Brocade Communications Systems, Inc. Brocade MLXe® and NetIron® Family Devices with Multi-Service IronWare R05.8.00 Security Target Version 0.4 March 31, 2015 Prepared for: Brocade Communications Systems, Inc.
1. SECURITY TARGET INTRODUCTION
1.1 SECURITY TARGET REFERENCE
1.2 TOE REFERENCE
1. Security Target Introduction
This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is the Brocade Communications Systems, Inc. Brocade MLXe® and NetIron® Family Devices with Multi-Service IronWare R05.8.00.
TOE User: Any person who interacts with the TOE.
External IT entity: Any IT product or system, untrusted or trusted, outside of the TOE that interacts with the TOE.
Role: A predefined set of rules establishing the allowed interactions between a user and the TOE.
Identity: A representation (e.g.
The TOE is composed of a hardware appliance with embedded software installed on a management processor. The embedded software is a version of Brocade's proprietary Multi-Service IronWare software. The software controls the switching and routing of network frames and packets among the connections available on the hardware appliances.
http://www.brocade.com/products/all/switches/product-details/netiron-ces-2000-series/index.page
http://www.brocade.com/downloads/documents/data_sheets/product_data_sheets/brocade-netiron-ces2000-ds.pdf
While there are different models in the TOE, they differ primarily in physical form factor, number and types of connections and slots, and relative performance.
1.4.1.2 Logical Boundaries
This section summarizes the security functions provided by the Brocade MLXe® and NetIron® Family Devices with Multi-Service IronWare R05.8.
This is accomplished primarily by controlling the size of all buffers, fully overwriting buffer contents, and zero-padding of memory structures and buffers when necessary.
1.4.1.2.
Multi-Service IronWare Federal Information Processing Standards and Common Criteria Guide Supporting Multi-Service IronWare R05.8.00a, 53-1003269-01, 20 March 2015.
Multi-Service IronWare Administration Configuration Guide Supporting Multi-Service IronWare R05.8.00, 53-1003254-01, 13 January 2015.
2. Conformance Claims
This TOE is conformant to the following CC specifications:
Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 4, September 2012.
    Part 2 Extended
Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.
3. Security Objectives
The Security Problem Definition may be found in the Protection Profile for Network Devices, version 1.1, 8 June 2012 (NDPP) with Errata #3, 3 November 2014, and this section reproduces only the corresponding Security Objectives for convenience.
OE.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
OE.TRUSTED_ADMIN: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
4. Extended Components Definition
All of the extended requirements in this ST have been drawn from the NDPP. The NDPP defines the following extended SFRs and, since they are not redefined in this ST, the NDPP should be consulted for more information in regard to those CC extensions.
FAU_STG_EXT.1: External Audit Trail Storage
FCS_CKM_EXT.
5. Security Requirements
This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort. The SFRs have all been drawn from the Protection Profile (PP): Protection Profile for Network Devices, version 1.
FTA: TOE access
    FTA_SSL.3: TSF-initiated Termination
    FTA_SSL.4: User-initiated Termination
    FTA_SSL_EXT.1: TSF-initiated Session Locking
    FTA_TAB.1: Default TOE Access Banners
FTP: Trusted path/channels
    FTP_ITC.1: Trusted Channel
    FTP_TRP.1: Trusted Path
Table 1 TOE Security Functional Components
5.1.1 Security Audit (FAU)
5.1.1.1 Audit Data Generation (FAU_GEN.1)
FAU_GEN.1.
provided is correct verifies that AGD_OPE.1 is satisfied and should address the invocation of the administrative actions that are needed to verify the audit records are generated as expected. FAU_GEN.1.
Requirement | Auditable Events
FPT_TUD_EXT.1 | Initiation of update.
FPT_TST_EXT.1 | None.
FTA_SSL_EXT.1 | Any attempts at unlocking of an interactive session.
FTA_SSL.3 | The termination of a remote session by the session locking mechanism.
FTA_SSL.4 | The termination of an interactive session.
