Hewlett-Packard Company Network Switches Security Target Version 1.02 08/16/2013 Prepared for: Hewlett-Packard Development Company, L.P.
Security Target Version 1.02, 08/16/2013
1. SECURITY TARGET INTRODUCTION ........ 4
1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION ........ 4
1.2 CONFORMANCE CLAIMS ........ 5
1.3 CONVENTIONS ........
2.
8.1.1 Security Objectives Rationale for the TOE and Environment ........ 54
8.2 SECURITY REQUIREMENTS RATIONALE ........ 56
8.2.1 Security Functional Requirements Rationale ........ 56
8.3 SECURITY ASSURANCE REQUIREMENTS RATIONALE ........
1. Security Target Introduction This section identifies the Security Target (ST) and the Target of Evaluation (TOE), and describes the ST conventions, the ST conformance claims, and the ST organization. The TOE is Hewlett-Packard Network Switches provided by Hewlett-Packard Development Company.
reproduced in this Security Target to ensure they are within scope of the corresponding evaluation. However, at the present time international recognition of the evaluation results is limited to defined assurance packages, such as EAL1, and does not extend to Scheme-defined assurance extensions or refinements. 1.
2.1 TOE Overview The HP Network switches are Gigabit Ethernet switch appliances which consist of hardware and software components. While the physical form factor of each distinct series in the Network family is substantially different, the underlying hardware shares a similar architecture. The software is a common, modular code base, with only the modules applicable to the specific hardware installed.
2.2 TOE Architecture The HP Network switches share a common software code base, called Comware. Comware is special-purpose appliance system software that implements a wide array of networking technology, including: IPv4/IPv6 dual stacks, a data link layer, layer 2 and 3 routing, Ethernet switching, VLANs, Intelligent Resilient Framework (IRF), routing, Quality of Service (QoS), etc. The evaluated version of Comware is 5.2.
queue management, semaphore management, time management, IPC, RPC, module loading management and component management. Underlying the main Comware components are the hardware-specific Board Support Package (BSP) and device drivers to provide necessary abstractions of the hardware components for the higher-level software components. The Comware software components are composed of subsystems designed to implement applicable functions.
Security audit
Cryptographic support
User data protection
Identification and authentication
Security management
Protection of the TSF
TOE access
Trusted path/channels
2.2.3.1 Security audit The TOE is designed to generate logs for a wide range of security relevant events. The TOE can be configured to store the logs locally, to be accessed by an administrator, or alternately to send the logs to a designated log server. 2.2.3.
The TOE includes functions to perform self-tests so it might detect when it is failing. It also includes mechanisms so the TOE itself can be updated while ensuring the updates will not introduce malicious or other unexpected changes in the TOE. 2.2.3.
3. Security Problem Definition The Security Problem Definition (composed of organizational policies, threat statements, and assumptions) has been drawn verbatim from the Security Requirements for Network Devices, Version 1.1, 8 June 2012 (NDPP). The NDPP offers additional information about the identified threats, but that has not been reproduced here and the NDPP should be consulted if there is interest in that material.
A.NO_GENERAL_PURPOSE It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. A.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment. A.
4. Security Objectives Like the Security Problem Definition, the Security Objectives have been drawn verbatim from the NDPP. The NDPP offers additional information about the identified security objectives, but that has not been reproduced here and the NDPP should be consulted if there is interest in that material.
OE.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment. OE.TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
5. IT Security Requirements This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort. The SFRs have all been drawn from the Protection Profile (PP): Security Requirements for Network Devices, Version 1.1, 8 June 2012 (NDPP).
5.2 TOE Security Functional Requirements The following table describes the SFRs that are satisfied by HP Network Switches.
Requirement Class: FAU: Security audit; FCS: Cryptographic support; FDP: User data protection; FIA: Identification and authentication; FMT: Security management; FPT: Protection of the TSF; FTA: TOE access; FTP: Trusted path/channels
Requirement Component: FAU_GEN.1: Audit Data Generation; FAU_GEN.2: User identity association; FAU_STG_EXT.
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, information specified in column three of Table 3.
Requirement: Auditable Events
FAU_GEN.1: None.
FAU_GEN.2: None.
FAU_STG_EXT.1: None.
FCS_CKM.1: None.
FCS_CKM_EXT.4: None.
FCS_COP.1(1): None.
FCS_COP.1(2): None.
FCS_COP.1(3): None.
FCS_COP.1(4): None.
FCS_IPSEC_EXT.1: Failure to establish an IPsec SA. Establishment/Termination of an IPsec SA.
Requirement: Auditable Events (continued): Termination of the trusted channel. Failures of the trusted path functions. Additional Audit Record Contents: identity. Table 3 Auditable Events
5.2.1.2 User identity association (FAU_GEN.2) FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event. 5.2.1.3 External Audit Trail Storage (FAU_STG_EXT.
5.2.2.6 Cryptographic Operation (for keyed-hash message authentication) (FCS_COP.1(4)) FCS_COP.1(4).1 Refinement: The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm HMAC-[SHA-1], key size [20 octets], and message digest sizes [160] bits that meet the following: FIPS Pub 198-1, 'The Keyed-Hash Message Authentication Code', and FIPS Pub 180-3, 'Secure Hash Standard.' 5.2.2.7 Explicit: IPSEC (FCS_IPSEC_EXT.
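The FCS_COP.1(4) parameters above (HMAC with SHA-1, a 20-octet key, a 160-bit tag) can be checked directly against the FIPS 198-1 construction. The following is an added example, not code from the ST or from Comware: it builds HMAC-SHA-1 from the inner/outer padding definition in FIPS 198-1 on top of the standard library's SHA-1, compares the result with the library's own HMAC, and checks it against the RFC 2202 test vector that uses exactly a 20-octet key. The tag verification uses a constant-time comparison, which is the check an implementation should make when authenticating a received message.

```python
import hashlib
import hmac

BLOCK_SIZE = 64    # SHA-1 input block size in bytes (FIPS 180-3)
DIGEST_SIZE = 20   # 160-bit output, the [160] in FCS_COP.1(4)


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-1 per FIPS 198-1: H((K0 xor opad) || H((K0 xor ipad) || text))."""
    # K0 derivation: keys longer than one block are hashed first; shorter keys
    # are zero-padded on the right to the block size.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    k0 = key.ljust(BLOCK_SIZE, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in k0)
    opad_key = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.sha1(ipad_key + message).digest()
    return hashlib.sha1(opad_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time tag check so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


# Constructed self-check input: RFC 2202 HMAC-SHA-1 test case 1, which uses a
# 20-octet key (0x0b repeated 20 times) and the message "Hi There".
RFC2202_KEY = b"\x0b" * 20
RFC2202_MSG = b"Hi There"
RFC2202_TAG = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")


def self_check() -> bool:
    """True when the hand-built HMAC, the library HMAC and the RFC vector agree."""
    ours = hmac_sha1(RFC2202_KEY, RFC2202_MSG)
    library = hmac.new(RFC2202_KEY, RFC2202_MSG, hashlib.sha1).digest()
    return ours == library == RFC2202_TAG and len(ours) == DIGEST_SIZE


if __name__ == "__main__":
    print("HMAC-SHA-1 self-check:", "pass" if self_check() else "FAIL")
```

Running the block stand-alone prints the self-check result; an implementation under evaluation would be expected to pass the same known-answer vector as part of its cryptographic self-tests.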
5.2.3 User data protection (FDP) 5.2.3.1 Full Residual Information Protection (FDP_RIP.2) FDP_RIP.2.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [allocation of the resource to] all objects. 5.2.4 Identification and authentication (FIA) 5.2.4.1 Password Management (FIA_PMG_EXT.1) FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for administrative passwords: 1.
FMT_SMR.2.2 The TSF shall be able to associate users with roles. FMT_SMR.2.3 The TSF shall ensure that the conditions [Authorized Administrator role shall be able to administer the TOE locally; Authorized Administrator role shall be able to administer the TOE remotely] are satisfied. 5.2.6 Protection of the TSF (FPT) 5.2.6.1 Extended: Protection of Administrator Passwords (FPT_APW_EXT.1) FPT_APW_EXT.1.1 The TSF shall store passwords in non-plaintext form.
5.2.7.4 Default TOE Access Banners (FTA_TAB.1) FTA_TAB.1.1 Refinement: Before establishing an administrative session the TSF shall display a Security Administrator-specified advisory notice and consent warning message regarding use of the TOE. 5.2.8 Trusted path/channels (FTP) 5.2.8.1 Trusted Channel (FTP_ITC.1) FTP_ITC.1.1 FTP_ITC.1.2 FTP_ITC.1.
5.3 TOE Security Assurance Requirements The security assurance requirements for the TOE are the EAL 1 components as specified in Part 3 of the Common Criteria (with the exception of some name changes in accordance with the NDPP). The SARs have effectively been refined with the assurance activities explicitly defined in association with both the SFRs and SARs.
AGD_OPE.1.6c The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST. AGD_OPE.1.7c The operational user guidance shall be clear and reasonable. AGD_OPE.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 5.3.2.2 Preparative procedures (AGD_PRE.
AVA_VAN.1.3e The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential.
5.4 Explicit Assurance Activities The following tables (Table 5 NDPP Security Functional Requirement Assurance Activities and Table 6 NDPP Assurance Family Assurance Activities) define the explicit assurance activities presented in the NDPP for applicable SFR elements and SAR families. The table for the SFRs has divided the assurance activities based on whether they apply to TOE design, operational guidance, or testing.
FAU_STG_EXT.1.1 Assurance Activity – Design The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access. The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided.
Assurance Activity – Design The evaluator shall check to ensure the TSS describes each of the secret keys (keys used for symmetric encryption), private keys, and CSPs used to generate keys; when they are zeroized (for example, immediately after use, on system shutdown, etc.); and the type of zeroization procedure that is performed (overwrite with zeros, overwrite three times with random pattern, etc.).
Assurance Activity – Design The evaluator shall examine the TSS to verify that it describes how "confidentiality only" ESP mode is disabled. The evaluator shall examine the TSS to ensure that, in the description of the IPsec protocol supported by the TOE, it states that aggressive mode is not used for IKEv1 Phase 1 exchanges, and that only main mode is used. FCS_IPSEC_EXT.1.
Assurance Activity – Design The evaluator shall check to ensure that the TSS describes how pre-shared keys are established and used in authentication of IPsec connections. The description in the TSS shall also indicate how pre-shared key establishment is accomplished for both TOEs that can generate a pre-shared key as well as TOEs that simply use a pre-shared key. FCS_IPSEC_EXT.1.8 FCS_IPSEC_EXT.1.7 FCS_RBG_(EXT).1.2 FCS_RBG_(EXT).1.
FCS_SSH_EXT.1.3 FCS_SSH_EXT.1.2 Assurance Activity – Design The evaluator shall check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication, that this list conforms to FCS_SSH_EXT.1.5, and ensure that password-based authentication methods are also allowed. Assurance Activity - Guidance FCS_SSH_EXT.1.4 FCS_SSH_EXT.1.
Assurance Activity – Design “Resources” in the context of this requirement are network packets being sent through (as opposed to “to”, as is the case when a security administrator connects to the TOE) the TOE. The concern is that once a network packet is sent, the buffer or memory area used by the packet still contains data from that packet, and that if that buffer is re-used, those data might remain and make their way into a new packet.
Assurance Activity - Guidance FIA_UAU_EXT.7.1 Assurance Activity – Design Test 1: The evaluator shall locally authenticate to the TOE. While making this attempt, the evaluator shall verify that at most obscured feedback is provided while entering the authentication information. FPT_STM.1.1 The evaluator shall examine the TSS to ensure that it lists each security function that makes use of time.
Assurance Activity - Guidance FPT_TST_EXT.1.1 FTA_SSL.3.1 FTA_SSL.4.1 FTA_SSL_EXT.1.1 The evaluator shall examine the TSS to ensure that it details the self-tests that are run by the TSF on start-up; this description should include an outline of what the tests are actually doing (e.g.
FTP_ITC.1.1 FTA_TAB.1.1 Assurance Activity – Design The evaluator shall check the TSS to ensure that it details each method of access (local and remote) available to the administrator (e.g., serial port, SSH, HTTPS).
AGD_OPE ADV_FSP Assurance Activity There are no specific assurance activities associated with these SARs. The functional specification documentation is provided to support the evaluation activities described in Section 4.2 (of the NDPP), and other activities described for AGD, ATE, and AVA SARs.
ATE_IND Assurance Activity The evaluator shall prepare a test plan and report documenting the testing aspects of the system. The test plan covers all of the testing actions contained in the CEM and the body of the NDPP’s Assurance Activities. While it is not necessary to have one test case per test listed in an Assurance Activity, the evaluator must document in the test plan that each applicable testing requirement in the ST is covered.
6. TOE Summary Specification This chapter describes the security functions:
Security audit
Cryptographic support
User data protection
Identification and authentication
Security management
Protection of the TSF
TOE access
Trusted path/channels
6.1 Security audit The TOE is designed to generate log records for a wide range of security relevant and other events as they occur.
The TOE uses a software-based random bit generator that complies with FIPS 140-2 ANSI X9.31 Random Number Generation (RNG) when operating in the FIPS mode. The entropy source is a 128-bit value extracted from the Comware entropy pool. The design architecture of the Comware entropy source is the same as the architecture of the Linux kernel entropy pool. The noise sources for the Comware entropy pool include interrupts, process scheduling and memory allocation.
Table columns: Identifier; Name; Generation/Algorithm; Purpose; Storage Location; Zeroization Summary.
CSP6: SSH Session Keys. Generation/Algorithm: ANSI X9.31 / 3DES-AES. Purpose: SSH keys. Storage Location: RAM (plain text). Zeroization Summary: Keys in RAM will be zeroized upon resetting or rebooting the security appliance.
CSP7: IPsec authentication Keys. Generation/Algorithm: ANSI X9.31 / 3DES-AES / DH. Purpose: Exchanged using the IKE protocol and the public/private key pairs.
CSP13: IKE Encryption Key. Generation/Algorithm: Generated using IKE (X9.31+HMACSHA1+DH). Purpose: Used to encrypt IKE negotiations. Storage Location: RAM (plain text). Zeroization Summary: Keys in RAM will be zeroized upon resetting or rebooting the security appliance.
(next row, identifier not recovered) Purpose: Used for authenticating the RADIUS server to the security appliance and vice versa. Storage Location: Entered by the Security administrator in plain text form and stored in cipher text form.
being received, the TOE uses a buffer to build all packet information. Once complete, the packet is checked to ensure it can be appropriately decrypted. However, if it is not complete when the buffer becomes full (256K bytes) the packet will be dropped. The TOE includes an implementation of IPsec in accordance with RFC 4303 for security.
FCS_CKM.1: See table above.
FCS_CKM_EXT.4: Keys are zeroized when they are no longer needed by the TOE.
FCS_COP.1(1): See table above.
FCS_COP.1(2): See table above.
FCS_COP.1(3): See table above.
FCS_COP.1(4): See table above.
FCS_IPSEC_EXT.1: The TOE supports IPsec cryptographic network communication protection.
FCS_RBG_EXT.1: See table above.
FCS_SSH_EXT.
The Identification and authentication function is designed to satisfy the following security functional requirements: FIA_PMG_EXT.1: The TOE implements a configurable minimum password length and allows passwords to be composed of any combination of upper and lower case letters, numbers and special characters, as described above. FIA_UAU.7: The TOE does not echo passwords as they are entered. FIA_UAU_EXT.
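Two of the password requirements on this page fit together: FIA_PMG_EXT.1 (a configurable minimum length, any mix of upper and lower case letters, digits and special characters) and FPT_APW_EXT.1 in section 5.2.6.1 (passwords stored in non-plaintext form). The following is an added example, not code from the ST or from Comware, showing one way an administrative-password setter can enforce the first and satisfy the second. Assumptions: the special-character set is the ten characters "!@#$%^&*()" (the page only says "special characters"), the configured minimum is passed in as min_length, and PBKDF2-HMAC-SHA256 with a random salt is used as the non-plaintext form; the ST does not state which construction the TOE actually uses.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

# Assumed policy values for this example; the real TOE may accept more characters.
SPECIAL_CHARS = set("!@#$%^&*()")
ALLOWED_CHARS = set(string.ascii_letters) | set(string.digits) | SPECIAL_CHARS


def check_password_policy(password: str, min_length: int = 8) -> Tuple[bool, str]:
    """FIA_PMG_EXT.1-style check: configurable minimum length, any mix of the
    allowed classes is accepted (no particular class is mandated)."""
    if len(password) < min_length:
        return False, f"shorter than configured minimum of {min_length}"
    disallowed = sorted(set(password) - ALLOWED_CHARS)
    if disallowed:
        return False, "disallowed characters: " + "".join(disallowed)
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Produce the stored, non-plaintext form (FPT_APW_EXT.1-style).

    PBKDF2-HMAC-SHA256 with a 16-byte random salt is an assumed choice for the
    example. The record carries everything needed to re-derive, nothing that
    reveals the password itself."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def set_admin_password(password: str, min_length: int = 8) -> Optional[str]:
    """Policy check first, then hashing; returns the record to store, or None if rejected."""
    ok, _reason = check_password_policy(password, min_length)
    return hash_password(password) if ok else None


if __name__ == "__main__":
    record = set_admin_password("Ab3$efgh", min_length=8)
    print("stored record:", record)
    print("verify correct:", verify_password("Ab3$efgh", record))
    print("verify wrong:", verify_password("Ab3$efgi", record))
    print("too short under a 15-character minimum:", check_password_policy("Ab3$efgh", 15))
```

The stored record never contains the password, and because the salt and iteration count travel with it, the minimum length or work factor can be raised later without invalidating existing records.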
6.6 Protection of the TSF The TOE is an appliance and as such is designed to work independently of other components to a large extent. Secure communication with third-party peers is addressed in section 6.8, Trusted path/channels, and secure communication among multiple instances of the TOE is limited to a direct link between redundant switch appliances deployed in a high-availability configuration.
FPT_STM.1: The TOE includes its own hardware clock. FPT_TST_EXT.1: The TOE includes a number of power-on diagnostics that will serve to ensure the TOE is functioning properly. The tests include ensuring that memory and flash can be accessed as expected, that software checksums are correct, and that plugged devices are present and functioning. FPT_TUD_EXT.
To support secure remote administration, the TOE includes an implementation of SSHv2. In each case, a remote host (presumably acting on behalf of an administrator) can initiate a secure remote connection for the purpose of security management. Only the local console is available by default and each of these remote administration services can be independently enabled by an administrator.
7. Protection Profile Claims This ST is conformant to the Security Requirements for Network Devices, Version 1.1, 8 June 2012 (NDPP) – with the optional SSH and IPsec requirements. The TOE includes Ethernet switch devices. As such, the TOE is a network device making the NDPP claim valid and applicable. As explained in section 3, Security Problem Definition, the Security Problem Definition of the NDPP has been copied verbatim into this ST.
8. Rationale This section provides the rationale for completeness and consistency of the Security Target. The rationale addresses the following areas:
Security Objectives;
Security Functional Requirements;
Security Assurance Requirements;
Requirement Dependencies;
TOE Summary Specification.
8.
8.1.1.1 P.ACCESS_BANNER The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the TOE. This Organizational Policy is satisfied by ensuring: O.DISPLAY_BANNER: To fulfill the policy to display advisory information to users prior to their use of the TOE, the TOE is expected to display a configured banner when users log in to establish an interactive session.
8.1.1.6 T.UNDETECTED_ACTIONS Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated. This Threat is satisfied by ensuring: O.
[Table: correspondence of SFRs to TOE security objectives. Columns include O.VERIFIABLE_UPDATES, O.TSF_SELF_TEST and O.TOE_ADMINISTRATION; rows are FAU_GEN.1, FAU_GEN.2, FAU_STG_EXT.1, FCS_CKM.1, FCS_CKM_EXT.4, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_IPSEC_EXT.1, FCS_RBG_EXT.1, FCS_SSH_EXT.1, FDP_RIP.2, FIA_PMG_EXT.1, FIA_UAU.7, FIA_UAU_EXT.2, FIA_UIA_EXT.1, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_APW_EXT.1, FPT_SKP_EXT.1, FPT_STM.1, FPT_TST_EXT.1, FPT_TUD_EXT.1, FTA_SSL.3, FTA_SSL.4, FTA_SSL_EXT.1, FTA_TAB.1, FTP_ITC.1, FTP_TRP.1. The individual X markings could not be recovered from the extracted text.]
This TOE Security Objective is satisfied by ensuring: FTA_TAB.1: The TOE is required to display the configured advisory banner whenever a user/administrator connects to the TOE. 8.2.1.2 O.PROTECTED_COMMUNICATIONS The TOE will provide protected communication channels for administrators, other parts of a distributed TOE, and authorized IT entities. This TOE Security Objective is satisfied by ensuring: FCS_CKM.
This TOE Security Objective is satisfied by ensuring: FAU_GEN.1: The TOE is required to be able to generate audit events for security relevant activities on the TOE. FAU_GEN.2: The TOE is required to associate audit events to users to ensure proper accountability. FAU_STG_EXT.1: The TOE is required to be able to export audit records to an external audit server via a secure channel to protect the integrity and security of those records. FPT_STM.
FCS_COP.1(3): The TOE is required to either use digital signatures or cryptographic hashes to ensure the integrity of updates. FPT_TUD_EXT.1: The TOE is required to provide update functions and also the means for an administrator to initiate and verify updates before they are applied. 8.3 Security Assurance Requirements Rationale The Security Assurance Requirements (SARs) in this ST, which correspond to EAL1, represent the SARs identified in the NDPP.
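The update rationale above (FCS_COP.1(3) and FPT_TUD_EXT.1) and the software-checksum self-test in section 6.6 both reduce to the same operation: hash the candidate image and compare it with a trusted reference before anything is applied or run. The following is an added example, not code from the ST or from Comware, that works through the hash-based variant on a constructed image format. Assumptions: the image layout (magic, version field, payload) is invented for the example and is not the Comware image format; the trusted SHA-256 digest is supplied by the administrator from an out-of-band source rather than read from the image, since a digest carried inside the image would only detect corruption, not substitution; and the image is parsed only after its digest has been confirmed.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed layout for the demonstration (NOT the real Comware image format):
#   4-byte magic | 2-byte big-endian version length | version string | payload
MAGIC = b"IMG1"


def build_image(version: str, payload: bytes) -> bytes:
    """Assemble a constructed update image."""
    v = version.encode("ascii")
    return MAGIC + struct.pack(">H", len(v)) + v + payload


def published_digest(image: bytes) -> str:
    """Stand-in for the SHA-256 value the vendor publishes with a release.

    An administrator obtains this out of band; it is never read from the
    image that is being checked."""
    return hashlib.sha256(image).hexdigest()


def parse_image(image: bytes) -> Tuple[str, bytes]:
    """Parse the constructed header, raising ValueError on any inconsistency."""
    if len(image) < 6 or image[:4] != MAGIC:
        raise ValueError("bad magic or truncated header")
    (vlen,) = struct.unpack(">H", image[4:6])
    if 6 + vlen > len(image):
        raise ValueError("version field runs past end of image")
    version = image[6:6 + vlen].decode("ascii")
    return version, image[6 + vlen:]


def verify_update(image: bytes, trusted_digest_hex: str) -> Tuple[bool, str]:
    """Hash-based integrity check in the spirit of FCS_COP.1(3).

    The whole image is hashed and compared in constant time against the
    trusted digest before any parsing, so a modified image is never interpreted."""
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, trusted_digest_hex.lower()):
        return False, "digest mismatch: update rejected"
    try:
        version, _payload = parse_image(image)
    except ValueError as exc:
        return False, f"malformed image: {exc}"
    return True, version


def stage_update(current_version: str, image: bytes, trusted_digest_hex: str) -> str:
    """Administrator-initiated flow in the spirit of FPT_TUD_EXT.1: verify, then apply.

    Returns the version that is active afterwards; on any failure nothing is
    written and the running version is unchanged."""
    ok, detail = verify_update(image, trusted_digest_hex)
    return detail if ok else current_version


if __name__ == "__main__":
    img = build_image("5.2-demo", b"constructed payload bytes")
    ref = published_digest(img)
    print("good image ->", stage_update("5.2", img, ref))
    print("tampered image ->", stage_update("5.2", img[:-1] + b"\x00", ref))
```

The same verify step, run at power-on against the digest recorded at install time, is what the FPT_TST_EXT.1 software-checksum self-test in section 6.6 amounts to; a single-bit change anywhere in the image changes the digest and the image is refused.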
ST Requirement: CC Dependencies
FTP_ITC.1: none
FTP_TRP.1: none
ADV_ARC.1: ADV_FSP.1 and ADV_TDS.1
ADV_FSP.2: ADV_TDS.1
ADV_TDS.1: ADV_FSP.2
AGD_OPE.1: ADV_FSP.1
AGD_PRE.1: none
ALC_CMC.2: ALC_CMS.1
ALC_CMS.2: none
ALC_DEL.1: none
ALC_FLR.2: none
ATE_COV.1: ADV_FSP.2 and ATE_FUN.1
ATE_FUN.1: ATE_COV.1
ATE_IND.2: ADV_FSP.2 and AGD_OPE.1 and AGD_PRE.1 and ATE_COV.1 and ATE_FUN.1
AVA_VAN.2: ADV_ARC.1 and ADV_FSP.2 and ADV_TDS.1 and AGD_OPE.1 and AGD_PRE.
FAU_GEN.1 FAU_GEN.2 FAU_STG_EXT.1 FCS_CKM.1 FCS_CKM_EXT.4 FCS_COP.1(1) FCS_COP.1(2) FCS_COP.1(3) FCS_COP.1(4) FCS_IPSEC_EXT.1 FCS_RBG_EXT.1 FCS_SSH_EXT.1 FDP_RIP.2 FIA_PMG_EXT.1 FIA_UAU.7 FIA_UAU_EXT.2 FIA_UIA_EXT.1 FMT_MTD.1 FMT_SMF.1 FMT_SMR.1 FPT_APW_EXT.1 FPT_SKP_EXT.1 FPT_STM.1 FPT_TST_EXT.1 FPT_TUD_EXT.1 FTA_SSL.3 FTA_SSL.4 FTA_SSL_EXT.1 FTA_TAB.1 FTP_ITC.1 FTP_TRP.
Appendix A: Documentation for A Series Switches This Appendix provides a list of the product documentation used during the evaluation of each Network switch product family. 5120 EI Switch Series The following documents for the 5120 EI Switch series can be found under the General Reference section of the 5120 EI Switch Series documentation page on the HP Web site. The link is provided below.
The following documents for the 5500 HI Switch series can be found under the General Reference section of the 5500 HI Switch Series documentation page on the HP Web site. The link is provided below.
R1211-HP 5820X & 5800 Switch Series Layer-3 IP Services Command Reference, 8 Jan 2013 http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual&lang=en&cc=us&docIndexId=64179&taskId=101&prodTypeId=12883&prodSeriesId=4218345#0 The following documents for the 5820 Switch series can be found under the Setup and Install section of the 5820 Switch Series documentation page on the HP Web site. The link is provided below.
H3C S9500E Series Routing Switches Network Management and Monitoring Configuration Guide, 1 Dec 2010 H3C S9500E Series Routing Switches ACL and QoS Configuration Guide, 3 Feb 2011 H3C S9500E Series Routing Switches Layer-3 IP Services Configuration Guide, 1 Dec 2010 H3C S9500E Series Routing Switches Installation Manual, 1 Dec 2010 http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.