Cisco Password Strength and Management for Common Criteria

Posted on 2014-11-17
Last Modified: 2014-11-19
We are using a Cisco 2960X switch, and after the security auditing exercise we have been asked to implement a password policy for Password Strength and Management for Common Criteria, as shown at the link below.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html

My question is: in order to implement Password Strength and Management for Common Criteria, do we need an external RADIUS/TACACS server?

Also, if we like to implement the following password policy:

1) Minimum password age
2) Maximum password age
3) Password history (i.e. cannot reuse a password from the last 10 in the password history)

do we need to implement RADIUS or TACACS?

Thank you for your advice in advance.

Regards
Patrick
Question by: patricktam

Accepted Solution by: btan
The password complexity is a standalone security policy to be enforced as it is, independent of any RADIUS or TACACS server. The target of evaluation (TOE) needs all users to use passwords that conform to the complexity requirements as required by the evaluated guidance documentation. This is typically under "Security Management" for the Cisco case.

RADIUS/TACACS+ are considered external AAA services. They are primarily for centralized switch and host authentication via the client modules. Both RADIUS and TACACS+ may be used in the evaluated configuration. Any host keys (passwords) that are defined for RADIUS/TACACS+ authentication must comply with the password requirements as stated in the guidance. There isn't a preference per se for either RADIUS or TACACS+ in this context.

It will be good if you can check out this PDF for a Cisco device (http://www.cisco.com/web/strategy/government/security_certification/mds_9000_igs.pdf) as an example of configuring and installing the CC build.

But most of the time it depends on how you define the Security Target (SE) for that device. Here is another PDF instance of the SE for a Cisco device. In this example, the TOE can be configured to require local authentication and/or remote authentication via a RADIUS or TACACS+ server, as defined in the authentication policy for interactive (human) users.

It is a good-to-have but not a mandate. But most of the time, with such a capability, it helps to attain a higher level of assurance with an external checker instead of leveraging just the local user store, compared to external AAA, which can be routed to the enterprise central identity store outside of the device.
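An added configuration example, not from the thread or from Cisco's guide, showing what the accepted answer describes: the Common Criteria password policy enforced locally on the switch, with no RADIUS/TACACS+ server in the picture. It assumes an IOS 15.x image that includes the feature from the linked guide; the policy name CC-LOCAL, the user name and the numeric limits are assumed values, and the password placeholders must be replaced. Of the three items in the question, the lifetime keyword is the one that maps directly (maximum password age).

```cisco
! Added example (not from the thread): local-only Common Criteria
! password policy on IOS 15.x. Policy name, user name and the numeric
! limits are assumptions; <replace-me> is a placeholder.
aaa new-model
!
aaa common-criteria policy CC-LOCAL
 ! Weak setting to avoid: leaving min-length at its default or at 8
 min-length 15
 max-length 64
 upper-case 1
 lower-case 1
 numeric-count 1
 special-case 1
 ! Number of characters that must differ from the previous password
 char-changes 4
 ! Maximum password age (item 2 of the question); enforced locally
 lifetime day 90
!
! Bind the policy to local accounts and to the enable secret; a password
! that violates the policy is rejected when the command is entered
username netadmin common-criteria-policy CC-LOCAL password 0 <replace-me>
enable common-criteria-policy CC-LOCAL password 0 <replace-me>
end
!
! Check what the switch actually enforces before signing off the audit item
show aaa common-criteria policy name CC-LOCAL
```

Minimum password age and password history are not part of this policy's keyword set as I know it, so those two items still need to be enforced wherever the accounts live (e.g. the central identity store behind an AAA server, as the answer suggests).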

Author Closing Comment by: patricktam

Thanks for the detailed explanation on this.
Expert Comment by: btan

Thanks! I missed out the earlier PDF link for the SE example.
http://www.commoncriteriaportal.org/files/epfiles/cisco_nac_eal2_st_v2.pdf