network services/protocols available on the TOE as a client (initiated outbound) and/or server (listening for inbound connections), all of which run as system-level processes. The table indicates whether each service or protocol is allowed to be used in the certified configuration.
Service or Protocol | Description | Client Allowed (initiating) | Server Allowed (terminating) | Allowed use in the certified configuration
Internet Key Exchange | | | | As described in Section 4.6.1 of this document.
IMAP4S | Internet Message Access Over TLS | | | No restrictions.
Service or Protocol | Description | Client Allowed (initiating) | Server Allowed (terminating) | Allowed use in the certified configuration
SSL (not TLS) | Secure Sockets Layer | | | Use TLS instead. Protocol is not considered part of the evaluation.
Modes of Operation
An IOS router has several modes of operation. These modes are as follows:
Booting – while booting, the routers drop all network traffic until the router image and configuration have loaded. This mode of operation automatically progresses to the Normal mode of operation.
Restart the TOE to perform POST and determine if normal operation can be resumed. If the problem persists, contact Cisco Technical Assistance at http://www.cisco.com/techsupport or 1 800 553-2447. If necessary, return the TOE to Cisco under guidance of Cisco Technical Assistance.
Security Measures for the Operational Environment
Proper operation of the TOE requires functionality from the environment. It is the responsibility of the authorized administrator of the TOE to ensure that the Operational Environment provides the necessary functions, and adheres to the environment security objectives listed below.
Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0. You can access the most current Cisco documentation on the World Wide Web at the following sites: ...
This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs.