Nexus 7000 Series Switch

Operational User Guidance

(Common Criteria Specific)

Version 0.7

November 2012


DOCUMENT INTRODUCTION

Prepared By: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134

Prepared For: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134

This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Cisco Nexus 7000 Series Switch, comprising the following products: Nexus 7000 Series Switch and Cisco Secure Access Control Server (ACS). This operational user guide addresses the secure usage of the Nexus 7000 TOE and describes how to maintain the Nexus 7000 as certified by Common Criteria Evaluation Assurance Level 4+ (EAL4+) in the Nexus 7000 evaluated configuration.

REVISION HISTORY

Rev   Date               Description
0.1   April 24, 2009     Initial Internal Draft
0.2   November 2009      Updated Draft
0.3   September 2010     Updated Draft
0.4   November 2010      Updated Draft for AGD ETR
0.5   February 2011      Updated for final ACS version
0.6   August 2012        Updated for IAR package
0.7   November 2012      Updated for ACS patch


TABLE OF CONTENTS

1. Introduction
   1.1. Audience
   1.2. Purpose
2. Evaluated Configuration
   2.1. Supported Hardware/Software
   2.2. Verification of Software Versions
   2.3. Modes of Operation
      2.3.1. Nexus 7000
      2.3.2. ACS
   2.4. Supported Roles
      2.4.1. Nexus 7000 Roles
      2.4.2. ACS Admin Roles (Web Interface/GUI)
      2.4.3. ACS Admin Roles (CLI Interface)
   2.5. TOE Administration Specifics – Nexus component
      2.5.1. System Management Operations
      2.5.2. Audit storage
      2.5.3. System Security Operations
      2.5.4. VDC Operations
      2.5.5. Configuration of Nexus 7000 Cryptography
      2.5.6. Configuration of VRF
      2.5.7. Review Nexus 7000 configuration
      2.5.8. Configuration of System Time
      2.5.9. Other Routine Operations
      2.5.10. Error and System Messages
   2.6. TOE Administration Specifics – ACS component
      2.6.1. Configuration of ACS cryptographic services
      2.6.2. Configuration of ACS system settings
      2.6.3. Management of Administrative Users
      2.6.4. Management of Network Users
      2.6.5. Audit storage and Review
      2.6.6. Configuration of System Time
3. Security Measures for the Operational Environment
   3.1. OE.PERSON
   3.2. OE.INSTALL
   3.3. OE.PHYCAL
   3.4. OE.CTSCOMPATIBLE
   3.5. OE.TIME
   3.6. OE.EXTERNALAUTH
4. Reactions to Security-Relevant Events
   4.1. System crash
   4.2. Specific audit trail entries indicating penetration attempts
   4.3. Specific audit trail entries indicating system malfunctions


1. Introduction

This operational user guide documents the administration of the Cisco Nexus 7000 Series Switch (N7K) and Cisco Secure Access Control Server (ACS) solution certified by Common Criteria Evaluation Assurance Level 4+ (EAL4+). The N7K is a data center-class switch for 10 Gigabit Ethernet networks with a fabric architecture. The ACS TOE component is an AAA server that provides authentication services and supports the implementation of information flow policies by the Nexus 7000 switch TOE component. The hardware and software included within the scope of this evaluation are detailed in Table 1 below. The TOE is a multiple-component solution composed of the above-referenced Cisco products, configured in certain ways to provide the device security policy enforcement solution.

1.1. Audience

This document is written for users of the Cisco Nexus 7000 Switch (N7K) and Cisco Secure Access Control Server (ACS). This document assumes that you are familiar with the basic concepts and terminology used in internetworking, understand your network topology and the protocols that the devices in your network can use, that you are a trusted individual, and that you are trained to use the systems on which you are running the N7K and ACS solution.

1.2. Purpose

This document is the operational user guidance documentation for the Common Criteria EAL4+ evaluation. It was written to highlight the specific N7K functions and interfaces that are necessary to maintain and properly use the TOE in the evaluated configuration. This document is not meant to detail specific actions performed by the operational user but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for maintaining and employing N7K operations. This document is meant to be used in tandem with the Cisco Nexus 7000 Series Switch Preparative Procedures Wrapper, Version 0.7, August 2012 (EDCS-763647) and it makes reference to twenty-four (24) Cisco Systems documents. The documents used are shown below.

[A] Cisco Nexus 7000 Series Connectivity Management Processor Configuration Guide, May 2010

[B] Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x, March 15, 2010

[C] User Guide for the Cisco Secure Access Control System 5.2 (Text Part Number: OL-21572-01)

[D] CLI Reference Guide for the Cisco Secure Access Control System 5.2 (Text Part Number: OL-21575-01)

[E] Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 5.x, July 2010


[F] Cisco Nexus 7000 Series NX-OS System Management Command Reference, Release 5.x, April 2010 (Text Part Number: OL-16006-01)

[G] Cisco Systems, Inc. Nexus 7000 FIPS 140-2 Non-Proprietary Security Policy, Version 1.0, October 30, 2010

[H] Cisco Nexus 7000 Series NX-OS Fundamentals Command Reference, Release 5.x, April 2010 (Text Part Number: OL-19603-01)

[I] Cisco Nexus 7000 Series NX-OS Interfaces Command Reference, Release 5.x, June 29, 2010 (Text Part Number: OL-19821-01)

[J] Cisco Nexus 7000 Series NX-OS Layer 2 Switching Command Reference, Release 5.x, June 20, 2010 (Text Part Number: OL-19824-01)

[K] Cisco Nexus 7000 Series NX-OS Quality of Service Command Reference, Release 5.x, April 2010 (Text Part Number: OL-19826-01)

[L] Cisco Nexus 7000 Series NX-OS Unicast Routing Command Reference, Release 5.x, August 2, 2010 (Text Part Number: OL-20001-01)

[M] Cisco Nexus 7000 Series NX-OS Multicast Routing Command Reference, Release 5.x, September 21, 2010 (Text Part Number: OL-20084-01)

[N] Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 5.x, July 2010 (Text Part Number: OL-19597-01)

[O] Cisco Nexus 7000 Series NX-OS Virtual Device Context Command Reference, Release 5.x, July 2010 (Text Part Number: OL-19600-01)

[P] Cisco Secure ACS Module Security Policy, Version 0.3, May 2010

[Q] Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide, Release 5.x, July 2010 (Text Part Number: OL-19599-01)

[R] Cisco Nexus 7000 Series NX-OS Fundamentals Configuration Guide, Release 5.x, March 31, 2010 (Text Part Number: OL-19602-01)

[S] Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide, Release 5.x, September 1, 2010 (Text Part Number: OL-19797-01)

[T] Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.x, March 5, 2010 (Text Part Number: OL-19823-01)

[U] Cisco Nexus 7000 Series NX-OS Quality of Service Configuration Guide, Release 5.x, April 2010 (Text Part Number: OL-19825-01)

[V] Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 5.x, August 16, 2010 (Text Part Number: OL-21548-01)

[W] Cisco Nexus 7000 Series NX-OS Multicast Routing Configuration Guide, Release 5.x, September 17, 2010 (Text Part Number: OL-21641-01)

[X] Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.2, August 10, 2009 (Text Part Number: OL-18669-01)

[Y] Cisco Nexus 7000 Series NX-OS High Availability and Redundancy Guide, Release 5.x, April 2010 (Text Part Number: OL-19336-01)

[Z] Cisco NX-OS System Messages Reference, September 22, 2010 (Text Part Number: OL-23717-01)

[AA] Network Security Services (NSS) Cryptographic Module 3.12.5, Version 0.2, May 2010


All of the above reference documents are downloadable from www.cisco.com. Hardcopies are not provided with the product shipment.


2. Evaluated Configuration

The Nexus 7000 TOE component is a data center-class switch for 10 Gigabit Ethernet networks with a fabric architecture that scales to 15 terabits per second (Tbps). The ACS TOE component is an AAA server that provides authentication services and supports the implementation of information flow policies by the Nexus 7000 switch TOE component. The AAA services provided by the ACS server include RADIUS and TACACS for authentication. The ACS server also maintains the authentication credentials for the Network Devices that are part of the TOE protected network and the authentication credentials for the Endpoints attempting to connect to the TOE protected network. Finally, the ACS TOE component creates the PAC Key used in the protection of packets on the TOE protected network.

2.1. Supported Hardware/Software

The following table identifies the hardware and software supported in the TOE evaluated configuration.

Table 1: TOE Hardware and Software components

TOE Component: Nexus 7000 Series Switch

Hardware:
• Cisco Nexus 7000 Series 10-Slot Chassis (also referred to as the 7010 Switch)
• Cisco Nexus 7000 Series 18-Slot Chassis (also referred to as the 7018 Switch)
• Cisco Nexus 7000 Series Supervisor Module (plugs into either the 10-Slot or 18-Slot chassis)
• Cisco Nexus 7000 10-Slot Chassis 46Gbps/Slot Fabric Module (plugs into the 10-Slot chassis)
• Cisco Nexus 7000 18-Slot Chassis 46Gbps/Slot Fabric Module (plugs into the 18-Slot chassis)
• Cisco Nexus 7000 Series 32-Port 10Gb Ethernet Module with 80Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)
• Cisco Nexus 7000 Series 48-Port 10/100/1000 Ethernet Module with 46Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)
• Cisco Nexus 7000 Series 48-Port Gigabit Ethernet SFP Module with 46Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)
• Cisco Nexus 7000 Series 8-Port 10Gigabit Ethernet X2 XL Module with 80Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)
• Cisco Nexus 7000 Series 48-Port Gigabit Ethernet XL SFP Module with 46Gbps Fabric (plugs into either the 10-Slot or 18-Slot chassis)

Software: NX-OS version 5.2(5). This includes a hardened version of Linux Kernel 2.6.

TOE Component: Cisco Secure Access Control Server (ACS)

Hardware: Cisco CAM25 appliance – 1120 or 1121

Software: ACS Software version 5.2 patch 11. This includes a hardened version of Linux Kernel 2.4.

2.1.1. Excluded Functionality

The following functionality has been excluded from the evaluation and must not be used with the TOE:

• Telnet Management

• SNMP Management

2.2. Verification of Software Versions

To verify the software versions operating on the Nexus and ACS platforms, the following procedures may be executed.

On Nexus: At the command line type the ‘show version’ command. The following is an example of the output from this command. The version running in the example is 4.0(1a) for both the kickstart and system images. In the evaluated configuration this image must be 5.2(5) for both:

    switch# show version
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained in this software are
    owned by other third parties and used and distributed under
    license. Certain components of this software are licensed under
    the GNU General Public License (GPL) version 2.0 or the GNU
    Lesser General Public License (LGPL) Version 2.1. A copy of each
    such license is available at
    http://www.opensource.org/licenses/gpl-2.0.php and
    http://www.opensource.org/licenses/lgpl-2.1.php

    Software
      BIOS:      version 3.17.0
      loader:    version N/A
      kickstart: version 4.0(1a) [gdb]
      system:    version 4.0(1a) [gdb]
      BIOS compile time:       03/23/08
      kickstart image file is: bootflash:/n7000-s1-kickstart.4.0.1a.bin
      kickstart compile time:  5/8/2008 13:00:00 [05/20/2008 07:52:26]
      system image file is:    bootflash:/n7000-s1-dk9.4.0.1a.bin
      system compile time:     5/8/2008 13:00:00 [05/20/2008 08:35:00]

    Hardware
      cisco Nexus7000 C7010 (10 Slot) Chassis ("Supervisor module-1X")
      Intel(R) Xeon(R) CPU with 2063436 kB of memory.
      Processor Board ID JAB10380101

      Device name: switch
      bootflash:    1023120 kB
      slot0:              0 kB (expansion flash)

    Kernel uptime is 1 day(s), 3 hour(s), 48 minute(s), 20 second(s)

    Last reset at 761445 usecs after Wed May 21 11:46:23 2008
      Reason: Reset Requested by CLI command reload
      System version: 4.0(1.51)
      Service:

    plugin
      Core Plugin, Ethernet Plugin

    CMP (Module 6) no response
    CMP (Module 5) no response

On ACS: To check the release and ACS version installed, at the system prompt enter ‘show application version acs’. The following is an example of the output from this command. The version running in the example is 5.0.0. In the evaluated configuration this version must be 5.2 patch 11:

    Cisco ACS VERSION INFORMATION
    -----------------------------
    Version : 5.0.0
    Release : B.2435
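The two checks above (the excluded Telnet/SNMP management of section 2.1.1 and the required image versions of section 2.2) as a script an administrator can run over pasted CLI output. This is an added example, not part of the Cisco guidance: the NX-OS running-config keywords it scans for and all sample outputs are constructed assumptions, and the ACS patch level is supplied as an argument because the page does not show how it is displayed.

```python
import re

# Requirements stated in the guidance document.
REQUIRED_NXOS_VERSION = "5.2(5)"   # both kickstart and system images
REQUIRED_ACS_VERSION = "5.2"       # ACS 5.2 ...
REQUIRED_ACS_PATCH = 11            # ... patch 11

# Running-config lines that indicate the excluded management services.
# Assumption: the Telnet server is enabled with 'feature telnet' and SNMP
# access with 'snmp-server ...' lines; adjust to the deployed release.
EXCLUDED_CONFIG_PATTERNS = {
    "telnet": re.compile(r"^\s*feature\s+telnet\b", re.MULTILINE),
    "snmp": re.compile(r"^\s*snmp-server\s+(community|user|host)\b", re.MULTILINE),
}


def parse_nexus_versions(show_version_text):
    """Return {'kickstart': ver, 'system': ver} parsed from 'show version'."""
    versions = {}
    for m in re.finditer(r"^\s*(kickstart|system):\s+version\s+(\S+)",
                         show_version_text, re.MULTILINE):
        versions[m.group(1)] = m.group(2)
    return versions


def check_nexus(show_version_text):
    """List deviations from the required NX-OS image version."""
    versions = parse_nexus_versions(show_version_text)
    problems = []
    for image in ("kickstart", "system"):
        found = versions.get(image)
        if found is None:
            problems.append(f"{image}: version line not found")
        elif found != REQUIRED_NXOS_VERSION:
            problems.append(f"{image}: {found} != {REQUIRED_NXOS_VERSION}")
    return problems


def parse_acs_version(acs_text):
    """Return the 'Version :' value from 'show application version acs'."""
    m = re.search(r"^\s*Version\s*:\s*(\S+)", acs_text, re.MULTILINE)
    return m.group(1) if m else None


def check_acs(acs_text, installed_patch):
    """List deviations from ACS 5.2 patch 11.  The patch level is passed in
    separately because the page shows only the 'Version :' output line."""
    problems = []
    version = parse_acs_version(acs_text)
    if version is None:
        problems.append("ACS: version line not found")
    elif not (version == REQUIRED_ACS_VERSION
              or version.startswith(REQUIRED_ACS_VERSION + ".")):
        problems.append(f"ACS: {version} is not a {REQUIRED_ACS_VERSION} release")
    if installed_patch != REQUIRED_ACS_PATCH:
        problems.append(f"ACS: patch {installed_patch} != {REQUIRED_ACS_PATCH}")
    return problems


def check_excluded_features(running_config_text):
    """Return the excluded management features found in a running-config."""
    return sorted(name for name, pattern in EXCLUDED_CONFIG_PATTERNS.items()
                  if pattern.search(running_config_text))


# Constructed sample inputs (not captured from a real device).
# Shaped like the page's own example, which shows the older 4.0(1a) images.
SAMPLE_SHOW_VERSION_OLD = """\
Software
  BIOS:      version 3.17.0
  kickstart: version 4.0(1a) [gdb]
  system:    version 4.0(1a) [gdb]
"""
SAMPLE_ACS_OLD = """\
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.0.0
Release : B.2435
"""
SAMPLE_RUNNING_CONFIG = """\
feature telnet
feature ssh
snmp-server community public group network-operator
"""

if __name__ == "__main__":
    print("Nexus:", check_nexus(SAMPLE_SHOW_VERSION_OLD))
    print("ACS:", check_acs(SAMPLE_ACS_OLD, installed_patch=0))
    print("Excluded features present:", check_excluded_features(SAMPLE_RUNNING_CONFIG))
```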

2.3. Modes of Operation

2.3.1. Nexus 7000

A N7K Family Switch has several modes of operation; these modes are as follows:

• Booting – While booting, the switch drops all network traffic until the NX-OS image and configuration have loaded. This mode can transition to all of the modes below.
• Loader Prompt – When either of the system images is corrupted and/or unusable.
• Setup – When the NX-OS loads and no configuration has been saved to the switch.
• Normal – When the NX-OS images and configuration are loaded successfully and uninterrupted.

System BIOS Setup – This is an interactive text-based program for configuring low-level switch hardware and boot options. When this program is exited, the switch transitions to Booting mode. In this mode the switch has no IP address and therefore does not handle network traffic, thus preventing an insecure state.

Loader Prompt – This mode allows an administrator logged into the console port to specify an NX-OS image on a TFTP server to load. In this mode the switch does not handle any network traffic apart from what is required to perform the TFTP boot, thus preventing an insecure state.

Setup – The switch enters this mode after booting if no configuration exists (e.g. first boot). In this mode the switch has no IP address and therefore does not handle network traffic, which prevents the switch from booting into an insecure state. The switch starts an interactive setup program to allow the administrator to enter basic configuration data, such as the switch’s IP address, administrator password, and management channels. When the setup program is exited, the switch transitions to Normal mode.

Normal – The NX-OS image and configuration are loaded and the switch is operating as configured. It should be noted that all levels of administrative access occur in this mode and that all TOE security functions are operating. While operating, the TOE has little interaction with the administrator. However, the configuration of the TOE can have a detrimental effect on security: misconfiguration of the TOE could result in the unprotected network having access to the internal/protected network. If an operational error occurs, the switch reboots (once power supply is available) and enters Booting mode.

Specific Supervisor Modes

The Nexus 7K switches can be deployed with a single supervisor or a redundant pair of supervisors. The supervisor modules have some additional modes of operation:

• Active – The active supervisor module in the switch is ready to be configured.
• HA standby – A switchover is possible.
• Offline – The switch is intentionally shut down for debugging purposes.
• Unknown – The switch is in an invalid state and requires a support call to TAC.

Redundancy Modes for Supervisor

• Not present – The supervisor module is not present or is not plugged into the chassis.
• Initializing – The diagnostics have passed and the configuration is being downloaded.
• Active – The supervisor module is active and the switch is ready to be configured.
• Standby – A switchover is possible.
• Failed – The switch detects a supervisor module failure on initialization and automatically attempts to power-cycle the module three (3) times. After the third attempt it continues to display a failed state.
• Offline – The supervisor module is intentionally shut down for debugging purposes.
• At BIOS – The switch has established connection with the supervisor and the supervisor module is performing diagnostics.
• Unknown – The switch is in an invalid state. If it persists, call TAC.

Internal Redundancy States

• HA standby – The HA switchover mechanism in the standby supervisor module is enabled.
• Active with no standby – A switchover is possible.
• Active with HA standby – The active supervisor module in the switch is ready to be configured. The standby module is in the HA-standby state.
• Shutting down – The switch is being shut down.
• HA switchover in progress – The switch is in the process of changing over to the HA switchover mechanism.
• Offline – The switch is intentionally shut down for debugging purposes.
• HA synchronization in progress – The standby supervisor module is in the process of synchronizing its state with the active supervisor module.
• Standby (failed) – The standby supervisor module is not functioning.
• Active with failed standby – The active supervisor module is running; the second supervisor module is present but is not functioning.
• Other – The switch is in a transient state. If it persists, call TAC.

2.3.2. ACS

An ACS has several modes of operation; these modes are as follows:

• Off – This is the state in which the Cisco Secure ACS has not yet been loaded: the DLLs are not resident in memory and no keys are loaded. The single transition out of this state is for the module to start up. Note that this state can be entered from any other state by powering off the module.
• Booting – In this state the module is conducting its power-on self tests, including the module integrity test and known answer tests. Two transitions exit this state: if the self tests fail, the module enters State 2: Error state, and if the tests succeed, the module enters State 3: Operational state. In the Error state, the administrator may either reboot or contact the Cisco TAC (http://tools.cisco.com/ServiceRequestTool/create/) for assistance with hardware or image failures.
• State 3: Operational/Normal – This is the state in which the module has been loaded and all the power-up self tests have passed.


2.4. Supported Roles

The N7K TOE supports several roles.

2.4.1. Nexus 7000 Roles

For information on the roles and role-based access control (RBAC) within N7K, see [B] Chapter 9 beginning on page 237, “Configuring User Accounts and RBAC → Information About User Accounts and RBAC”.

2.4.1.1. Network-Admin and VDC-Admin Roles

Unless specified that the command is only applicable to the Network-Admin role, all commands are also supported for the VDC-Admin role for a particular VDC. All commands in the command reference documentation designate which roles are supported for each command as such:

Supported User Roles: network-admin, vdc-admin

2.4.1.1.1. Supervisor Module (Console and mgmt0 Interfaces)

The Console and mgmt0 interfaces provide the main administrative access point for the Nexus 7000. The following main functionalities are available to the Network-Admin and VDC-Admin at these interfaces:

• System Management Operations
• System Security Operations
• VDC Operations

Specifically, guidance related to the ongoing management actions of these functions can be found in Section 2.5, below.

2.4.1.1.2. Connectivity Management Processor (CMP Interface)

The CMP can be used to monitor or take control of the supervisor module control processor (CP) on the active supervisor module and to reboot the CP or Cisco NX-OS device. The following actions can be taken only by the Network-Admin from the CMP:

1. Monitoring and Taking Control of the CP – To monitor or take control of the supervisor module CP console port, see “Monitoring the CP” on page 3-2 of [A].
2. Rebooting the CP – To reboot the supervisor module CP from the CMP, see “Rebooting the CP” on page 3-2 of [A].
3. Rebooting the Nexus 7000 from the CMP – To reboot the Nexus 7000 device from the CMP, see “Rebooting the Entire Cisco NX-OS Device from the CMP” on page 3-3 of [A].
4. Rebooting the CMP from the CP or the CMP – To reboot the CMP from the CP or CMP, see “Rebooting the CMP from the CP” or “Rebooting the CMP from the CMP” on page 3-3 of [A].

2.4.1.2. Network-Operator and VDC-Operator Roles

Only the Console and mgmt0 interfaces are available to the Network-Operator and VDC-Operator roles. Unless specified that the command is only applicable to the Network-Operator role, all Network-Operator commands are also supported for the VDC-Operator for a particular VDC. All commands in the command reference documentation designate which roles are supported for each command as such:

Supported User Roles: network-admin, vdc-admin, network-operator, vdc-operator

The Network-Operator can only execute these commands from the default VDC, and the VDC-Operator can only execute them within their assigned VDC (and for that VDC). The network-operator has complete read access to the entire Cisco NX-OS device (only available in the default VDC). The vdc-operator has read access limited to their assigned VDC.

Connectivity Management Processor (CMP Interface)

The CMP can be used to monitor or take control of the supervisor module control processor (CP) on the active supervisor module and to reboot the CP or Cisco NX-OS device. The following actions can be taken only by the Network-Admin from the CMP:

1. Monitoring and Taking Control of the CP – To monitor or take control of the supervisor module CP console port, see “Monitoring the CP” on page 3-2 of [A].
2. Rebooting the CP – To reboot the supervisor module CP from the CMP, see “Rebooting the CP” on page 3-2 of [A].
3. Rebooting the Nexus 7000 from the CMP – To reboot the Nexus 7000 device from the CMP, see “Rebooting the Entire Cisco NX-OS Device from the CMP” on page 3-3 of [A].
4. Rebooting the CMP from the CP or the CMP – To reboot the CMP from the CP or CMP, see “Rebooting the CMP from the CP” or “Rebooting the CMP from the CMP” on page 3-3 of [A].

2.4.1.3. SNMP User Roles

SNMP administration is not to be used in the TOE.

2.4.1.4. Administrator-defined Roles

The TOE allows for the configuration of custom administrative roles on the Nexus 7000 switch. The custom administrative roles are created on a per-VDC basis. Access for the custom roles can be defined per command, feature (a group of commands), or feature group (a collection of features). The steps to create custom roles can be found starting on page 246, “Creating User Roles and Rules”, of [B].

2.4.2. ACS Admin Roles (Web Interface/GUI)

Information related to the ACS functions for all ACS roles for the ACS Web Interface/GUI can be found in [C] User Guide for the Cisco Secure Access Control System 5.2.

2.4.2.1. SuperAdmin

The SuperAdmin role has complete access to every ACS administrative function. If you do not need granular access control, this role is the most convenient, and it is the role assigned to the predefined ACSAdmin account. This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.

Note: The first time you log in to ACS 5.2 patch 11, you are prompted for the predefined administrator username (ACSAdmin) and required to change the predefined password (default). After you change the password, you can start configuring the system.

To create further granularity in your access control, follow these steps:

1. Define administrators. See Configuring System Administrators and Accounts, page 16-3 of [C].
2. Associate roles to administrators. See Understanding Roles, page 16-3 of [C].


When these steps are completed, defined administrators can log in and start working in the system. If multiple administrators are to be using the TOE it is recommended that the SuperAdmin (ACSAdmin) account be used only when needed and additional administrators be defined with the following roles.

2.4.2.2. NetworkDeviceAdmin

This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions:

• Read and write permissions on network devices
• Read permission on network device groups (NDGs)

2.4.2.3. PolicyAdmin

This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:

• Read and write permissions on policy elements (authorization profile, NDGs, IDGs, conditions)

• Read and write permissions on services policy

2.4.2.4. ReadOnlyAdmin

This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface. This role has read-only access to all resources.

2.4.2.5. ReportAdmin

This role is intended for administrators who need access to the ACS Monitoring & Report Viewer to generate and view reports or monitoring data only. This role has read-only access on logs.

2.4.2.6. SecurityAdmin

This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:

• Read and write permissions on administrators
• Read and write permissions on roles and permissions

2.4.2.7. SystemAdmin This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:

Page 16: Nexus 7000 Series Switch Operational User Guidance · This document is not meant to detail specific actions performed by the operational user but rather is a road map for identifying

- 16 -

• Read and write permissions on all system administration activities except for account definition

• Read and write permissions on ACS instances

2.4.2.8. UserAdmin This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions:

• Read and write permissions on users and hosts • Read permission on IDGs

2.4.2.9. ChangeAdminPassword This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators.

2.4.2.10. ChangeUserPassword This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users.

2.4.3. ACS Admin Roles (CLI Interface)

Information related to the ACS functions for all ACS roles for the ACS CLI Interface can be found in [D] CLI Reference Guide for the Cisco Secure Access Control System 5.2. Note that before logging in to the ACS CLI, you must have completed the hardware installation and configuration process outlined in [D] “Before Accessing the ACS CLI”, page 2-1.

2.4.3.1. Admin (administrator) and Operator (User) Roles

Two different types of accounts are available on the ACS server:

• Admin (administrator)

• Operator (user)

When you power up the ACS appliance for the first time, you are prompted to run the setup utility to configure the appliance. During this setup process, an administrator user account, also known as an Admin account, is created. An operator role may be created using the username command:

username name password plain password role user


The complete list of available CLI commands is as follows; it can also be found in Table 1-2 beginning on page 1-5 of [D]. Details of usage and syntax for each command are found in Appendix A, ACS Command Reference, of [D]. A check mark indicates that the command is available to that user account.

Command                            Admin   Operator (User)
---------------------------------  ------  ---------------
acs commands                       ✓
acs-config                         ✓
acs-migration-interface            ✓
application commands               ✓
backup                             ✓
backup-logs                        ✓
cdp run                            ✓
clock                              ✓
configure terminal                 ✓
copy commands                      ✓
debug                              ✓
debug-adclient                     ✓
debug-log                          ✓
delete                             ✓
dir                                ✓
end                                ✓
exit                               ✓       ✓
forceout                           ✓
halt                               ✓
hostname                           ✓
icmp                               ✓
interface                          ✓
ip default-gateway                 ✓
ip domain-name                     ✓
ip name-server                     ✓
ip route                           ✓
kron                               ✓
logging commands                   ✓
mkdir                              ✓
nslookup                           ✓       ✓
ntp server                         ✓
password policy                    ✓
patch                              ✓
ping                               ✓       ✓
reload                             ✓
replication                        ✓
repository                         ✓
restore commands                   ✓
rmdir                              ✓
service                            ✓
show acs-logs                      ✓       ✓
show acs-migration-interface       ✓       ✓
show application                   ✓
show backup                        ✓
show cdp                           ✓       ✓
show clock                         ✓       ✓
show cpu                           ✓       ✓
show debug-adclient                ✓
show debug-log                     ✓
show disks                         ✓       ✓
show icmp_status                   ✓       ✓
show interface                     ✓       ✓
show ip route                      ✓
show logging                       ✓       ✓
show logins                        ✓       ✓
show memory                        ✓       ✓
show ntp                           ✓       ✓
show ports                         ✓       ✓
show process                       ✓       ✓
show repository                    ✓
show restore                       ✓
show running-configuration
show startup-configuration
show tac                           ✓
show tech-support                  ✓
show terminal                      ✓       ✓
show timezone                      ✓       ✓
show timezones                     ✓
show udi                           ✓       ✓
show uptime                        ✓       ✓
show users                         ✓
show version                       ✓       ✓
snmp-server commands (see note 1)  ✓
ssh                                ✓       ✓
ssh keygen                         ✓       ✓
ssh rmkey                          ✓       ✓
tech                               ✓
telnet                             ✓       ✓
terminal                           ✓       ✓
traceroute                         ✓       ✓
undebug                            ✓
username                           ✓
write                              ✓

2.5. TOE Administration Specifics – Nexus component

2.5.1. System Management Operations

Information related to the System Management functions for the N7K can be found in [E] Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 5.x and [F] Cisco Nexus 7000 Series NX-OS System Management Command Reference, Release 5.x. Specifically, guidance related to the ongoing management actions can be found in the sections below.

2.5.2. Audit storage

The Nexus 7000 supports local logging of events. Authentication and authorization events are maintained in the local accounting log. See “Monitoring and Clearing the Local AAA Accounting Log” starting on page 34 of [B] for information on viewing and clearing these logs.

System events are maintained by default in the file log:messages. This file can be viewed, and its settings modified, as described in Chapter 5, “Configuring System Message Logging” → “Logging System Messages to a File” and “Displaying and Clearing Log Files” of [E].

By default, the TOE logs the most recent 100 messages of severity 0, 1, or 2 (emergency, alert, or critical) to the NVRAM log. This setting cannot be changed. The NVRAM log contents are viewed and cleared with the following commands:

show logging nvram [last number-lines]

clear logging nvram

[1] Note that the SNMP server is not to be configured in the evaluated configuration.


All other logging on the Nexus TOE is not needed in the evaluated configuration and is considered non-interfering with the TOE functionality. Table 1-1 in [Z] contains the format and field descriptions for the audit records. The date and time of the event are in the “month dd” and “hh:mm:ss” elements. The type of event is in the “facility” and “MNEMONIC” elements. The subject identity (if applicable) is in the “switchname” and “description” elements. The outcome (success or failure) of the event is also listed in the “description” element.

2.5.3. System Security Operations

Information related to the System Security functions for the N7K Network-Admin and VDC-Admin roles can be found in [B] Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x and [N] Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 5.x. Guidance for the following system security functions of these roles can be found in [B]. Each has its own chapter in [B] that details how to configure that particular security function:

• Configuring AAA (including Role Based Access Control)

• RADIUS

• TACACS+

• PKI

• SSH and Telnet

• User Accounts and Roles

• 802.1X

• NAC

• Cisco TrustSec (including the EAP-FAST PAC settings to configure the Nexus 7000 to use with the ACS server)

• IP ACLs (RACLs, PACLs, and VACL IP ACLs)

• MAC ACLs

• VACLs

• Port Security

• DHCP Snooping

• Dynamic ARP Inspection

• IP Source Guard

• Keychain Management

• Traffic Storm Control

• Control Plane Policing

• Rate Limits

• Monitoring


2.5.4. VDC Operations

Information related to the Virtual Device Context functions can be found in [Q] Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide, Release 5.x and [O] Cisco Nexus 7000 Series NX-OS Virtual Device Context Command Reference, Release 5.x. Specifically, guidance related to the ongoing VDC actions of these roles can be found in the following locations in [Q]:

1. Creating: Chapter 3, Creating VDCs

2. Management: Chapter 4, Managing VDCs

2.5.5. Configuration of Nexus 7000 Cryptography

The Nexus 7000 must be operated in FIPS mode, as defined in [G]. RSA keys are created using the following command:

crypto key generate rsa [label label-string] [exportable] [modulus size]

To regenerate SAP keys for an interface, follow the instructions in [B] “Regenerating SAP Keys on an Interface” starting on page 378.

2.5.6. Configuration of VRF

A VRF represents a Layer 3 addressing domain. Each Layer 3 interface (logical or physical) belongs to exactly one VRF. A VRF belongs to one VDC, and each VDC can support multiple VRFs. For more information, see [V] Chapter 14, “Configuring Layer 3 Virtualization.”

2.5.7. Review Nexus 7000 configuration

To display the running configuration, use the show running-config command:

show running-config [all | exclude component-list]

2.5.8. Configuration of System Time

For NTP configuration, see [E], Chapter 3, “Configuring NTP”. To manually set the clock on a Cisco NX-OS device, use the clock set command:

clock set time day month year


2.5.9. Other Routine Operations

All other routine operations related to the administration of the N7K Network-Admin and VDC-Admin roles can be found in [R]-[Y], the additional Cisco Nexus 7000 Series NX-OS Configuration Guides, and [H]-[M], the Cisco Nexus 7000 Command References.

2.5.10. Error and System Messages

Any error and system messages output by the N7K can be found in [Z] Cisco NX-OS System Messages Reference.

2.6. TOE Administration Specifics – ACS component

2.6.1. Configuration of ACS cryptographic services

The ACS must be operated in FIPS mode, as defined in [P] and [AA]. RSA keys are created for SSH using the following command at the CLI:

ssh keygen

2.6.2. Configuration of ACS system settings

For ACS system settings see [C], “Configuring Global System Options” beginning on page 18-1.

2.6.3. Management of Administrative Users

For management of local ACS administrators see [C], “Configuring System Administrators and Accounts” beginning on page 16-3.

2.6.4. Management of Network Users

For management of network users see [C], “Managing Users and Identity Stores” beginning on page 8-1.

2.6.5. Audit storage and Review

The ACS supports local logging of events. The event types that are logged include:

• Accounting messages

• AAA audit and diagnostics messages

• System diagnostics messages

• Administrative and operational audit messages

See [C], starting with “Configuring Logs” on page 18-20, and specifically “Configuring the Local Log” on page 18-23 and Chapter 19 “Understanding Logging”.


Table 19-2 in [C] contains the format and field descriptions for the audit records. The date and time are found in the timestamp field. The type of event is found in the msg_class field. The subject identity, the outcome, and the additional ACS-specific details (configuration values, user id, interface, etc.) are found in the attr=value pairs.
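As an added illustration (not part of this guidance and not Cisco code), the following Python script reads both kinds of audit record described above, the Nexus 7000 system messages of Section 2.5.2 (the “month dd”, “hh:mm:ss”, “switchname”, “facility”, “MNEMONIC” and “description” elements) and the ACS local log records of this section (timestamp, msg_class and attr=value pairs), and then counts failed events per subject, which is the kind of review that Section 4.2 expects an administrator to perform on the audit trail. The sample records are constructed; the exact separators, the ACS attribute names (UserName, AdminName, Status, FailureReason), the message class names and the keyword-based outcome test are assumptions made for the example, not field definitions taken from [Z] or [C].

```python
"""Parse Nexus 7000 system messages and ACS local-log records into the audit
fields this guidance names, then count failed events per subject.

Added example, not code from this guidance or from Cisco. Field layouts follow
the names cited from [Z] Table 1-1 and [C] Table 19-2; the separators,
attribute names and sample records are constructed assumptions."""
import re
from collections import Counter

# NX-OS record: [year] month dd hh:mm:ss switchname %FACILITY-SEVERITY-MNEMONIC: description
NXOS_RE = re.compile(
    r"^(?:(?P<year>\d{4})\s+)?"
    r"(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<switchname>\S+)\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)
# ACS record (assumed layout): timestamp msg_class attr=value attr="quoted value" ...
ACS_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<msg_class>\S+)\s*(?P<attrs>.*)$"
)
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Keyword heuristics for the subject and outcome carried in free text (assumption, not from [Z]).
FAILURE_RE = re.compile(r"\b(fail|denied|reject|invalid)", re.IGNORECASE)
SUBJECT_RE = re.compile(r"\buser(?:name)?[=\s:]+(\S+)", re.IGNORECASE)


def parse_nxos(line):
    """Return the NX-OS audit fields of Section 2.5.2, or None if not an NX-OS record."""
    m = NXOS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["date"] = f"{rec['month']} {rec['day']}"   # the "month dd" element
    rec["severity"] = int(rec["severity"])
    subj = SUBJECT_RE.search(rec["description"])    # subject identity sits in the description
    rec["subject"] = subj.group(1) if subj else None
    rec["outcome"] = "failure" if FAILURE_RE.search(rec["description"]) else "success"
    return rec


def parse_acs(line):
    """Return the ACS audit fields of Section 2.6.5, or None if not an ACS record."""
    m = ACS_RE.match(line)
    if not m:
        return None
    attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(m.group("attrs"))}
    failed = "Failed" in m.group("msg_class") or attrs.get("Status", "").lower() == "failed"
    return {
        "timestamp": m.group("timestamp"),
        "msg_class": m.group("msg_class"),
        "attrs": attrs,
        "subject": attrs.get("UserName") or attrs.get("AdminName"),
        "outcome": "failure" if failed else "success",
    }


def parse_line(line):
    """Classify one line as an NX-OS or ACS record; None for anything else."""
    rec = parse_nxos(line)
    if rec is not None:
        rec["source"] = "nxos"
        return rec
    rec = parse_acs(line)
    if rec is not None:
        rec["source"] = "acs"
    return rec


def parse_all(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def failed_auth_by_subject(records, threshold=3):
    """Subjects with at least `threshold` failed events across both log sources."""
    counts = Counter(r["subject"] for r in records
                     if r["outcome"] == "failure" and r["subject"])
    return {s: n for s, n in counts.items() if n >= threshold}


# Constructed sample records, not captured from a real device.
SAMPLE_LINES = [
    "2012 Nov 15 10:02:11 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user bob from 192.0.2.10 - sshd",
    "2012 Nov 15 10:02:19 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user bob from 192.0.2.10 - sshd",
    "Nov 15 10:02:27 N7K-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user bob from 192.0.2.10 - sshd",
    "2012 Nov 15 10:03:02 N7K-1 %AUTHPRIV-6-SYSTEM_MSG: pam_unix(sshd:session): session opened for user alice by (uid=0) - sshd",
    "2012 Nov 15 10:04:00 N7K-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by alice on 192.0.2.20@pts/0",
    '2012-11-15 10:02:40 CSCOacs_Failed_Attempts UserName=bob NASIPAddress=192.0.2.1 FailureReason="Wrong password"',
    "2012-11-15 10:02:55 CSCOacs_Passed_Authentications UserName=alice NASIPAddress=192.0.2.1",
    '2012-11-15 10:05:00 CSCOacs_Administrative_Audit AdminName=carol Interface=CLI Status=Failed Operation="Edit password policy"',
    "not an audit record",
]

if __name__ == "__main__":
    recs = parse_all(SAMPLE_LINES)
    for r in recs:
        print(r["source"], r.get("date") or r["timestamp"], r["subject"], r["outcome"])
    print("repeated failures:", failed_auth_by_subject(recs))
```

The NX-OS pattern accepts records with or without a leading year, since the “month dd” element is what [Z] names and the local log file may or may not prefix the year. Anything that matches neither layout is dropped rather than guessed at, so a line that is not an audit record cannot inflate a subject's failure count.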

2.6.6. Configuration of System Time

To allow software clock synchronization by a Network Time Protocol (NTP) server, use the ntp server command in Configuration mode. The ACS allows up to two servers to be configured. To disable this capability, use the no form of this command.

ntp server {ip-address | hostname} [ip-address | hostname]

To manually set the system clock from the ACS CLI, use the clock command in EXEC mode. To remove this function, use the no form of this command.

clock {set} [month day hh:min:ss yyyy]


3. Security Measures for the Operational Environment

Proper operation of the TOE requires functionality from the environment (in some cases optionally). It is the responsibility of the authorized users of the TOE to ensure that the TOE environment provides the necessary functions. The following identifies the requirements and the associated security measures of the authorized users.

3.1. OE.PERSON

Personnel working as authorized administrators shall be carefully selected and trained for proper operation of the TOE (both the Nexus 7000 switch and ACS TOE components).

1. Network-Admin: These users must be properly trained in the usage and proper operation of the N7K TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

2. VDC-Admin: These users must be properly trained in the usage and proper operation of the N7K TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

3. Network-Operator: These users must be properly trained in the usage and proper operation of the N7K TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

4. VDC-Operator: These users must be properly trained in the usage and proper operation of the N7K TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

5. ChangeAdminPassword (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

6. ChangeUserPassword (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

7. Network Device Admin (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

8. Policy Admin (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.


9. ReadOnlyAdmin (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

10. ReportAdmin (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

11. SecurityAdmin (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

12. System Admin (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

13. User Admin (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

14. SuperAdmin (ACS GUI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

15. SuperAdmin (ACS CLI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

16. MachineAdmin (ACS CLI role): These users must be properly trained in the usage and proper operation of the ACS TOE and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

3.2. OE.INSTALL

Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which is consistent with IT security.

1. Network-Admin: These users must be properly trained in the receipt of, installation, management, usage and proper operation of the N7K TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.


2. VDC-Admin: These users must be properly trained in the receipt of, installation, management, usage and proper operation of the N7K TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

3. Network-Operator: These users must be properly trained in the receipt of, installation, management, usage and proper operation of the N7K TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

4. VDC-Operator: These users must be properly trained in the receipt of, installation, management, usage and proper operation of the N7K TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

5. ChangeAdminPassword (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

6. ChangeUserPassword (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

7. Network Device Admin (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

8. Policy Admin (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

9. ReadOnlyAdmin (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

10. ReportAdmin (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

11. SecurityAdmin (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.


12. System Admin (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

13. User Admin (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

14. SuperAdmin (ACS GUI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

15. SuperAdmin (ACS CLI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

16. MachineAdmin (ACS CLI role): These users must be properly trained in the receipt of, installation, management, usage and proper operation of the ACS TOE component and all the provided functionality per the implementing organization’s operational security policies. These users must follow the provided guidance.

3.3. OE.PHYCAL

Those responsible for the TOE must ensure that those parts of the TOE critical to security policy are protected from any physical attack.

1. Network-Admin: These users should ensure that the N7K switch is being physically protected in a manner consistent with the implementing organization’s security policies.

2. VDC-Admin: These users should ensure that the N7K switch is being physically protected in a manner consistent with the implementing organization’s security policies.

3. Network-Operator: These users should ensure that the N7K switch is being physically protected in a manner consistent with the implementing organization’s security policies.

4. VDC-Operator: These users should ensure that the N7K switch is being physically protected in a manner consistent with the implementing organization’s security policies.

5. ChangeAdminPassword (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.


6. ChangeUserPassword (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

7. Network Device Admin (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

8. Policy Admin (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

9. ReadOnlyAdmin (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

10. ReportAdmin (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

11. SecurityAdmin (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

12. System Admin (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

13. User Admin (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

14. SuperAdmin (ACS GUI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

15. SuperAdmin (ACS CLI role): These users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

16. MachineAdmin (ACS CLI role): users should ensure that the ACS Server is being physically protected in a manner consistent with the implementing organization’s security policies.

3.4. OE.CTSCOMPATIBLE

The environment may include devices that support CTS-enabled communications.

1. Network-Admin: These users should ensure that CTS is enabled on the N7K switch and supported as needed for the CTS cloud.


2. VDC-Admin: These users should ensure that CTS is enabled on the N7K switch and supported as needed for the CTS cloud.

3. Network-Operator: N/A

4. VDC-Operator: N/A

5. ChangeAdminPassword (ACS GUI role): N/A

6. ChangeUserPassword (ACS GUI role): N/A

7. Network Device Admin (ACS GUI role): These users should ensure that the ACS is configured so that CTS-capable devices can join the CTS cloud.

8. Policy Admin (ACS GUI role): These users should ensure that the ACS is configured so that CTS-capable devices can join the CTS cloud.

9. ReadOnlyAdmin (ACS GUI role): N/A

10. ReportAdmin (ACS GUI role): N/A

11. SecurityAdmin (ACS GUI role): N/A

12. System Admin (ACS GUI role): These users should ensure that the ACS is configured so that CTS-capable devices can join the CTS cloud.

13. User Admin (ACS GUI role): These users should ensure that the ACS is configured so that CTS-capable devices can join the CTS cloud.

14. SuperAdmin (ACS GUI role): These users should ensure that the ACS is configured so that CTS-capable devices can join the CTS cloud.

15. SuperAdmin (ACS CLI role): These users should ensure that the ACS is configured so that CTS-capable devices can join the CTS cloud.

16. MachineAdmin (ACS CLI role): These users should ensure that the ACS is configured so that CTS-capable devices can join the CTS cloud.

3.5. OE.TIME

The IT Environment will provide reliable timestamps to the TOE.

1. Network-Admin: These users should ensure that the optional NTP servers are operational and providing accurate timestamps for use by the TOE at regular intervals in accordance with the implementing organization’s operational security policies.

2. VDC-Admin: These users should ensure that the optional NTP servers are operational and providing accurate timestamps for use by the TOE at regular intervals in accordance with the implementing organization’s operational security policies.


3. Network-Operator: These users should ensure that the optional NTP servers are operational and providing accurate timestamps for use by the TOE at regular intervals in accordance with the implementing organization’s operational security policies.

4. VDC-Admin: These users should ensure that the optional NTP servers are operational and providing accurate timestamps for use by the TOE at regular intervals in accordance with the implementing organization’s operational security policies.

5. ChangeAdminPassword (ACS GUI role): N/A

6. ChangeUserPassword (ACS GUI role): N/A

7. Network Device Admin (ACS GUI role): N/A

8. Policy Admin (ACS GUI role): N/A

9. ReadOnlyAdmin (ACS GUI role): N/A

10. ReportAdmin (ACS GUI role): N/A

11. SecurityAdmin (ACS GUI role): N/A

12. System Admin (ACS GUI role): These users should ensure that the ACS is configured so that CTS-capable devices can join the CTS cloud.

13. User Admin (ACS GUI role): N/A

14. SuperAdmin (ACS GUI role): These users should ensure that the optional NTP servers are operational and providing accurate timestamps for use by the TOE at regular intervals in accordance with the implementing organization’s operational security policies.

15. SuperAdmin (ACS CLI role): These users should ensure that the optional NTP servers are operational and providing accurate timestamps for use by the TOE at regular intervals in accordance with the implementing organization’s operational security policies.

16. MachineAdmin (ACS CLI role): These users should ensure that the optional NTP servers are operational and providing accurate timestamps for use by the TOE at regular intervals in accordance with the implementing organization’s operational security policies.

3.6. OE.EXTERNALAUTH

The environment shall optionally provide authentication credential verification to the TOE.

1. Network-Admin: N/A

2. VDC-Admin: N/A

3. Network-Operator: N/A


4. VDC-Admin: N/A

5. ChangeAdminPassword (ACS GUI role): N/A

6. ChangeUserPassword (ACS GUI role): N/A

7. Network Device Admin (ACS GUI role): These users should ensure that the optional LDAP server, Active Directory server, or another ACS server is operational and accessible to the TOE in accordance with the implementing organization’s operational security policies.

8. Policy Admin (ACS GUI role): N/A

9. ReadOnlyAdmin (ACS GUI role): N/A

10. ReportAdmin (ACS GUI role): N/A

11. SecurityAdmin (ACS GUI role): N/A

12. System Admin (ACS GUI role): These users should ensure that the optional LDAP server, Active Directory server, or another ACS server is operational and accessible to the TOE in accordance with the implementing organization’s operational security policies.

13. User Admin (ACS GUI role): These users should ensure that the optional LDAP server, Active Directory server, or another ACS server is operational and accessible to the TOE in accordance with the implementing organization’s operational security policies.

14. SuperAdmin (ACS GUI role): These users should ensure that the optional LDAP server, Active Directory server, or another ACS server is operational and accessible to the TOE in accordance with the implementing organization’s operational security policies.

15. SuperAdmin (ACS CLI role): These users should ensure that the optional LDAP server, Active Directory server, or another ACS server is operational and accessible to the TOE in accordance with the implementing organization’s operational security policies.

16. MachineAdmin (ACS CLI role): These users should ensure that the optional LDAP server, Active Directory server, or another ACS server is operational and accessible to the TOE in accordance with the implementing organization’s operational security policies.

4. Reactions to Security-Relevant Events

4.1. System crash

In the event that the device will not operate due to a system crash, capture the device output and contact the Cisco TAC (http://tools.cisco.com/ServiceRequestTool/create/).


4.2. Specific audit trail entries indicating penetration attempts

In the event that entries are noted in the audit trail that indicate an unauthorized user is attempting to gain access to TOE resources, ensure that all access policies on the device are configured to block access to that entity.

4.3. Specific audit trail entries indicating system malfunctions

In the event that audit entries are noted that indicate that the ACS or N7K is malfunctioning, per the event entry, contact the Cisco TAC (http://tools.cisco.com/ServiceRequestTool/create/).

