Cisco Adaptive Security Appliances (ASA) and Cisco Adaptive Security Appliances Virtual (ASAv)
|Product type: Network and Network Related Devices and Systems|
Product Status: In Evaluation
Assurance Level: Protection Profile
Version: ASA 9.4(1) and ASDM 7.4
Components: ASA 5500 Series (5506-X, 5506-H, 5506-W, 5508-X, 5516-X) and ASAv running on VM ESXi 5.1 and 5.5 on the Unified Computing System (UCS) EN120E, EN120S M2, E140S M1, E140S M2, E140D M1, E160D M2, E160D M1, E180D M2, E140DP M1, E160DP M1, C22 M3, C24 M3, C220 M3, C220 M4, C240 M3, C240 M4, C260 M2, C420 M3, C460 M2, and C460 M4
Cert Progress: Progressing
Estimated Approval: Q4 2016
Product Website: http://www.cisco.com
Cisco Systems Inc.
The TOE is a purpose-built security platform that is a purpose- built firewall and VPN services for small and medium-sized business (SMB) and enterprise applications. The Cisco Adaptive Security Appliances Virtual running on Cisco Unified Computing System (UCS) platform (TOE) is a firewall platform with VPN Capabilities.
For firewall services, the TOE (ASA 5500 Series and ASAv) provides application-aware stateful packet filtering firewalls. A stateful packet filtering firewall controls the flow of IP traffic by matching information contained in the headers of connection-oriented or connection-less IP packets against a set of rules specified by the authorised administrator for firewalls.
The Cisco ASA also provides IPsec connection capabilities. All references within this ST to “VPN” connectivity refer to the use of IPsec tunnels to secure connectivity to and/or from the TOE, for example, gateway-to-gateway VPN or remote access VPN. Other uses refer to the use of IPsec connections to tunnel traffic that originates from or terminates at the ASA itself, such as for transmissions from the ASA to remote audit/syslog servers, or AAA servers, or for an additional layer of security for remote administration connections to the ASA, such as SSH or TLS connections tunnelled in IPsec.
The TOE provides the following security functionality:
• Security Audit – can audit events and create records related to cryptographic functionality, identification and authentication, and administrative actions. The administrator can configure events, performs back-up operations, and manages audit data storage
• Cryptographic Support - The TOE provides cryptography in support of VPN connections using TLS and IPsec, and remote administrative management via SSHv2, and TLS/HTTPS. The cryptographic random but generators (RBGs) are seeded by an entropy noise source
• Full Residual Information Protection - all information flows from the TOE do not contain residual information from previous traffic. Packets are padded with zeros. Residual data is never transmitted from the TOE
• Identification and Authentication – performs two types of authentication: device-level authentication of the remote device (VPN peers) and user authentication for the authorised administrator of the TOE
• Security Management – provides secure administrative services through a secure SSHv2, TLS/HTTPS session or via a local console connection for management of general TOE configuration and the security functionality • Protection of the TSF - protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to authorized administrators
• TOE Access - displays an administrator- configurable warning banner when an administrative session is initially established. After a configurable period of inactivity, administrative sessions will be terminated, requiring administrators to re-authenticate
• Trusted path/Channels - supports establishing trusted paths between itself and remote administrators using SSHv2 for CLI access, and TLS/HTTPS for GUI/ASDM access. The TOE supports use of TLS and/or IPsec for connections with remote syslog servers. The TOE can use IPsec to encrypt connections with remote authentication servers (e.g. RADIUS or TACACS+). The TOE can establish trusted paths of peer-to-peer VPN tunnels using IPsec, and VPN client tunnels using IPsec
• Filtering – provides stateful traffic firewall functionality including IP address-based filtering (for IPv4 and IPv6) to address the issues associated with unauthorised disclosure of information, inappropriate access to services, misuse of services, disruption or denial of services, and network-based reconnaissance