Brocade FastIron SX, ICX, and FCX Series Switch/Router 08.0.01 Security Target Version 1.1, May 13, 2014
Page 44 of 48
The user roles offered by the TOE are categorized differently when described in FIPS documentation. Specifically,
the Authorized Administrator with Super User privilege equates to the FIPS Crypto Officer Role, the Port
Configuration User equates to the FIPS Port Configuration Administrator Role (and has write access to the interface
configuration mode only), and a user with read-only privileges and no configuration mode access equates to the
FIPS User Role.
While the Authorized Administrator with Super User privilege can create or otherwise modify accounts freely, other
users cannot change their own (or any other) security attributes. Note that the TOE supports a password
enforcement configuration where the minimum password length can be set by an administrator up to 48 characters.
Passwords can be created using any alphabetic, numeric, and a wide range of special characters (identified in
FIA_PMG_EXT.1).
Additional authentication mechanisms can also be configured by an Authorized Administrator using an
Authentication Method List. This allows some flexibility in setting up authentication mechanisms when desired. The
available mechanisms include the Local Password for the Super User Privilege level and the SSH public key
authentication mechanism. An administrator can create users, associate passwords with user accounts, and can also
set the privilege level associated with a user. Users, after authenticating, may upload a public key to be used with
SSH client public key authentication. When authentication succeeds, the TOE looks up the user’s defined privilege
level, assigns that to the user’s session, and presents the user with a command prompt (the “#” character, e.g.,
Brocade(config)#).
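The account management and login flow described above, as an added example that is not Brocade's code and not part of the Security Target: a small model of the local user store, the FIA_PMG_EXT.1 password-composition check with an administrator-configurable minimum length (up to 48), and an Authentication Method List that tries SSH public-key authentication and then the local password, binding the user's defined privilege level to the session on success. Assumptions: the special-character set is the NDPP FIA_PMG_EXT.1 list; PBKDF2 is used here only so the model stores no plaintext passwords (the ST does not state the TOE's storage scheme); role names, account names and the sample key are constructed.

```python
"""Model of local accounts, password policy and an Authentication Method List.
Constructed example; not the TOE's implementation."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import Dict, Optional

SUPER_USER, PORT_CONFIG, READ_ONLY = "super-user", "port-config", "read-only"
MAX_MIN_LENGTH = 48                  # the ST: minimum length is configurable up to 48
SPECIAL_CHARS = set("!@#$%^&*()")    # assumption: NDPP FIA_PMG_EXT.1 special characters
ALLOWED_CHARS = set(string.ascii_letters) | set(string.digits) | SPECIAL_CHARS


def password_meets_policy(password: str, min_length: int) -> bool:
    """FIA_PMG_EXT.1 check: at least the configured minimum length, and only
    characters from the permitted alphabet (no whitespace or control chars)."""
    if not 1 <= min_length <= MAX_MIN_LENGTH:
        raise ValueError("minimum password length must be between 1 and 48")
    if len(password) < min_length:
        return False
    return all(c in ALLOWED_CHARS for c in password)


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for whatever the TOE uses internally
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    privilege: str
    salt: bytes
    pw_hash: bytes
    ssh_pubkeys: set = field(default_factory=set)


@dataclass
class Session:
    user: str
    privilege: str   # looked up at login and bound to the session


class UserStore:
    def __init__(self, min_password_length: int = 8):
        self.min_password_length = min_password_length
        self.accounts: Dict[str, Account] = {}
        # Authentication Method List: methods are tried in order until one succeeds
        self.method_list = ["ssh-pubkey", "local"]

    def create_user(self, actor: Session, name: str, privilege: str, password: str) -> None:
        # Only the Super User may create accounts, set passwords or assign privilege levels
        if actor.privilege != SUPER_USER:
            raise PermissionError("only the Super User may manage accounts")
        if not password_meets_policy(password, self.min_password_length):
            raise ValueError("password violates the configured policy")
        salt = os.urandom(16)
        self.accounts[name] = Account(name, privilege, salt, _hash(password, salt))

    def upload_pubkey(self, session: Session, pubkey: str) -> None:
        # An already-authenticated user may register a key for their own account only
        self.accounts[session.user].ssh_pubkeys.add(pubkey)

    def authenticate(self, name: str, password: Optional[str] = None,
                     pubkey: Optional[str] = None) -> Optional[Session]:
        """Walk the method list; on success return a session carrying the
        account's defined privilege level, otherwise None."""
        acct = self.accounts.get(name)
        if acct is None:
            return None
        for method in self.method_list:
            if method == "ssh-pubkey" and pubkey is not None and pubkey in acct.ssh_pubkeys:
                return Session(name, acct.privilege)
            if method == "local" and password is not None and \
                    hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
                return Session(name, acct.privilege)
        return None


if __name__ == "__main__":
    admin = Session("admin", SUPER_USER)            # constructed initial Super User
    store = UserStore(min_password_length=10)
    store.create_user(admin, "ops", PORT_CONFIG, "Ab3$efghij")
    sess = store.authenticate("ops", password="Ab3$efghij")
    print(sess)                                     # Session(user='ops', privilege='port-config')
```

The method list order is a configuration choice in the model; the point the ST makes is that whichever mechanism succeeds, the session privilege comes from the stored account, never from the client.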
The Identification and authentication function is designed to satisfy the following security functional requirements:
FIA_PMG_EXT.1: The TOE implements a rich set of password composition constraints as described
above.
FIA_UAU.7: The TOE does not echo passwords as they are entered; rather ‘*’ characters are echoed when
entering passwords.
FIA_UAU_EXT.2: The TOE can be configured to utilize local password-based authentication and SSH
public-key-based authentication mechanisms.
FIA_UIA_EXT.1: The TOE doesn’t offer any services or access to its functions, except for the
switching/routing of network traffic and displaying a message of the day banner, without requiring a user to
be identified and authenticated.
6.5 Security management
The TOE associates each defined user account with a privilege level. The most privileged level is Super User (with
regard to the requirements in this Security Target, users with lesser privilege levels are referred to collectively
as TOE users, since such users do not have complete read-and-write access to the system). Again, as stated in
section 6.4, other accounts with privileges other than Super User were not tested during the evaluation as the
evaluators considered all roles as administrators and any privilege levels or defined roles serve as unclaimed limits
on user accounts. Such limits can be freely used, but have not been evaluated per NDPP limitations. The TOE
implements an internal access control mechanism that bases decisions about the use of functions and access to TOE
data on those privilege levels. In this manner, the TOE is able to ensure that only the Authorized Administrator with
Super User privilege can access audit configuration data, information flow policy ACLs, user and administrator
security attributes (including passwords and privilege levels), authentication method lists, the logon failure
threshold, the remote access user list, and cryptographic support settings.
Other than the Super User level, the TOE implements a Read Only level, where only basic commands can be issued
and no changes can be made, and a Port Configuration level, where non-security device parameters can be managed.
Collectively, this ST refers to all users of the TOE as “TOE Users” where the “Authorized Administrator with Super
User privilege” is a subset of that broader role.
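The privilege-level access control described in this section, as an added example that is not Brocade's code and not part of the Security Target: the Super-User-only data listed above, the Port Configuration level's write access to interface configuration only, and the Read Only level's restriction to basic (read) commands, expressed as one authorization check. The target names used for management functions are constructed for the model.

```python
"""Privilege-level access control over TOE management functions.
Constructed example; not the TOE's implementation."""
from enum import IntEnum


class Privilege(IntEnum):
    # Ordered so that ">=" reads as "at least this privileged"
    READ_ONLY = 0
    PORT_CONFIG = 1
    SUPER_USER = 2


# Data that only the Authorized Administrator with Super User privilege may access
# (section 6.5 of the ST); target names are constructed labels
SUPER_USER_ONLY = {
    "audit-config",
    "acl",                        # information flow policy ACLs
    "user-attributes",            # passwords and privilege levels of any account
    "auth-method-list",
    "logon-failure-threshold",
    "remote-access-user-list",
    "crypto-settings",
}

# The Port Configuration level has write access to interface configuration mode only
PORT_CONFIG_WRITABLE = {"interface-config"}


def authorize(level: Privilege, target: str, write: bool) -> bool:
    """Return True if a session at `level` may perform the requested access."""
    if target in SUPER_USER_ONLY:
        return level >= Privilege.SUPER_USER       # read and write are both restricted
    if not write:
        return True                               # basic show-style commands at every level
    if target in PORT_CONFIG_WRITABLE:
        return level >= Privilege.PORT_CONFIG     # non-security device parameters
    return level >= Privilege.SUPER_USER          # any other change needs Super User


def run_command(level: Privilege, target: str, write: bool) -> str:
    """Dispatch point for the CLI model: every command passes through authorize()."""
    if not authorize(level, target, write):
        return "denied"
    return "ok"


if __name__ == "__main__":
    for lvl in Privilege:
        print(lvl.name, "interface-config write ->",
              run_command(lvl, "interface-config", write=True))
```

Note that a user's own password falls under "user-attributes", which is why the check gives the Port Configuration and Read Only levels no path to change their own security attributes, matching the ST's statement that only the Super User can modify accounts.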
The TOE offers command line functions which are accessible via the CLI. The CLI is a text-based interface which
can be accessed from a directly connected terminal or via a remote terminal using SSH. These command line
functions can be used to effectively manage every security policy, as well as the non-security-relevant aspects of the
TOE.