Cisco Unified Communications Manager (CUCM) Common Criteria Security Target


Cisco Unified Communications Manager (CUCM) 14.0
Common Criteria Security Target
Version 1.5
23 February 2022

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Cisco Unified Communications Manager Security Target

Table of Contents

1 SECURITY TARGET INTRODUCTION  10
1.1 ST and TOE Reference  10
1.2 TOE Overview  10
1.2.1 TOE Product Type  11
1.2.2 Required non-TOE Hardware/Software/Firmware  11
1.3 TOE DESCRIPTION  12
1.4 TOE Evaluated Configuration  12
1.5 Physical Scope of the TOE  13
1.6 Logical Scope of the TOE  15
1.6.1 Security Audit  15
1.6.2 Cryptographic Support  16
1.6.3 User Data Protection  17
1.6.4 Identification and authentication  18
1.6.5 Security Management  18
1.6.6 Protection of the TSF  19
1.6.7 TOE Access  19
1.6.8 Trusted path/Channels  19
1.7 Excluded Functionality  19
2 Conformance Claims  21
2.1 Common Criteria Conformance Claim  21
2.2 Protection Profile Conformance  21
2.2.1 Protection Profile Additions  25
2.3 Protection Profile Conformance Claim Rationale  25
2.3.1 TOE Appropriateness  25
2.3.2 TOE Security Problem Definition Consistency  26
2.3.3 Statement of Security Requirements Consistency  26
3 SECURITY PROBLEM DEFINITION  27
3.1 Assumptions  27
3.2 Threats  28
3.3 Organizational Security Policies  31

Page 2 of 90

4 SECURITY OBJECTIVES  32
4.1 Security Objectives for the TOE  32
4.2 Security Objectives for the Environment  32
5 SECURITY REQUIREMENTS  34
5.1 Conventions  34
5.2 TOE Security Functional Requirements  35
5.2.1 Security audit (FAU)  37
5.2.2 Cryptographic Support (FCS)  44
5.2.3 User Data Protection (FDP)  51
5.2.4 Identification and authentication (FIA)  52
5.2.5 Security management (FMT)  54
5.2.6 Protection of the TSF (FPT)  57
5.2.7 TOE Access (FTA)  58
5.2.8 Trusted Path/Channels (FTP)  59
5.3 TOE SFR Dependencies Rationale for SFRs Found in NDcPPv2.1  61
5.4 Security Assurance Requirements  62
5.4.1 SAR Requirements  62
5.4.2 Security Assurance Requirements Rationale  62
5.5 Assurance Measures  63
6 TOE Summary Specification  66
6.1 TOE Security Functional Requirement Measures  66
7 Annex A: Key Zeroization  88
7.1 Key Zeroization  88
8 Annex B: References  90

List of Tables

Table 1 Acronyms  5
Table 2 Terminology  7
Table 3 ST and TOE Identification  10
Table 4 Required IT Environment Components  11
Table 5 Hardware/Software Models and Specifications  14
Table 6 FIPS References  16
Table 7 Excluded Functionality  20
Table 9 Protection Profiles  21
Table 8 NIAP Technical Decisions (TD)  21
Table 10 TOE Assumptions  27
Table 11 Threats  29
Table 12 Organizational Security Policies  31
Table 13 Security Objectives for the Environment  32
Table 14 Security Functional Requirements  35
Table 15 Auditable Events  38
Table 16 System Log Events  42
Table 17 Assurance Measures  62
Table 18 Assurance Measures  64
Table 19 How TOE SFRs Measures  66
Table 20 TOE Key Zeroization  88
Table 21 References  90

List of Figures

Figure 1 TOE Example Deployment  13

Acronyms

The following acronyms and abbreviations are common and may be used in this Security Target:

