Cisco Unified Communications Manager Security Target
Cisco Unified Communications ManagerSecurity TargetVersion 1.010 August 2015EDCS - 1502591Page 1 of 53
Cisco Unified Communications Manager Security TargetTable of Contents1SECURITY TARGET INTRODUCTION . 81.1 ST and TOE Reference . 81.2 TOE Overview . 81.2.1 TOE Product Type . 81.2.2 Supported non-TOE Hardware/ Software/ Firmware . 91.3 TOE DESCRIPTION . 91.4 TOE Evaluated Configuration . 121.5 Physical Scope of the TOE. 121.6 Logical Scope of the TOE . 151.6.1 Security Audit . 151.6.2 Cryptographic Support . 151.6.3 Full Residual Information Protection. 161.6.4 Identification and authentication. 161.6.5 Security Management . 161.6.6 Protection of the TSF . 171.6.7 TOE Access . 171.6.8 Trusted path/Channels . 171.7 Excluded Functionality . 172Conformance Claims . 182.1 Common Criteria Conformance Claim . 182.2 Protection Profile Conformance . 182.3 Protection Profile Conformance Claim Rationale . 182.3.1 TOE Appropriateness. 182.3.2 TOE Security Problem Definition Consistency . 182.3.3 Statement of Security Requirements Consistency . 183SECURITY PROBLEM DEFINITION . 203.13.23.34SECURITY OBJECTIVES . 224.14.25Assumptions . 20Threats . 20Organizational Security Policies . 21Security Objectives for the TOE . 22Security Objectives for the Environment . 24SECURITY REQUIREMENTS . 255.1 Conventions. 255.2 TOE Security Functional Requirements . 255.3 SFRs from NDPP and SIP Server EP. 265.3.1 Security audit (FAU). 265.3.2 Cryptographic Support (FCS) . 285.3.3 User data protection (FDP) . 305.3.4 Identification and authentication (FIA) . 315.3.5 Security management (FMT) . 325.3.6 Protection of the TSF (FPT) . 33Page 2 of 53
Cisco Unified Communications Manager Security Target5.3.7 TOE Access (FTA) . 345.3.1 Trusted Path/Channels (FTP) . 345.4 TOE SFR Dependencies Rationale for SFRs Found in PP . 365.5 Security Assurance Requirements . 365.5.1SAR Requirements. 365.5.2 Security Assurance Requirements Rationale . 365.6 Assurance Measures . 366TOE Summary Specification . 386.177.18TOE Security Functional Requirement Measures . 38Annex A: Key Zeroization . 52Key Zeroization . 52Annex B: References. 53Page 3 of 53
Cisco Unified Communications Manager Security TargetList of TablesTABLE 1 ACRONYMS. 5TABLE 2 TERMINOLOGY . 6TABLE 3 ST AND TOE IDENTIFICATION . 8TABLE 4 IT ENVIRONMENT COMPONENTS . 9TABLE 5 HARDWARE MODELS AND SPECIFICATIONS .13TABLE 6 FIPS REFERENCES .15TABLE 7 TOE PROVIDED CRYPTOGRAPHY .16TABLE 8 EXCLUDED FUNCTIONALITY .17TABLE 9 PROTECTION PROFILES .18TABLE 10 TOE ASSUMPTIONS .20TABLE 11 THREATS .20TABLE 12 ORGANIZATIONAL SECURITY POLICIES .21TABLE 13 SECURITY OBJECTIVES FOR THE TOE .22TABLE 14 SECURITY OBJECTIVES FOR THE ENVIRONMENT .24TABLE 15 SECURITY FUNCTIONAL REQUIREMENTS.25TABLE 16 AUDITABLE EVENTS .27TABLE 17: ASSURANCE MEASURES.36TABLE 18 ASSURANCE MEASURES .36TABLE 19 HOW TOE SFRS ARE MET .38TABLE 20: TOE KEY ZEROIZATION .52TABLE 21: REFERENCES .53List of FiguresFIGURE 1 CISCO UCS C220 M3 SERVER .10FIGURE 2 CISCO UCS C210 M2 SERVER .11FIGURE 3 TOE EXAMPLE DEPLOYMENT .11Page 4 of 53
Cisco Unified Communications Manager Security TargetAcronymsThe following acronyms and abbreviations are common and may be used in this Security Target:Table 1 AcronymsAcronyms on, Authorization, and AccountingAccess Control ListsAdvanced Encryption StandardBasic Rate InterfaceCommon Criteria for Information Technology Security EvaluationCommon Evaluation Methodology for Information Technology SecurityConfiguration ManagementCisco Unified Communications ManagerDynamic Host Configuration ProtocolEvaluation Assurance LevelEthernet High-Speed WICEncapsulating Security PayloadGigabit Ethernet portHyper-Text Transport ProtocolHyper-Text Transport Protocol SecureInternet Control Message ProtocolInformation TechnologyNetwork Device Protection ProfileOperating SystemPower over EthernetProtection ProfileSession Border ControllersSecure Hash StandardSession Initiation ProtocolSecurity TargetTransport Control ProtocolTransport Layer SecurityTarget of EvaluationTSF Scope of ControlTOE Security FunctionTOE Security PolicyUnified Communications ManagerUser datagram protocolUnified Computing SystemVoice over IPWide Area NetworkWAN Interface CardPage 5 of 53
