CISCO ISR & ASR - Security Procedures - NCSC Site

Date post: 25-Mar-2018
Upload: duongkhanh

October 2015 Issue No: 2.1

Security Procedures

Cisco ISR Series Cisco ASR Series

Customers can continue to use this guidance. The content remains current, although may contain references to legacy SPF policy and classifications.


Security Procedures

Cisco ISR/ASR Series

Issue No: 2.1 October 2015

This document describes the manner in which this product should be implemented to ensure it complies with the requirements of the CPA SC that it was assessed against. The intended audience for this document is HMG implementers, and as such they should have access to the documents referenced within. If you do not have access to these documents but believe that you have an HMG focused business need, please contact CESG Enquiries.

Document History

| Version | Date | Comment |
|---|---|---|
| 1.0 | February 2012 | First issue |
| 2.0 | March 2013 | Second issue |
| 2.1 | October 2015 | First public release |


About this document

These CESG Security Procedures are intended for System Designers, Risk Managers and Accreditors. You should establish whether any departmental or local standards, which may be more rigorous than national policy, should be followed in preference to those given in these Security Procedures.

Related documents

The CISCO ISR/ASR series should be deployed in accordance with a Risk Management and Accreditation Documentation Set (RMADS). The documents listed in the References section are also relevant to this deployment. For detailed information about device operation and configuration, refer to the Cisco product documentation.

Points of contact

For additional hard copies of this document and general queries, please contact CESG using the following details.

CESG Enquiries

Hubble Road Cheltenham GL51 0EX United Kingdom

[email protected] Tel: 01242-709141

CESG welcomes feedback and encourages readers to inform CESG of their experiences, good or bad, with this document. Please email [email protected]


Contents:

Chapter 1 - Introduction
    Outline Description
    Product Versions
    Hardware Supply
    Component Descriptions
    Certificates and Keys

Chapter 2 - Security Operation
    Procedures
    Secure Installation and Configuration
    User Accounts
    Device Management
    System Logs
    Crash Files
    Location
    Connectivity to Networks
    Storage Media
    Movement of Equipment

Chapter 3 - Security Incidents
    Tampering and Other Compromises
    Reporting Comsec Incidents

Chapter 4 - Disposal and Destruction
    Disposal and Destruction of Key Material
    Routine Destruction of equipment
    Emergency Destruction

Glossary


Chapter 1 - Introduction

Outline Description

1. The Cisco 800, 1900, 2900, 3900 series Integrated Service Routers (ISR) and Cisco 1000 series Aggregation Service Routers (ASR) can be used to protect the confidentiality and integrity of sensitive data through an Internet Key Exchange (IKE) mutually-authenticated IPsec encrypted overlay network.

2. The ISR/ASR range has been approved to secure sensitive data when configured with the PSN Interim IPsec Profile. This comprises:

| Module | Description |
|---|---|
| Encryption | AES128 – CBC mode |
| PRF | SHA-1 |
| Diffie-Hellman Group | Group 5 (1536 bits) |
| Signature | RSA with X.509v3 certificate |

Table 1 - PSN Interim IPsec Profile

3. Data that does not originate from a protected interface will be routed externally without any additional cryptographic protection.

4. The assurance work performed by CESG meets both the CPA Foundation Grade Security Characteristic for IPsec Gateways, and the PEPAS requirements for PSN. To use the ISR/ASR range within PSN, please consult Chapter 4 of the PSN: Cryptographic Framework, Assurance Requirements for IPsec devices, which is available from http://www.cabinetoffice.gov.uk.

5. The ISR/ASR range can be used to provide an Impact Level (IL) 3 overlay network across a CAS(T) assured IL224 bearer network, for the protection of IL2 information on an unprotected bearer network, or for other situations where a Foundation Grade level of assurance is appropriate.

6. Both primary use cases outlined in the CPA Foundation Grade Security Characteristics (that is, client-to-gateway and gateway-to-gateway) are supported.

Product Versions

7. CESG has assessed the ISR/ASR range operating Cisco IOS version 15.1(4)M3 and IOS-XE 3.4S. Later versions are automatically covered by this document. CESG will re-assess the ISR/ASR range when major releases (concerning security features) are issued.

8. Any software updates and patches from Cisco Systems should be applied in a timely fashion. Modules or updates that have not been developed by Cisco Systems should not be installed.


9. For software images that are not cryptographically signed, the MD5 and/or the SHA1 hash values published by Cisco Systems must be verified. Check the hash values when loading new software images onto the device and as part of its routine maintenance.
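
An added example, not part of the CESG procedures or Cisco tooling: a Python check, run on the workstation that holds the image before it is loaded, that compares a file against whichever of the published MD5 and SHA-1 values are available. The function names are hypothetical; the published values must be taken from the vendor's download page.

```python
import hashlib
import hmac


def verify_image(path, published_md5=None, published_sha1=None, chunk_size=1 << 20):
    """Check a software image against the vendor-published MD5 and/or SHA-1.

    Returns a dict mapping each supplied algorithm to True/False. Raises
    ValueError when no published value is supplied, because an image with
    nothing to compare against has not been verified.
    """
    published = {"md5": published_md5, "sha1": published_sha1}
    # Normalise case and stray whitespace from copy-pasted published values.
    published = {name: value.strip().lower()
                 for name, value in published.items() if value}
    if not published:
        raise ValueError("no published hash supplied; image is unverified")

    # Read the image once and feed every requested digest from the same bytes,
    # so large images are neither loaded into memory whole nor read twice.
    digests = {name: hashlib.new(name) for name in published}
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)

    return {name: hmac.compare_digest(digests[name].hexdigest(), published[name])
            for name in published}


def image_is_trusted(path, published_md5=None, published_sha1=None):
    """True only if every published hash that was supplied matches."""
    return all(verify_image(path, published_md5, published_sha1).values())
```

Running the same check on a schedule against the stored copy of each image covers the routine-maintenance part of the paragraph.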

Hardware Supply

10. Ensure hardware is manufactured by (and branded) Cisco Systems, and acquired through a Cisco Systems authorised reseller/distributor.

Component Descriptions

11. The following table summarises the components of the ISR/ASR range and their protective markings.

| Device | Description | Protective marking |
|---|---|---|
| ISR/ASR range (including processor cards) | After configuration and keys have been generated. | Highest protective marking of data which the device has (or will) handle. |
| | After using the command ‘crypto key zeroize’. | Not Protectively Marked (NPM). |

Table 2 - Summary of devices and their protective markings

12. Configuration files for the ISR/ASR series do not attract a protective marking, unless:

They contain any (non-revoked) private keys, or

They contain any traffic encryption keys, or

They contain any device passwords (or hashed passwords)

13. If none of the above are present, then the files should be given the protective marking of the highest classification data that the device is used to protect (normally RESTRICTED).

14. Note also that if none of the above are present, then the configuration files are NPM.

Certificates and Keys

15. The ISR/ASR series requires IKE mutual authentication to protect data. For this they require:

The main root Certificate Authority (CA) certificate

A client certificate signed by an authority trusted by the above CA

16. The devices do not require any key material originating from CESG - entropy is generated locally by the device. The validity period of the ISR/ASR certificates must not exceed one year.


Chapter 2 - Security Operation

Procedures

17. Before installing the ISR/ASR range, the following steps should be taken:

Access to the device should be limited to those personnel with the appropriate authority

Management access to the device should be limited to protected management network locations, or via the local console port. Management through an encrypted overlay (either the customer overlay network or a dedicated management VPN) is allowed after the initial setup and configuration process is completed

System services that rely on weak encryption or vulnerable key exchanges (such as FTP, Finger, Telnet, TFTP and any other non-encrypted service) should be disabled

The Administrator password hashing algorithm must be set to SHA-1 or better where available (DES and MD5 are not permitted)

Secure Installation and Configuration

18. The ISR/ASR range should be configured as illustrated in Figure 1, which shows separate physical LAN interfaces to be reserved for protected and unprotected networks.

[Figure 1 – Example Configuration. Diagram labels: Cisco ASR/ISR Device; Protected Network; Unprotected Network; Bearer Network; three Physical Interfaces; ENCRYPTION; Protected Traffic; Unprotected Routed Traffic.]

19. The designated protected interface(s) will always encrypt data, before routing it to an appropriate peer device. The unprotected interface(s) will always route traffic without any encryption.

20. Logical separation of security domains with different classifications (e.g. VLAN tagging) should not be used to produce a single connection to the service gateway.


User Accounts

21. User accounts can be created with different permissions. Create user accounts with different permissions for routine administration tasks. Integration of administrative user accounts into existing management infrastructures, such as Terminal Access Controller Access-Control System (TACACS), should follow local procedures. Password complexity can be set within Cisco IOS to help prevent weak passwords for any user account.

Device Management

22. Where possible, the ISR/ASR range should be managed outside the standard communications channels (out-of-band) by using the management console port. If in-band management has to be used (i.e. using the same communications channel as data), ensure that only SSH, SNMP v3 or HTTPS are used. All other protocols must be disabled.
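
An added example, not part of the CESG procedures or Cisco tooling: a Python audit of an IOS-style configuration against the service, password-hashing and in-band management rules in paragraphs 17 and 22. The sample configuration is constructed, the function name is hypothetical, and reporting a vty block that has no 'transport input' line is a choice made for this example.

```python
import re

# Secret encodings seen in IOS configs that fail the paragraph 17 hashing rule.
WEAK_SECRET_TYPES = {
    "0": "cleartext password",
    "5": "MD5-based hash, which is not permitted",
    "7": "reversible type 7 encoding, not a hash",
}

# Global config lines that enable a service the procedures say must be disabled.
FORBIDDEN = [
    (re.compile(r"^ip http server\b"), "plain HTTP management (only HTTPS allowed)"),
    (re.compile(r"^(ip|service) finger\b"), "Finger service enabled"),
    (re.compile(r"^tftp-server\b"), "TFTP server enabled"),
    (re.compile(r"^snmp-server community\b"), "SNMP v1/v2c community (only SNMP v3 allowed)"),
]

SECRET_RE = re.compile(
    r"^(?:enable|username\s+\S+)\s.*?\b(?:password|secret)\s+(?:(\d)\s+)?\S+\s*$")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-router-1
enable secret 5 $1$examp$constructedhashvalue000
username netadmin privilege 15 secret 9 $9$constructed$examplevalue
username backup password 7 0822455D0A16
ip http server
ip http secure-server
snmp-server community public RO
snmp-server group OPS v3 priv
line vty 0 4
 transport input telnet ssh
line vty 5 15
 login local
"""


def audit_config(text):
    """Return (line_number, reason) findings for an IOS-style configuration."""
    findings = []
    vty_start, vty_has_transport = None, False

    def close_vty():
        # A vty block with no 'transport input' leaves its protocol list
        # implicit; this example reports it so the setting is made explicit.
        if vty_start is not None and not vty_has_transport:
            findings.append((vty_start, "vty block has no explicit 'transport input'"))

    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command ends the previous block
            close_vty()
            vty_start = number if line.startswith("line vty") else None
            vty_has_transport = False
        elif vty_start is not None and line.startswith("transport input"):
            vty_has_transport = True
            extra = [p for p in line.split()[2:] if p not in ("ssh", "none")]
            if extra:
                findings.append((number, "vty allows %s (only SSH allowed)" % ", ".join(extra)))
        findings.extend((number, why) for rx, why in FORBIDDEN if rx.match(line))
        match = SECRET_RE.match(line)
        kind = (match.group(1) or "0") if match else None  # no digit: cleartext
        if kind in WEAK_SECRET_TYPES:
            findings.append((number, WEAK_SECRET_TYPES[kind]))
    close_vty()
    return findings
```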

System Logs

23. The device-generated system logs do not need to be routinely deleted or ‘cleaned’, but should be regularly backed up to an off-device location (e.g. via Syslog). To ensure that the timestamps within the ISR/ASR logs coincide with other systems’ logs, the ISR/ASR range should sync with an appropriate time source over NTP. Ensure that the time server is the same for the ISR/ASR range and any other management infrastructure devices.

Crash Files

24. The devices can generate two types of crash files as the result of an exception:

Crashinfo files, which contain CPU registers, stack traces, stack frame pointers and other items of information relating to the current running process

Crash dumps, which are full dumps of the information stored in memory

25. The files are useful when trying to debug exceptional events on the device, and may need to be shared with the manufacturer to aid in the resolution of problems.

26. Unless there is confidence that such files cannot contain protectively marked data (that is, they were generated before the device had access to any such information), the files should be given the protective marking of the highest classification data that the device is used to protect (normally RESTRICTED). As an added precaution, if the files are going to be shared, CESG recommend that any private keys associated with the generating device are revoked.

Location

27. The ISR/ASR range has not been TEMPEST certified and should only be deployed in an environment where the TEMPEST and/or Electromagnetic Security threat level has been assessed as negligible or low. If there are plans to deploy an ISR/ASR device in an environment where the threat level is assessed as moderate or above, then seek advice from CESG.

Connectivity to Networks

28. Reverse tunnelling is a configuration where a lower impact level network is tunnelled across a higher impact level network, isolating the lower impact level traffic. CESG assessment does not include reverse tunnelling and the ISR/ASR range should not be deployed in this configuration.

Storage Media

29. The ISR series contains non-removable storage media and therefore attracts a protective marking (see Table 2). Long-term secrets must be deleted manually, as described in Chapter 4.

30. Although the ASR series contains removable storage media, the configurations and RSA keys are stored on non-removable storage and therefore attract a protective marking (see Table 2). Long-term secrets are also stored in non-removable storage, and must be deleted manually, as described in Chapter 4.

Movement of Equipment

31. Since no special preparatory configuration changes are required before transporting, an ISR/ASR device can be moved in line with appropriate security precautions.


Chapter 3 - Security Incidents

Tampering and Other Compromises

32. If evidence of actual or suspected tampering (or other compromise) is found, withdraw the ISR/ASR device whilst the incident is investigated. If the equipment may have been compromised, isolate the device from any network and quarantine to preserve potential evidence, and return it to CESG for further analysis.

Reporting Comsec Incidents

33. Organisations should establish internal processes to manage any incidents with these products in line with the product specific Security Procedures.

34. In the first instance, incidents involving CPA/CC Foundation Grade products should be reported to the product vendor. Where the incident is assessed to have resulted in the compromise of information or data, the organisation’s local IT security incident management policy should ensure that the Department Security Officer (DSO) or equivalent is informed. Depending on the severity of the incident, the DSO, at their discretion, should also ensure that GovCertUK is informed. If the organisation is concerned that the compromise has resulted from a failure of the product then they should contact CESG Enquiries.

35. The following table provides instructions to be followed if a compromise to the ISR/ASR range is suspected or identified. The actual procedures and policies should be compiled in conjunction with system accreditation requirements.

| Component | Protective marking | Action if lost or compromised |
|---|---|---|
| ISR/ASR Range | Highest protective marking of data which device has (or will) handle. | Revoke certificates. If compromised, erase the long term secrets following the process as listed in Chapter 4, then re-install the system and follow the initial setup and configuration guidance. |

Table 3 - Actions to be taken after actual or suspected Comsec incidents


Chapter 4 - Disposal and Destruction

Disposal and Destruction of Key Material

36. Procedures and processes for the destruction of key material used with the ISR/ASR range should be implemented in accordance with its protective marking, with accurate destruction records made in accordance with approved local policy.

37. Long-term secrets should be erased from the ISR/ASR range by using the command ‘crypto key zeroize’.

38. The certificates related to these keys must be revoked within the respective PKI to ensure that other cryptographic devices on the network are prevented from communicating with the device.

39. Issuing ‘crypto key zeroize’ takes the protective marking of the device from RESTRICTED to NPM.

Routine Destruction of equipment

40. Before disposal, the long-term secrets should be erased from the ISR/ASR range as described above. Once erased, the product can be returned to factory defaults, and handled as Not Protectively Marked, by using the command ‘erase nvram’ and flushing the running configuration.

41. If any of these commands fail, the product should be disposed of in accordance with Information Assurance Standard No. 5 (IS5), Secure Sanitisation (reference [e]).

42. Disposal and destruction at overseas locations should follow the routine disposal and destruction procedures.

Emergency Destruction

43. The assessed devices are not for use in high threat locations, therefore emergency destruction procedures are not required.


References

Unless stated otherwise, these documents are available from the CESG website. Users who do not have access should contact CESG Enquiries to enquire about obtaining documents.

[a] HMG Security Policy Framework, available from http://www.cabinetoffice.gov.uk.spf.aspx

[b] CESG PSN: Cryptographic Standards Version 1.0 is available at: http://www.cabinetoffice.gov.uk

[c] CESG PSN: Cryptographic Framework 1.3 is available at: http://www.cabinetoffice.gov.uk

[d] HMG Information Assurance Standard No. 1 & 2, Information Risk Management – latest issue available from the CESG website.

[e] HMG Information Assurance Standard No. 5, Secure Sanitisation – latest issue available from the CESG website.

[f] CESG Implementation Guide No. 3, User Authentication Systems – latest issue available from the CESG website.


Glossary

CA Certificate Authority

CESG UK National Technical Authority for Information Assurance

ComSO Communications Security Officer

CPA Commercial Product Assurance

DSO Departmental Security Officer

IKE Internet Key Exchange

IPSec Internet Protocol Security

ITSO Information Technology (IT) Security Officer

NPM Not Protectively Marked

PEPAS CESG’s PSN Encryption Product Assurance Service

TACACS Terminal Access Controller Access-Control System

VPN Virtual Private Network


CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.


CESG Enquiries Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: [email protected] © Crown Copyright 2015.