Table 1 Acronyms

Acronyms / Abbreviations | Definition
AAA | Administration, Authorization, and Accounting
AES | Advanced Encryption Standard
CC | Common Criteria for Information Technology Security Evaluation
CEM | Common Evaluation Methodology for Information Technology Security
CM | Configuration Management
GCM | Galois Counter Mode
HTTP | Hyper-Text Transport Protocol
HTTPS | Hyper-Text Transport Protocol Secure
IEEE | Institute of Electrical and Electronics Engineers
IP | Internet Protocol
IT | Information Technology
NDcPP | collaborative Network Device Protection Profile
OS | Operating System
Packet | A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
PP | Protection Profile
PRNG | Pseudo Random Number Generator
RADIUS | Remote Authentication Dial In User Service
RNG | Random Number Generator
RSA | Rivest, Shamir and Adleman (algorithm for public-key cryptography)
SHS | Secure Hash Standard
SIP | Session Initiation Protocol
SRTP | Secure Real-time Transport Protocol
SSHv2 | Secure Shell (version 2)
ST | Security Target
TCP | Transport Control Protocol
TCP/IP | Transmission Control Protocol/Internet Protocol
TLS | Transport Layer Security
TOE | Target of Evaluation
TSC | TSF Scope of Control

TSF | TOE Security Function
TSP | TOE Security Policy
VoIP | Voice over Internet Protocol
VVoIP | Video and Voice over Internet Protocol

Terminology

Table 2 Terminology

Term | Definition
Authorized Administrator | Any user which has been assigned to a privilege level that is permitted to perform all TSF-related functions.
Call Detail Record | A log of call metadata that can be used to determine characteristics of a call, such as its length and involved parties, without recording any of its content.
Enterprise Session Controller (ESC) | The ESC (the TOE) interacts with a VoIP client (user smartphone) and provides registrar and proxy capabilities required for call-session management as well as establishing, processing, and terminating VoIP calls.
Firmware (per NIST for FIPS validated cryptographic modules) | The programs and data components of a cryptographic module that are stored in hardware (e.g., ROM, PROM, EPROM, EEPROM or FLASH) within the cryptographic boundary and cannot be dynamically written or modified during execution.
Peer CUCM (ESC) | Another CUCM on the network with which the TOE interfaces.
Security Administrator | Synonymous with Authorized Administrator for the purposes of this evaluation.
Session Border Controller | A type of network device that resides on the edge of a VVoIP network that is responsible for filtering corrupted or potentially malicious traffic and preventing it from entering or leaving the network.
Trunking | The concept of connecting multiple networks together; analogous to the use of a T1 line in a legacy telephone network.
User | Any entity (human user or external IT entity) outside the TOE that interacts with the TOE.
VVoIP Endpoint | A VVoIP-capable phone or software application that a human user can use to make or receive a voice or video call.

DOCUMENT INTRODUCTION

Prepared By:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134

This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Cisco Unified Communications Manager (CUCM) 14.0 on the Unified Computing System (UCS) UCS C220 M5S and UCS C240 M5S. This Security Target (ST) defines a set of assumptions about the aspects of the environment, a list of threats that the product intends to counter, a set of security objectives, a set of security requirements, and the IT security functions provided by the TOE, which meet the set of requirements. Administrators of the TOE will be referred to as administrators, Authorized Administrators, TOE administrators, and security administrators in this document.

REVISION HISTORY

Rev | Date | Description
0.1 | 20 September 2019 | Initial Draft
0.2 | 23 October 2019 | Responses to initial review
0.3 | 14 November 2019 | Responses to ARRF
0.4 | 4 December 2019 | Response to ARRF
0.5 | 18 February 2020 | Responses to Additional Comments
0.6 | 4 March 2020 | Responses to Additional Comments
0.7 | 29 April 2020 | Responses to Validator Comments
0.8 | 19 May 2020 | Responses to Validator Comments
0.9 | 18 August 2020 | Updates from Testing
1.0 | 8 October 2020 | Updates from Testing
1.1 | 5 November 2020 | Consistency Updates
1.2 | 13 November 2020 | Updates for package submission
1.3 | 10 December 2020 | Final Updates

1.4 | 26 April 2021 | Updates for Assurance Maintenance
1.5 | 23 February 2022 | Response to Validator Comments

1 SECURITY TARGET INTRODUCTION

The Security Target contains the following sections:
- Security Target Introduction [Section 1]
- Conformance Claims [Section 2]
- Security Problem Definition [Section 3]
- Security Objectives [Section 4]
- IT Security Requirements [Section 5]
- TOE Summary Specification [Section 6]
- Key Zeroization [Annex A]
- References [Annex B]

The structure and content of this ST comply with the requirements specified in the Common Criteria (CC), Part 1, Annex A, and Part 2.