FTA_TAB.1 | None.
FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel.
FTP_TRP.1 |
Test 1: The evaluator shall establish a session between the TOE and the audit server according to the configuration guidance provided. The evaluator shall then examine the traffic that passes between the audit server and the TOE during several activities of the evaluator’s choice designed to generate audit data to be transferred to the audit server.
zeros, while secret keys stored on the internal hard drive are zeroized by overwriting three times with a random pattern that is changed before each write").
5.1.2.3 Cryptographic Operation (for data encryption/decryption) (FCS_COP.1(1))
FCS_COP.1(1).
5.1.2.6 Cryptographic Operation (for keyed-hash message authentication) (FCS_COP.1(4))
FCS_COP.1(4).
Design Description Documentation shall include the design of the entropy source as a whole, including the interaction of all entropy source components. It will describe the operation of the entropy source to include how it works, how entropy is produced, and how unprocessed (raw) data can be obtained from within the entropy source for testing purposes.
'expected values' are produced by a reference implementation of the algorithm that is known to be correct. Proof of correctness is left to each Scheme. The evaluator shall perform a Variable Seed Test. The evaluator shall provide a set of 128 (Seed, DT) pairs to the TSF RBG function, each 128 bits.
Additional input: the additional input bit lengths have the same defaults and restrictions as the personalization string lengths.
5.1.2.9 Explicit: SSH (FCS_SSH_EXT.1)
FCS_SSH_EXT.1.1 The TSF shall implement the SSH protocol that complies with RFCs 4251, 4252, 4253, 4254, and [no other RFCs].
FCS_SSH_EXT.1.
algorithms specified by the requirement. It is sufficient to observe (on the wire) the successful negotiation of the algorithm to satisfy the intent of the test.
FCS_SSH_EXT.1.5 The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [no other public key algorithms] as its public key algorithm(s).
The evaluator shall check the description of the implementation of this protocol in the TSS to ensure that the ciphersuites supported are specified. The evaluator shall check the TSS to ensure that the ciphersuites specified are identical to those listed for this component.
on setting the minimum password length. The evaluator shall also perform the following tests. Note that one or more of these tests can be performed with a single test case. Test 1: The evaluator shall compose passwords that either meet the requirements, or fail to meet the requirements, in some way. For each password, the evaluator shall verify that the TOE supports the password.
login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.
5.1.5.3 Restrictions on Security Roles (FMT_SMR.2)
FMT_SMR.2.1 The TSF shall maintain the roles: Authorized Administrator.
FMT_SMR.2.2 The TSF shall be able to associate users with roles.
FMT_SMR.2.
5.1.6.3 Reliable Time Stamps (FPT_STM.1)
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
Assurance Activity: The evaluator shall examine the TSS to ensure that it lists each security function that makes use of time.
Component Assurance Activity: Updates to the TOE either have a hash associated with them, or are signed by an authorized source. If digital signatures are used, the definition of an authorized source is contained in the TSS, along with a description of how the certificates used by the update verification mechanism are contained on the device.
Test 2: The evaluator initiates an interactive remote session with the TOE. The evaluator then follows the operational guidance to exit or log off the session and observes that the session has been terminated.
5.1.7.3 TSF-initiated Session Locking (FTA_SSL_EXT.1)
FTA_SSL_EXT.1.
Component Assurance Activity: The evaluator shall examine the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each communications mechanism is identified in terms of the allowed protocols for that IT entity.
Test 2: For each method of remote administration supported, the evaluator shall follow the operational guidance to ensure that there is no available interface that can be used by a remote user to establish a remote administrative session without invoking the trusted path.
The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs. Component Assurance Activity: There are no specific assurance activities associated with these SARs. The functional specification documentation is provided to support the evaluation activities described in Section 4.
to the process that 'listens' on the network interface). It is acceptable to list all processes running (or that could run) on the TOE in its evaluated configuration instead of attempting to determine just those that process the network data. For each process listed, the administrative guidance will contain a short (e.g.
