Solved

Cisco Password Strength and Management for Common Criteria

Posted on 2014-11-17
Last Modified: 2014-11-19
We are using a Cisco 2960x switch, and after the security auditing exercise we are asked to implement a password policy for Password Strength and Management for Common Criteria as shown in the link below.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html

My question is: in order to implement the Password Strength and Management for Common Criteria, do we need an external RADIUS/TACACS server?

Also, if we like to implement the following password policy:

1) Minimum Password age
2) Maximum Password Age
3) Password History (i.e. cannot reuse any of the last 10 passwords)

do we need to implement RADIUS or TACACS?

Thank you for your advice in advance.

Regards
Patrick
Question by:patricktam

Accepted Solution by: btan (earned 500 total points)
ID: 40449625
The password complexity is a standalone security policy to be enforced as it is, independent of a RADIUS or TACACS server. The target of evaluation (TOE) needs all users to use passwords that conform to the complexity requirements as required by the evaluated guidance documentation. This is typically under "Security Management" for the CISCO case.

RADIUS/TACACS+ are considered external AAA services. They are primarily for centralized switch and host authentication via the client modules. Both RADIUS and TACACS+ may be used in the evaluated configuration. Any host keys (passwords) that are defined for RADIUS/TACACS+ authentication must comply with the password requirements as stated in the guidance. There isn't a preference per se for either RADIUS or TACACS+ in this context.

It will be good if you can check out this PDF for a CISCO device (http://www.cisco.com/web/strategy/government/security_certification/mds_9000_igs.pdf) as an example of configuring and installing the CC build.

But most of the time it depends on how you define the Security Target (SE) for that device. Here is another PDF instance of the SE for a CISCO device. In this example, the TOE can be configured to require local authentication and/or remote authentication via a RADIUS or TACACS+ server, as defined in the authentication policy for interactive (human) users.

It is good to have but not mandated. But most of the time, having such a capability helps to attain a higher level of assurance with an external checker instead of leveraging just the local user store, compared to external AAA which can be routed to the enterprise central identity store outside of the device.
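As an added illustration (not part of btan's answer and not quoted from Cisco's documentation), this is what the local Common Criteria password policy described in the IOS guide the question links to looks like on the switch itself, with no RADIUS or TACACS+ server involved. The policy name `cc-audit`, the numeric thresholds, the username and the placeholder password are assumptions chosen for the example; the command set is the `aaa common-criteria policy` feature of IOS 15.x and should be confirmed against the command reference for the exact release running on the 2960x, since feature availability differs by platform and release.

```cisco
! Added example configuration; all values are assumed, not taken from the original page.
! The AAA subsystem must be enabled before a common-criteria policy can be defined.
aaa new-model
!
! Define a local password policy. Thresholds below are example values.
aaa common-criteria policy cc-audit
 min-length 15
 max-length 64
 upper-case 1
 lower-case 1
 numeric-count 1
 special-case 1
! A changed password must differ from the previous one in at least this many characters.
 char-changes 4
! Password lifetime, i.e. the maximum age after which the user is forced to change it.
 lifetime day 90
 exit
!
! Bind the policy to a local account; the switch rejects a password that does not satisfy it.
! REPLACE-WITH-COMPLIANT-PASSWORD is a placeholder and must itself meet the policy to be accepted.
username netadmin privilege 15 common-criteria-policy cc-audit password REPLACE-WITH-COMPLIANT-PASSWORD
!
! Console and VTY logins authenticate against the local accounts above. An external
! RADIUS/TACACS+ server, if added later, is layered on top through its own
! "aaa authentication login" method list; it is not required for the policy itself.
line vty 0 15
 login local
end
!
! Verify the policy that was applied.
show aaa common-criteria policy name cc-audit
```

The keywords in the linked guide cover complexity, change distance (`char-changes`) and lifetime, which corresponds to the questioner's maximum password age. For minimum password age and a 10-deep password history, check the command reference for your release for local keywords before assuming they exist; where the local policy has no such option, those requirements are the kind of thing the external AAA server btan mentions would enforce against the central identity store.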
Author Closing Comment by: patricktam
ID: 40452273
Thanks for the detailed explanation on this.

Expert Comment by: btan
ID: 40452305
Thanks! I missed out the earlier PDF link for the SE example.
http://www.commoncriteriaportal.org/files/epfiles/cisco_nac_eal2_st_v2.pdf