1.1 ST and TOE Reference

This section provides information needed to identify and control this ST and its TOE.

Table 3 ST and TOE Identification

Name | Description
ST Title | Cisco Unified Communications Manager 14.0 Common Criteria Security Target
ST Version | 1.5
Publication Date | 23 February 2022
Vendor and ST Author | Cisco Systems, Inc.
TOE Reference | Cisco Unified Communications Manager (CUCM)
TOE Hardware Models | Cisco Unified Computing System UCS C220 M5S and UCS C240 M5S
TOE Software Version | Cisco Unified Communications Manager 14.0
Keywords | CUCM, Data Protection, Authentication, Voice, Telephony

1.2 TOE Overview

The TOE is Cisco Unified Communications Manager (CUCM) v14.0. The TOE is a hardware and software-based call-processing component of the Cisco Unified Communications family of products. The TOE extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

1.2.1 TOE Product Type

The Cisco Unified Communications Manager (CUCM) TOE is an Enterprise Session Controller, a specific type of Network Device responsible for the establishment, processing, and termination of Voice/Video over IP (VVoIP) calls, enabling more effective and secure user communications.

1.2.2 Required non-TOE Hardware/Software/Firmware

The TOE requires the following hardware/software/firmware in the IT environment when the TOE is configured in its evaluated configuration.

Table 4 Required IT Environment Components

Component | Usage/Purpose Description for TOE performance
Local Console | This includes any IT Environment Console that is directly connected to the TOE via the Serial Console Port. This is used by the Security Administrator to perform local administration.
Management Workstation using web browser for HTTPS | This includes any IT Environment Management workstation that can remotely access CUCM administration interfaces with a web browser using HTTPS. This provides the Security Administrator the capability to perform remote administration over a trusted path.
(3) NTP Servers | The NTP servers provide the CUCM TOE the ability to synchronize its clock to an accurate source of time and date. At least 3 NTP time sources must be provided to the CUCM TOE.
Syslog Servers | The Syslog server provides the TOE with the capability to transmit generated audit data over TLS.
Remote Endpoint | This includes any VoIP client with which the TOE communicates over a protected TLS channel.
DNS Server | A DNS server provides the TOE with the capability to translate domain names to numeric IP addresses.
Certificate Authority (CA) and OCSP Responder | The Certificate Authority provides the TOE and VVoIP clients with valid certificates. The CA also provides the TOE with an OCSP Responder to check the peer certificate revocation status of devices the TOE communicates with on the network.

1.3 TOE DESCRIPTION

This section provides an overview of the Cisco Unified Communications Manager (CUCM) Target of Evaluation (TOE). The CUCM TOE is an enterprise communications system that provides voice and video call-processing over an Internet Protocol (IP) network. This includes supplementary and enhanced services such as hold, transfer, forward, conference, multiple line appearances, automatic route selection, speed dial, last-number redial and other features extended to IP phones and gateways.

1.4 TOE Evaluated Configuration

The TOE consists of CUCM v14.0 software installed on VMware ESXi 6.7 running on one (1) or more UCS M5 appliances as specified in section 1.5 below. The evaluated configuration of the CUCM v14.0 TOE is limited to only one vND instance for each physical platform. In addition, there must be no other guest VMs providing non-network device functionality.

The TOE configuration specifies the SIP ports and other properties such as the server name and date-time settings. The TOE connects to an NTP server via NTPv4 on its internal network for time services. The TOE is administered using the Cisco Unified Communications Manager Administration program from a workstation that is neither the web server nor a host with Cisco Unified Communications Manager installed. No browser software exists on the CUCM server. When connecting to the CUCM, the management workstation must be connected to an internal network and use HTTPS to secure the connection to the TOE. A syslog server is also required to store audit records. The audit server must be attached to the internal (trusted) network and the connection to the server must be secured using TLS.

The following figure provides a visual depiction of an example TOE deployment. The TOE boundary is surrounded with a hashed red line.