Cisco Unified Communications Manager Security TargetTerminologyTable 2 TerminologyTermAuthorizedAdministratorPeer CUCMSecurityAdministratorSIP ServerUserDefinitionAny user which has been assigned to a privilege level that is permitted to perform allTSF-related functions.Another CUCM on the network that the TOE interfaces with.Synonymous with Authorized Administrator for the purposes of this evaluation.The SIP Server (the TOE) interacts with a VoIP client (user smartphone) and providesregistrar and proxy capabilities required for call-session management as well asestablishing, processing, and terminating VoIP calls.Any entity (human user or external IT entity) outside the TOE that interacts with theTOE.Page 6 of 53
Cisco Unified Communications Manager Security TargetDOCUMENT INTRODUCTIONPrepared By:Cisco Systems, Inc.170 West Tasman Dr.San Jose, CA 95134This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), theCisco Unified Communications Manager (CUCM). This Security Target (ST) defines a set ofassumptions about the aspects of the environment, a list of threats that the product intends tocounter, a set of security objectives, a set of security requirements, and the IT security functionsprovided by the TOE which meet the set of requirements. Administrators of the TOE will bereferred to as administrators, Authorized Administrators, TOE administrators, semi-privileged,privileged administrators, and security administrators in this document.Page 7 of 53
Cisco Unified Communications Manager Security Target1 SECURITY TARGET INTRODUCTIONThe Security Target contains the following sections: Security Target Introduction [Section 1]Conformance Claims [Section 2]Security Problem Definition [Section 3]Security Objectives [Section 4]IT Security Requirements [Section 5]TOE Summary Specification [Section 6]The structure and content of this ST comply with the requirements specified in the CommonCriteria (CC), Part 1, Annex A, and Part 2.1.1 ST and TOE ReferenceThis section provides information needed to identify and control this ST and its TOE.Table 3 ST and TOE IdentificationNameST TitleST VersionPublication DateVendor and STAuthorTOE ReferenceTOE HardwareModelsTOE SoftwareVersionKeywordsDescriptionCisco Unified Communications Manager Security Target1.010 August 2015Cisco Systems, Inc.Cisco Unified Communications Manager, CUCMCisco Unified Computing System (Cisco UCS) C220 M3 Rack Server or the CiscoUnified Computing System (Cisco UCS) C210 M2 Rack Server.CUCM 11.0CUCM, Data Protection, Authentication, Voice, Telephony1.2 TOE OverviewThe Cisco Unified Communications Manager (CUCM) TOE serves as the hardware and softwarebased call-processing component of the Cisco Unified Communications family of products. TheTOE extends enterprise telephony features and functions to packet telephony network devices suchas IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimediaapplications.The evaluated configuration of the TOE includes the CUCM 11.0 software installed on either theCisco Unified Computing System (Cisco UCS) C220 M3 Rack Server or the Cisco UnifiedComputing System (Cisco UCS) C210 M2 Rack Server.1.2.1 TOE Product TypeThe Cisco Unified Communications Manager (CUCM) is a hardware and software-based, callprocessing product that provides call processing, services, and applications. The integration ofPage 8 of 53
