Cisco IPS4345 User Manual Page 44

Page view 43
Cisco Intrusion Prevention System Security Target
TOE SFRs
How the SFR is Satisfied
HTTP layered on TLS or SSL (though only TLS is used in the TOE). HTTP version
1.1 (“HTTP/1.1”, RFC 2616, as referenced in RFC 2818) is used for the exchange
of OSI application layer data between the client and server, including username and
password authentication credentials. TLS operates at a lower sub-layer of the OSI
application layer; after the TCP handshake has completed, TLS performs its
own handshake to negotiate the cryptographic parameters for the secure
transmission of HTTP(S).
For further description of TLS, see the description of FCS_TLS_EXT.1 elsewhere in
this table.
FCS_RBG_EXT.1
The TOE implements a NIST-approved AES-CTR Deterministic Random Bit
Generator (DRBG), as specified in SP 800-90. (FIPS #1668 and #937)
The boundary of the entropy source is the entire TOE platform. An adversary on the
outside is not able to affect the entropy rate in any determinable way, because of the
number of sources, and the fact that only one of the sources (the allocated packet
buffer) is populated with data that came from outside of the system.
FCS_SSH_EXT.1
The TOE implements SSHv2 (telnet is disabled in the evaluated configuration). SSH
connections will be dropped if the TOE receives a packet larger than 65,535 bytes.
The TOE implementation of SSHv2 supports the following public key
algorithms for authentication: RSA Signature Verification.
The TOE also supports local password-based authentication for
administrative users accessing the TOE through SSHv2, and optionally
supports deferring authentication to a remote AAA server.
The TOE implementation of SSHv2 supports the following encryption
algorithms, AES-CBC-128 and AES-CBC-256, to ensure confidentiality of the
session.
The TOE’s implementation of SSHv2 supports the hashing algorithm HMAC-SHA1
to ensure the integrity of the session.
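The algorithm sets listed above can be verified against what an SSH peer actually advertises in its KEXINIT message. The following is an added example, not Cisco's code or part of the Security Target: it builds constructed KEXINIT payloads in the RFC 4253 layout, parses the ten name-lists, and reports any host-key, cipher or MAC name outside the evaluated configuration; the wire names ssh-rsa, aes128-cbc, aes256-cbc and hmac-sha1 are assumed to correspond to the algorithms in the table.

```python
import struct

# Assumed wire names for the algorithm sets the Security Target lists.
ALLOWED = {
    "host_key": {"ssh-rsa"},                    # RSA signature verification
    "cipher": {"aes128-cbc", "aes256-cbc"},     # AES-CBC-128 / AES-CBC-256
    "mac": {"hmac-sha1"},                       # HMAC-SHA1
}
MAX_PACKET = 65535  # the TOE drops the connection for larger packets
SSH_MSG_KEXINIT = 20
NAME_LIST_FIELDS = [
    "kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
]


def build_kexinit(**lists):
    """Constructed KEXINIT payload (RFC 4253 section 7.1) for offline testing."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + dummy cookie
    for field in NAME_LIST_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names  # uint32 length + name-list
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict of lists."""
    if len(payload) > MAX_PACKET:
        raise ValueError("packet exceeds 65,535 bytes; the TOE would drop the session")
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, out = 17, {}  # skip message id (1 byte) and cookie (16 bytes)
    for field in NAME_LIST_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        out[field] = raw.split(",") if raw else []
    return out


def policy_violations(lists):
    """Names offered by a peer that fall outside the evaluated-configuration sets."""
    checks = [("host_key", "host_key"), ("cipher_c2s", "cipher"), ("cipher_s2c", "cipher"),
              ("mac_c2s", "mac"), ("mac_s2c", "mac")]
    return sorted({n for f, k in checks for n in lists[f] if n not in ALLOWED[k]})
```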
FCS_TLS_EXT.1
The TOE implements TLSv1.0 conformant to RFC 2246, TLS 1.1 conformant to
RFC 4346, and TLS 1.2 conformant to RFC 5246. The TOE uses TLS/HTTPS to
secure communications from remote administration workstations running IDM,
CSM, or IME. Remote administrators can connect to the TOE using TLS/HTTPS to
download audit files. The TOE can initiate outbound TLS/HTTPS connections to
download IPS signature file updates. The TOE can be configured to negotiate only
the following four SHA-1 ciphersuites (defined as ‘mandatory’ by the NDPPv1.1):
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
FDP_RIP.2
The TOE ensures that packets transmitted from the TOE do not contain residual
information from previous packets. Frames that are not at least the minimum length
are padded with zeros. Residual data is never transmitted from the TOE because
memory buffers are overwritten upon reuse. This applies to both data plane traffic
and administrative session traffic. FDP_RIP.2 is enforced for sessions that
terminate at the TOE, but also applies to traffic traversing the TOE (applicable to the
IPS standalone appliances that support inline deployment).
FIA_PMG_EXT.1
The TOE supports the local definition of users with corresponding passwords. The
passwords can be composed of any combination of upper and lower case letters,
numbers, and special characters that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”,
“(”, “)”, “[”, “+”, “:”, “,”, “_” (underscore), “/”, “-”, “?”, and “]”. Minimum