Cisco Cisco IOS Software Release 12.4(23)
6. TOE Summary Specification
Document Organization
27
Security Target For Cisco IOS IPSec
Interactive CLI connections (console or telnet) require user authentication. The TOE shall be configured
to require an access password, which provides unprivileged access and an enable password which
provides privileged management access. The unprivileged administrator can only query the TOE
configuration. After successful authentication via the CLI interface, an authorized user can upload or
download configuration files to/from a TFTP server.
to require an access password, which provides unprivileged access and an enable password which
provides privileged management access. The unprivileged administrator can only query the TOE
configuration. After successful authentication via the CLI interface, an authorized user can upload or
download configuration files to/from a TFTP server.
The privileged administrator has control over all TOE functions, attributes, and data, either by executing
commands, viewing status and configuration, or editing the TOE configuration settings. The default
configuration will be secure so that packet flows will not occur. The privileged administrator has the
right to change from the default to allow packet flows.
commands, viewing status and configuration, or editing the TOE configuration settings. The default
configuration will be secure so that packet flows will not occur. The privileged administrator has the
right to change from the default to allow packet flows.
The TOE will conduct self-tests upon startup to verify that it is operating correctly.
CONFIG.3 - Management of Time
The TOE maintains real time using a reliable software clock that interfaces to an internal hardware clock,
or the Network Time Protocol (NTP).
or the Network Time Protocol (NTP).
6.1.4 Key Management
To support the authentication of one TOE to another TOE, the TOE supports the use of public key
cryptography.
cryptography.
KEYMGT.1 - Key Management
The TOE generates secure RSA public/private keys (512 and 1024 bit key lengths) for use with a Public
Key Infrastructure (PKI). The TOE interacts with a certificate authority using the Simple Certificate
Enrollment Protocol (SCEP) to download a certificate authority’s digital certificate and to request and
download a digital certificate for the TOE itself. The TOE can destroy keys it creates by overwriting
them.
Key Infrastructure (PKI). The TOE interacts with a certificate authority using the Simple Certificate
Enrollment Protocol (SCEP) to download a certificate authority’s digital certificate and to request and
download a digital certificate for the TOE itself. The TOE can destroy keys it creates by overwriting
them.
Table 12
Mapping Summary Specifications to Functional Requirements
TSS Reference
IT Security Function
Function Component
Functional Requirement
IPSEC.1
IPSec Internet Key
Exchange (IKE
Exchange (IKE
FCS_CKM.1(2)
FTP_ITC.1
FMT_MSA.2
Cryptographic key
generation (Diffie Hellman)
generation (Diffie Hellman)
Inter-TSF trusted channel
Secure security attributes
IPSEC.2
IPSec Encapsulating
Security Payload
(ESP)
Security Payload
(ESP)
FCO_NRO.2
FCS_COP.1 (1)
FCS_COP.1 (2)
FDP_UCT.1
FDP_UIT.1
FTP_ITC.1
Enforced proof of origin
Cryptographic operation
(Encryption)
(Encryption)
Cryptographic operation
(Signing)
(Signing)
Basic data exchange
confidentiality
confidentiality
Data exchange integrity
Inter-TSF trusted channel