Cisco Unified Communications Manager Security Targetreal-time enterprise communications include, but not limited to instant messaging (e.g. chat), voicethat includes IP telephony, mobility features, call control and unified messaging.CUCM serves as the hardware and software-based call-processing component of the Cisco UnifiedCommunications family of products.1.2.2 Supported non-TOE Hardware/ Software/ FirmwareThe TOE supports the following hardware, software, and firmware components in its operationalenvironment. Each component is identified as being required or not based on the claims made inthis Security Target. All of the following environment components are supported by all TOEevaluated configurations.Table 4 IT Environment ComponentsComponentLocal ConsoleRequiredNoManagementWorkstationusing webbrowser forHTTPSNTP ServerYesRADIUS orTACACS AAA ServerNoSyslog ServerYesRemoteEndpointYesYesUsage/Purpose Description for TOE performanceThis includes any IT Environment Console that is directlyconnected to the TOE via the Serial Console Port and is used bythe TOE administrator to support TOE administration.This includes any IT Environment Management workstation witha web browser installed that is used by the TOE administrator tosupport TOE administration through HTTPS protected channels.Any web browser that supports TLSv1.0 with the supportedciphersuites may be used.The TOE supports communications with an NTP server in orderto synchronize the date and time on the TOE with the NTPserver’s date and time.This includes any IT environment RADIUS or TACACS AAAserver that provides single-use authentication mechanisms. Thiscan be any RADIUS or TACACS AAA server that providessingle-use authentication.This includes any syslog server to which the TOE would transmitsyslog messages.This includes any peer (other SIP servers) or VoIP client withwhich the TOE communicates with the end points over aprotected TLS channel.1.3 TOE DESCRIPTIONThis section provides an overview of the Cisco Unified Communications Manager (CUCM) Targetof Evaluation (TOE). The TOE is comprised of both software and hardware.The CUCM system includes a suite of integrated voice applications that perform voiceconferencing and manual attendant console functions. This suite of voice applications means thatno need exists for special-purpose voice-processing hardware. Supplementary and enhancedservices such as hold, transfer, forward, conference, multiple line appearances, automatic routeselection, speed dial, last-number redial, and other features extend to IP phones and gateways.Page 9 of 53
Cisco Unified Communications Manager Security TargetA web-browsable interface to the configuration database provides the capability for remote deviceand system configuration for administrators. CUCM Administration supports the followingoperating system browsers: Microsoft Internet Explorer (IE) 7 and later when running on Microsoft Windows 8 andlater Microsoft Internet Explorer (IE) 8 and later when running on Microsoft Windows 8 andlater Firefox 3.x and later when running on Microsoft Windows 8 or Apple MAC OS X andlater Safari 4.x and later when running on Apple MAC OS X and laterHTTPS is used to secure the connection between CUCM and the browser.The CUCM software can be installed on two different models of the Cisco Unified ComputingSystem (Cisco UCS). Both of which are described below.The Cisco Unified Computing System (Cisco UCS) C220 M3. Rack Server (one rack unit [1RU])offers up to two Intel Xeon processor E5-2600 or E5-2600 v2 processors, 16 DIMM slots, eightdisk drives, and two 1 Gigabit Ethernet LAN‑on-motherboard (LOM) ports. Refer to Table 5Hardware Models and Specifications for the primary features of the Cisco UCS C220 M3.Figure 1 Cisco UCS C220 M3 ServerORThe Cisco Unified Computing System (Cisco UCS) C210 M2 General-Purpose Rack-MountServer is a two-socket, two-rack-unit (2RU) rack-mount server housing up to 16 internal smallform-factor (SFF) SAS, SATA or SSD drives for a total of up to 16 terabytes (TB) of storage.Based on six-core Intel Xeon 5600 series processors, the server is built for applicationsincluding virtualization, network file servers and appliances, storage servers, database servers, andcontent-delivery servers Refer to Table 5 Hardware Models and Specifications for the primaryfeatures of the Cisco UCS C210 M2.Page 10 of 53
