Cyber Security and Cisco
Cisco faces cyber attacks to its global operations on a continual basis and has created this paper to share a multi-layered approach to cyber defence with our Public Sector partners.
Cyber Security and Cisco: Assuring Government IT Services
Malicious attacks on Government IT systems can cause havoc - with citizens suffering as a result of lost or impaired services. Cyber-attacks often make use of computer networks to propagate. Attacks can cause severe harm to Government business processes and systems, and because they can be introduced by attackers overseas, they can be difficult to control - and can spread quickly.
The Government takes the cyber threat very seriously:
"As Foreign Secretary I see frequent evidence of deliberate and organised attacks against intellectual property and Government networks in the United Kingdom." (William Hague, UK Foreign Secretary, Speech at the Budapest Conference on Cyberspace, October, 2012).
Cisco, as a major multi-national computer networking provider, faces cyber-attacks to its global operations on a constant basis. It has built considerable expertise and works with customers - including our Government customers worldwide - to defend against and mitigate the effects of cyber-attacks.
Our Commitment to Reducing the Cyber Threat
Independent validation of security products and technology is critical to providing information risk owners the assurance they need when deploying solutions to protect sensitive data.
Cisco has a long history in participating in a range of product evaluation schemes and in 2011 certified the ISR G2 and ASR 1000 series routers under the CESG PEPAS cryptographic evaluation program. The PEPAS scheme was developed specifically to meet the cryptographic needs for the IPsec protected overlay of the Public Service Network (PSN) programme.
The PEPAS scheme has since been retired by CESG and, along with a number of other schemes has been collapsed in to a new consolidated certificate entitled Foundation Grade. Foundation Grade certification can be achieved through successful evaluation via the CESG Commercial Product Assurance (CPA) scheme, or Common Criteria using a suitable protection profile. During the transition, existing PEPAS certified products were grandfathered in to CPA and subsequently awarded Foundation Grade certificates. These certificates have now expired, however Cisco is currently in the process of re-certifying both the ISR G2 and ASR 1000 Series under the CPA scheme.
Foundation Grade certified products are aligned with the new OFFICIAL tier of the Government Classification Policy (GCP). Certification against this grade enables risk owners to have confidence that products are fulfilling their security functions, whilst providing protection against the likely threats at this tier of the GCP.
To further demonstrate Cisco’s commitment to improving cyber security throughout the UK, Cisco has been awarded a Foundation Grade certificate for both ASA 5500 and 5500-X series security appliances after successful evaluation through the CESG CPA scheme. The evaluation has been completed against the CPA IPsec VPN Security Gateway security characteristic, allowing the ASA platform to be deployed either as site-to-site or remote-access IPsec VPN gateway. In addition, Cisco ASA 5500-X is the first Foundation Grade product certified to support both CESG interim and PRIME cipher suites, enabling customers to take advantage of the latest next-generation encryption technology.
Security procedures detailing the secure deployment and operation of; Cisco ISR G2, ASR 1000 and the Cisco ASA 5500 and 5500-X can be found on the CESG IA Policy Portfolio or can be obtained through CESG Enquiries. In addition, more detailed guidance for both platforms is available providing our customers with a baseline configuration for operating these platforms in an approved fashion.
The table below contains a detailed summary of the CESG Foundation Grade evaluated products along with certificate details and detailed configuration guidance. For more information, please contact firstname.lastname@example.org
|Security Characteristic||Platform||Model||CESG PRIME Support||Certificate||Configuration Guide|
|IPsec Security Gateway v1.21||Integrated Services Router (ISR) G2||800,1900,2900,3900,3900E,4451-X||
Yes. IOS 15.4(2)T2
|Aggregation Services Router (ASR)||1001,1002,1002-X,1004,1006,1013||
1002-X, ESP-100 and ESP-200 Only. IOS-XE 3.12S and above2
|Embedded Services Processor (ESP)||ESP5, ESP10, ESP20, ESP40, ESP100, ESP200|
|Cisco ASR 1000 Route Processor (RP)||RP1, RP2|
IPsec Security Gateway v2.3
|Cisco ASA 5500||ASA 5505 , 5510, 5520, 5540, 5550, 5580||
Partial - ASA 5580 Only
|Cisco ASA 5500-X||ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X||Yes|
|IPsec VPN for Remote Working - Software Client v2.3||Cisco AnyConnect Secure Mobility Client v3.1||Microsoft Windows 7, 8, 8.1
Apple OS X 10.6, 10.7, 10.8 & 10.9
Redhat Linux 6.x and 6.4, Ubuntu 9.x, 10.x, 11.x 12.04, 12.10
|Yes||In Evaluation||In Evaluation|
|Cisco AnyConnect Secure Mobility Client v3.0||Apple iOS 6 & 7
Samsung , HTC & Kindle Based Android
Generic Android IceCreamSandwich or later
Rooted Android 2.1 or later
1 – ISR and ASR Platforms are currently undergoing re-certification against version 2.3 of the IPsec VPN gateway security characteristic
2 – PRIME cipher suite not certified under current certificate. Will be included as part of re-certification process.
Cisco also participates in a number of internationally recognised product certification schemes and full details of these can be found on the global government certification pages.
Assuring the Cloud
Information technology promises to deliver new services to citizens enabled by cloud technology. The cloud provides a much more flexible way to deliver more information and services within Government itself - and also to citizens.
Cisco believes that the borderless Government networks - that provide much more fluid and responsive business processes - should be protected from malware and malicious attacks. That's why we offer the Cisco ScanSafe Web Security solution - to ensure that secure connection to the web is always on offer.
Secure and Modern ICT Environments within Government
Our paper, Cyber Security Solutions for the Public Sector, sets out Cisco's recommendations on best practice for securing government ICT environments. We recommend an approach that makes the network itself a 'security sensor' - as well as a layered approach to public sector ICT security.
Please click here to download a copy of 'Cyber Security Solutions for the Public Sector'.
Links to Other Resources
Foundation Grade certification for the ASA 5500 and 5500-X
Find out more »