Cisco IPS4345 User Manual Page 46

Cisco Intrusion Prevention System Security Target
TOE SFRs
How the SFR is Satisfied
configuration data except their user passwords.
2. Operator: Can view everything and can modify the following options:
a. Signature tuning (priority, disable or enable)
b. Virtual sensor definition
c. Managed routers
d. Their user passwords
3. Administrator: Can view everything and can modify all options that
Operators can modify in addition to the following:
a. Sensor addressing configuration
b. List of hosts allowed to connect as configuration or viewing
agents
c. Assignment of physical sensing interfaces
d. Enable or disable control of physical interfaces
e. Add and delete users and passwords
f. Generate new SSH host keys and server certificates
4. Service: The service account must not be used in the evaluated
configuration. Only a user with administrator privileges can create, edit, or
delete the service account.
5. The service account is disabled by default, only one such account exists,
and no others can be created.
6. If the service account is enabled, the TOE will no longer be in its evaluated
configuration. The service account is a special account that does not use the
standard IPS CLI shell, and is intended for troubleshooting purposes only
by Cisco personnel. The service account would log into a bash shell rather
than the standard IPS CLI shell. The service account cannot login to the
IPS sensor via IDM, CSM, or IME.
FPT_SKP_EXT.1
The TOE stores all private keys not readily accessible to administrators. All pre-
shared, symmetric, and private keys are stored in encrypted form to prevent access.
FPT_APW_EXT.1
All admin passwords are stored as hash values instead of in plaintext form to
ensure admin passwords are not readable even to administrators.
FPT_STM.1
All forms of the TOE use their software clocks to provide timestamps written to
audit records, and to track inactivity of administrative sessions. The TOEs that
include hardware clocks (4300 series and 4500 series sensors) retain time and date
across power-cycles. The TOEs that do not include hardware clocks (the IPS SSP
hardware module and software module) obtain the time and date for their software
clocks from the hardware clock of the underlying ASA host. All forms of the TOE
can optionally be set to receive clock updates from an NTP server.
FPT_TUD_EXT.1
The TOE software version and hardware components can be queried by an
administrator. When updates are made available by Cisco, an administrator can
obtain and install those updates. An administrator can download software updates to
the TOE then generate cryptographic hash values and compare those hash values to
published (known-good) hash values to verify software/firmware update files have
not been modified from the originals distributed by Cisco before the files are used to
update the applicable TOE components.
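The hash-comparison step described for FPT_TUD_EXT.1, as an added Python example that is not part of the Security Target or of Cisco's software: it hashes a downloaded update file and refuses it unless the digest matches the published known-good value. The file names, the choice of SHA-256, and the "published" hash (computed here from a constructed file in place of the vendor's value) are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Digest algorithms an administrator might be given a published value for.
# Assumption: the Security Target names no algorithm, so SHA-256 is the default here.
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def file_digest(path, algo="sha256", chunk_size=1 << 20):
    """Hash a possibly large update file in chunks and return the hex digest."""
    h = SUPPORTED[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(path, published_hex, algo="sha256"):
    """Return True only if the file's digest equals the published known-good value.

    The published value is normalised (case, surrounding whitespace) and the
    comparison is constant-time, so the check cannot be short-circuited.
    """
    expected = published_hex.strip().lower()
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: an intact update file and a copy with one byte altered."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "ips-update-constructed.pkg"  # constructed name, not a real package
        good.write_bytes(b"constructed update image contents\n" * 1000)
        published = file_digest(good)  # stands in for the vendor's published hash

        tampered = Path(d) / "ips-update-modified.pkg"
        tampered.write_bytes(good.read_bytes()[:-1] + b"X")  # last byte changed

        # Only the unmodified file may be used to update the TOE.
        return verify_update(good, published), verify_update(tampered, published)


if __name__ == "__main__":
    intact_ok, tampered_ok = demo()
    print("intact file verified:", intact_ok)      # True
    print("tampered file verified:", tampered_ok)  # False
```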
FPT_TST_EXT.1
As a FIPS 140-2 validated product, the TOE runs a suite of self-tests during initial
start-up to verify its correct operation. Refer to the FIPS Security Policy for
available options and management of the cryptographic self-test.
For testing of the TSF, the TOE automatically runs checks and power-on self-tests
(POST) during startup and resets to ensure the TOE is operating correctly. The self-
tests include verification of cryptographic module functions. Success and failure
notifications are output to the console during startup, and failure of cryptographic