Figure 1 TOE Example Deployment

In Figure 1 the following are considered to be in the IT Environment:
- DNS Server (does not require a secure connection)
- Certificate Authority (CA) and OCSP Responder (does not require a secure connection)
- Management Workstation (secure connection is HTTPS (over TLS))
- NTP Servers (connection is NTPv4)
- Peer ESC (secure connection is TLS)
- Syslog Server (secure connection is TLS)
- Video and Voice End-points (VVoIP) (secure connection is SIP over TLS)

1.5 Physical Scope of the TOE

The TOE is comprised of hardware and software. The hardware platform is the UCS C220 M5 or the UCS C240 M5 as described in Table 5 below. The software is VMware ESXi 6.7 and CUCM v14.0 with CentOS 7.7. The network on which the TOE resides is considered part of the environment.

Table 5 Hardware/Software Models and Specifications

Hardware/Software: Cisco Unified Communications Manager v14.0 with CentOS 7.7

Specifications:
Form Factor:
- UCS C220 M5: 1RU
- UCS C240 M5: 2RU
Memory: 24 DDR4 DIMM slots: 8, 16, 32, 64, and 128 GB up to 2666 MHz
Internal Storage, backplane options, UCS C220 M5:
- Up to 10 x 2.5-inch SAS and SATA HDDs and SSDs and up to 2 NVMe PCIe drives
- Up to 10 x 2.5-inch NVMe PCIe drives
- Up to 4 x 3.5-inch SAS and SATA HDDs and SSDs and up to 2 NVMe PCIe drives
Internal Storage, backplane options, UCS C220 M5:
- Up to 26 x 2.5-inch SAS and SATA HDDs and SSDs and up to 4 NVMe PCIe drives
- Up to 10 x 2.5-inch NVMe PCIe and 16 SAS and SATA HDDs and SSDs
- Up to 12 x 3.5-inch SAS and SATA HDDs and SSDs, and 2 rear 2.5-inch HDDs and SSDs and up to 4 NVMe PCIe drives
Ports:
- 1x RJ-45 console port
- 2x USB 3.0 ports
- 1x RJ-45 management port
- 2x 10GBASE-T ports
- VGA connector
- One KVM console connector (supplies two USB 2.0 connectors, one VGA DB15 video connector, and one serial port (RS232) RJ45 connector)
CPU: Intel Xeon Cascade Lake SP (Cascade Lake microarchitecture) [1]

[1] The specific CPU used in the CC tested configuration was Intel Xeon Gold 6244 (Cascade Lake).

1.6 Logical Scope of the TOE

The TOE comprises several security features, each of which consists of several security functionalities, as identified below.
- Security Audit
- Cryptographic Support
- User Data Protection
- Identification and Authentication
- Security Management
- Protection of the TSF
- TOE Access
- Trusted Path/Channels

These features are described in more detail in the subsections below. In addition, the TOE implements all RFCs of the NDcPP v2.1 and ESC EP v1.0 as necessary to satisfy testing and assurance measures prescribed therein.

1.6.1 Security Audit

Auditing allows Security Administrators to discover intentional and unintentional issues with the TOE's configuration and/or operation. Auditing of administrative activities provides information that may be used to hasten corrective action should the system be configured incorrectly. Security audit data can also provide an indication of failure of critical portions of the TOE (e.g. a communication channel failure) or of anomalous activity of a suspicious nature (e.g. establishment of an administrative session at a suspicious time, or repeated failures to establish sessions or authenticate to the TOE).

The TOE provides extensive capabilities to generate audit data targeted at detecting such activity. The TOE generates an audit record for each auditable event. Each security relevant audit event has the date, timestamp, event description, and subject identity. The TOE also generates Call Detail Records (CDR) which contain log information about each VVoIP call processed by the CUCM TOE.

The TOE transmits its audit messages to an external syslog server over a secure TLS channel.

1.6.2 Cryptographic Support

The TOE provides cryptographic functions to support HTTPS/TLS communication protocols. The cryptographic algorithm implementation has been validated for CAVP conformance. This includes key generation and random bit generation, key establishment methods, key destruction, and the various types of cryptographic operations to provide AES encryption/decryption, signature verification, hash generation, and keyed hash generation. All cryptography is implemented using the CiscoSSL FOM 6.2 cryptographic module. Refer to Table 6 for algorithm certificate references.