Cisco Unified Communications Manager Security TargetFigure 2 Cisco UCS C210 M2 ServerThe software is comprised of the CUCM software image Release 11.0. Cisco CUCM is a Ciscodeveloped highly configurable proprietary operating system that provides for efficient andeffective enterprise telephony features and functions. Although CUCM software provides manysignaling and call control services to Cisco integrated telephony applications functions, this TOEonly addresses the functions that provide for the security of the TOE itself as described in Section1.7 Logical Scope of the TOE below.The following figure provides a visual depiction of an example TOE deployment. The TOEboundary is surrounded with a hashed red line.RemoteAdminConsoleHTTPSInternalNetworkCisco UnifiedCommunicationsManager ure 3 TOE Example DeploymentThe previous figure includes the following: The TOEo Cisco UCS C220 M3S or Cisco UCS C210 M2o Cisco CUCM 11.0 software The following are considered to be in the IT Environment:o Management Workstationo NTP Server (does not require a secure connection)o Syslog ServerPage 11 of 53
Cisco Unified Communications Manager Security Target1.4 TOE Evaluated ConfigurationThe TOE consists of CUCM software installed on one or more appliances as specified in section1.5 below. The Cisco Unified Communications Manager system includes a suite of integratedvoice applications that perform voice-conferencing and manual attendant console functions. Thissuite of voice applications means that no need exists for special-purpose voice-processinghardware. Supplementary and enhanced services such as hold, transfer, forward, conference,multiple line appearances, automatic route selection, speed dial, last-number redial and otherfeatures extend to IP phones and gateways. Because Cisco Unified Communications Manager is asoftware application, enhancing its capabilities in production environments requires onlyupgrading software on the UCS server platform.The TOE configuration specifies the SIP ports and other properties such as the server name anddate-time settings. The TOE connects to an NTP server on its internal network for time services.The TOE is administered using the Cisco Unified Communications Manager Administrationprogram from a PC that is not the web server or has Cisco Unified Communications Managerinstalled. No browser software exists on the CUCM server. When connecting to the CUCM themanagement station must be connected to an internal network, HTTPS/TLS must be used toconnect to the TOE. A syslog server is also used to store audit records. These servers must beattached to the internal (trusted) network. The internal (trusted) network is meant to be separatedeffectively from unauthorized individuals and user traffic; one that is in a controlled environmentwhere implementation of security policies can be enforced.1.5 Physical Scope of the TOEThe TOE is a hardware and software solution that makes up the CUCM. The hardware platformis the UCS C220 M3S or the UCS C210 M2. The software is the CUCM 11.0 software. Thenetwork, on which they reside, is considered part of the environment. The TOE guidancedocumentation that is considered to be part of the TOE can be found listed in the Cisco UnifiedCommunications Manager Common Criteria Configuration Guide document and aredownloadable from the http://cisco.com web site. The TOE is comprised of the following physicalspecifications as described in Table 5 below:Page 12 of 53
Cisco Unified Communications Manager Security TargetTable 5 Hardware Models and SpecificationsHardwareUCS C220M3SPictureSize1.7 x 16.9 x28.5 in.(4.32 x 43x 72.4 cm)PowerDualredundantfans and m-FactorPlatinumPowerSupplies(450W and650W)) forenterpriseclassreliability anduptime InterfacesUp to 4 LFF or 8 SFF frontaccessible, hot-swappable, internalSAS, SATA, or SSD drives,providing redundancy options andease of serviceability2 PCIe Generation 3.0 slots I/O performance and flexibilitywith one x8 half-height andhalf-length slot, and one x16full-height and half‑length slotUp to two internal 16GB CiscoFlexFlash drives (SD cards)One internal USB flash driveFront panel - One KVM consoleconnector (supplies 2 USB, 1VGA, and 1 serial connector)Rear panel - VGA video port, 2USB 2.0 ports, an RJ45 serial port,1 Gigabit Ethernet managementport, and dual 1 Gigabit EthernetportsPage 13 of 53
