Cisco Cat4K NDPP ST
11 March 2014
EDCS-1228241
26
security features and configuration options of routing protocols are beyond the scope
of this Security Target and are described in administrative guidance.
The TOE also ensures that packets transmitted from the TOE do not contain residual
information from previous packets. Packets that are not the required length use zeros
for padding the remainder of the packet, so that residual data from previous traffic is
never transmitted from the TOE.
1.7.4 Identification and Authentication
The TOE performs local authentication, using Cisco IOS platform authentication
mechanisms, to authenticate access to user EXEC and privileged EXEC command
modes. All users wanting to use TOE services are identified and authenticated prior to
being allowed access to any of the services. Once a user attempts to access the
management functionality of the TOE (via EXEC mode), the TOE prompts the user for a
user name and password. Only after the administrative user presents the correct
identification and authentication credentials will access to the TOE functionality be
granted.
The TOE also supports use of a remote AAA server (RADIUS and ) as the
enforcement point for identifying and authenticating users attempting to connect to the
TOE’s CLI. Note that the remote authentication server is not included within the scope of
the TOE evaluated configuration; it is considered to be provided by the operational
environment.
The TOE can be configured to display an advisory banner when administrators log in and
also to terminate administrator sessions after a configured period of inactivity.
The TOE also supports authentication of neighbor routers using the router authentication
mechanisms of BGPv4, EIGRP, EIGRPv6 for IPv6, RIPv2, and OSPFv2. Each of these
protocols supports authentication by transmission of MD5-hashed password strings,
which each neighbor router uses to authenticate the others. For additional security, it is
recommended that routing protocol traffic also be isolated to separate VLANs.
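The following Cisco IOS configuration fragment is an added illustration, not text from the Security Target or from Cisco's administrative guidance, of the identification and authentication features described above: local EXEC authentication, an advisory login banner, an inactivity timeout, SSHv2-only remote administration, and MD5-keyed OSPFv2 neighbor authentication. The hostname, domain name, user names, secrets, key strings and interface name are placeholders to be replaced with site values.

```cisco
! Added example configuration; all values in angle brackets are placeholders.
hostname <switch-name>
ip domain-name <example.domain>
! Local identification and authentication before any EXEC access is granted
aaa new-model
aaa authentication login default local
username <admin-name> privilege 15 secret <admin-password>
enable secret <enable-password>
! Advisory banner shown to administrators at login
banner login ^
<authorized-use-notice>
^
! Remote administration restricted to SSHv2; sessions end after 10 minutes idle
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
 exec-timeout 10 0
! Local console (serial port) also requires authentication and times out
line con 0
 login authentication default
 exec-timeout 10 0
! OSPFv2 neighbor authentication using an MD5 keyed digest on the routing interface
interface <routing-interface>
 ip ospf message-digest-key 1 md5 <ospf-key>
router ospf 1
 area 0 authentication message-digest
```

The same MD5 key must be configured on every OSPF neighbor on that link, and the routing interface should sit in a VLAN separate from user traffic as the text recommends.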
1.7.5 Security Management
The TOE provides secure administrative services for management of general TOE
configuration and the security functionality provided by the TOE. All TOE
administration occurs either through a secure session via SSHv2, or a local console
connection (serial port). The TOE provides the ability to perform the following actions:
allows authorized administrators to add new administrators,
start up and shut down the device,
create, modify, or delete configuration items,
create, modify, or delete information flow policies,
create, modify, or delete a routing table,
modify and set session inactivity thresholds,
modify and set the time and date,