Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco Password Strength and Management for Common Criteria

Posted on 2014-11-17
3
Medium Priority
?
962 Views
Last Modified: 2014-11-19
We are using Cisco 2960x Switch and after the Security Auditing Exercise, we are asked to implement Password Policy for Password Strength and Management for common Criteria as shown on the link below.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html

My question is in order to implement the Password Strength and Management for common Criteria , do we need an External RADIUS TACACS server ?

Also, if we like to implement the following password policy:

1) Minimum Password age
2) Maximum Password Age
3) Password History (i.e. cannot use the password for the last 10 password history

do we need to implement RADIUS or TACACS ?

Thank you for your advice in advance.

Regards
Patrick
0
Comment
Question by:patricktam
  • 2
3 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40449625
The password complexity is standalone security policy to be enforced as it is, independent of RADIUS or TACACS server. The target of evaluation (TOE) needs all users to use passwords that conform to the complexity requirements as required by the evaluated guidance documentation. This is typically under the "Security Management" for the CISCO case.

RADIUS/TACACS+ are considered external AAA services. They are prime mostly for centralized switch and host authentication via the client modules. Both RADIUS and TACACS+ may be used in the evaluated configuration. Any host keys (passwords) that are defined for RADIUS/TACACS+ authentication must comply with the password requirements as stated in the guidance. There isn't a preference per se in either RADIUS or TACACS+ in this context.

Will be good if you can check out this pdf of CISCO device (http://www.cisco.com/web/strategy/government/security_certification/mds_9000_igs.pdf) as example for configuration and installing the CC build.

But most of the time it depends how you define the Security Target (SE) for that device. Here is another pdf instance for the SE of CISCO device. In this example, the TOE can be configured to require local authentication and/or remote authentication via a RADIUS or TACACS+ server as defined in the authentication policy for interactive (human) users.

It is a good to have but not mandate. But most of time with such capability it helps to attain a higher level of assurance with external checker instead of leveraging just local user store. compared to external AAA which can be routed to the Enterprise central identity store out of the device.
0
 

Author Closing Comment

by:patricktam
ID: 40452273
Thanks for the Details explanation on this.
0
 
LVL 65

Expert Comment

by:btan
ID: 40452305
Thanks! missed out the earlier pdf link for SE example.
http://www.commoncriteriaportal.org/files/epfiles/cisco_nac_eal2_st_v2.pdf
0

Featured Post

Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Suggested Courses

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question