Cisco Unified Communications Manager Security TargetHardwareUCS C210M2PictureSize2RU: 3.45x 17.2 x28.4 in.(8.76 x43.69 x72.14 cm)PowerDualredundantfans andpowersupplies forenterpriseclassreliability anduptime InterfacesUp to 16 front-accessible,hot-swappable, SFF SAS,SATA or SSD drives forlocal storage, providingredundancy options and easeof serviceabilityBalanced performance andcapacity to best meetapplication needs:o 15,000 RPM SASdrives for highestperformanceo 10,000 RPM SASdrives for highperformance andvalueo 7200-RPM SATAdrives for highcapacity and valueA choice of RAID controllersto provide data protection forup to 16 SAS, SATA or SSDdrives in PCIe and mezzaninecard form factorsHard driveo Up to 16 frontaccessible, hotswappable, 2.5-inchSAS, SATA or SSDdrivesEase of access to front-panelvideo, 2 USB ports, and serialconsoleManagemento IntegratedServerEngines Pilot2 BMCo IPMI 2.0 compliantfor management andcontrolo One 10/100BASE-Tout-of-bandmanagementinterfaceo CLI and WebGUImanagement tool forautomated, lightsout managemento KVMPage 14 of 53
Cisco Unified Communications Manager Security Target1.6 Logical Scope of the TOEThe TOE is comprised of several security features. Each of the security features identified aboveconsists of several security functionalities, as identified below.1.2.3.4.5.6.7.8.Security AuditCryptographic SupportFull Residual Information ProtectionIdentification and AuthenticationSecurity ManagementProtection of the TSFTOE AccessTrusted Path/ChannelsThese features are described in more detail in the subsections below. In addition, the TOEimplements all RFCs of the NDPP v1.1 and SIP EP v1.1 as necessary to satisfy testing andassurance measures prescribed therein.1.6.1 Security AuditThe Cisco CUCM provides extensive auditing capabilities. The TOE can audit events related tocryptographic functionality, identification and authentication, and administrative actions. TheCisco CUCM generates an audit record for each auditable event. Each security relevant auditevent has the date, timestamp, event description, and subject identity. The administratorconfigures auditable events, performs back-up operations, and manages audit data storage. TheTOE audit event logging is centralized and enabled by default. Audit logs can be backed up overa secure TLS channel to an external audit server.1.6.2 Cryptographic SupportThe TOE provides cryptography in support of other Cisco CUCM security functionality. Thiscryptography has been validated for conformance to the requirements of FIPS 140-2 Level 1 (seeTable 6 for certificate references). Refer to FIPS certificate 2100; Cisco FIPS Object Module(Software Version: 4.1).Table 6 FIPS ReferencesAlgorithmCert. #RSA#1377 and #1385AES#2678 and #2685SHS (SHA-1, 256, 384)#2247 and #2256HMAC SHA-1, SHA-256,SHA-384#1664 and #1672DRBG#431 and #435EDCSA#467 and #471There are two algorithm certificates because the processor was tested with AES-NI enabled andwith AES-NI disabled.Page 15 of 53
Cisco Unified Communications Manager Security TargetThe algorithm certificates are applicable to the TOE based on the underlying OS of the CUCM isRHEL 6 which has Linux kernel 2.6 and the processor is Intel Xeon.The TOE provides cryptography in support of remote administrative management via HTTPS.The cryptographic services provided by the TOE are described in Table 7 below.Table 7 TOE Provided CryptographyUse within the TOECryptographic MethodRSA/DSA Signature ServicesX.509 certificate signingThe TOE can also use the X.509v3 certificate for securing TLS sessions.1.6.3 Full Residual Information ProtectionThe TOE ensures that all information flows from the TOE do not contain residual informationfrom previous traffic. Residual data is never transmitted from the TOE.1.6.4 