Solved

Cisco Password Strength and Management for Common Criteria

Posted on 2014-11-17
Last Modified: 2014-11-19
We are using a Cisco 2960X switch, and after the security auditing exercise we were asked to implement a password policy for Password Strength and Management for Common Criteria, as shown in the link below.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-aaa-comm-criteria-pwd.html

My question is: in order to implement Password Strength and Management for Common Criteria, do we need an external RADIUS or TACACS server?

Also, if we would like to implement the following password policy:

1) Minimum password age
2) Maximum password age
3) Password history (i.e. cannot reuse any of the last 10 passwords)

do we need to implement RADIUS or TACACS?

Thank you for your advice in advance.

Regards
Patrick
Question by: patricktam
LVL 64

Accepted Solution

by: btan (earned 2000 total points)
ID: 40449625
The password complexity is a standalone security policy to be enforced as it is, independent of any RADIUS or TACACS server. The target of evaluation (TOE) needs all users to use passwords that conform to the complexity requirements as required by the evaluated guidance documentation. This is typically under "Security Management" for the Cisco case.

RADIUS/TACACS+ are considered external AAA services. They are primarily used for centralized switch and host authentication via the client modules. Both RADIUS and TACACS+ may be used in the evaluated configuration. Any host keys (passwords) that are defined for RADIUS/TACACS+ authentication must comply with the password requirements as stated in the guidance. There isn't a preference per se for either RADIUS or TACACS+ in this context.

It will be good if you can check out this pdf for a Cisco device (http://www.cisco.com/web/strategy/government/security_certification/mds_9000_igs.pdf) as an example of configuring and installing the CC build.

But most of the time it depends on how you define the Security Target (SE) for that device. Here is another pdf instance of the SE for a Cisco device. In this example, the TOE can be configured to require local authentication and/or remote authentication via a RADIUS or TACACS+ server, as defined in the authentication policy for interactive (human) users.

It is good to have but not mandated. But most of the time such a capability helps to attain a higher level of assurance with an external checker instead of leveraging just the local user store, compared to external AAA which can be routed to the enterprise central identity store outside of the device.
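To illustrate the point in the accepted answer that the Common Criteria password policy is enforced locally on the switch with no RADIUS/TACACS+ server involved, here is an added configuration example (it is not from the thread or from Cisco's guide; it is written against the IOS feature the linked guide documents). The policy name CC-POLICY, the username netadmin, the numeric values and the placeholder password are assumptions chosen for illustration, and the example assumes the switch runs an IOS release that includes the feature. It covers the items the feature exposes for length, character classes, character changes and password lifetime (maximum age); minimum age and password history are not shown here, so check the linked guide for whether your release provides them.

```cisco
! Added example, not from the original thread or Cisco's documentation.
! Policy name, username, values and the password below are placeholders.
configure terminal
 ! The Common Criteria policy commands live under AAA, so AAA must be enabled,
 ! but no external RADIUS/TACACS+ server is referenced anywhere in this policy.
 aaa new-model
 ! Define the policy; every parameter is enforced locally by the switch.
 aaa common-criteria policy CC-POLICY
  min-length 15
  max-length 64
  numeric-count 1
  upper-case 1
  lower-case 1
  special-case 1
  ! At least this many characters must differ from the previous password.
  char-changes 4
  ! Maximum password age; after this the user is required to change it.
  lifetime day 90
  exit
 ! Bind a local user to the policy. The new password is checked against the
 ! policy when this line is entered and rejected if it does not comply.
 username netadmin common-criteria-policy CC-POLICY password 0 <placeholder-password>
 end
! Verify which rules are being enforced for the policy.
show aaa common-criteria policy name CC-POLICY
```

If you later add a RADIUS or TACACS+ server for centralized authentication, that is configured separately (server definitions and method lists); it does not replace or relax the local policy above, which is the separation the accepted answer describes.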
 

Author Closing Comment

by: patricktam
ID: 40452273
Thanks for the detailed explanation on this.
 
LVL 64

Expert Comment

by: btan
ID: 40452305
Thanks! I missed out the earlier pdf link for the SE example:
http://www.commoncriteriaportal.org/files/epfiles/cisco_nac_eal2_st_v2.pdf