Table 6 FIPS References

Algorithm | Description | Supported Mode / Standard | CAVP Cert. | Hardware/Software Module | SFRs
[algorithm name not legible in source] | Signature generation, verification, and key transport | FIPS PUB 186-4 | A511 | CiscoSSL FIPS Object Module (FOM) v6.2 on Intel Xeon Gold 6244 (Cascade Lake) w/ CentOS 7.6 on VMware ESXi v6 | FCS_CKM.1, FCS_CKM.2, FCS_COP.1/SigGen
ECDSA | Cryptographic signature services | FIPS PUB 186-4 | A511 | CiscoSSL FIPS Object Module (FOM) v6.2 on Intel Xeon Gold 6244 (Cascade Lake) w/ CentOS 7.6 on VMware ESXi v6 | FCS_CKM.1, FCS_COP.1/SigGen
AES | Used for symmetric encryption/decryption | AES in CBC and GCM (128 and 256 bits) | A511 | CiscoSSL FIPS Object Module (FOM) v6.2 on Intel Xeon Gold 6244 (Cascade Lake) w/ CentOS 7.6 on VMware ESXi v6 | FCS_COP.1/DataEncryption
SHS (SHA-1, 256, 384, 512) | Cryptographic hashing services | Byte Oriented | A511 | CiscoSSL FIPS Object Module (FOM) v6.2 on Intel Xeon Gold 6244 (Cascade Lake) w/ CentOS 7.6 on VMware ESXi v6 | FCS_COP.1/Hash
HMAC SHA-1, SHA-256, SHA-512 | Keyed hashing services and integrity test | Byte Oriented | A511 | CiscoSSL FIPS Object Module (FOM) v6.2 on Intel Xeon Gold 6244 (Cascade Lake) w/ CentOS 7.6 on VMware ESXi v6 | FCS_COP.1/KeyedHash
DRBG | Deterministic random bit generation services in accordance with ISO/IEC 18031:2011 | CTR DRBG (AES 256) | A511 | CiscoSSL FIPS Object Module (FOM) v6.2 on Intel Xeon Gold 6244 (Cascade Lake) w/ CentOS 7.6 on VMware ESXi v6 | FCS_RBG_EXT.1
KAS-ECC | Key Agreement | NIST Special Publication 800-56A Revision 3 | A511 | CiscoSSL FIPS Object Module (FOM) v6.2 on Intel Xeon Gold 6244 (Cascade Lake) w/ CentOS 7.6 on VMware ESXi v6 | FCS_CKM.2

The algorithm certificates are applicable to the TOE based on CUCM and Intel Xeon processors as noted in Section 1.5 Physical Scope of the TOE.

The TOE provides cryptography in support of remote administrative management via HTTPS/TLS and the secure connection to an external audit server using TLS. The TOE uses X.509v3 certificates for securing TLS connections. The TOE also ensures software updates to the TOE are from Cisco Systems, Inc. using digital signature verification.

1.6.3 User Data Protection

The TOE ensures VVoIP calls are set up using the SIP call control protocol prior to redirecting streaming media data between the endpoints.

If the organization has a policy that requires all data on all disks to be cleared, the TOE provides the Security Administrator the ability to wipe all residual information from storage.

1.6.4 Identification and authentication

The TOE implements two types of authentication: 1) X.509v3 certificate-based authentication for remote devices; and 2) password-based authentication for Security Administrators. Device-level authentication allows the TOE to establish a secure communication channel with remote endpoints over TLS.

Security Administrators have the ability to compose strong passwords of 15 characters in length which are stored in an obscured form. Additionally, the TOE detects and tracks successive unsuccessful remote authentication attempts and will prevent the offending account from further attempts if a Security Administrator defined threshold is reached.

1.6.5 Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure HTTPS session or via a local console connection. The TOE provides the ability to securely manage:
- Ability to administer the TOE locally and remotely;
- Ability to configure the access banner;
- Ability to configure the session inactivity time before session termination or locking;
- Ability to update the TOE, and to verify the updates using digital signature capability prior to installing those updates;
- Ability to configure the authentication failure parameters for FIA_AFL.1;
- Configure the number of failed administrator authentication attempts;
- Ability to display the real-time connection status of all VVoIP endpoints (hardware and software) and telecommunications devices;
- Ability to clear all TSF data stored on disk;
