October 2015 Issue No: 2.1
Security Procedures
Cisco ISR Series Cisco ASR Series
Customers can continue to use this guidance. The content remains current, although may contain references to legacy SPF policy and classifications.
This document describes the manner in which this product should be implemented to ensure it complies with the requirements of the CPA SC that it was assessed against. The intended audience for this document is HMG implementers, and as such they should have access to the documents referenced within. If you do not have access to these documents but believe that you have an HMG focused business need, please contact CESG Enquiries.
Document History
Version Date Comment
1.0 February 2012 First issue
2.0 March 2013 Second issue
2.1 October 2015 First public release
Page 1
CISCO ISR Series CISCO ASR Series
About this document
These CESG Security Procedures are intended for System Designers, Risk Managers and Accreditors. You should establish whether any departmental or local standards, which may be more rigorous than national policy, should be followed in preference to those given in these Security Procedures.
Related documents
The CISCO ISR/ASR series should be deployed in accordance with a Risk Management and Accreditation Documentation Set (RMADS). The documents listed in the References section are also relevant to this deployment. For detailed information about device operation and configuration, refer to the Cisco product documentation.
Points of contact
For additional hard copies of this document and general queries, please contact CESG using the following details.
CESG Enquiries
Hubble Road Cheltenham GL51 0EX United Kingdom
[email protected] Tel: 01242-709141
CESG welcomes feedback and encourages readers to inform CESG of their experiences, good or bad in this document. Please email [email protected]
Contents:
Chapter 1 - Introduction, page 3
  Outline Description, page 3
  Product Versions, page 3
  Hardware Supply, page 4
  Component Descriptions, page 4
  Certificates and Keys, page 4
Chapter 2 - Security Operation, page 5
  Procedures, page 5
  Secure Installation and Configuration, page 5
  User Accounts, page 6
  Device Management, page 6
  System Logs, page 6
  Crash Files, page 6
  Location, page 6
  Connectivity to Networks, page 7
  Storage Media, page 7
  Movement of Equipment, page 7
Chapter 3 - Security Incidents, page 8
  Tampering and Other Compromises, page 8
  Reporting Comsec Incidents, page 8
Chapter 4 - Disposal and Destruction, page 9
  Disposal and Destruction of Key Material, page 9
  Routine Destruction of equipment, page 9
  Emergency Destruction, page 9
Glossary, page 11
Chapter 1 - Introduction
Outline Description
1. The Cisco 800, 1900, 2900, 3900 series Integrated Service Routers (ISR) and Cisco 1000 series Aggregation Service Routers (ASR) can be used to protect the confidentiality and integrity of sensitive data through an Internet Key Exchange (IKE) mutually-authenticated IPsec encrypted overlay network.
2. The ISR/ASR range has been approved to secure sensitive data when configured with the PSN Interim IPsec Profile. This comprises:
Module                Description
Encryption            AES128 – CBC mode
PRF                   SHA-1
Diffie-Hellman Group  Group 5 (1536 bits)
Signature             RSA with X.509v3 certificate
Table 1 - PSN Interim IPsec Profile
3. Data that does not originate from a protected interface will be routed externally without any additional cryptographic protection.
4. The assurance work performed by CESG meets both the CPA Foundation Grade Security Characteristic for IPsec Gateways, and the PEPAS requirements for PSN. To use the ISR/ASR range within PSN, please consult Chapter 4 of the PSN: Cryptographic Framework, Assurance Requirements for IPsec devices, which is available from http://www.cabinetoffice.gov.uk.
5. The ISR/ASR range can be used to provide an Impact Level (IL) 3 overlay network across a CAS(T) assured IL224 bearer network, for the protection of IL2 information on an unprotected bearer network, or for other situations where a Foundation Grade level of assurance is appropriate.
6. Both primary use cases outlined in the CPA Foundation Grade Security Characteristics (that is, client-to-gateway and gateway-to-gateway) are supported.
Product Versions
7. CESG has assessed the ISR/ASR range operating Cisco IOS version 15.1(4)M3 and IOS-XE 3.4S. Later versions are automatically covered by this document. CESG will re-assess the ISR/ASR range when major releases (concerning security features) are issued.
8. Any software updates and patches from Cisco Systems should be applied in a timely fashion. Modules or updates that have not been developed by Cisco Systems should not be installed.
9. For software images that are not cryptographically signed, the MD5 and/or the SHA1 hash values published by Cisco Systems must be verified. Check the hash values when loading new software images onto the device and as part of its routine maintenance.
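As an added illustration of the check in paragraph 9 (this script is not part of the Security Procedures and is not Cisco tooling), the Python below computes the MD5 and SHA-1 digests of an image file in a single pass and compares them with the values an administrator has copied from Cisco's download page. The file name and the "published" digests are constructed for the example: the sample file contains the standard test input b"abc", whose digests are well known.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # IOS images are tens of MB; stream rather than read whole


def file_digests(path, algorithms=("md5", "sha1")):
    """Stream the file once and return {algorithm: lowercase hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, published):
    """Compare the image against every published digest.

    `published` maps an algorithm name to the hex digest copied from the
    vendor's download page (case and surrounding whitespace are ignored).
    Returns (ok, mismatches); `mismatches` maps each failing algorithm to
    (computed, expected). Every published algorithm must match for ok=True.
    """
    computed = file_digests(path, tuple(published))
    mismatches = {}
    for name, expected in published.items():
        expected = expected.strip().lower()
        if computed[name] != expected:
            mismatches[name] = (computed[name], expected)
    return not mismatches, mismatches


def write_sample_image(directory=None):
    """Write a CONSTRUCTED stand-in for an image file and return its path.

    The content is the standard test input b"abc", so its digests are known
    without trusting this script: md5 900150983cd24fb0d6963f7d28e17f72,
    sha1 a9993e364706816aba3e25717850c26c9cd0d89d.
    """
    directory = Path(directory or tempfile.mkdtemp())
    path = directory / "sample-image.bin"
    path.write_bytes(b"abc")
    return path


if __name__ == "__main__":
    image = write_sample_image()
    # Constructed "published" values standing in for those on the download page.
    ok, bad = verify_image(image, {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    })
    print("image OK" if ok else f"MISMATCH: {bad}")
```

Run it on the management workstation before the image is copied to the device, and check both digests whenever Cisco publishes both: a mismatch in either is reason not to load the image. On the device itself the IOS command `verify /md5 flash:<image> <published-md5>` performs the same comparison for MD5.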
Hardware Supply
10. Ensure hardware is manufactured by (and branded) Cisco Systems, and acquired through a Cisco Systems authorised reseller/distributor.
Component Descriptions
11. The following table summarises the components of the ISR/ASR range and their protective markings.
Device                                     Description                                         Protective marking
ISR/ASR range (including processor cards)  After configuration and keys have been generated.   Highest protective marking of data which the device has (or will) handle.
                                           After using the command ‘crypto key zeroize’.       Not Protectively Marked (NPM).
Table 2 - Summary of devices and their protective markings
12. Configuration files for the ISR/ASR series do not attract a protective marking, unless:
They contain any (non-revoked) private keys, or
They contain any traffic encryption keys, or
They contain any device passwords (or hashed passwords)
13. If any of the above are present, then the files should be given the protective marking of the highest classification data that the device is used to protect (normally RESTRICTED).
14. Note also that if none of the above are present, then the configuration files are NPM.
Certificates and Keys
15. The ISR/ASR series requires IKE mutual authentication to protect data. For this they require:
The main root Certificate Authority (CA) certificate
A client certificate signed by an authority trusted by the above CA
16. The devices do not require any key material originating from CESG - entropy is generated locally by the device. The validity period of the ISR/ASR certificates must not exceed one year.
Chapter 2 - Security Operation
Procedures
17. Before installing the ISR/ASR range, the following steps should be taken:
Access to the device should be limited to those personnel with the appropriate authority
Management access to the device should be limited to protected management network locations, or via the local console port. Management through an encrypted overlay (either the customer overlay network or a dedicated management VPN) is allowed after the initial setup and configuration process is completed
System services that rely on weak encryption or vulnerable key exchanges (such as FTP, Finger, Telnet, TFTP and any other non-encrypted service) should be disabled
The Administrator password hashing algorithm must be set to SHA-1 or better where available (DES and MD5 are not permitted)
Secure Installation and Configuration
18. The ISR/ASR range should be configured as illustrated in Figure 1, which shows separate physical LAN interfaces to be reserved for protected and unprotected networks.
[Figure 1 – Example Configuration: the Cisco ASR/ISR device has three separate physical interfaces, one to the Protected Network, one to the Unprotected Network and one to the Bearer Network. Protected traffic passes through ENCRYPTION before it reaches the bearer network; unprotected traffic is routed to the bearer network without encryption.]
Figure 1 – Example Configuration
19. The designated protected interface(s) will always encrypt data, before routing it to an appropriate peer device. The unprotected interface(s) will always route traffic without any encryption.
20. Logical separation of security domains with different classifications (e.g. VLAN tagging) should not be used to produce a single connection to the service gateway.
User Accounts
21. User accounts can be created with different permissions. Create user accounts with different permissions for routine administration tasks. Integration of administrative user accounts into existing management infrastructures, such as Terminal Access Controller Access-Control System (TACACS), should follow local procedures. Password complexity can be set within Cisco IOS to help prevent weak passwords for any user account.
Device Management
22. Where possible, the ISR/ASR range should be managed outside the standard communications channels (out-of-band) by using the management console port. If in-band management has to be used (i.e. using the same communications channel as data), ensure that only SSH, SNMP v3 or HTTPS are used. All other protocols must be disabled.
System Logs
23. The device-generated system logs do not need to be routinely deleted or ‘cleaned’, but should be regularly backed up to an off-device location (e.g. via Syslog). To ensure that the timestamps within the ISR/ASR logs coincide with other systems’ logs, the ISR/ASR range should sync with an appropriate time source over NTP. Ensure that the time server is the same for the ISR/ASR range and any other management infrastructure devices.
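The requirements in Table 1 and paragraphs 17, 22 and 23 can be checked against a saved `show running-config` before a device is accepted into service. The script below is an added example, not part of these Security Procedures and not Cisco software: it parses a constructed sample configuration and reports each line that departs from the profile. The IOS credential storage types it classifies (0, 7, 5, 4, 8, 9) and the IKEv1 policy defaults it assumes for attributes omitted from the running configuration (DES, SHA, rsa-sig, group 1) come from IOS documentation rather than from this page; the paragraph numbers in its findings refer to this document. Hashes and addresses in the sample are placeholders.

```python
import re

# IOS credential storage types (IOS syntax, not from this document):
# 0 = plaintext, 7 = reversible "type 7", 5 = MD5-crypt (not permitted by para 17),
# 4 = SHA-256, 8 = PBKDF2-SHA256, 9 = scrypt (all "SHA-1 or better").
WEAK_CREDENTIAL_TYPES = {"0": "plaintext", "7": "reversible type 7", "5": "MD5"}

# Table 1 (PSN Interim IPsec Profile) expressed as IOS IKEv1 policy keywords.
IKE_REQUIRED = {"encryption": {"aes", "aes 128"}, "hash": {"sha"},
                "authentication": {"rsa-sig"}, "group": {"5"}}
# Assumed IOS defaults for attributes that 'show running-config' omits.
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

CREDENTIAL_RE = re.compile(
    r"^(?:enable|username\s+\S+)(?:\s+privilege\s+\d+)?\s+(secret|password)\s+(?:(\d)\s+)?\S+")
CLEARTEXT_SERVICE_RE = re.compile(r"^(?:ip finger|service finger|tftp-server\s|ip http server$)")

# Constructed sample running-config; hashes and addresses are placeholders.
SAMPLE_CONFIG = """\
! constructed sample, not taken from any real device
ip finger
ip http server
ip http secure-server
enable secret 5 $1$EXAM$placeholderNotARealHash
username admin privilege 15 password 7 0822455D0A16
username ops secret 4 placeholderNotARealHash
snmp-server community public RO
snmp-server group ops v3 priv
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 5
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 2
logging host 192.0.2.10
line vty 0 4
 transport input telnet ssh
"""


def parse_isakmp_policies(lines):
    """Return {policy number: {attribute: value}} from the indented policy blocks."""
    policies, current = {}, None
    for line in lines:
        header = re.match(r"^crypto isakmp policy (\d+)", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return policies


def audit(config_text):
    """Return a list of findings, each tagged with the paragraph or table it relates to."""
    findings, lines = [], config_text.splitlines()
    have_syslog = have_ntp = in_vty = False
    for line in lines:
        s = line.strip()
        if not s or s.startswith("!"):
            continue
        if CLEARTEXT_SERVICE_RE.match(s):
            findings.append(f"para 17: unencrypted service enabled: '{s}'")
        cred = CREDENTIAL_RE.match(s)
        if cred and (cred.group(2) or "0") in WEAK_CREDENTIAL_TYPES:
            kind = WEAK_CREDENTIAL_TYPES[cred.group(2) or "0"]
            # drop the final token so the secret itself never lands in a report
            findings.append(f"para 17: {kind} credential storage not permitted: '{' '.join(s.split()[:-1])}'")
        if s.startswith("snmp-server community"):
            findings.append(f"para 22: SNMP v1/v2c community string configured: '{s}'")
        if s.startswith("line vty"):
            in_vty = True
        elif not line.startswith(" "):
            in_vty = False
        if in_vty and s.startswith("transport input") and set(s.split()[2:]) - {"ssh", "none"}:
            findings.append(f"para 22: vty permits non-SSH management: '{s}'")
        have_syslog |= s.startswith("logging host")
        have_ntp |= s.startswith("ntp server")
    for number, attrs in parse_isakmp_policies(lines).items():
        for key, allowed in IKE_REQUIRED.items():
            value = attrs.get(key, IKE_DEFAULTS[key])
            if value not in allowed:
                findings.append(f"Table 1: isakmp policy {number} {key} '{value}' is outside the PSN Interim profile")
    if not have_syslog:
        findings.append("para 23: no 'logging host' for off-device log backup")
    if not have_ntp:
        findings.append("para 23: no 'ntp server' configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the script reports the finger and plain HTTP services, the MD5 enable secret and the type 7 user password, the SNMP community string, the vty line that still accepts Telnet, every attribute of ISAKMP policy 20, and the missing NTP server; policy 10, the type 4 user secret, the SNMPv3 group and the syslog host pass. A policy that relies on IOS defaults is judged on those defaults, so a policy with no explicit encryption or group is flagged for DES and group 1.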
Crash Files
24. The devices can generate two types of crash file as the result of an exception:
Crashinfo files, which contain CPU registers, stack traces, stack frame pointers and other items of information relating to the currently running process
Crash dumps, which are a full dump of the information stored in memory
25. The files are useful when trying to debug exceptional events on the device, and may need to be shared with the manufacturer to aid in the resolution of problems.
26. Unless there is confidence that such files cannot contain protectively marked data (that is, they were generated before the device had access to any such information), the files should be given the protective marking of the highest classification data that the device is used to protect (normally RESTRICTED). As an added precaution, if the files are going to be shared, CESG recommend that any private keys associated with the generating device are revoked.
Location
27. The ISR/ASR range has not been TEMPEST certified and should only be deployed in an environment where the TEMPEST and/or Electromagnetic Security threat level has been assessed as negligible or low. If there are plans to deploy an ISR/ASR device in an environment where the threat level is assessed as moderate or above, then seek advice from CESG.
Connectivity to Networks
28. Reverse tunnelling is a configuration where a lower impact level network is tunnelled across a higher impact level network, isolating the lower impact level traffic. CESG assessment does not include reverse tunnelling and the ISR/ASR range should not be deployed in this configuration.
Storage Media
29. The ISR series contain non-removable storage media and therefore attracts a protective marking, see Table 2. Long-term secrets must be deleted manually, as described in Chapter 4.
30. Although the ASR series contain removable storage media, the configurations and RSA keys are stored on non-removable storage and therefore attract a protective marking, see Table 2. Long-term secrets are also stored in non-removable storage, and must be deleted manually, as described in Chapter 4.
Movement of Equipment
31. Since no special preparatory configuration changes are required before transporting, an ISR/ASR device can be moved in line with appropriate security precautions.
Chapter 3 - Security Incidents
Tampering and Other Compromises
32. If evidence of actual or suspected tampering (or other compromise) is found, withdraw the ISR/ASR device whilst the incident is investigated. If the equipment may have been compromised, isolate the device from any network and quarantine to preserve potential evidence, and return it to CESG for further analysis.
Reporting Comsec Incidents
33. Organisations should establish internal processes to manage any incidents with these products in line with the product specific Security Procedures.
34. In the first instance, incidents involving CPA/CC Foundation Grade products should be reported to the product vendor. Where the incident is assessed to have resulted in the compromise of information or data, the organisation’s local IT security incident management policy should ensure that the Department Security Officer (DSO) or equivalent is informed. Depending on the severity of the incident, the DSO, at their discretion, should also ensure that GovCertUK is informed. If the organisation is concerned that the compromise has resulted from a failure of the product then they should contact CESG Enquiries.
35. The following table provides instructions to be followed if a compromise to the ISR/ASR range is suspected or identified. The actual procedures and policies should be compiled in conjunction with system accreditation requirements.
Component      Protective marking                                                    Action if lost or compromised
ISR/ASR Range  Highest protective marking of data which device has (or will) handle.  Revoke certificates. If compromised, erase the long term secrets following the process as listed in Chapter 4, then re-install the system and follow the initial setup and configuration guidance.
Table 3 - Actions to be taken after actual or suspected Comsec incidents
Chapter 4 - Disposal and Destruction
Disposal and Destruction of Key Material
36. Procedures and processes for the destruction of key material used with the ISR/ASR range should be implemented in accordance with its protective marking, with accurate destruction records made in accordance with approved local policy.
37. Long-term secrets should be erased from the ISR/ASR range by using the command ‘crypto key zeroize’.
38. The certificates related to these keys must be revoked within the respective PKI to ensure that other cryptographic devices on the network are prevented from communicating with the device.
39. Issuing ‘crypto key zeroize’ takes the protective marking of the device from RESTRICTED to NPM.
Routine Destruction of equipment
40. Before disposal, the long-term secrets should be erased from the ISR/ASR range as described above. Once erased, the product can be returned to factory defaults, and handled as Not Protectively Marked, by using the command ‘erase nvram’ and flushing the running configuration.
41. If any of these commands fail, the product should be disposed of in accordance with Information Assurance Standard No. 5 (IS5), Secure Sanitisation (reference [e]).
42. Disposal and destruction at overseas locations should follow that of the routine disposal and destruction.
Emergency Destruction
43. The assessed devices are not for use in high threat locations, therefore emergency destruction procedures are not required.
References
Unless stated otherwise, these documents are available from the CESG website. Users who do not have access should contact CESG Enquiries to enquire about obtaining documents.
[a] HMG Security Policy Framework, available from http://www.cabinetoffice.gov.uk.spf.aspx
[b] CESG PSN: Cryptographic Standards Version 1.0 is available at: http://www.cabinetoffice.gov.uk
[c] CESG PSN: Cryptographic Framework 1.3 is available at: http://www.cabinetoffice.gov.uk
[d] HMG Information Assurance Standard No. 1 & 2, Information Risk Management – latest issue available from the CESG website.
[e] HMG Information Assurance Standard No. 5, Secure Sanitisation – latest issue available from the CESG website.
[f] CESG Implementation Guide No. 3, User Authentication Systems – latest issue available from the CESG website.
Glossary
CA Certificate Authority
CESG UK National Technical Authority for Information Assurance
ComSO Communications Security Officer
CPA Commercial Product Assurance
DSO Departmental Security Officer
IKE Internet Key Exchange
IPSec Internet Protocol Security
ITSO Information Technology (IT) Security Officer
NPM Not Protectively Marked
PEPAS CESG’s PSN Encryption Product Assurance Service
TACACS Terminal Access Controller Access-Control System
VPN Virtual Private Network
CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.
CESG Enquiries Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: [email protected] © Crown Copyright 2015.