Identification and authenticationThe TOE provides authentication services for administrative users to connect to the TOEs GUIadministrator interface. The TOE requires Authorized Administrators to be successfully identifiedand authenticated prior to being granted access to any of the management functionality. The TOEcan be configured to require a minimum password length of 15 characters. The TOE providesadministrator authentication against a local user database using the GUI interface accessed viasecure HTTPS connection.1.6.5 Security ManagementThe TOE provides secure administrative services for management of general TOE configurationand the security functionality provided by the TOE. All TOE administration occurs either througha secure HTTPS session or via a local console connection. The TOE provides the ability tosecurely manage: All TOE administrative users;All identification and authentication;All audit functionality of the TOE;All TOE cryptographic functionality;Update to the TOE; andTOE configurationThe TOE supports the security administrator role. Only the privileged administrator can performthe above security relev
Cisco Unified Computing System (Cisco UCS) C220 M3 Rack Server or the Cisco Unified Computing System (Cisco UCS) C210 M2 Rack Server. 1.2.1 TOE Product Type The Cisco Unified Communications Manager (CUCM) is a hardware and software-based, call-processing product that provides call p
Cisco Unified Workspace Licensing (CUWL) Cisco Unity FAX Server : Cisco IP Communicator . Cisco Unified Application Server : Cisco Unified Media Engine . Cisco Unified Communications Manager Attendant Console : Cisco Unified Presence . Cisco Emergency Responder : Cisco Unified Personal Communicator . Cisco Unified IP Interactive Voice Response
Cisco Unified MeetingPlace Express VT: cotang@cisco.com Cisco Unified Personal Communicator: jchase@cisco.com Cisco IP Communicator: cs-communicator@cisco.com Cisco Unified Video Advantage: cotang@cisco.com Cisco Unfied Presence: stlevy@cisco.com Cisco Unified Mobility Advantage: unified_mobility_og@cisco.com
The Cisco Unified Communications Manager Adapter pr ovides connectivity between the IBM Security Identity server and the Cisco Unified Communications Manager server . The adapter r uns as a service, independent of whether you ar e logged on to IBM Security Identity Manager . The Cisco Unified Communications Manager Adapter automates the following
For Cisco Unified Communications Manager Release 5.0 or earlier, see Bulk Administration Tool User Guide for Cisco Unified Communications Manager for detailed instructions about BAT and TAPS. For Cisco Unified Communications Manager Release 6.0 or later, see Cisco Unified Communications Manager Bulk Administration Guide. Related Topics
Cisco Unified IP Phone 6921, 6941, 6945, and 6961 Administration Guide for Cisco Unified Communications Manager 8.6 (SCCP and SIP) OL-24567-01 Understanding How the Cisco Unified IP Phone Interacts with Cisco Unified Communications Manager Express 2-3 Providing Power to the Cisco Unified IP Phone 2-4 Power Guidelines 2-4 Power Outage 2-5
4 Release Notes for Cisco Unified Communications Manager Release 8.5(1) OL-23282-01 System Requirements Note Make sure that the matrix shows that your server model supports Cisco Unified CM Release 8.5(1). Note Be aware that some servers that are listed in the Cisco Unified Communications Manager Software Compatibility Matrix may require additional hardware support for Cisco Unified CM Release .
Cisco Unified IP Phone 6901/6911/6921/6941/ 6961 Cisco Unified Personal Communicator Cisco IP Communicator Cisco Unified Wireless IP Phone 7921G/ 7925G/7925G-EX Cisco Unified Personal Communicator Cisco Unified CME 8.5 - IP Phone Portfolio Accessories Mobility Conference Video Business Manager
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unified Computing System (Cisco UCS), Cisco UCS B-Series Blade Servers, Cisco UCS C-Series Rack Servers, Cisco UCS S-Series Storage Servers, Cisco UCS Manager, Cisco UCS
