Brocade Directors and Switches Security Target Version Number 3.
Copyright © 2001 - 2013 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, FabricOS, File Lifecycle Manager, MyView, and StorageX are registered trademarks and the Brocade B-wing symbol, DCX, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.
Table of Contents
1. SECURITY TARGET INTRODUCTION ........ 5
1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION ........ 5
1.2 CONFORMANCE CLAIMS ........ 6
1.3 CONVENTIONS ........
8.1 SECURITY OBJECTIVES RATIONALE ........ 41
8.1.1 Security Objectives Rationale for the TOE and Environment ........ 41
8.2 SECURITY REQUIREMENTS RATIONALE ........ 43
8.2.1 Security Functional Requirements Rationale ........
1. Security Target Introduction
This section provides the Security Target (ST) and Target of Evaluation (TOE) identification, the ST conventions, the ST conformance claims, and the ST organization. The TOE is the Brocade Directors and Switches provided by Brocade Communications Systems, Inc. Brocade Directors and Switches are hardware appliances that implement what is called a “Storage Area Network” or “SAN”.
• Brocade – FabricOS Command Reference – Publication #53-1002921-01, 26 July 2013
• Brocade – FabricOS Message Reference – Publication #53-1002929-01, 26 July 2013
TOE Developer – Brocade Communications Systems, Inc.
Evaluation Sponsor – Brocade Communications Systems, Inc.
CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012
1.
JBOD – Stands for "Just a Bunch of Disks"; it is a way of connecting together a series of hard drives, combining multiple drives and capacities into one drive.
LUN – Logical Unit Number, used to refer to a logical device within a chain.
SAN – Storage Area Network
2. TOE Description
The Target of Evaluation (TOE) is the Brocade Directors and Switches hardware appliances running FabricOS version 7.2.0a. The various models of the TOE mentioned in Section 1.1 differ in performance, form factor and number of ports, but all run the same FabricOS version 7.2.0a software. The TOE is available in three form factors: a rack-mount Director chassis with a variable number of blades, a self-contained switch appliance device and embedded blades acting as a switch.
HBAs communicate with the TOE using Fibre Channel (FC) or FC over IP (FCIP) protocols. Storage devices in turn are physically connected to the TOE using FC/FCIP interfaces. When more than one instance of the TOE is interconnected (i.e. installed and configured to work together), they are referred to collectively as a “SAN fabric”. A zone is a specified group of fabric-connected devices (called zone members) that have access to one another. The remainder of this section summarizes the TOE architecture. 2.
Figure 2: Administrators can access the TOE using a serial terminal or across a network. Audit records are sent to a syslog server. Separate appliance ports are relied on to physically separate connected HBAs. The appliance’s physical location between HBAs and storage devices is relied on to ensure TOE interfaces cannot be bypassed. The TOE encrypts commands sent from terminal applications by administrators using SSH for the command line interface and HTTPS for the Advanced Web Tools GUI interface.
Figure 3: TOE and environment components.
The intended environment of the TOE can be described in terms of the following components:
• Host – A system in the environment that uses TOE SAN services.
• Host Bus Adapters (HBAs) – Provide physical network interfaces from host machines in the environment to the TOE. HBA drivers provide operating system interfaces on host machines in the environment to storage devices in the environment.
any other components in the environment to provide security-related services. The TOE is interoperable with any adapter or device that is interoperable with one or more of the following standards:
• FC-AL-2 INCITS 332: 1999
• FC-GS-5 ANSI INCITS 427:2006 (includes the following.
• Trusted path
There is no distinction between the product and the TOE.
2.2.2.1 Security audit
The TOE generates audit events for numerous activities including policy enforcement, system management and authentication. A syslog server in the environment is relied on to store audit records generated by the TOE. The TOE generates a complete audit record including the IP address of the TOE, the event details, and the time the event occurred. The time stamp is provided by the TOE appliance hardware.
2.2.2.6 TOE Access
The TOE provides an IP Filter policy that is a set of rules applied to the IP management interfaces. These rules provide the ability to control how and to whom the TOE exposes the management services hosted on a switch. They cannot affect the management traffic that is initiated from a switch. The TOE limits the number of concurrent login sessions for users, such that the number of simultaneous login sessions for each role is limited.
2.2.2.
3. Security Environment
This section summarizes the threats addressed by the TOE and assumptions about the intended environment of the TOE. Note that while the identified threats are mitigated by the security functions implemented in the TOE, the overall assurance level (EAL-4) also serves as an indicator of whether the TOE would be suitable for a given environment.
3.1 Threats
T.ACCOUNTABILITY: A user may not be held accountable for their actions.
T.
4. Security Objectives
This section summarizes the security objectives for the TOE and its environment.
4.1 Security Objectives for the TOE
O.ACCESS The TOE will ensure that users gain only authorized access to the TOE and to the resources that the TOE controls.
O.ADMIN_ROLE The TOE will provide authorized administrator roles to isolate administrative actions, thus limiting the scope of errors that an administrator may cause.
O.
5. IT Security Requirements
5.1 TOE Security Functional Requirements
Requirement Class:
FAU: Security audit
FCS: Cryptographic Support
FDP: User data protection
FIA: Identification and authentication
FMT: Security management
FPT: Protection of the TSF
FTA: TOE access
FTP: Trusted Path
Requirement Component:
FAU_GEN.1: Audit data generation
FCS_COP.1(1): Cryptographic Operation for Trusted Path
FCS_COP.1(2): Cryptographic Operation for User Data Encryption
FCS_CKM.
failed logons.
FIA_UAU.5: unsuccessful use of the authentication mechanism
FIA_UID.2: unsuccessful use of the user identification mechanism, including the user identity provided
FMT_SMF.1: use of the management functions (specifically, zone configuration, data encryption configuration, password management configuration, authentication attempts maximum configuration, TOE access filtering configuration, and setting user attributes)
FMT_SMR.1: modifications to the group of users that are part of a role
5.1.
5.1.3 User data protection (FDP)
5.1.3.1 Subset access control (FDP_ACC.1)
FDP_ACC.1.1 The TSF shall enforce the [SAN Fabric SFP] on [
a.) subjects: host bus adapters
b.) objects: storage devices
c.) operations: block-read and block-write
].
5.1.3.2 Security attribute based access control (FDP_ACF.1)
FDP_ACF.1.1 The TSF shall enforce the [SAN Fabric SFP] to objects based on the following: [
a.) subject security attributes: 1. port number; 2. zone membership
b.
2. decrypt blocks read from the storage device port before sending the data frames to the HBA;
b.) the CryptoTarget container membership for the storage device includes the HBA port number and indicates the LUN should be encrypted, then the TOE will NOT
1. encrypt blocks written from the HBA to the LUN to the storage device port; or
2. decrypt blocks read from the storage device port before sending the data frames to the HBA;
].
FDP_IFF.1.
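As an added illustration (not code from the ST or from FabricOS), the following Python model applies the SAN Fabric SFP and User Data Encryption SFP decisions above to constructed frames: a frame is discarded unless the HBA port and storage port share a zone, and the encryption engine is applied only when the storage device's CryptoTarget container includes the HBA port and marks the LUN as encrypted. Port numbers, zone names, the container layout and the rule that frames outside a container pass in the clear are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    """One FC frame as seen by the TOE (constructed model)."""
    hba_port: int      # subject attribute: host bus adapter port number
    target_port: int   # object attribute: storage device port number
    lun: int           # logical unit addressed on the storage device
    op: str            # "block-read" or "block-write"

@dataclass
class Fabric:
    # zone name -> set of port numbers that are members of that zone
    zones: dict = field(default_factory=dict)
    # storage port -> (HBA ports in its CryptoTarget container, {lun: encrypt?})
    crypto_targets: dict = field(default_factory=dict)

    def zone_permits(self, frame):
        """SAN Fabric SFP (FDP_ACF.1): HBA and storage port must share a zone."""
        return any(frame.hba_port in members and frame.target_port in members
                   for members in self.zones.values())

    def encryption_applies(self, frame):
        """User Data Encryption SFP (FDP_IFF.1): the CryptoTarget container for
        the storage device must include the HBA port and mark the LUN encrypted."""
        container = self.crypto_targets.get(frame.target_port)
        if container is None:
            return False
        hba_ports, lun_policy = container
        return frame.hba_port in hba_ports and lun_policy.get(frame.lun, False)

    def process(self, frame):
        """Disposition of a frame: discarded on zone mismatch, otherwise forwarded
        in the clear or through the encryption engine."""
        if frame.op not in ("block-read", "block-write"):
            return "discard: unsupported operation"
        if not self.zone_permits(frame):
            return "discard: zone mismatch"     # hard zoning drops the frame
        if self.encryption_applies(frame):
            # writes are encrypted towards the LUN, reads decrypted towards the HBA
            return "encrypt" if frame.op == "block-write" else "decrypt"
        return "forward"

def demo_fabric():
    """Constructed configuration: two zones and one CryptoTarget container
    (storage port 10, HBA port 1, LUN 0 encrypted, LUN 1 in the clear)."""
    return Fabric(
        zones={"zone_a": {1, 10}, "zone_b": {2, 11}},
        crypto_targets={10: ({1}, {0: True, 1: False})},
    )

if __name__ == "__main__":
    fabric = demo_fabric()
    for f in (Frame(1, 10, 0, "block-write"), Frame(1, 10, 1, "block-read"),
              Frame(2, 10, 0, "block-write"), Frame(2, 11, 0, "block-read")):
        print(f, "->", fabric.process(f))
```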
5.1.5 Security management (FMT)
5.1.5.1 Management of security attributes (FMT_MSA.1(1))
FMT_MSA.1.1(1) The TSF shall enforce the [SAN Fabric SFP] to restrict the ability to [[add or remove members of a zone]] the security attributes [host bus adapter port number; storage device port number; zone membership of a host bus adapter and zone membership of a storage device] to [users possessing one of the following administrative roles: admin, zoneAdmin, fabricAdmin, root, factory].
5.1.5.6 Management of TSF data (FMT_MTD.1(2))
FMT_MTD.1.1(2) The TSF shall restrict the ability to [set] the [passwords] to [the administrative user associated with the password, and users possessing one of the following administrative roles: admin, SecurityAdmin, root, factory].
5.1.5.7 Specification of Management Functions (FMT_SMF.1)
FMT_SMF.1.
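As an added example (not FabricOS code and not from the ST), the following Python model enforces the role restrictions of FMT_MSA.1(1) and FMT_MTD.1(2) above and records the audit events FAU_GEN.1 requires for use of the management functions. The record layout, user names, the TOE IP address and the fixed clock are constructed assumptions.

```python
from datetime import datetime, timezone

# Roles permitted by FMT_MSA.1(1) to add or remove members of a zone
ZONE_MEMBER_ROLES = frozenset({"admin", "zoneAdmin", "fabricAdmin", "root", "factory"})
# Roles permitted by FMT_MTD.1(2) to set another user's password
PASSWORD_SET_ROLES = frozenset({"admin", "SecurityAdmin", "root", "factory"})

def fixed_clock():
    """Constructed fixed time so the example records are reproducible."""
    return datetime(2013, 6, 20, 11, 7, 11, tzinfo=timezone.utc)

class ManagementInterface:
    """Constructed model of the TOE management functions and their auditing."""

    def __init__(self, toe_ip, clock=fixed_clock):
        self.toe_ip = toe_ip      # identifies which TOE instance generated a record
        self.clock = clock        # time stamps come from the TOE itself (FPT_STM.1)
        self.zones = {}           # zone name -> set of member port numbers
        self.passwords = {}       # user -> password (hashing not modelled here)
        self.audit_log = []       # records destined for the syslog server

    def _audit(self, user, event, outcome, detail):
        """Append one record (constructed layout) and report whether it succeeded."""
        record = (f"{self.clock():%b %d %H:%M:%S} [{self.toe_ip}] {event} "
                  f"user={user} {detail} outcome={outcome}")
        self.audit_log.append(record)
        return outcome == "success"

    def modify_zone_members(self, user, role, zone, add=(), remove=()):
        """FMT_MSA.1(1): only the listed roles may change zone membership."""
        if role not in ZONE_MEMBER_ROLES:
            return self._audit(user, "ZONE_MODIFY", "failure",
                               f"zone={zone} role={role}")
        members = self.zones.setdefault(zone, set())
        members.update(add)
        members.difference_update(remove)
        return self._audit(user, "ZONE_MODIFY", "success",
                           f"zone={zone} add={sorted(add)} remove={sorted(remove)}")

    def set_password(self, actor, actor_role, target_user, new_password):
        """FMT_MTD.1(2): a user may set their own password; other users'
        passwords may be set only by the listed roles."""
        if actor != target_user and actor_role not in PASSWORD_SET_ROLES:
            return self._audit(actor, "PASSWORD_SET", "failure",
                               f"target={target_user} role={actor_role}")
        self.passwords[target_user] = new_password
        return self._audit(actor, "PASSWORD_SET", "success", f"target={target_user}")

if __name__ == "__main__":
    mi = ManagementInterface("192.0.2.10")
    mi.modify_zone_members("alice", "zoneAdmin", "zone_a", add={1, 10})
    mi.modify_zone_members("bob", "operator", "zone_a", add={2})
    mi.set_password("bob", "operator", "alice", "new-secret")
    print("\n".join(mi.audit_log))
```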
5.1.8 Trusted Path (FTP)
5.1.8.1 Trusted path (FTP_TRP.1)
FTP_TRP.1.1 The TSF shall provide a communication path between itself and [remote] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from [disclosure, modification].
FTP_TRP.1.2 The TSF shall permit [remote users] to initiate communication via the trusted path.
FTP_TRP.1.
ADV_ARC.1.1c The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the TOE design document. ADV_ARC.1.2c The security architecture description shall describe the security domains maintained by the TSF consistently with the SFRs. ADV_ARC.1.3c The security architecture description shall describe how the TSF initialisation process is secure. ADV_ARC.1.
ADV_TDS.3.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ADV_TDS.3.2e The evaluator shall determine that the design is an accurate and complete instantiation of all security functional requirements. 5.2.2 Guidance documents (AGD) 5.2.2.1 Operational user guidance (AGD_OPE.1) AGD_OPE.1.1d The developer shall provide operational user guidance. AGD_OPE.1.
ALC_CMC.4.6c The CM documentation shall include a CM plan. ALC_CMC.4.7c The CM plan shall describe how the CM system is used for the development of the TOE. ALC_CMC.4.8c The CM plan shall describe the procedures used to accept modified or newly created configuration items as part of the TOE. ALC_CMC.4.9c The evidence shall demonstrate that all configuration items are being maintained under the CM system. ALC_CMC.4.
ALC_FLR.2.6c The procedures for processing reported security flaws shall ensure that any reported flaws are corrected and the correction issued to TOE users. ALC_FLR.2.7c The procedures for processing reported security flaws shall provide safeguards that any corrections to these security flaws do not introduce any new flaws. ALC_FLR.2.8c The flaw remediation guidance shall describe a means by which TOE users report to the developer any suspected security flaws in the TOE. ALC_FLR.2.
5.2.4.3 Functional testing (ATE_FUN.1)
ATE_FUN.1.1d The developer shall test the TSF and document the results.
ATE_FUN.1.2d The developer shall provide test documentation.
ATE_FUN.1.1c The test documentation shall consist of test plans, expected test results and actual test results.
ATE_FUN.1.2c The test plans shall identify the tests to be performed and describe the scenarios for performing each test.
ATE_FUN.1.
6. TOE Summary Specification
This chapter describes the security functions and associated assurance measures.
6.1 TOE Security Functions
6.1.1 Audit
The TOE generates audit records for start-up and shutdown of the TOE, and for an unspecified level of audit. Audit records include date and time of the event, type of event, user identity that caused the event to be generated, and the outcome of the event. The TOE sends audit records to a syslog server in the environment.
Figure 4: TOE and environment audit record components. Since the time stamp applied by the TOE was included as part of the event details, the time stamp in the event details can be used to determine the order in which events occurred on the TOE. Similarly, the instance of the TOE that generated the record can be determined by examining the field containing the IP address of the TOE. For example: Jun 20 11:07:11 [10.33.8.20.2.
member of a zone under hard zoning, configured by an administrator, before a host bus adapter can access a storage device. Zoning works by checking each frame before it is delivered to a zone member and discarding it if there is a zone mismatch. The TOE monitors HBA communications and blocks any frames that do not comply with the zone configuration. Zoning prevents users from even discovering the existence of unauthorized target devices.
blocks (in the case of a block-read operation). When a write operation is performed, the storage device after the operation has completed transmits a single frame back through the TOE to the HBA to acknowledge that all data was received and written to the storage device. When a host bus adapter performs a read to a target device for which it has established a connection, the HBA first issues the appropriate FC/FCIP protocol command to the target at its defined 24-bit address.
Figure 5: User Data Encryption
6.1.2.1.1 Key Management System
The user data encryption mechanism is transparent to the FC routing and zone enforcement mechanisms and is subject to all FC routing and zone enforcement configuration.
Figure 6: User Data Flow for User Data Encryption SFP Data encryption keys (DEKs) are generated by the TOE. Data is encrypted and decrypted using the same DEK. A DEK must be preserved at least long enough to decrypt the ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly, and some data may be stored for years or decades before it is accessed. Key management systems provide life cycle management for all DEKs created by the encryption engine.
Figure 7: CryptoTarget Container Within a storage device for which a CryptoTarget container has been defined, encryption policies must be configured for all LUNs that reside on the storage device. Encryption policies include specifying whether encryption will be applied to the LUN, whether existing data on the LUN should be encrypted and rekey policies.
FabricOS root account is disabled during TOE configuration, since it allows access to the operating system. This FabricOS root account is not the same as the “Root” role. The TOE authenticates administrative users using either its own authentication mechanism or a RADIUS or LDAP Server. The TOE provides its own password authentication mechanism to authenticate administrative users.
• admin – can perform all administrative commands
• switchAdmin – can perform administrative commands except for those related to user management and zoning configuration commands
• operator – can perform administrative commands that do not affect security settings
• zoneAdmin – can perform administrative commands that only affect zoning configuration
• fabricAdmin – can perform administrative commands except for those related to user management
• basicSwitchAdmin – can be used to monitor system
TOE, and between the TOE and the storage device. On those models providing user data encryption, data is protected from disclosure when it is written to or read from storage devices by host bus adapters. Separate appliance ports are relied on to physically separate connected HBAs. The appliance’s physical location between HBAs and storage devices is relied on to ensure TOE interfaces cannot be bypassed. The TOE does encrypt commands sent from terminal applications by administrators using SSH and HTTPS.
6.1.7 Trusted Path The TOE provides a trusted path for its remote administrative users accessing the TOE via the Ethernet ports provided on the TOE using either the command line interface using SSH or Advanced Web Tools using HTTPS. Note that local administrator access via the serial port is also allowed for command line access, however this access is protected by physical protection of the serial interface along with the TOE itself.
7. Protection Profile Claims
There is no Protection Profile claim.
8. Rationale
This section provides the rationale for completeness and consistency of the Security Target. The rationale addresses the following areas:
• Security Objectives;
• Security Functional Requirements;
• Security Assurance Requirements;
• Requirement Dependencies;
• TOE Summary Specification; and,
• PP Claims.
8.1 Security Objectives Rationale
This section shows that all secure usage assumptions, organizational security policies, and threats are completely covered by security objectives.
This Threat is countered by ensuring that:
• O.AUDIT_GENERATION: The TOE will provide the capability to create records of security relevant events associated with users.
8.1.1.2 T.ADMIN_ERROR
An authorized administrator may incorrectly install or configure the TOE, resulting in ineffective security mechanisms.
This Threat is countered by ensuring that:
• O.
This Assumption is satisfied by ensuring that:
• OE.NETWORK: The Environment will protect network communication to and from the TOE from unauthorized disclosure or modification.
8.1.1.8 A.NO_EVIL
The TOE will be installed, configured, managed and maintained in accordance with its guidance documentation.
This Assumption is satisfied by ensuring that:
• OE.CONFIG: The TOE will be installed, configured, managed and maintained in accordance with its guidance documentation.
8.
Table 5 Objective to Requirement Correspondence (columns: O.USER_IDENTIFICATION, O.USER_AUTHENTICATION, O.TOE_PROTECTION, O.MANAGE, O.AUDIT_GENERATION, O.ADMIN_ROLE, O.ACCESS; rows: FMT_MSA.3(1), FMT_MSA.3(2), FMT_MTD.1(1), FMT_MTD.1(2), FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FTA_MCS.1, FTA_TSE.1, FTP_TRP.1, ADV_ARC.1)
8.2.1.1 O.ACCESS
The TOE will ensure that users gain only authorized access to the TOE and to the resources that the TOE controls.
• FAU_GEN.1: The TOE generates audit events for the not specified level of audit.
• FPT_STM.1: The TOE provides time stamps for its own use.
8.2.1.4 O.MANAGE
The TOE will allow administrators to effectively manage the TOE and its security functions, must ensure that only authorized administrators are able to access such functionality, and that communication between the TOE and the administrator is protected.
This TOE Security Objective is satisfied by ensuring that:
• FMT_MSA.
8.2.1.6 O.USER_AUTHENTICATION
The TOE will verify the claimed identity of users.
This TOE Security Objective is satisfied by ensuring that:
• FIA_AFL.1: The TOE locks user accounts as a result of too many failed logon attempts.
• FIA_ATD.1: The TOE maintains security attributes for administrative users.
• FIA_SOS.1: The TOE provides administratively defined constraints on user passwords.
• FIA_UAU.2: The TOE performs user authentication before allowing any other actions.
• FIA_UAU.
ST Requirement | CC Dependencies | ST Dependencies
FIA_ATD.1 | none | none
FIA_SOS.1 | none | none
FIA_UAU.2 | FIA_UID.1 | FIA_UID.
FIA_UAU.5 | none |
FIA_UID.2 | none |
FMT_MSA.1(1) | FMT_SMR.1 and FMT_SMF.1 and (FDP_ACC.1 or FDP_IFC.1) |
FMT_MSA.1(2) | FMT_SMR.1 and FMT_SMF.1 and (FDP_ACC.1 or FDP_IFC.1) |
FMT_MSA.3(1) | FMT_MSA.1 and FMT_SMR.1 |
FMT_MSA.3(2) | FMT_MSA.1 and FMT_SMR.1 |
FMT_MTD.1 | FMT_SMR.1 and FMT_SMF.1 |
FMT_SMF.1 | none |
FMT_SMR.1 | FIA_UID.1 |
FPT_STM.1 | none |
FTA_MCS.1 | FIA_UID.1 |
FTA_TSE.1 | none |
FTP_TRP.1 | none |
ALC_FLR.2 | none |
Security functions (table columns): Security audit, User data protection, Identification and authentication, Security management, Protection of the TSF, TOE Access, Trusted path.
Requirements (table rows): FAU_GEN.1, FCS_COP.1(1), FCS_COP.1(2), FCS_CKM.1(1), FCS_CKM.1(2), FCS_CKM.4, FDP_ACC.1, FDP_ACF.1, FDP_IFC.1, FDP_IFF.1, FIA_AFL.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.2, FIA_UAU.5, FIA_UID.2, FMT_MSA.1(1), FMT_MSA.1(2), FMT_MSA.3(1), FMT_MSA.3(2), FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FTA_MCS.1, FTA_TSE.1, FTP_TRP.