Common Criteria NDPP SIP Server EP Assurance Activity Report
Pascal Patin
ISSUED BY Acumen Security, LLC.
Revision History:

Version | Date | Changes
Initial Release | 7/20/2015 | Initial Release
Version 1.0 | 8/26/2015 | Updated in response to Validator Comments.
Table of Contents

1 TOE Overview ... 9
2 Assurance Activities Identification ... 9
3 Reporting on Assurance Activities ... 12
3.1 Reporting on TSS Assurance Activities ... 12
3.2 Reporting on Guidance Assurance Activities ... 12
4 Test Diagram ... 13
5 Configuration Information ... 14
6 Detailed Test Cases (Auditing) ... 16
6.1.1 FAU_GEN.1 Guidance 1 ... 16
6.1.2 FAU_GEN.1 Guidance 2 ... 16
6.1.3 FAU_GEN.1 Test 1 ... 17
6.1.4 FAU_GEN.2 ... 17
6.1.5 FAU_STG_EXT.1.1 TSS 1 ... 17
6.1.6 FAU_STG_EXT.1.1 Guidance 1 ... 18
6.1.7 FAU_STG_EXT.1.1 TSS 1 (not audit server) ... 18
6.1.8 FAU_STG_EXT.1.1 Guidance 1 (not audit server) ... 19
6.1.9 FAU_STG_EXT.1 Test 1 (not audit server) ... 19
6.2 Test Cases (Cryptographic Support) ... 20
6.2.1 FCS_CKM.1.1 Test 1 ... 20
6.2.2 FCS_CKM.1.1 TSS 1 ... 20
6.2.3 FCS_CKM_EXT.4.1 TSS 1 ... 21
6.2.4 FCS_COP.1.1 (1) Test 1 ... 22
6.2.5 FCS_COP.1.1 (2) Test 1 ... 23
6.2.6 FCS_COP.1.1 (3) Test 1 ... 23
6.2.7 FCS_COP.1.1 (4) Test 1 ... 24
6.2.8 FCS_RBG_EXT.1.1 Test 1 ... 24
6.2.9 FCS_RBG_EXT.1.1 Test 2 (SP 800-90A DRBG) ... 24
6.2.10 FCS_RBG_EXT.1.1 Guidance 1 (SP 800-90A DRBG) ... 25
6.3 Test Cases (User Data Protection) ... 25
6.3.1 FDP_RIP.2.1 TSS 1 ... 25
6.4 Test Cases (Identification and Authentication) ... 26
6.4.1 FIA_PMG_EXT.1.1 Guidance 1 ... 26
6.4.2 FIA_PMG_EXT.1 Test 1 ... 26
6.4.3 FIA_UIA_EXT.1 TSS 1 ... 28
6.4.4 FIA_UIA_EXT.1 Guidance 1 ... 28
6.4.5 FIA_UIA_EXT.1 Test #1 ... 29
6.4.6 FIA_UIA_EXT.1 Test #2 ... 30
6.4.7 FIA_UIA_EXT.1 Test #3 ... 30
6.4.8 FIA_UAU_EXT.2 ... 30
6.4.9 FIA_UAU.7 Test #1 ... 30
6.4.10 FIA_SIPS_EXT.1 TSS ... 31
6.4.11 FIA_SIPS_EXT.1 Test #1 ... 31
6.4.12 FIA_SIPS_EXT.1 Test #2 ... 32
6.4.13 FIA_SIPS_EXT.1 Test #3 ... 32
6.4.14 FIA_X509_EXT.1 TSS 1 ... 33
6.4.15 FIA_X509_EXT.1 Guidance 1 ... 33
6.4.16 FIA_X509_EXT.1 Test #1 ... 34
6.5 Test Cases (Security Management) ... 34
6.5.1 FMT_MTD.1 Guidance 1 ... 34
6.5.2 FMT_MTD.1 TSS 1 ... 35
6.5.3 FMT_SMF.1 ... 35
6.5.4 FMT_SMR.2 Guidance 1 ... 35
6.6 Test Cases (Protection of the TSF) ... 36
6.6.1 FPT_SKP_EXT.1 TSS 1 ... 36
6.6.2 FPT_APW_EXT.1 TSS 1 ... 36
6.6.3 FPT_APW_EXT.1 TSS 2 ... 37
6.6.4 FPT_STM.1 TSS 1 ... 37
6.6.5 FPT_STM.1 Guidance 1 ... 37
6.6.6 FPT_STM.1 Guidance 2 ... 38
6.6.7 FPT_STM.1 Test #1 ... 38
6.6.8 FPT_STM.1 Test #2 ... 38
6.6.9 FPT_TUD_EXT.1 TSS 1 ... 39
6.6.10 FPT_TUD_EXT.1 TSS 2 ... 39
6.6.11 FPT_TUD_EXT.1 Test #1 ... 40
6.6.12 FPT_TUD_EXT.1 Test #2 ... 41
6.6.13 FPT_TST_EXT.1.1 TSS 1 ... 41
6.6.14 FPT_TST_EXT.1.1 TSS 2 ... 42
6.6.15 FPT_TST_EXT.1.1 Guidance 1 ... 42
6.7 Test Cases (TOE Access) ... 43
6.7.1 FTA_SSL_EXT.1 Test #1 ... 43
6.7.2 FTA_SSL.3 Test #1 ... 43
6.7.3 FTA_SSL.4 Test #1 ... 44
6.7.4 FTA_SSL.4 Test #2 ... 44
6.7.5 FTA_TAB.1 TSS 1 ... 45
6.7.6 FTA_TAB.1 Test #1 ... 45
6.8 Test Cases (Trusted Path/Channels) ... 46
6.8.1 FTP_ITC.1(1) TSS 1 ... 46
6.8.2 FTP_ITC.1(1) TSS 2 ... 46
6.8.3 FTP_ITC.1(1) Guidance 1 ... 46
6.8.4 FTP_ITC.1(1) Test #1 ... 47
6.8.5 FTP_ITC.1(1) Test #2 ... 48
6.8.6 FTP_ITC.1(2) TSS 1 ... 48
6.8.7 FTP_ITC.1(2) Test #1 ... 49
6.8.8 FTP_ITC.1(3) TSS ... 49
6.8.9 FTP_ITC.1(3) Test #1 ... 49
6.8.10 FTP_TRP.1 TSS 1 ... 50
6.8.11 FTP_TRP.1 TSS 2 ... 50
6.8.12 FTP_TRP.1 Guidance 1 ... 50
6.8.13 FTP_TRP.1 Test #1 ... 51
6.9 Test Cases (TLS) ... 52
6.9.1 FCS_TLS_EXT.1.1 TSS 1 ... 52
6.9.2 FCS_TLS_EXT.1.1 Guidance 1 ... 52
6.9.3 FCS_TLS_EXT.1.1 Test #1 ... 52
6.9.4 FCS_TLS_EXT.1.1 Test #2 ... 53
6.9.5 FCS_HTTPS_EXT.1.1 TSS 1 ... 54
6.10 Security Assurance Requirements ... 54
6.10.1 AGD_OPE.1 Guidance 1 ... 54
6.10.2 AGD_OPE.1 Guidance 2 ... 55
6.10.3 AGD_OPE.1 Guidance 3 ... 55
6.10.4 AGD_OPE.1 Guidance 4 ... 55
6.10.5 AGD_PRE.1 Guidance 1 ... 56
6.10.6 ATE_IND.1 ... 56
6.10.7 AVA_VAN.1 ... 56
6.10.8 ALC_CMC.1 Guidance 1 ... 56
7 Conclusion ... 56
Assurance Activity Report (AAR) for a Target of Evaluation
Cisco Unified Communications Manager (CUCM) 11.0
Cisco Unified Communications Manager Security Target, Version .03, 6 July, 2015
Network Device Protection Profile SIP Server Extended Package version 1.1
Version 1.0

Evaluated by: Acumen Security, LLC, 18504 Office Park Dr., Montgomery Village, MD 20886

Prepared for: National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme
The Developer of the TOE: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134

The Author of the Security Target: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134

The TOE Evaluation was Sponsored by: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134

Evaluation Personnel: Antony Busciglio, Pascal Patin

Common Criteria Version: Common Criteria Version 3.1 Revision 4

Common Evaluation Methodology Version: CEM Version 3.1 Revision 4
1 TOE Overview

The Cisco Unified Communications Manager (CUCM) TOE serves as the hardware- and software-based call-processing component of the Cisco Unified Communications family of products. The TOE extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

2 Assurance Activities Identification

Test Case ID | Activity Type | Name of Evaluator/Tester
FAU_GEN.1 Test 1 | Testing | Pascal Patin
FAU_GEN.1 Guidance 1 | Guidance | Pascal Patin
FAU_GEN.1 Guidance 2 | Guidance | Pascal Patin
FAU_STG_EXT.1.1 TSS 1 | TSS | Pascal Patin
FAU_STG_EXT.1.1 Guidance 1 | Guidance | Pascal Patin
FAU_STG_EXT.1 Test 1 (not audit server) | Testing | Pascal Patin
FAU_STG_EXT.1.1 TSS 1 (not audit server) | TSS | Pascal Patin
FAU_STG_EXT.1.1 Guidance 1 (not audit server) | Guidance | Pascal Patin
FCS_CKM.1.1 TSS 1 | TSS | Pascal Patin
FCS_CKM.1.1 Test 1 | Testing | Pascal Patin
FCS_CKM_EXT.4.1 TSS 1 | TSS | Pascal Patin
FCS_COP.1.1 (1) Test 1 | Testing | Pascal Patin
FCS_COP.1.1 (2) Test 1 | Testing | Pascal Patin
FCS_COP.1.1 (3) Test 1 | Testing | Pascal Patin
FCS_COP.1.1 (4) Test 1 | Testing | Pascal Patin
FCS_RBG_EXT.1.1 Test 1 | Testing | Pascal Patin
FCS_RBG_EXT.1.1 Test 2 (SP 800-90A DRBG) | Testing | Pascal Patin
FCS_RBG_EXT.1.1 Guidance 1 (SP 800-90A DRBG) | Guidance | Pascal Patin
FDP_RIP.2.1 TSS 1 | TSS | Pascal Patin
FIA_PMG_EXT.1.1 Guidance 1 | Guidance | Pascal Patin
FIA_PMG_EXT.1 Test 1 | Testing | Pascal Patin
FIA_UIA_EXT.1 TSS 1 | TSS | Pascal Patin
FIA_UIA_EXT.1 Guidance 1 | Guidance | Pascal Patin
FIA_UIA_EXT.1 Test #1 | Testing | Pascal Patin
FIA_UIA_EXT.1 Test #2 | Testing | Pascal Patin
FIA_UIA_EXT.1 Test #3 | Testing | Pascal Patin
FIA_UAU.7 Test #1 | Testing | Pascal Patin
FIA_SIPS_EXT.1 TSS | TSS | Pascal Patin
FIA_SIPS_EXT.1 Test #1 | Testing | Pascal Patin
FIA_SIPS_EXT.1 Test #2 | Testing | Pascal Patin
FIA_SIPS_EXT.1 Test #3 | Testing | Pascal Patin
FIA_X509_EXT.1 Guidance 1 | Guidance | Pascal Patin
FIA_X509_EXT.1 Test #1 | Testing | Pascal Patin
FMT_MTD.1 Guidance 1 | Guidance | Pascal Patin
FMT_MTD.1 TSS 1 | TSS | Pascal Patin
FMT_SMR.2 Guidance 1 | Guidance | Pascal Patin
FPT_SKP_EXT.1 TSS 1 | TSS | Pascal Patin
FPT_APW_EXT.1 TSS 1 | TSS | Pascal Patin
FPT_APW_EXT.1 TSS 2 | TSS | Pascal Patin
FPT_STM.1 TSS 1 | TSS | Pascal Patin
FPT_STM.1 Guidance 1 | Guidance | Pascal Patin
FPT_STM.1 Guidance 2 | Guidance | Pascal Patin
FPT_STM.1 Test #1 | Testing | Pascal Patin
FPT_STM.1 Test #2 | Testing | Pascal Patin
FPT_TUD_EXT.1 TSS 1 | TSS | Pascal Patin
FPT_TUD_EXT.1 TSS 2 | TSS | Pascal Patin
FPT_TUD_EXT.1 Test #1 | Testing | Pascal Patin
FPT_TUD_EXT.1 Test #2 | Testing | Pascal Patin
FPT_TST_EXT.1.1 TSS 1 | TSS | Pascal Patin
FPT_TST_EXT.1.1 TSS 2 | TSS | Pascal Patin
FPT_TST_EXT.1.1 Guidance 1 | Guidance | Pascal Patin
FTA_SSL_EXT.1 Test #1 | Testing | Pascal Patin
FTA_SSL.3 Test #1 | Testing | Pascal Patin
FTA_SSL.4 Test #1 | Testing | Pascal Patin
FTA_SSL.4 Test #2 | Testing | Pascal Patin
FTA_TAB.1 TSS 1 | TSS | Pascal Patin
FTA_TAB.1 Test #1 | Testing | Pascal Patin
FTP_ITC.1(1) TSS 1 | TSS | Pascal Patin
FTP_ITC.1(1) TSS 2 | TSS | Pascal Patin
FTP_ITC.1(1) Guidance 1 | Guidance | Pascal Patin
FTP_ITC.1(1) Test #1 | Testing | Pascal Patin
FTP_ITC.1(1) Test #2 | Testing | Pascal Patin
FTP_ITC.1(2) TSS 1 | TSS | Pascal Patin
FTP_ITC.1(2) Test #1 | Testing | Pascal Patin
FTP_ITC.1(3) TSS 1 | TSS | Pascal Patin
FTP_ITC.1(3) Test #1 | Testing | Pascal Patin
FTP_TRP.1 TSS 1 | TSS | Pascal Patin
FTP_TRP.1 TSS 2 | TSS | Pascal Patin
FTP_TRP.1 Guidance 1 | Guidance | Pascal Patin
FTP_TRP.1 Test #1 | Testing | Pascal Patin
FTP_TRP.1 Test #2 | Testing | Pascal Patin
FCS_TLS_EXT.1.1 TSS 1 | TSS | Pascal Patin
FCS_TLS_EXT.1.1 Guidance 1 | Guidance | Pascal Patin
FCS_TLS_EXT.1.1 Test #1 | Testing | Pascal Patin
FCS_TLS_EXT.1.1 Test #2 | Testing | Pascal Patin
3 Reporting on Assurance Activities

3.1 Reporting on TSS Assurance Activities

Information required to be in the TSS is largely self-documenting, meaning that the evaluator in most cases is required to ensure that it is present in the TSS, but little beyond that is required in most PPs. For most TSS assurance activities in the AAR, a simple indication that the information is present and a pointer to that information in the ST is sufficient; it is not required to copy and paste the assurance activity or the information in the TSS into the AAR. It is expected that the evaluator ensure that the information in the TSS as a whole is consistent, and that spurious information is not included.

For some information in the TSS, the evaluator may be required to make a judgment on that information relative to the security requirement being levied. For these requirements, the evaluator shall write up their rationale in the TSS section of the AAR.

3.2 Reporting on Guidance Assurance Activities

The AAR lists specifically all documents used for each platform, model, and hardware component (chassis, blade, processor, etc.) to satisfy the requirements for operational guidance assurance activities. Each applicable administrative manual must be identified in a manner such that an end user can locate the specific manual used for the evaluation. It is acceptable to list general manuals that have evaluation-specific addenda, as long as both are identified.

For each assurance activity referencing information in the operational guidance, the AAR must list for each model that has a distinct manual or manuals the specific manual that contains the information, along with a pointer to the section or sections that satisfy the requirement in the assurance activity.
4 Test Diagram

[Diagram; nodes shown: Jabber Client #1, Jabber Client #2, CUCM #1 (TOE), CUCM #2 (TOE), Cisco RTMT (Audit Server), NTP Server, Mgt. Console, Switch]
5 Configuration Information

CUCM #1 (TOE):
o Hardware Model: C210 M2
o Version: 11.0
o IP address: 192.168.50.30
o Configuration Details:
   - Phone Profile configured for Jabber1
   - Device configured Jabber1
   - User configured Jabber1
   - SIP Trunk Profile configured connecting CUCM#1 to CUCM#2
   - Packet Capture on outgoing/incoming interfaces configured

CUCM #2 (TOE):
o Hardware Model: C210 M2
o Version: 11.0
o IP address: 192.168.30.40
o Configuration Details:
   - Phone Profile configured for device1
   - Device configured device1
   - User configured jabber1
   - SIP Trunk Profile configured connecting CUCM#2 to CUCM#1
   - Packet Capture on outgoing/incoming interfaces configured

SIP Client #1:
o Windows 8
o Cisco Jabber version 11.0 (SIPClient1)
o IP address: 192.168.50.90
o Configuration/Installed tools:
   - Wireshark version 1.12.5

SIP Client #2:
o Windows 8
o Cisco Jabber version 11.0 (SIPClient2)
o IP address: 192.168.50.91
o Configuration/Installed tools:
   - Wireshark version 1.12.5

Management Console:
o Windows 8
o IP address: 192.168.50.90
o Configuration/Installed tools:
   - Wireshark version 1.12.5
   - Vsphere 5.5.0

NTP Server:
o HW version: Cisco ISR 1921
o IP address: 192.168.50.80

Audit Server:
o Windows 8 Workstation
o Cisco Real-Time Monitoring Tool (RTMT) version 11.0 (audit server)
o IP address: 192.168.50.90
o Configuration/Installed tools:
   - Wireshark version 1.12.5

Switch:
o Linksys SRW2008
6 Detailed Test Cases (Auditing)

6.1.1 FAU_GEN.1 Guidance 1

The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN.1.2, and the additional information specified in Table 1.

6.1.1.1 Evaluator Findings

The evaluator checked the administrative guide to ensure that it lists all of the auditable events and provides a format for audit records. Section 3.2.3 of the AGD was used to determine the verdict of this assurance activity. Section 3.2.3.1 contained two tables which showed the format of audit entries as well as a list of events that generate audit records. Based on this the assurance activity is considered satisfied.

6.1.1.2 Verdict

6.1.2 FAU_GEN.1 Guidance 2

The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP. The evaluator shall examine the administrative guide and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to this PP. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.

6.1.2.1 Evaluator Findings

The evaluator made a determination of the administrative actions that are relevant in the context of this PP. The AGD document was used to determine the verdict of this work unit. The evaluator performed the following actions to identify the set of security relevant GUI commands required by the evaluated configuration:

1. The evaluator first began stepping through the AGD document. In addition to providing configuration specific guidance for configuring the TOE in the evaluated configuration, the document acts as a mapping document to other general guidance documents for the TOE.
2. As part of this review, the evaluator successfully compared the AGD document to the ST to verify that each of the claimed security functionalities are discussed.
3. Next, the evaluator reviewed each section of the other configuration documents referenced by the AGD.

After performing the testing required by the NDPP and SIP EP the evaluator found that no additional commands or interfaces were required to complete testing. Based on this the assurance activity is considered satisfied.

6.1.2.2 Verdict

6.1.3 FAU_GEN.1 Test 1

Test ID: FAU_GEN.1 Test 1
Test Type: Testing
Objective: The evaluator shall test the TOE's ability to correctly generate audit records by having the TOE generate audit records for the events listed in Table 1 and administrative actions. This should include all instances of an event--for instance, if there are several different I&A mechanisms for a system, the FIA_UIA_EXT.1 events must be generated for each mechanism. The evaluator shall test that audit records are generated for the establishment and termination of a channel for each of the cryptographic protocols contained in the ST. If HTTPS is implemented, the test demonstrating the establishment and termination of a TLS session can be combined with the test for an HTTPS session. For administrative actions, the evaluator shall test that each action determined by the evaluator above to be security relevant in the context of this PP is auditable. When verifying the test results, the evaluator shall ensure the audit records generated during testing match the format specified in the administrative guide, and that the fields in each audit record have the proper entries.
Test Execution Steps:
1. Configure the Audit log functionality on the Cisco Unified Serviceability page and enable the audit log functionality.
2. Enable the audit utility from the CLI.
3. From the CLI, verify the audit status and ensure it is in the running state.
Expected Output:
1. Evidence of steps taken (e.g., screenshots or CLI output)
2. Generated logs (including explanation of the logs)
Pass/Fail Criteria: The TOE is able to generate audit records for the events listed in FAU_GEN.1.
Results:

6.1.4 FAU_GEN.2

None. The evaluation of this SFR is tested in conjunction with the testing of FAU_GEN.1.

6.1.5 FAU_STG_EXT.1.1 TSS 1

The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access.
6.1.5.1 Evaluator Findings

The evaluator examined the TSS to determine if it describes the amount of audit data that is stored locally, what happens when the local audit data store is full and how audit records are protected against unauthorized access. Table 19 of section 6.1 of the ST was used to determine the verdict of this work unit. Because CUCM can be run on different server hardware the amount of audit data storage space is variable. The TSS entry for FAU_STG_EXT.1 describes various thresholds that the TOE's Log Partition Monitoring function uses to monitor audit log storage. Alerts are sent when a specified percentage of log storage space is used up, and log files can be automatically purged to free up storage space. Audit logs are protected against unauthorized access by being transmitted to RTMT over HTTPS. Based on these findings the assurance activity is considered satisfied.

6.1.5.2 Verdict

6.1.6 FAU_STG_EXT.1.1 Guidance 1

The evaluator shall also examine the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server (for TOEs that are not acting as an audit log server). For example, when an audit event is generated, is it simultaneously sent to the external server and the local store, or is the local store used as a buffer and cleared periodically by sending the data to the audit server.

6.1.6.1 Evaluator Findings

The evaluator examined the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server. Section 3.2.3 of the AGD document was used in support of the activity. Upon examination the evaluator found that audit logs are stored on the TOE and reviewed with the Cisco Real Time Monitoring Tool (RTMT). If an administrator wishes to store or back up audit records externally, that is done through RTMT.
Based on these findings the assurance activity is considered satisfied.

6.1.6.2 Verdict

6.1.7 FAU_STG_EXT.1.1 TSS 1 (not audit server)

The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided.

6.1.7.1 Evaluator Findings

The evaluator examined the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided. Table 19 of Section 6.1 was used to determine the verdict of this work unit. Upon investigation, the evaluator found that the TOE uses Cisco's Real Time Monitoring Tool (RTMT) to collect and store audit records externally. Communications with RTMT are protected by HTTPS.

6.1.7.2 Verdict

6.1.8 FAU_STG_EXT.1.1 Guidance 1 (not audit server)

The evaluator shall also examine the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server.

6.1.8.1 Evaluator Findings

The evaluator examined the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server. Section 3.2.3 of the AGD document was used to determine the verdict of this assurance activity. Upon investigation it was found that communications between the TOE and Cisco RTMT are protected by HTTPS/TLS. The guidance document provides a detailed description of how to install RTMT on a host PC, the system requirements for the system hosting RTMT and how to place RTMT in a protected configuration. The guidance notes that the default setting is for a secure connection, and this setting must be used in the evaluated configuration. Based on this the assurance activity is considered satisfied.

6.1.8.2 Verdict

6.1.9 FAU_STG_EXT.1 Test 1 (not audit server)

Test ID: FAU_STG_EXT.1 Test 1 (not audit server)
Test Type: Testing
Objective: The evaluator shall establish a session between the TOE and the audit server according to the configuration guidance provided. The evaluator shall then examine the traffic that passes between the audit server and the TOE during several activities of the evaluator's choice designed to generate audit data to be transferred to the audit server. The evaluator shall observe that these data are not able to be viewed in the clear during this transfer, and that they are successfully received by the audit server. The evaluator shall record the particular software (name, version) used on the audit server during testing.
Test Execution Steps:
1. From the audit server, connect to the TOE with the following options:
   a. Secure Connection
   b. Port: 443
   c. OK
2. From the audit server, download the audit logs:
   a. Trace and logs > Audit Logs
3. Examine traffic to ensure it is not plaintext.
Note: This should be repeated for each secure mechanism.
Expected Output: Evidence of steps taken (e.g., screenshots or CLI output). Packet capture showing:
   - Encrypted traffic
   - Establishment of secure session
   - Events that were generated and sent to the audit server
Pass/Fail Criteria: The TOE's connections to an audit server should be protected by TLS.
Results:

6.2 Test Cases (Cryptographic Support)

6.2.1 FCS_CKM.1.1 Test 1

The evaluator shall use the key pair generation portions of "The FIPS 186-3 Digital Signature Algorithm Validation System (DSA2VS)", "The FIPS 186-3 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS)", and "The RSA Validation System (RSA2VS)" as a guide in testing the requirement above, depending on the selection performed by the ST author.

6.2.1.1 Evaluator Findings

The key pair generation portions of "The RSA Validation System (RSA2VS)" were used to perform this assurance activity. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:
Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)
The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux 2.6.

6.2.1.2 CAVP Algorithm Certificate #

1385

6.2.1.3 Verdict

6.2.2 FCS_CKM.1.1 TSS 1

The evaluator shall ensure that the TSS contains a description of how the TSF complies with 800-56A and/or 800-56B, depending on the selections made. This description shall indicate the sections in 800-56A and/or 800-56B that are implemented by the TSF, and the evaluator shall ensure that key establishment is among those sections that the TSF claims to implement. Any TOE-specific extensions, processing that is not included in the documents, or alternative implementations allowed by the documents that may impact the security requirements the TOE is to enforce shall be described.

6.2.2.1 Evaluator Findings

The evaluator examined the TSS to ensure that it contains the information required for compliance with 800-56A and/or 800-56B. Table 19 of section 6.1 of the ST was used to determine the verdict of this work unit. The evaluator found that the TSS claims conformance to NIST 800-56B's standard for a random number generator for RSA key establishment. X.509v3 certificates can also be used for establishing TLS and SIP sessions. There are no TOE-specific extensions or alternative implementations. Based on these findings the work unit is considered satisfied.

6.2.2.2 Verdict

6.2.3 FCS_CKM_EXT.4.1 TSS 1

The evaluator shall check to ensure the TSS describes each of the secret keys (keys used for symmetric encryption), private keys, and CSPs used to generate keys; when they are zeroized (for example, immediately after use, on system shutdown, etc.); and the type of zeroization procedure that is performed (overwrite with zeros, overwrite three times with random pattern, etc.). If different types of memory are used to store the materials to be protected, the evaluator shall check to ensure that the TSS describes the zeroization procedure in terms of the memory in which the data are stored (for example, "secret keys stored on flash are zeroized by overwriting once with zeros, while secret keys stored on the internal hard drive are zeroized by overwriting three times with a random pattern that is changed before each write").
6.2.3.1 Evaluator Findings

The evaluator examined table 20 in section 7.1 of the ST and found the following:

Name | Description | Zeroization
User password | Shared Secret (8-25 characters); used to authenticate the user | Overwrite with new password (NVRAM)
TLS server private key | RSA (1024/1536/2048 bit); Private key used for SSLv3.1/TLS | CLI command zeroize RSA (NVRAM). Command: crypto key zeroise
TLS server public key | RSA (1024/2048/3072 bit); Public key used for SSLv3.1/TLS; verify with command: show crypto key mypubkey all | CLI command zeroize RSA (NVRAM). Command: crypto key zeroise
TLS pre-master secret | Shared Secret (384-bits); Shared Secret created using asymmetric cryptography from which new TLS session keys can be created | Automatically after TLS session terminated. (SDRAM)
TLS session encryption key | Triple-DES (168-bits)/AES (128/196/256-bits); Key used to encrypt TLS session data | Automatically after TLS session terminated. (SDRAM)
TLS session integrity key | HMAC-SHA-1 (160-bits); HMAC-SHA-1 used for TLS data integrity protection | Automatically after TLS session terminated. The entire object is overwritten by 0's. Overwritten with: 0x00 (SDRAM)

Each secret key and CSP is described along with its zeroization characteristics. Based on these findings, this Assurance Activity is considered satisfied.

6.2.3.2 Verdict

6.2.4 FCS_COP.1.1 (1) Test 1

The evaluator shall use tests appropriate to the modes selected in the above requirement from "The Advanced Encryption Standard Algorithm Validation Suite (AESAVS)", "The XTS-AES Validation System (XTSVS)", "The CMAC Validation System (CMACVS)", "The Counter with Cipher Block Chaining Message Authentication Code (CCM) Validation System (CCMVS)", and "The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS)" as a guide in testing the requirement above.

6.2.4.1 Evaluator Findings

The tester verified that multiple modes of operation were tested via the AESAVS. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:
Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)
The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux 2.6.

6.2.4.2 CAVP Algorithm Certificate #

Certificate #2685

6.2.4.3 Verdict
6.2.5 FCS_COP.1.1 (2) Test 1

The evaluator shall use the signature generation and signature verification portions of "The Digital Signature Algorithm Validation System (DSAVS or DSA2VS)", "The Elliptic Curve Digital Signature Algorithm Validation System (ECDSAVS or ECDSA2VS)", and "The RSA Validation System (RSAVS)" as a guide in testing the requirement above. The Validation System used shall comply with the conformance standard identified in the ST (i.e., FIPS PUB 186-2 or FIPS PUB 186-3).

6.2.5.1 Evaluator Findings

The tester confirmed that the module was tested against both the signature generation and verification portions of the RSA2VS. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:
Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)
The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux 2.6.

6.2.5.2 CAVP Algorithm Certificate #

Certificate #1385

6.2.5.3 Verdict

6.2.6 FCS_COP.1.1 (3) Test 1

The evaluator shall use "The Secure Hash Algorithm Validation System (SHAVS)" as a guide in testing the requirement above.

6.2.6.1 Evaluator Findings

The evaluator found that the module's SHS implementation was tested against the SHAVS and that the testing encompassed what was found in the ST. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:
Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)
The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux 2.6.

CAVP Algorithm Certificate #: Certificate #2256

6.2.6.2 Verdict
6.2.7 FCS_COP.1.1 (4) Test 1

The evaluator shall use "The Keyed-Hash Message Authentication Code (HMAC) Validation System (HMACVS)" as a guide in testing the requirement above.

6.2.7.1 Evaluator Findings

The evaluator found that the module's HMAC implementation was tested against the HMACVS and that the testing encompassed what was found in the ST. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:
Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)
The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux 2.6.

6.2.7.2 CAVP Algorithm Certificate #

Certificate #1672

6.2.7.3 Verdict

6.2.8 FCS_RBG_EXT.1.1 Test 1

Documentation shall be produced and the evaluator shall perform the activities in accordance with Annex D, Entropy Documentation and Assessment.

6.2.8.1 Evaluator Findings

See separately submitted Entropy Assessment Report (EAR) for details.

6.2.8.2 Verdict

6.2.9 FCS_RBG_EXT.1.1 Test 2 (SP 800-90A DRBG)

The evaluator shall perform 15 trials for the RBG implementation. If the RBG has prediction resistance enabled, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits, (3) generate a second block of random bits, (4) uninstantiate. If the RBG does not have prediction resistance, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits, (3) reseed, (4) generate a second block of random bits, (5) uninstantiate.

6.2.9.1 Evaluator Findings

The evaluator found that the module's DRBG implementation was tested against the DRBGVS and that the testing encompassed what was found in the ST. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:
Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)
The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux 2.6.

6.2.9.2 CAVP Algorithm Certificate #

Certificate #435

6.2.9.3 Verdict

6.2.10 FCS_RBG_EXT.1.1 Guidance 1 (SP 800-90A DRBG)

The evaluator shall also confirm that the operational guidance contains appropriate instructions for configuring the RBG functionality.

6.2.10.1 Evaluator Findings

The evaluator confirmed that the operational guidance contains appropriate instructions for configuring the RBG functionality. The AGD document and SEC COM document were used to determine the verdict of this work unit. Upon investigation, the evaluator found that there are no RBG specific configuration options available to the user within the TOE. Therefore, this Assurance Activity is considered satisfied.

6.2.10.2 Verdict

6.3 Test Cases (User Data Protection)

6.3.1 FDP_RIP.2.1 TSS 1

The evaluator shall check to ensure that the TSS describes packet processing to the extent that they can determine that no data will be reused when processing network packets. The evaluator shall ensure that this description at a minimum describes how the previous data are zeroized/overwritten, and at what point in the buffer processing this occurs.

6.3.1.1 Evaluator Findings

The evaluator checked to ensure that the TSS describes packet processing to the extent that they can determine that no data will be reused when processing network packets. Table 19 in section 6.1 of the ST was used to determine the verdict of this assurance activity. Upon examination the evaluator found that once packet handling is completed its content is zeroized before the memory which held the packet is re-allocated. This ensures that residual data is never transmitted from the TOE. Based on this the assurance activity is considered satisfied.

6.3.1.2 Verdict
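The 15-trial sequence of FCS_RBG_EXT.1.1 Test 2 (section 6.2.9 above) carried out against a small SP 800-90A HMAC_DRBG built on SHA-256. This is an added example for the reader of this report, not the TOE's RBG and not the CAVP DRBGVS harness; the fixed entropy source, nonce and personalization string are constructed so that the trials are reproducible, and the prediction-resistance variant performs the fresh-entropy reseed explicitly before each generate call.

```python
import hashlib
import hmac

OUTLEN = 32  # SHA-256 output length in bytes


class HmacDrbg:
    """HMAC_DRBG from SP 800-90A section 10.1.2, instantiated with SHA-256.

    Written for this example only: it is neither the TOE's RBG nor the CAVP
    DRBGVS harness, and it has not been validated against any test vectors.
    """

    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: K = 0x00...00, V = 0x01...01, then Update(seed_material)
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1
        self.instantiated = True

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data into the (K, V) working state
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if provided_data:
            self.K = self._hmac(self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.V)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        # Reseed: fresh entropy is folded into the state and the counter restarts
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        # Generate: V = HMAC(K, V) repeatedly, output the concatenation, then Update
        if not self.instantiated:
            raise RuntimeError("DRBG not instantiated")
        if additional_input:
            self._update(additional_input)
        temp = b""
        while len(temp) < num_bytes:
            self.V = self._hmac(self.V)
            temp += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return temp[:num_bytes]

    def uninstantiate(self) -> None:
        # Uninstantiate: zeroise K and V so no state survives the trial
        self.K = b"\x00" * OUTLEN
        self.V = b"\x00" * OUTLEN
        self.reseed_counter = 0
        self.instantiated = False


def fixed_entropy(trial: int, call: int) -> bytes:
    """Constructed, fixed 'entropy' so every trial is reproducible, as a
    known-answer test requires. A real RBG draws this from its entropy source."""
    return hashlib.sha256(b"example-entropy" + bytes([trial, call])).digest()


def run_trials(prediction_resistance: bool, trials: int = 15, block_len: int = 64):
    """Run the trial sequence from FCS_RBG_EXT.1.1 Test 2.

    With prediction resistance each trial is instantiate, generate, generate,
    uninstantiate, with fresh entropy mixed in before each generate.
    Without it each trial is instantiate, generate, reseed, generate,
    uninstantiate. Returns the two output blocks of every trial.
    """
    results = []
    for t in range(trials):
        drbg = HmacDrbg(fixed_entropy(t, 0), nonce=bytes([t]), personalization=b"cucm-aar-example")
        if prediction_resistance:
            drbg.reseed(fixed_entropy(t, 1))  # fresh entropy before the first generate
            block1 = drbg.generate(block_len)
            drbg.reseed(fixed_entropy(t, 2))  # and again before the second
            block2 = drbg.generate(block_len)
        else:
            block1 = drbg.generate(block_len)
            drbg.reseed(fixed_entropy(t, 1))  # explicit reseed between the two blocks
            block2 = drbg.generate(block_len)
        drbg.uninstantiate()
        results.append((block1, block2))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        b1, b2 = run_trials(mode)[0]
        print(f"prediction_resistance={mode}: {b1.hex()[:32]}... / {b2.hex()[:32]}...")
```

With a real RBG the evaluator compares the recorded blocks against the DRBGVS expected values; here the fixed entropy only makes the run repeatable, so reruns must produce identical blocks and every block must differ from every other.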
6.4 Test Cases (Identification and Authentication)

6.4.1 FIA_PMG_EXT.1.1 Guidance 1

The evaluator shall examine the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length.

6.4.1.1 Evaluator Findings

The evaluator examined the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length. The AGD document was used as part of this evaluation. Upon investigation, the evaluator found that section 3.2.2 of the AGD provides instructions and guidance for configuring passwords on the TOE. This includes configuring strong passwords. Based on these findings, this assurance activity is considered satisfied.

6.4.1.2 Verdict

6.4.2 FIA_PMG_EXT.1 Test 1

Test ID: FIA_PMG_EXT.1 Test 1
Test Type: Testing
Objective: The evaluator shall compose passwords that either meet the requirements, or fail to meet the requirements, in some way. For each password, the evaluator shall verify that the TOE supports the password. While the evaluator is not required (nor is it feasible) to test all possible compositions of passwords, the evaluator shall ensure that all characters, rule characteristics, and a minimum length listed in the requirement are supported, and justify the subset of those characters chosen for testing.
Prerequisites: Example password subset:
  Good:
  - Exactly minimum character length, one of each type of character, appended with "!" until the minimum is reached
  - More than minimum character length, all lowercase letters, one number, one special character, one uppercase letter
  - Exactly minimum character length, all numbers, one lowercase letter, one special character, one uppercase letter
  - Exactly minimum character length, equal numbers of uppercase letters, lowercase letters, numbers and special characters
  Bad:
  - Short password
  - One less than minimum character length, with all other requirements met
Test Execution Steps:
  1. Access the TOE's credential policy configuration screen.
     a. User Management > User Credentials > Credential Policy
  2. Configure the TOE to support a minimum password length of 15 characters.
     a. Minimum Credential Length: 15
  3. Attempt to enter a variety of passwords which meet the TOE password criteria.
     a. TestwordOne!
        i. User Management > Application User > <name of user>
        ii. Enter TestwordOne!
     b. TestwordNum@2
        i. User Management > Application User > <name of user>
        ii. Enter TestwordNum@2
     c. TestwordNum@2
        i. User Management > Application User > <name of user>
        ii. Enter TestwordNum@2
     d. testingpassword#3
        i. User Management > Application User > <name of user>
        ii. Enter testingpassword#3
     e. TestPa$$wordFour
        i. User Management > Application User > <name of user>
        ii. Enter TestPa$$wordFour
     f. Te%tP^$$wordFive
        i. User Management > Application User > <name of user>
        ii. Enter Te%tP^$$wordFive
     g. testp*()wordsix
        i. User Management > Application User > <name of user>
        ii. Enter testp*()wordsix
  4. Attempt to enter a variety of passwords which do not meet the TOE password criteria.
     a. Test
        i. User Management > Application User > <name of user>
        ii. Enter Test
     b. TestPa55w*rd
        i. User Management > Application User > <name of user>
        ii. Enter TestPa55w*rd
     c. Testpassword
        i. User Management > Application User > <name of user>
        ii. Enter Testpassword
Expected Output: Evidence (e.g., screen capture or CLI output) from each password creation attempt.
Pass/Fail Criteria: The TOE is capable of accepting appropriate-length passwords which contain the special characters listed in the ST, and rejects passwords which do not meet the minimum length requirement.
Results:

6.4.3 FIA_UIA_EXT.1 TSS 1

The evaluator shall examine the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. This description shall contain information pertaining to the credentials allowed/used, any protocol transactions that take place, and what constitutes a successful logon.

6.4.3.1 Evaluator Findings

The evaluator examined the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. Table 19 of section 6.1 of the ST was used to determine the verdict of this analysis. Users are able to access the TOE through a local console connection or remotely via HTTPS/TLS. The process for authentication is the same regardless of which method is used. Users are required to enter their username and a password to gain administrative access to the TOE. If a login attempt is unsuccessful, the TOE does not provide a reason. Based on this, the assurance activity is considered satisfied.

6.4.3.2 Verdict

6.4.4 FIA_UIA_EXT.1 Guidance 1

The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on. If configuration is necessary to ensure the services provided before login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.

6.4.4.1 Evaluator Findings

The evaluator examined the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.)
to logging in are described. The AGD document was used in this evaluation activity. Upon investigation, the evaluator found that two methods of administration are available to the user:

Local (directly connected) CLI
Remote GUI

Sections 3 and 4 of the AGD document, Secure Installation and Configuration and Secure Management, describe the configuration activities required to configure both individual users of the TOE and the management interfaces themselves to provide the functionality specified in the NDPP. The evaluator found that, other than the creation of an administrative account and password (performed during initial installation), there are no preparatory steps required for secure administrative login. Based on this, the assurance activity is considered satisfied.

6.4.4.2 Verdict

6.4.5 FIA_UIA_EXT.1 Test #1

Test ID: FIA_UIA_EXT.1 Test #1
Test Type: Testing
Objective: The evaluator shall use the operational guidance to configure the appropriate credential supported for the login method. For that credential/login method, the evaluator shall show that providing correct I&A information results in the ability to access the system, while providing incorrect information results in denial of access.
Test Execution Steps:
  1. Attempt to log into the TOE from the CLI by providing bad credentials:
     a. acumensec
     b. test
  2. Attempt to log into the TOE from the GUI by providing bad credentials:
     a. acumensec
     b. test
  3. Log into the CLI with correct credentials:
     a. acumensec
     b. Pa55w*rd
  4. Log into the GUI with correct credentials:
     a. acumensec
     b. Pa55w*rd
Expected Output:
  Evidence (e.g., screen capture or CLI output) from each successful login
  Evidence (e.g., screen capture or CLI output) from each denied login
  Logs showing the successful and unsuccessful logins
Pass/Fail Criteria: The evaluator is able to access the TOE when correct credentials are entered and is denied access when incorrect credentials are used.
Results:

6.4.6 FIA_UIA_EXT.1 Test #2

Test ID: FIA_UIA_EXT.1 Test #2
Test Type: Testing
Objective: The evaluator shall configure the services allowed (if any) according to the operational guidance, and then determine the services available to an external remote entity. The evaluator shall determine that the list of services available is limited to those specified in the requirement.
Test Execution Steps: No services are available prior to login.
  1. Examine the GUI screen to show that no functionality is available prior to authentication
Expected Output: Evidence (e.g., screen capture or CLI output) that no additional services are available
Pass/Fail Criteria: An evaluator should not be able to access any TOE administrative functions prior to authentication.
Results:

6.4.7 FIA_UIA_EXT.1 Test #3

Test ID: FIA_UIA_EXT.1 Test #3
Test Type: Testing
Objective: For local access, the evaluator shall determine what services are available to a local administrator prior to logging in, and make sure this list is consistent with the requirement.
Test Execution Steps: No services are available prior to login.
  1. Examine the local CLI screen to show that no functionality is available prior to authentication
Expected Output: Evidence (e.g., CLI output) to show that no functionality is available prior to authentication
Pass/Fail Criteria: An evaluator should not be able to access any TOE administrative functions prior to authentication.
Results:

6.4.8 FIA_UAU_EXT.2

None. The evaluation of this SFR is tested in conjunction with the testing of FIA_UIA_EXT.1.

6.4.9 FIA_UAU.7 Test #1

Test ID: FIA_UAU.7 Test #1
Test Type: Testing
Objective: The evaluator shall locally authenticate to the TOE. While making this attempt, the evaluator shall verify that at most obscured feedback is provided while entering the authentication information.
Test Execution Steps:
  1. Attempt to log into the local CLI with incorrect credentials:
     a. acumensec
     b. Test
  2. Log into the local CLI with correct credentials:
     a. acumensec
     b. Pa55w*rd
Expected Output: Evidence (e.g., screenshot or CLI output) from each successful and unsuccessful login attempt.
Pass/Fail Criteria: The administrator's password should not be revealed when an evaluator logs in to the TOE through a local console.
Results:

6.4.10 FIA_SIPS_EXT.1 TSS

The evaluator shall examine the TSS to verify that it describes how the SIP session is established. This shall include the initiation of the SIP session, registration of the user, and how both outgoing and incoming calls are handled (initiated, described, and terminated). This description shall also include a description of the handling of the password from the time it is received by the TOE until the time the user is authenticated.

6.4.10.1 Evaluator Findings

The evaluator examined the TSS to verify that it describes how the SIP session is established. Table 19 of section 6.1 was used to determine the verdict of this work unit. The ST states that password authentication is required for the establishment of the SIP REGISTER connection.

6.4.10.2 Verdict

6.4.11 FIA_SIPS_EXT.1 Test #1

Test ID: FIA_SIPS_EXT.1 Test #1
Test Type: Testing
Objective: The evaluator shall follow the procedure for initializing their device to include establishing a connection to the SIP Server. The evaluator shall confirm that they are prompted for a password prior to successfully completing the SIP REGISTER request.
Test Execution Steps:
  1. Verify from a SIP client that no SIP packets were sent prior to presenting authentication credentials
  2. From Cisco Jabber, enter credentials and connect to the TOE:
     a. jabber1
     b. 123Test321
  3. Verify that after logging in via the SIP client, the SIP REGISTER request is completed.
Expected Output: Evidence (e.g., screenshot or CLI output) from each successful and unsuccessful login attempt.
Pass/Fail Criteria: No SIP REGISTER request is completed until a correct password is provided.
Results:

6.4.12 FIA_SIPS_EXT.1 Test #2

Test ID: FIA_SIPS_EXT.1 Test #2
Test Type: Testing
Objective: The evaluator shall follow the procedure for initializing their device to include establishing a connection to the SIP Server. The evaluator shall confirm that entering an incorrect password results in the device not being registered by the SIP Server (e.g. they are unable to successfully place or receive calls). The evaluator shall also confirm that entering the correct password allows the successful registration of the device (e.g. by being able to place and receive calls).
Test Execution Steps:
  1. From the SIP client, attempt to connect to the TOE with incorrect credentials:
     a. jabber1
     b. 12Test2112Test21
  2. Verify that the SIP client does not register to the TOE.
  3. Connect to the TOE using correct credentials:
     a. jabber1
     b. 123Test321
  4. Verify that the connection was made.
Expected Output: Evidence (e.g., screenshot or CLI output) from each successful and unsuccessful login attempt.
Pass/Fail Criteria: Entering an incorrect password prevents an evaluator from establishing a SIP session, while entering a correct password results in a SIP session being established.
Results:

6.4.13 FIA_SIPS_EXT.1 Test #3

Test ID: FIA_SIPS_EXT.1 Test #3
Test Type: Testing
Objective: The evaluator shall set up the test environment such that a variety of passwords are shown to be accepted by the TOE, such that the length and character set identified in FIA_SIPC_EXT.1.3 is represented. The test report shall contain a rationale by the evaluator that the test set used is representative of the allowed lengths and characters.
Test Execution Steps: See FIA_PMG_EXT.1 Test 1.
Expected Output: See FIA_PMG_EXT.1 Test 1.
Pass/Fail Criteria: The requirements of this test were satisfied by FIA_PMG_EXT.1 Test 1. The same password policy is applied to all passwords used by the TOE, so the passwords tested in that test apply to SIP passwords as well.
Results:

6.4.14 FIA_X509_EXT.1 TSS 1

The evaluator shall ensure the TSS describes all certificate stores implemented that contain certificates used to meet the requirements of this EP. This description shall contain information pertaining to how certificates are loaded into storage, and how the storage is protected from unauthorized access.

6.4.14.1 Evaluator Findings

The evaluator examined the TSS to ensure it describes all certificate stores implemented that contain certificates used to meet the requirements of the EP. Table 19 in section 6.1 was used to determine the verdict of this assurance activity. According to the TSS, X.509 certificates are used by the TOE to support authentication for TLS connections. Certificates themselves are protected with digital signatures. Any modification or tampering would result in an invalid hash value. The physical security of the TOE also prevents certificates from being tampered with or deleted. Certificates are stored in a hidden, protected directory that has no external interfaces. Based on this, the assurance activity is considered satisfied.

6.4.14.2 Verdict

6.4.15 FIA_X509_EXT.1 Guidance 1

The evaluator shall examine the guidance documentation to ensure it describes how to configure either the TOE or the environment to prevent unauthorized modification or deletion of the certificates.
6.4.15.1 Evaluator Findings

The evaluator examined the guidance documentation to ensure it describes how to configure the TOE to prevent unauthorized modification or deletion of certificates. The AGD document's description of the TOE's certificate functionality in section 3.2.1 was used to determine the verdict of this work unit. The evaluator found that certificates are controlled through the administrative interface to the TOE. Users without administrative credentials have no access to the TOE's certificate management functionality. Based on this, the assurance activity is considered satisfied.

6.4.15.2 Verdict

6.4.16 FIA_X509_EXT.1 Test #1

Test ID: FIA_X509_EXT.1 Test #1
Test Type: Testing
Objective: The evaluator shall demonstrate that using a certificate without a valid certification path results in the function failing. The evaluator shall then load a certificate or certificates needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator then shall delete one of the certificates, and show that the function fails.
Test Execution Steps:
  1. Attempt to upload a certificate without a valid certification path.
  2. Verify that the TOE rejected the certificate.
  3. Upload a certificate with a valid certification path.
  4. Verify that the certificate was accepted.
Expected Output: Evidence (e.g., screenshot or CLI output) from each successful and unsuccessful login attempt.
Pass/Fail Criteria: Certificates with an invalid certification path are rejected. Certificates with a valid certification path are accepted.
Results:

6.5 Test Cases (Security Management)

6.5.1 FMT_MTD.1 Guidance 1

The evaluator shall review the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions.

6.5.1.1 Evaluator Findings

The evaluator reviewed the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions. The AGD document was used as part of this evaluation activity.
Upon investigation, the evaluator found that the AGD document addresses the configuration of the following items in response to the requirements of the NDPP and the SIP EP:

Section 3.4 Network Protocols and Cryptographic Settings
Section 3.2.3 Logging Configuration
Section 4 Security Management
Section 5 Security Relevant Events (for auditing)
Section 6 Network Services and Protocols

These items combined cover all of the functionality described in the NDPP and the SIP EP. Access to these functions is restricted to administrators because there is no non-administrative access to the TOE. The only user-level access is for SIP clients that use the TOE as a SIP server. Based on these findings, this work unit is considered satisfied.

6.5.1.2 Verdict

6.5.2 FMT_MTD.1 TSS 1

The evaluator shall examine the TSS to determine that, for each administrative function identified in the operational guidance, those that are accessible through an interface prior to administrator log-in are identified. For each of these functions, the evaluator shall also confirm that the TSS details how the ability to manipulate the TSF data through these interfaces is disallowed for non-administrative users.

6.5.2.1 Evaluator Findings

The evaluator examined the TSS to determine what administrative functions are available through an interface prior to administrator log-in. The evaluator examined table 19 of section 6.1 of the ST as part of this analysis. Upon investigation, the evaluator found that all administrative functions must be accessed through the GUI as an authorized administrator, which requires authentication. Based on this, the assurance activity is considered satisfied.

6.5.2.2 Verdict

6.5.3 FMT_SMF.1

None. The security management functions for FMT_SMF.1 are distributed throughout the PP and are included as part of the requirements in FMT_MTD, FPT_TST_EXT, and any cryptographic management functions specified in the reference standards. Compliance with these requirements satisfies compliance with FMT_SMF.1.
6.5.4 FMT_SMR.2 Guidance 1

The evaluator shall review the operational guidance to ensure that it contains instructions for administering the TOE both locally and remotely, including any configuration that needs to be performed on the client for remote administration.

6.5.4.1 Evaluator Findings

The evaluator reviewed the operational guidance to ensure that it contains instructions for administering the TOE both locally and remotely, including any configuration that needs to be performed on the client for remote administration. The AGD document was used to determine the verdict of this work unit. Upon investigation, the evaluator found that the configuration of both local and remote administration is covered in section 4, Secure Management. Additionally, the configuration of session parameters, such as time-out settings, is covered in the administrator configuration section, section 3.2.2. Finally, section 3.4.1, Remote Administration Protocols, describes the configuration requirements of a connected client. Based on these findings, this work unit is considered satisfied.

6.5.4.2 Verdict

6.6 Test Cases (Protection of the TSF)

6.6.1 FPT_SKP_EXT.1 TSS 1

The evaluator shall examine the TSS to determine that it details how any pre-shared keys, symmetric keys, and private keys are stored and that they are unable to be viewed through an interface designed specifically for that purpose, as outlined in the application note. If these values are not stored in plaintext, the TSS shall describe how they are protected/obscured.

6.6.1.1 Evaluator Findings

The evaluator examined the TSS to determine that it details how any pre-shared keys, symmetric keys, and private keys are stored and that they are unable to be viewed through an interface designed specifically for that purpose, as outlined in the application note. Table 19 of section 6.1 of the ST was used to determine the verdict of this work unit. Upon investigation, the evaluator found that:
  1. The TOE stores all private keys in a secure directory that is not readily accessible to administrators.
  2. No pre-shared, symmetric or private keys are stored in plaintext form.
Based on these findings, this Assurance Activity is considered satisfied.

6.6.1.2 Verdict

6.6.2 FPT_APW_EXT.1 TSS 1

The evaluator shall examine the TSS to determine that it details all authentication data that are subject to this requirement, and the method used to obscure the plaintext password data when stored.
6.6.2.1 Evaluator Findings

The evaluator examined the TSS to determine that it details all authentication data that are subject to this requirement, and the method used to obscure the plaintext password data when stored. Table 19 of section 6.1 of the ST was used to determine the verdict of this work unit. Upon investigation, the evaluator found that plaintext user passwords are never disclosed, even to administrators. Based on this, the assurance activity is considered complete.
6.6.2.2 Verdict

6.6.3 FPT_APW_EXT.1 TSS 2

The TSS shall also detail that passwords are stored in such a way that they are unable to be viewed through an interface designed specifically for that purpose, as outlined in the application note.

6.6.3.1 Evaluator Findings

As stated in the FPT_APW_EXT.1 TSS 1 assurance activity, user passwords are never disclosed. There are no interfaces that display user passwords. Based on this, the assurance activity is considered complete.

6.6.3.2 Verdict

6.6.4 FPT_STM.1 TSS 1

The evaluator shall examine the TSS to ensure that it lists each security function that makes use of time. The TSS provides a description of how the time is maintained and considered reliable in the context of each of the time-related functions.

6.6.4.1 Evaluator Findings

The evaluator examined the TSS to ensure that it lists each security function that makes use of time. The TSS provides a description of how the time is maintained and considered reliable in the context of each of the time-related functions. Table 19 of section 6 of the ST was used to determine the verdict of this work unit. Upon investigation, the evaluator found that:

Time stamps are applied to generated audit records.
TOE date and time are used to track inactivity of administrative sessions.
The TOE date and time source is used for cryptographic functions.

Reliability of timestamps is ensured by requiring the TOE to synchronize with an NTP server in the evaluated configuration. The use of multiple NTP servers is recommended to support multiple clusters or servers in different time zones. Based on these findings, the assurance activity is considered satisfied.

6.6.4.2 Verdict

6.6.5 FPT_STM.1 Guidance 1

The evaluator examines the operational guidance to ensure it instructs the administrator how to set the time.

6.6.5.1 Evaluator Findings

The evaluator examined the operational guidance to ensure that it instructs the administrator how to set the time. Section 4.2 of the AGD document was used to determine the verdict of this assurance activity. The evaluator found that the TOE is required to use an NTP server in the evaluated configuration. NTP configuration is performed during setup, and there are instructions on how to add NTP servers after installation as well. Based on this, the assurance activity is considered satisfied.

6.6.5.2 Verdict

6.6.6 FPT_STM.1 Guidance 2

If the TOE supports the use of an NTP server, the operational guidance instructs how a communication path is established between the TOE and the NTP server, and any configuration of the NTP client on the TOE to support this communication.

6.6.6.1 Evaluator Findings

The evaluator examined the operational guidance to ensure that it instructs the administrator how to set the time. Section 4.2 of the AGD document was used to determine the verdict of this assurance activity. The evaluator found that the TOE is required to use an NTP server in the evaluated configuration. NTP configuration is performed during setup, and there are instructions on how to add NTP servers after installation as well. Based on this, the assurance activity is considered satisfied.

6.6.6.2 Verdict

6.6.7 FPT_STM.1 Test #1

Test ID: FPT_STM.1 Test #1
Test Type: Testing
Objective: The evaluator uses the operational guide to set the time. The evaluator shall then use an available interface to observe that the time was set correctly.
Test Execution Steps:
  1. Configure the TOE to support an NTP server
     a. Settings -> NTP Servers
  2. Verify that the time was updated
  3. Attempt to delete the NTP server
Expected Output:
  Evidence (e.g., screenshot or CLI output) from each time change.
  Evidence (e.g., screenshot or CLI output) from each time verification.
  Logs showing each time change.
Pass/Fail Criteria: An administrator should be able to set the time on the TOE.
Results:

6.6.8 FPT_STM.1 Test #2

Test ID: FPT_STM.1 Test #2
Test Type: Testing
Objective: If the TOE supports the use of an NTP server, the evaluator shall use the operational guidance to configure the NTP client on the TOE, and set up a communication path with the NTP server. The evaluator will observe that the NTP server has set the time to what is expected.
Prerequisites: TOE supports an NTP server
Test Bed: Testbed #1
Test Execution Steps:
  1. Configure the NTP services on the TOE (using the user guide).
  2. Verify the time via the local console
  3. Query the time from a remote console
Expected Output:
  Evidence (e.g., screenshot or CLI output) of configuring the use of an NTP server.
  Evidence (e.g., screenshot or CLI output) of the action used to trigger the use of the time server.
Pass/Fail Criteria: The test case demonstrates that, when the TOE is configured to use an NTP server, the TOE updates its time to the time of the server.
Results:

6.6.9 FPT_TUD_EXT.1 TSS 1

Updates to the TOE either have a hash associated with them, or are signed by an authorized source. If digital signatures are used, the definition of an authorized source is contained in the TSS, along with a description of how the certificates used by the update verification mechanism are contained on the device. The evaluator ensures this information is contained in the TSS.

6.6.9.1 Evaluator Findings

Table 19 in section 6.1 of the ST was used to determine the verdict of this work unit. The evaluator found that digital signatures are used to verify software/firmware update files. Authorized sources are the original update files distributed by Cisco. SHA-512 hashes are used to ensure that update files have not been tampered with compared to the originals. Software authentication information such as image credentials, signing information and verification keys are stored on the TOE. Based on this, the assurance activity is considered satisfied.
6.6.9.2 Verdict

6.6.10 FPT_TUD_EXT.1 TSS 2

The evaluator also ensures that the TSS (or the operational guidance) describes how the candidate updates are obtained; the processing associated with verifying the digital signature or calculating the hash of the updates; and the actions that take place for successful (hash or signature was verified) and unsuccessful (hash or signature could not be verified) cases.
6.6.10.1 Evaluator Findings

The evaluator ensured that the TSS (or the operational guidance) describes how the candidate updates are obtained; the processing associated with verifying the digital signature or calculating the hash of the updates; and the actions that take place for successful (hash or signature was verified) and unsuccessful (hash or signature could not be verified) cases. Both the ST and the AGD documents were used to determine the verdict of this work unit. Upon investigation, the evaluator found that section 6.1, table 19, of the ST describes the type of integrity test used to verify signatures (digital signature) and section 4.5, Product Updates, of the AGD document describes the actual procedures for updating the TOE software. Based on these findings, this assurance activity is considered satisfied.

6.6.10.2 Verdict

6.6.11 FPT_TUD_EXT.1 Test #1

Test ID: FPT_TUD_EXT.1 Test #1
Test Type: Testing
Objective: The evaluator performs the version verification activity to determine the current version of the product. The evaluator obtains a legitimate update using procedures described in the operational guidance and verifies that it is successfully installed on the TOE. Then, the evaluator performs a subset of other assurance activity tests to demonstrate that the update functions as expected. After the update, the evaluator performs the version verification activity again to verify the version correctly corresponds to that of the update.
Prerequisite: A new image is uploaded to the TOE
Test Execution Steps:
  1. Verify the current version of the TOE:
     a. The information is listed on the initial screen
  2. Perform an upgrade to the TOE:
     a. Software Upgrades -> Software Installation/Upgrade
  3. Restart the TOE
  4. Verify the new version of the TOE:
     a. Settings -> Version
Expected Output:
  Evidence (e.g., screenshot or CLI output) from executing the version verification (with TOE version).
  Logs showing the execution of the show version actions.
  Evidence (e.g., screenshot or CLI output) from executing the software update, including the integrity verification.
  Logs showing the initiation of the software update.
  Evidence (e.g., screenshot or CLI output) from executing the new version verification (with TOE version).
Pass/Fail Criteria:
Results: The tester was able to verify the current version of software as was required by the first part of the test. The tester was then able to obtain a software update and perform an upgrade. The tester was then able to verify that the new software was installed and re-performed FIA_UAU.7 (which passed).

6.6.12 FPT_TUD_EXT.1 Test #2

Test ID: FPT_TUD_EXT.1 Test #2
Test Type: Testing
Objective: The evaluator performs the version verification activity to determine the current version of the product. The evaluator obtains or produces an illegitimate update, and attempts to install it on the TOE. The evaluator verifies that the TOE rejects the update.
Prerequisites: New software version is available
Test Bed: Testbed #1
Test Execution Steps:
  1. Corrupt a TOE software image. This was done by changing a single byte in the image.
  2. Attempt to upload the corrupted image to the TOE
  3. Verify that the corrupt image was not accepted
Expected Output:
  Description of how the software was corrupted.
  Evidence (e.g., screenshot or CLI output) from executing the software update, including the integrity failure.
  Logs showing the initiation/failure of the software update.
Pass/Fail Criteria: The corrupted software image is NOT accepted or loaded by the TOE.
Results:

6.6.13 FPT_TST_EXT.1.1 TSS 1

The evaluator shall examine the TSS to ensure that it details the self-tests that are run by the TSF on start-up; this description should include an outline of what the tests are actually doing (e.g., rather than saying "memory is tested", a description similar to "memory is tested by writing a value to each memory location and reading it back to ensure it is identical to what was written" shall be used).
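The FPT_TUD_EXT.1 Test #1 and Test #2 procedures above, as an added example that is not part of this report and not the TOE's update code: a SHA-512 digest check of the kind the TSS describes, run against a constructed image whose header format, version strings (1.0.0-example, 2.0.0-example) and payload are placeholders. It models hash verification only, not the Cisco signature verification the TSS also mentions, and it generalises Test #2 from one changed byte to every byte position of the image.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

HEADER = b"VERSION:"   # constructed header for the example image format


def build_image(version: str, payload: bytes) -> bytes:
    # Constructed image layout: one header line carrying the version string,
    # followed by the opaque payload.
    return HEADER + version.encode("ascii") + b"\n" + payload


def parse_version(image: bytes) -> str:
    header, sep, _ = image.partition(b"\n")
    if not sep or not header.startswith(HEADER):
        raise ValueError("malformed image header")
    return header[len(HEADER):].decode("ascii")


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


@dataclass
class UpdateTarget:
    """Stand-in for the TOE's update function: the running version plus a log
    of accepted and rejected installation attempts (the 'logs showing the
    initiation/failure of the software update' the test expects)."""
    version: str
    log: list = field(default_factory=list)

    def install_update(self, image: bytes, expected_sha512_hex: str) -> bool:
        """Activate the image only if its SHA-512 digest matches the value that
        accompanies the legitimate update; return True on success."""
        actual = sha512_hex(image)
        # Constant-time comparison, and verification before parsing, so the
        # bytes of a rejected image are never interpreted.
        if not hmac.compare_digest(actual, expected_sha512_hex.lower()):
            self.log.append(f"REJECTED: sha512 mismatch ({actual[:16]}...)")
            return False
        self.version = parse_version(image)
        self.log.append(f"INSTALLED: version {self.version}")
        return True


def corrupt_single_byte(image: bytes, offset: int) -> bytes:
    # Test #2 corrupts the image by changing a single byte; XOR with 0x01
    # guarantees the byte differs from the original.
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


def run_tud_test_1(target: UpdateTarget, image: bytes, digest: str):
    """Test #1: record the version, install the legitimate image, record the
    version again. Returns (version before, version after, accepted)."""
    before = target.version
    accepted = target.install_update(image, digest)
    return before, target.version, accepted


def run_tud_test_2(target: UpdateTarget, image: bytes, digest: str) -> bool:
    """Test #2 over every byte position: each single-byte corruption must be
    rejected and must leave the running version unchanged."""
    version_before = target.version
    for offset in range(len(image)):
        if target.install_update(corrupt_single_byte(image, offset), digest):
            return False
        if target.version != version_before:
            return False
    return True


# Constructed sample: the versions and payload are placeholders, not product values.
SAMPLE_PAYLOAD = bytes(range(256))
SAMPLE_IMAGE = build_image("2.0.0-example", SAMPLE_PAYLOAD)
SAMPLE_DIGEST = sha512_hex(SAMPLE_IMAGE)

if __name__ == "__main__":
    toe = UpdateTarget("1.0.0-example")
    print("Test #1 (before, after, accepted):", run_tud_test_1(toe, SAMPLE_IMAGE, SAMPLE_DIGEST))
    print("Test #2 every corrupted image rejected:",
          run_tud_test_2(UpdateTarget("1.0.0-example"), SAMPLE_IMAGE, SAMPLE_DIGEST))
```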
6.6.13.1 Evaluator Findings
The evaluator examined the TSS to ensure that it details the self-tests that are run by the TSF on start-up, including an outline of what the tests are actually doing (e.g., rather than saying "memory is tested", a description similar to "memory is tested by writing a value to each memory location and reading it back to ensure it is identical to what was written"). Table 19 of Section 6.1 was used to determine the verdict of this work unit.
The evaluator found that the TOE's start-up tests:
Verify that the correct version of the TOE software is running.
Verify that cryptographic operations are performing as expected.
Based on these findings the assurance activity is considered satisfied.
6.6.13.2 Verdict

6.6.14 FPT_TST_EXT.1.1 TSS 2
The evaluator shall ensure that the TSS makes an argument that the tests are sufficient to demonstrate that the TSF is operating correctly.
6.6.14.1 Evaluator Findings
The evaluator ensured that the TSS makes an argument that the tests are sufficient to demonstrate that the TSF is operating correctly. Section 6.1, Table 19, of the ST was used as part of this evaluation activity. Upon investigation, the evaluator found that the ST describes the suite of tests run at start-up and that these tests verify the correct operation of the TOE. They also verify that the correct version of the TOE software is running. Based on these findings, this assurance activity is considered satisfied.
6.6.14.2 Verdict

6.6.15 FPT_TST_EXT.1.1 Guidance 1
The evaluator shall also ensure that the operational guidance describes the possible errors that may result from such tests, and actions the administrator should take in response; these possible errors shall correspond to those described in the TSS.
6.6.15.1 Evaluator Findings
The evaluator ensured that the operational guidance describes the possible errors that may result from such tests and the actions the administrator should take in response, and that these errors correspond to those described in the TSS. The AGD document was used as part of this evaluation activity. Upon investigation, the evaluator found that the self-tests run by the TOE are described in section 3.2.1. If any of the self-tests fail, the TOE transitions into an error state. In the error state all secure management and data transmission affected by the failure is halted and the TOE outputs status information indicating the failure. An administrator may still be able to log on to troubleshoot the issue. Based on this the assurance activity is considered satisfied.
6.6.15.2 Verdict
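The two behaviours evaluated under FPT_TUD_EXT.1 Test #2 and FPT_TST_EXT.1.1 above (rejecting an update image in which a single byte has been changed, and entering an error state when a power-up self-test fails) are modelled in the following added example. It is illustrative code written for the reader of this report, not code from the TOE, from Cisco or from the evaluation. The Toe class, the image bytes, the version strings and the "published" hash are all constructed for the example; the known-answer vectors are the public SHA-256("abc") value from FIPS 180-2 and HMAC-SHA-256 test case 1 from RFC 4231. The TOE's real update verification (hash or signature, per AGD_OPE.1 Guidance 3) is described only in the guidance and is not reproduced here.

```python
"""Added example, not code from the TOE or the evaluation: a minimal model of
power-up self-tests (FPT_TST_EXT.1) and hash-verified software updates
(FPT_TUD_EXT.1). All images, hashes and versions below are constructed."""
import hashlib
import hmac

# Known-answer vectors for the power-up self-test:
# SHA-256("abc") from FIPS 180-2 and HMAC-SHA-256 test case 1 from RFC 4231.
SHA256_KAT_INPUT = b"abc"
SHA256_KAT_EXPECTED = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
HMAC_KAT_KEY = b"\x0b" * 20
HMAC_KAT_DATA = b"Hi There"
HMAC_KAT_EXPECTED = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


def power_up_self_test(sha256=hashlib.sha256):
    """Run the known-answer tests and return {test_name: passed}.

    `sha256` is injectable only so the error-state path can be exercised by
    handing in a broken primitive; a real TOE tests its fixed engine."""
    results = {}
    results["sha256_kat"] = hmac.compare_digest(
        sha256(SHA256_KAT_INPUT).hexdigest(), SHA256_KAT_EXPECTED)
    results["hmac_sha256_kat"] = hmac.compare_digest(
        hmac.new(HMAC_KAT_KEY, HMAC_KAT_DATA, "sha256").hexdigest(), HMAC_KAT_EXPECTED)
    return results


def broken_sha256(data):
    """Deliberately wrong primitive (SHA-1 in SHA-256's place), used only to
    demonstrate the self-test failure path."""
    return hashlib.sha1(data)


def image_digest(image):
    """Hash an update image the way the publisher would when posting its hash."""
    return hashlib.sha256(image).hexdigest()


class Toe:
    """Hypothetical device: boots through self-tests, then accepts only updates
    whose SHA-256 matches the hash published with the update."""

    def __init__(self, version, image):
        self.version = version
        self.image = image
        self.state = "operational"
        self.log = []

    def boot(self, sha256=hashlib.sha256):
        failed = [name for name, ok in power_up_self_test(sha256).items() if not ok]
        if failed:
            # As the AGD describes: halt affected secure services, report the
            # failure, and stay reachable so an administrator can troubleshoot.
            self.state = "error"
            self.log.append("self-test FAILED (%s); secure services halted" % ", ".join(failed))
        else:
            self.state = "operational"
            self.log.append("self-tests passed; running version %s" % self.version)
        return self.state

    def show_version(self):
        return self.version

    def install_update(self, new_version, image, published_sha256):
        """Verify before install. A corrupted image leaves version and image unchanged."""
        actual = image_digest(image)
        if not hmac.compare_digest(actual, published_sha256.lower()):
            self.log.append("update %s REJECTED: hash mismatch" % new_version)
            return False
        self.version = new_version
        self.image = image
        self.log.append("update %s installed" % new_version)
        return True


def corrupt_one_byte(image, offset):
    """The corruption used in FPT_TUD_EXT.1 Test #2: change a single byte."""
    data = bytearray(image)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    toe = Toe("1.0", b"constructed image v1.0")
    print("boot:", toe.boot())
    good_image = b"constructed image v2.0"
    published = image_digest(good_image)            # hash as supplied with the update
    print("good update:", toe.install_update("2.0", good_image, published), toe.show_version())
    bad_image = corrupt_one_byte(good_image, 7)
    print("corrupt update:", toe.install_update("2.1", bad_image, published), toe.show_version())
    print("boot with broken hash engine:", Toe("2.0", good_image).boot(sha256=broken_sha256))
    print("\n".join(toe.log))
```

The hash comparison uses a constant-time compare and is done before any state changes, so a rejected image cannot leave the device half-updated; the version reported afterwards is the evaluator's evidence that nothing was loaded.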
6.7 Test Cases (TOE Access)

6.7.1 FTA_SSL_EXT.1 Test #1
Test ID: FTA_SSL_EXT.1 Test #1
Test Type: Testing
Objective: The evaluator follows the operational guidance to configure several different values for the inactivity time period referenced in the component. For each period configured, the evaluator establishes a local interactive session with the TOE. The evaluator then observes that the session is either locked or terminated after the configured time period. If locking was selected from the component, the evaluator then ensures that re-authentication is needed when trying to unlock the session.
Test Flow (generic test steps):
1. Configure a local time-out period on administrative sessions.
2. Log onto the local administrative interface and let it sit idle for the configured time period.
3. Verify that the session was locked or terminated.
4. If the session was locked, verify that it requires re-authentication.
5. Repeat with different values for the time-out period.
Expected Output:
Evidence (e.g., screenshot or CLI output) from configuring the time-out.
Log showing the time-out period being changed.
Log showing the administrative log on (with time).
Evidence (e.g., screenshot or CLI output) showing the administrator being locked out/terminated.
Log showing the lock out/termination.
Repeat for each set of values.
Pass/Fail Criteria:
Results: The TOE logged the administrative user out automatically after each configured inactivity period.

6.7.2 FTA_SSL.3 Test #1
Test ID: FTA_SSL.3 Test #1
Test Type: Testing
Objective: The evaluator follows the operational guidance to configure several different values for the inactivity time period referenced in the component. For each period configured, the evaluator establishes a remote interactive session with the TOE. The evaluator then observes that the session is terminated after the configured time period.
Test Execution Steps:
1. Configure a remote time-out period on administrative sessions.
2. Log onto the remote administrative interface and let it sit idle for the configured time period.
3. Verify that the session was terminated.
4. Repeat with different values for the time-out period.
Expected Output:
Evidence (e.g., screenshot or CLI output) from configuring the time-out.
Log showing the time-out period being changed.
Log showing the administrative log on (with time).
Evidence (e.g., screenshot or CLI output) showing the administrator being terminated.
Log showing the termination.
Repeat for each test.
Pass/Fail Criteria: Users who are inactive on a remote administrative interface for a designated amount of time are disconnected for inactivity.
Results:

6.7.3 FTA_SSL.4 Test #1
Test ID: FTA_SSL.4 Test #1
Test Type: Testing
Objective: The evaluator initiates an interactive local session with the TOE. The evaluator then follows the operational guidance to exit or log off the session and observes that the session has been terminated.
Test Execution Steps:
1. Log into the TOE through the local interface: acumensec Pa55w*rd
2. Exit the local interface: quit
Expected Output:
Evidence (e.g., screenshot or CLI output) from logging into the TOE locally.
Evidence (e.g., screenshot or CLI output) showing the log out.
Pass/Fail Criteria: The tester is able to log into the TOE and also log out of the TOE via the local interface.
Results:

6.7.4 FTA_SSL.4 Test #2
Test ID: FTA_SSL.4 Test #2
Test Type: Testing
Objective: The evaluator initiates an interactive remote session with the TOE. The evaluator then follows the operational guidance to exit or log off the session and observes that the session has been terminated.
Test Execution Steps:
1. Log into the TOE via the remote GUI: acumensec Pa55w*rd
2. Log out of the TOE from the remote GUI: Logout
Expected Output:
Evidence (e.g., screenshot or CLI output) from logging into the TOE remotely.
Evidence (e.g., screenshot or CLI output) showing the log out.
Pass/Fail Criteria: The tester is able to log into the TOE and also log out of the TOE via the remote interface.
Results:

6.7.5 FTA_TAB.1 TSS 1
The evaluator shall check the TSS to ensure that it details each method of access (local and remote) available to the administrator (e.g., serial port, SSH, HTTPS).
6.7.5.1 Evaluator Findings
The evaluator examined the TSS to ensure that it details each method of access available to the administrator. Table 19 of section 6.1 of the ST was used to determine the verdict of this assurance activity. In the Table 19 entry for FMT_SMR.2 the TSS states that the TOE supports local administration via a directly connected console and remote authentication via TLS/HTTPS. Based on this the assurance activity is considered satisfied.
6.7.5.2 Verdict

6.7.6 FTA_TAB.1 Test #1
Test ID: FTA_TAB.1 Test #1
Test Type: Testing
Objective: The evaluator follows the operational guidance to configure a notice and consent warning message. The evaluator shall then, for each method of access specified in the TSS, establish a session with the TOE. The evaluator shall verify that the notice and consent warning message is displayed in each instance.
Test Execution Steps:
1. Upload a notice and consent message to the TOE as a .txt file.
2. Log into the TOE from the local CLI.
3. Verify that the banner was presented.
4. Log into the TOE from the remote GUI.
5. Verify that the banner was presented.
Expected Output:
Evidence (e.g., screenshot or CLI output) from configuring the warning message.
Evidence (e.g., screenshot or CLI output) from logon with warning.
Same evidence for each access attempt.
Pass/Fail Criteria: The uploaded notice and consent warning should be displayed each time the evaluator attempts to log in to the TOE.
Results:

6.8 Test Cases (Trusted Path/Channels)

6.8.1 FTP_ITC.1(1) TSS 1
The evaluator shall examine the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each communications mechanism is identified in terms of the allowed protocols for that IT entity.
6.8.1.1 Evaluator Findings
The evaluator examined the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each communications mechanism is identified in terms of the allowed protocols for that IT entity. Table 19 of section 6.1 of the ST was used in this analysis. The evaluator found that TLS is used to protect communications between the TOE and the remote audit server. Based on this the assurance activity is considered satisfied.
6.8.1.2 Verdict

6.8.2 FTP_ITC.1(1) TSS 2
The evaluator shall also confirm that all protocols listed in the TSS are specified and included in the requirements in the ST.
6.8.2.1 Evaluator Findings
The evaluator examined the ST to confirm that all protocols listed in the TSS are specified and included in the requirements in the ST. Upon examination the evaluator found that the module supports TLS and HTTPS. In support of these protocols the ST includes:
FCS_TLS_EXT.1
FCS_HTTPS_EXT.1
Based on these findings, the work unit is considered satisfied.
6.8.2.2 Verdict

6.8.3 FTP_ITC.1(1) Guidance 1
The evaluator shall confirm that the operational guidance contains instructions for establishing the allowed protocols with each authorized IT entity, and that it contains recovery instructions should a connection be unintentionally broken.
6.8.3.1 Evaluator Findings
The evaluator confirmed that the operational guidance contains instructions for establishing the allowed protocols with each authorized IT entity, and that it contains recovery instructions should a connection be unintentionally broken. The AGD document was used as part of this evaluation. Upon investigation the evaluator found that the TOE is set up for secure management by default. An administrative user only needs to use an appropriate web browser to connect to the management GUI address provided in the guidance. If a connection is interrupted for any reason it must be re-established manually by going back to the address described above. SIP connections need to be set up by following the directions in section 3.4.2 of the AGD. Connections to clients must be re-established manually in the event that they are broken, while the TOE will attempt to re-establish SIP trunks on its own if they go down. Based on this the assurance activity is considered satisfied.
6.8.3.2 Verdict

6.8.4 FTP_ITC.1(1) Test #1
Test ID: FTP_ITC.1(1) Test #1
Test Type: Testing
Objective: The evaluators shall ensure that communications using each protocol with each authorized IT entity is tested during the course of the evaluation, setting up the connections as described in the operational guidance and ensuring that communication is successful. For each protocol that the TOE can initiate as defined in the requirement, the evaluator shall follow the operational guidance to ensure that in fact the communication channel can be initiated from the TOE. The evaluator shall ensure, for each communication channel with an authorized IT entity, the channel data is not sent in plaintext.
Prerequisites: This will cover Tests 1, 2, and 3 in the Assurance Activities.
Test Execution Steps: See FAU_STG_EXT.1 Test 1.
Expected Output: See FAU_STG_EXT.1 Test 1.
Execution Output: See FAU_STG_EXT.1 Test 1.
Pass/Fail Criteria:
Results: This test was performed in conjunction with FAU_STG_EXT.1. The only type of device covered by FTP_ITC.1(1) is an external audit server, and TLS/HTTPS is the only type of connection method that is required. As shown by the screenshots and packet captures in FAU_STG_EXT.1, the TOE is capable of using TLS/HTTPS to provide a trusted communication channel between itself and an audit server.

6.8.5 FTP_ITC.1(1) Test #2
Test ID: FTP_ITC.1(1) Test #2
Test Type: Testing
Objective: The evaluators shall, for each protocol associated with each authorized IT entity tested during test 1, physically interrupt the connection. The evaluator shall ensure that when physical connectivity is restored, communications are appropriately protected.
Test Execution Steps:
1. From the syslog server, connect to the TOE to collect audit records. (Secure connection on 443: ok)
2. Verify the connection is via TLS.
3. Disconnect the TOE from the syslog server.
4. Verify that no plaintext audit records are sent.
5. Reconnect the TOE and the syslog server.
6. Verify that a protected connection is re-established.
Expected Output:
Packet capture showing the secure connection to the audit server.
Evidence showing the disconnection.
Packet capture showing the secure reconnection to the audit server (with encrypted traffic and session establishment).
Pass/Fail Criteria: When a physical connection between the TOE and a remote audit server is interrupted, no unprotected data should be sent after that connection is restored.
Results:

6.8.6 FTP_ITC.1(2) TSS 1
The evaluator shall check the TSS section to confirm that it describes how this requirement is implemented in the TOE.
6.8.6.1 Evaluator Findings
The evaluator examined the TSS to confirm that it describes how FTP_ITC.1(2) is implemented in the TOE. Table 19 of section 6.1 was used to determine the verdict of this assurance activity. The evaluator found that communications between the TOE and SIP clients are protected using TLS. This provides a secure communications channel to send and receive calls. Based on this the assurance activity is considered satisfied.
6.8.6.2 Verdict
6.8.7 FTP_ITC.1(2) Test #1
Test ID: FTP_ITC.1(2) Test #1
Test Type: Testing
Objective: The evaluator shall verify that communication can be initiated from a SIP client.
Prerequisites: The TOE and a SIP client should be set up to be able to communicate with each other.
Test Execution Steps:
1. From Cisco Jabber, connect to the TOE: jabber1 123Test321
2. Verify that Jabber connected to the TOE.
3. Verify that the connection was a SIP connection.
Expected Output:
Evidence of connecting to the TOE.
Wire capture showing the connection.
Pass/Fail Criteria: A SIP client should be able to initiate a SIP connection to the TOE.
Results:

6.8.8 FTP_ITC.1(3) TSS
The evaluator shall check the TSS section to confirm that it describes how this requirement is implemented in the TOE.
6.8.8.1 Evaluator Findings
The evaluator examined the TSS to confirm that it describes how FTP_ITC.1(3) is implemented in the TOE. Table 19 of section 6.1 was used to determine the verdict of this assurance activity. The evaluator found that communications between the TOE and another SIP server are protected using TLS. This provides a secure communications channel to send and receive calls. Based on this the assurance activity is considered satisfied.
6.8.8.2 Verdict

6.8.9 FTP_ITC.1(3) Test #1
Test ID: FTP_ITC.1(3) Test #1
Test Type: Testing
Objective: The evaluator shall verify that communication can be initiated from both the TSF and another SIP Server.
Prerequisites: The TOE and a peer SIP Server need to be capable of communicating with each other.
Test Execution Steps:
1. Configure two separate instances of the TOE to connect. This will show a SIP connection initiated from both the TOE and an external SIP server.
2. Initiate SIP communication from one instance of the TOE to another.
3. Verify that a connection between the two is established.
Expected Output:
Evidence of configuration of both the TOE and the peer TOE.
Wire capture of the connection showing the SIP connection.
Pass/Fail Criteria: Both the TOE and a second SIP server are capable of initiating SIP connections to each other.
Results:

6.8.10 FTP_TRP.1 TSS 1
The evaluator shall examine the TSS to determine that the methods of remote TOE administration are indicated, along with how those communications are protected.
6.8.10.1 Evaluator Findings
The evaluator examined the TSS to determine that the methods of remote TOE administration are indicated, along with how those communications are protected. Table 19 of section 6.1 of the ST was used to determine the verdict of this work unit. Upon investigation, the evaluator found that all remote administrative access is protected by TLS/HTTPS. Based on these findings, this assurance activity is considered satisfied.
6.8.10.2 Verdict

6.8.11 FTP_TRP.1 TSS 2
The evaluator shall also confirm that all protocols listed in the TSS in support of TOE administration are consistent with those specified in the requirement, and are included in the requirements in the ST.
6.8.11.1 Evaluator Findings
The evaluator examined the ST to confirm that all protocols listed in the TSS in support of TOE administration are specified and included in the requirements in the ST. Upon examination the evaluator found that TLS and HTTPS are used for remote administration. In support of these protocols the ST includes:
FCS_TLS_EXT.1
FCS_HTTPS_EXT.1
Based on these findings, the work unit is considered satisfied.
6.8.11.2 Verdict

6.8.12 FTP_TRP.1 Guidance 1
The evaluator shall confirm that the operational guidance contains instructions for establishing the remote administrative sessions for each supported method.
6.8.12.1 Evaluator Findings
The evaluator examined the operational guidance to determine if it contains instructions for establishing remote administrative sessions for each supported method. The AGD document was used as part of this evaluation activity. Upon investigation, the evaluator found that the TOE supports one type of remote administration, a GUI over HTTPS/TLS. No configuration activities are required for this functionality.
6.8.12.2 Verdict

6.8.13 FTP_TRP.1 Test #1
Test ID: FTP_TRP.1 Test #1
Test Type: Testing
Objective: The evaluators shall ensure that communications using each specified (in the operational guidance) remote administration method is tested during the course of the evaluation, setting up the connections as described in the operational guidance and ensuring that communication is successful. For each method of remote administration supported, the evaluator shall follow the operational guidance to ensure that there is no available interface that can be used by a remote user to establish a remote administrative session without invoking the trusted path. The evaluator shall ensure, for each method of remote administration, the channel data is not sent in plaintext.
Prerequisites: This will cover Tests 1 and 3 in the Assurance Activities.
Test Execution Steps:
1. HTTP is not supported; no additional configuration is required.
2. Log into the TOE.
3. Verify that the communication is via TLS.
Expected Output:
Evidence (e.g., screenshot or CLI output) from secure connection configuration.
Logs for configuration of the secure connection.
Packet capture of secure remote administration, including session establishment and encrypted packets.
Same evidence as above for each connection method.
Pass/Fail Criteria: The remote administrative session with the TOE occurs over TLS.
Results:
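The packet-capture checks in the trusted channel and trusted path tests above (is the audit, SIP or management traffic actually TLS, with nothing sent in the clear) and the per-ciphersuite check under FCS_TLS_EXT.1.1 Test #1 in section 6.9 both come down to reading the ServerHello off the wire. The following added example, written for the reader of this report and not taken from the TOE, the evaluation or Wireshark, shows that check in code: it splits a byte stream into TLS records, finds the ServerHello, extracts the selected cipher suite and reports whether that suite is one of the seven the ST claims. The IANA code points are the standard ones; the sample ServerHello record and the plaintext syslog line are constructed in the block and are not from a real capture.

```python
"""Added example, not code from the TOE or the evaluation: the checks an
evaluator applies to a captured byte stream: is it TLS at all (no plaintext),
which cipher suite did the ServerHello select, and is that suite claimed in
the ST. The sample records below are constructed; nothing is read from a
real capture."""
import struct

# IANA code points for the cipher suites the ST claims under FCS_TLS_EXT.1.1.
CLAIMED_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 0x14, 0x15, 0x16, 0x17
HS_SERVER_HELLO = 0x02
TLS12 = 0x0303


def build_server_hello(suite, server_random=b"\x11" * 32, session_id=b""):
    """Constructed TLS 1.2 ServerHello record (no extensions), used as sample input."""
    body = (struct.pack("!H", TLS12) + server_random + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")            # compression method: null
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE]) + struct.pack("!HH", TLS12, len(handshake)) + handshake


def iter_records(stream):
    """Yield (content_type, version, payload) per TLS record; ValueError if the bytes are not TLS."""
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in (CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA) \
                or version >> 8 != 0x03:
            raise ValueError("not a TLS record at offset %d" % off)
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % off)
        yield ctype, version, payload
        off += 5 + length


def iter_handshakes(payload):
    """Yield (handshake_type, body) for each handshake message packed into one record."""
    off = 0
    while off < len(payload):
        hs_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield hs_type, body
        off += 4 + length


def server_hello_suite(body):
    """Selected suite from a ServerHello body: version(2) random(32) sid_len(1) sid suite(2)."""
    sid_len = body[34]
    pos = 35 + sid_len
    return struct.unpack("!H", body[pos:pos + 2])[0]


def is_plaintext(stream):
    """True if the bytes do not parse as TLS records (e.g. a syslog line sent in the clear)."""
    try:
        for _ in iter_records(stream):
            pass
    except ValueError:
        return True
    return False


def negotiated_suite(stream):
    """Report the suite selected in the first ServerHello and whether the ST claims it."""
    for ctype, _version, payload in iter_records(stream):
        if ctype != CT_HANDSHAKE:
            continue
        for hs_type, body in iter_handshakes(payload):
            if hs_type == HS_SERVER_HELLO:
                suite = server_hello_suite(body)
                return {"suite": suite,
                        "name": CLAIMED_SUITES.get(suite, "unknown 0x%04X" % suite),
                        "claimed": suite in CLAIMED_SUITES}
    raise ValueError("no ServerHello in stream")


if __name__ == "__main__":
    for suite in CLAIMED_SUITES:
        print(negotiated_suite(build_server_hello(suite)))
    print(negotiated_suite(build_server_hello(0x000A)))         # 3DES suite: not claimed
    print(is_plaintext(b"<13>Aug 26 10:00:00 toe audit: admin login"))  # constructed syslog line
```

Running the ServerHello check once per claimed suite, with the peer restricted to offering only that suite, is what turns "TLS was observed" into the per-suite evidence FCS_TLS_EXT.1.1 Test #1 asks for; the plaintext check is the one to run on the capture taken while the audit server link is down in FTP_ITC.1(1) Test #2.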
6.9 Test Cases (TLS)

6.9.1 FCS_TLS_EXT.1.1 TSS 1
The evaluator shall check the description of the implementation of this protocol in the TSS to ensure that the ciphersuites supported are specified. The evaluator shall check the TSS to ensure that the ciphersuites specified are identical to those listed for this component. The evaluator shall also check the operational guidance to ensure that it contains instructions on configuring the TOE so that TLS conforms to the description in the TSS (for instance, the set of ciphersuites advertised by the TOE may have to be restricted to meet the requirements).
6.9.1.1 Evaluator Findings
The evaluator checked the description of the implementation of TLS in the TSS to ensure that the ciphersuites supported are specified. Table 19 of section 6.1 was used to determine the verdict of this work unit. The TSS states that the following ciphersuites are supported:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
These ciphersuites were found to be identical to those listed for FCS_TLS_EXT.1.1 in section 5.3.2.9 of the ST.
6.9.1.2 Verdict

6.9.2 FCS_TLS_EXT.1.1 Guidance 1
The evaluator shall also check the operational guidance to ensure that it contains instructions on configuring the TOE so that TLS conforms to the description in the TSS.
6.9.2.1 Evaluator Findings
The evaluator examined the AGD document to determine if it contains instructions on configuring the TOE so that it conforms to the description in the TSS. Section 3.4 of the AGD was used to determine the verdict of this assurance activity. The evaluator found that no configuration is required for the TOE, and that it supports only the listed ciphersuites in its default configuration.
6.9.2.2 Verdict

6.9.3 FCS_TLS_EXT.1.1 Test #1
Test ID: FCS_TLS_EXT.1.1 Test #1
Test Type: Testing
Objective: The evaluator shall establish a TLS connection using each of the ciphersuites specified by the requirement. This connection may be established as part of the establishment of a higher-level protocol, e.g., as part of a SIP session. It is sufficient to observe (on the wire) the successful negotiation of a ciphersuite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the ciphersuite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES).
Test Execution Steps: Actual Test steps
Expected Output:
Evidence (screenshot or CLI output) showing configuration of TOE TLS.
Log showing the configuration of TOE TLS.
Packet capture of each TLS session showing the correct ciphersuite negotiation.
Pass/Fail Criteria: Each of the claimed ciphersuites is supported by the TOE.
Results:

6.9.4 FCS_TLS_EXT.1.1 Test #2
Test ID: FCS_TLS_EXT.1.1 Test #2
Test Type: Testing
Objective: The evaluator shall set up a man-in-the-middle tool between the TOE and the TLS peer and shall perform the following modifications to the traffic:
[Conditional: TOE is a server] Modify at least one byte in the server's nonce in the Server Hello handshake message, and verify that the server denies the client's Finished handshake message.
[Conditional: TOE is a client] Modify the server's selected ciphersuite in the Server Hello handshake message to be a ciphersuite not presented in the Client Hello handshake message. The evaluator shall verify that the client rejects the connection after receiving the Server Hello.
[Conditional: TOE is a client] If a DHE or ECDHE ciphersuite is supported, modify the signature block in the Server's KeyExchange handshake message, and verify that the client rejects the connection after receiving the Server KeyExchange.
[Conditional: TOE is a client] Modify a byte in the Server Finished handshake message, and verify that the client sends a fatal alert upon receipt and does not send any application data.
Per the resolution section of TRRT #4, TD0004: FCS_TLS_EXT Man-in-the-Middle Tests (https://www.niap-ccevs.org/documents_and_guidance/view_td.cfm?td_id=6), this test case has been removed. The following is a reproduction of the resolution: Remove the FCS_TLS_EXT man-in-the-middle tests for the NDPP (FCS_TLS_EXT.1.1, Test 2) and the MDFPP (FCS_TLS_EXT.1, Test 5, FCS_TLS_EXT.2, Test 5).
Results: N/A

6.9.5 FCS_HTTPS_EXT.1.1 TSS 1
The evaluator shall check the TSS to ensure that it is clear on how HTTPS uses TLS to establish an administrative session, focusing on any client authentication required by the TLS protocol vs. security administrator authentication which may be done at a different level of the processing stack.
6.9.5.1 Evaluator Findings
The evaluator checked the TSS to ensure that it is clear on how HTTPS uses TLS to establish an administrative session. Table 19 of Section 6.1 was used to determine the verdict of this assurance activity. TLS is used to protect all HTTPS sessions, using the ciphersuites listed in FCS_TLS_EXT.1. Based on this the assurance activity is considered satisfied.
6.9.5.2 Verdict

6.10 Security Assurance Requirements

6.10.1 AGD_OPE.1 Guidance 1
The operational guidance shall at a minimum list the processes running (or that could run) on the TOE in its evaluated configuration during its operation that are capable of processing data received on the network interfaces (there are likely more than one of these, and this is not limited to the process that "listens" on the network interface). It is acceptable to list all processes running (or that could run) on the TOE in its evaluated configuration instead of attempting to determine just those that process the network data. For each process listed, the administrative guidance will contain a short (e.g., one- or two-line) description of the process' function, and the privilege with which the service runs. "Privilege" includes the hardware privilege level (e.g., ring 0, ring 1), any software privileges specifically associated with the process, and the privileges associated with the user role the process runs as or under.
6.10.1.1 Evaluator Findings
As described in sections 1.4, 1.6 and 7 of the operational guidance, the TOE's SIP server functionality is the only process running. Its purpose is to interact with VoIP clients and provide the registrar and proxy capabilities required for call-session management. It also establishes, processes and terminates VoIP calls.
6.10.1.2 Verdict
6.10.2 AGD_OPE.1 Guidance 2
The operational guidance shall contain instructions for configuring the cryptographic engine associated with the evaluated configuration of the TOE. It shall provide a warning to the administrator that use of other cryptographic engines was not evaluated nor tested during the CC evaluation of the TOE.
6.10.2.1 Evaluator Findings
There are no alternate cryptographic engines that can be used on the TOE, and section 1.6 of the guidance documentation states that non-FIPS 140-2 cryptography is excluded from the evaluation. The cryptographic engine that the TOE does use is set up by default and does not require any user configuration. Section 3.2.1 of the operational guidance describes how to place the TOE into FIPS mode and describes the self-tests that are performed on the cryptographic engine at startup to ensure it is working properly.
6.10.2.2 Verdict

6.10.3 AGD_OPE.1 Guidance 3
The documentation must describe the process for verifying updates to the TOE, either by checking the hash or by verifying a digital signature. The evaluator shall verify that this process includes the following steps:
1. For hashes, a description of where the hash for a given update can be obtained. For digital signatures, instructions for obtaining the certificate that will be used by the FCS_COP.1(2) mechanism to ensure that a signed update has been received from the certificate owner. This may be supplied with the product initially, or may be obtained by some other means.
2. Instructions for obtaining the update itself. This should include instructions for making the update accessible to the TOE (e.g., placement in a specific directory).
3. Instructions for initiating the update process, as well as discerning whether the process was successful or unsuccessful. This includes generation of the hash/digital signature.
6.10.3.1 Evaluator Findings
According to section 4.5 of the AGD document, TOE updates are verified in the same manner as TOE software images. The process for verifying TOE software is described on pages 12 and 13 of the AGD document. Updates for the TOE, as well as hashes for those updates, are obtained directly from Cisco.
6.10.3.2 Verdict

6.10.4 AGD_OPE.1 Guidance 4
The TOE will likely contain security functionality that does not fall in the scope of evaluation under this PP. The operational guidance shall make it clear to an administrator which security functionality is covered by the evaluation activities.
6.10.4.1 Evaluator Findings
Section 1.6 of the AGD document has a table (Table 5) that lists the functionality that is excluded from the evaluation.
6.10.4.2 Verdict

6.10.5 AGD_PRE.1 Guidance 1
The evaluator shall check to ensure that the guidance provided for the TOE adequately addresses all platforms claimed for the TOE in the ST.
6.10.5.1 Evaluator Findings
The ST claims two different possible hardware platforms for the TOE. The platforms differ in their processing, memory and storage capabilities but do not affect how the TOE is configured or operated. Section 1.4 of the AGD document covers all possible platforms the TOE could be installed on.
6.10.5.2 Verdict

6.10.6 ATE_IND.1
This security assurance requirement is satisfied by the test plan created for this evaluation.

6.10.7 AVA_VAN.1
This security assurance requirement is satisfied by the vulnerability analysis in this evaluation's test report.

6.10.8 ALC_CMC.1 Guidance 1
The evaluator shall check the AGD guidance and TOE samples received for testing to ensure that the version number is consistent with that in the ST. If the vendor maintains a web site advertising the TOE, the evaluator shall examine the information on the web site to ensure that the information in the ST is sufficient to distinguish the product.
6.10.8.1 Evaluator Findings
The evaluator examined the ST, the AGD document and the TOE itself and found that version numbers were consistent across all three. The version information provided in the ST was also sufficient to distinguish the TOE from other versions of the product.
6.10.8.2 Verdict

7 Conclusion
The testing shows that all test cases required for conformance have passed testing.
End of Document