5.2.3 Life-cycle support (ALC)
5.2.3.1 Labelling of the TOE (ALC_CMC.1)
ALC_CMC.1.1d The developer shall provide the TOE and a reference for the TOE.
ALC_CMC.1.1c The TOE shall be labelled with its unique reference.
ALC_CMC.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Component Assurance Activity: The evaluator shall prepare a test plan and report documenting the testing aspects of the system. The test plan covers all of the testing actions contained in the CEM and the body of the NDPP’s Assurance Activities.
ATE_IND, or a separate document. The evaluator performs a search of public information to determine the vulnerabilities that have been found in network infrastructure devices and the implemented communication protocols in general, as well as those that pertain to the particular TOE. The evaluator documents the sources consulted and the vulnerabilities found in the report.
FTP_TRP.1 | none | none
ADV_FSP.1 | none | none
AGD_OPE.1 | ADV_FSP.1 | ADV_FSP.1
AGD_PRE.1 | none | none
ALC_CMC.1 | ALC_CMS.1 | ALC_CMS.1
ALC_CMS.1 | none | none
ATE_IND.1 | ADV_FSP.1 and AGD_OPE.1 and AGD_PRE.1 | ADV_FSP.1 and AGD_OPE.1 and AGD_PRE.1
AVA_VAN.1 | ADV_FSP.1 and AGD_OPE.1 and AGD_PRE.1 | ADV_FSP.1 and AGD_OPE.1 and AGD_PRE.
6. TOE Summary Specification
This chapter describes the security functions:
    Security audit
    Cryptographic support
    User data protection
    Identification and authentication
    Security management
    Protection of the TSF
    TOE access
    Trusted path/channels
6.
6.2 Cryptographic support
The TOE includes a FIPS 140 certified crypto module providing supporting cryptographic functions. The evaluated configuration requires that the TOE be configured in Common Criteria mode to ensure FIPS certified functions are used. The following functions have been FIPS certified in accordance with the identified standards.
NIST SP800-56B Section Reference 6.5.2 6.5.2.1 6.6 7.1.2 7.2.1.3 7.2.1.3 7.2.2.3 7.2.2.3 7.2.2.3 7.2.2.3 7.2.2.3 7.2.2.3 7.2.3.3 7.2.3.3 7.2.3.3 7.2.3.3 7.2.3.3 7.2.3.3 8 8.3.
Key or CSP: DRBG Constant C | Zeroized upon: Every 100ms | Stored in: RAM | Zeroized by: Overwritten with new value
Table 7 Keys and CSPs
The TOE stores all persistent secret and private keys in FLASH and stores all ephemeral keys in RAM (as indicated in the above table).
The TOE allows users to perform SSHv2 authentication using password based authentication and allows users to upload a public key for SSHv2 public key client authentication. The TOE’s SSHv2 implementation limits SSH packets to a size of 256K bytes.
The Authorized Administrator with Super User privilege represents the “administrator” referred to in the security requirements of the protection profile. Other accounts with privileges other than Super User were not tested during evaluation.
Other than the Super User level, the TOE implements a Read Only level, where only basic commands can be issued and no changes can be made, and a Port Configuration level, where non-security device parameters can be managed. Collectively, this ST refers to all users of the TOE as “TOE Users” where the “Authorized Administrator with Super User privilege” is a subset of that broader role.
Command | Tested Command Variants | Description
show clock
show ip client-pub-key
show ip ssl
show logging
show run |
Table 8 Security Related Configuration Commands
The TOE also provides a comprehensive set of network routing configuration commands.
The Protection of the TSF function is designed to satisfy the following security functional requirements:
FPT_SKP_EXT.1: The TOE does not offer any functions that will disclose to any users a stored cryptographic key.
FPT_APW_EXT.1: The TOE does not offer any functions that will disclose to any user a plain text password.
Note that the product includes other cryptographic algorithms, but since they are not FIPS certified, they are not recommended for use and are excluded from the scope of evaluation. Remote connection to SYSLOG servers is protected using TLS (as specified earlier).