Technical data
Brocade Communications Systems, Inc. Page 35 of 48
Figure 7: CryptoTarget Container
Within a storage device for which a CryptoTarget container has been defined, encryption policies must be
configured for all LUNs that reside on the storage device. Encryption policies include specifying whether
encryption will be applied to the LUN, whether existing data on the LUN should be encrypted, and rekey policies.
The TOE will encrypt data sent to (and decrypt data received from) a specific LUN on a storage device when the
HBA (identified by a port number) involved in the data transfer is an initiator in the CryptoTarget for the storage
device. CryptoTarget membership determines the set of initiators associated with the CryptoTarget container. If an
initiator is not a member in the CryptoTarget container for a given storage device, the data exchanged between that
initiator and the storage device is not encrypted/decrypted.
CryptoTarget membership does not grant an HBA access to a storage device. An HBA must have access to a
storage device in accordance with the SAN Fabric SFP.
The User data protection function is designed to satisfy the following security functional requirements:
• FDP_ACC.1, FDP_ACF.1: The TOE provides the ability to restrict block-read and block-write operations
to connected storage devices that are initiated by host bus adapters. A host bus adapter can only access
storage devices that are members of the same zone.
• FDP_IFC.1, FDP_IFF.1: Some models of the TOE provide the ability to encrypt user data to, or decrypt
user data from, a storage device.
• FCS_COP.1(2): Some models of the TOE support encryption of user data using 256-bit AES that meets
FIPS 197. The models of the TOE that support user data encryption have a FIPS 140-2 Level 3 certificate
(1796).
• FCS_CKM.1(2): The TOE generates 256-bit keys for use with AES256-XTS or AES256-GCM in
accordance with the TOE’s FIPS 140-2 Level 3 certificate (1796).
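The two decisions described above (zone-based access under the SAN Fabric SFP, then CryptoTarget membership and per-LUN policy for encryption) can be modelled as a small policy evaluator. This is an added illustration, not Brocade code or the TOE's implementation; the port WWNs, LUN numbers and policies in it are constructed.

```python
# Added model (not Brocade code) of the two decisions described above: zone-based
# access (FDP_ACC.1/FDP_ACF.1) and CryptoTarget-based encryption (FDP_IFC.1/FDP_IFF.1).
# All port WWNs, LUN numbers and policies below are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DENIED = "denied"          # HBA shares no zone with the storage device
    PLAINTEXT = "plaintext"    # access allowed, data passes unencrypted
    ENCRYPTED = "encrypted"    # access allowed, TOE encrypts/decrypts the data


@dataclass
class LunPolicy:
    encrypt: bool                   # apply encryption to this LUN?
    encrypt_existing: bool = False  # encrypt data already on the LUN?
    rekey_interval_days: int = 0    # 0 = no periodic rekey


@dataclass
class CryptoTarget:
    initiators: set = field(default_factory=set)      # CryptoTarget membership (HBA ports)
    lun_policies: dict = field(default_factory=dict)  # LUN number -> LunPolicy


def evaluate_io(hba_port, target_port, lun, zones, crypto_targets):
    """Decide how a block read/write from hba_port to target_port/LUN is handled."""
    # 1. Access control comes from the SAN Fabric SFP: HBA and storage device must
    #    share a zone. CryptoTarget membership alone never grants access.
    if not any(hba_port in zone and target_port in zone for zone in zones):
        return Decision.DENIED
    # 2. Encryption applies only when the HBA is an initiator in the device's
    #    CryptoTarget container and the LUN's policy enables it.
    container = crypto_targets.get(target_port)
    if container is None or hba_port not in container.initiators:
        return Decision.PLAINTEXT
    policy = container.lun_policies.get(lun)
    if policy is None:  # every LUN behind a CryptoTarget must have a policy
        raise ValueError(f"no encryption policy for LUN {lun} on {target_port}")
    return Decision.ENCRYPTED if policy.encrypt else Decision.PLAINTEXT


# Constructed sample fabric: two zoned HBAs, one storage port, two LUNs.
TARGET = "50:06:01:60:00:00:00:10"
HBA_A, HBA_B, HBA_C = ("10:00:00:00:c9:aa:00:0%d" % i for i in (1, 2, 3))
ZONES = [{HBA_A, TARGET}, {HBA_B, TARGET}]           # HBA_C is not zoned
CRYPTO_TARGETS = {TARGET: CryptoTarget(
    initiators={HBA_A, HBA_C},                        # HBA_B is not a member
    lun_policies={0: LunPolicy(True, True, 90), 1: LunPolicy(False)})}
```

HBA_C shows the point made in the text: it is a CryptoTarget member but, lacking a zone with the target, is still denied access.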
6.1.3 Identification and authentication
The TOE defines administrative users in terms of:
• user identity; and
• password; and
• role.
Role permissions determine the functions that administrators may perform. Nine roles, each with a fixed set of
permissions, are supported: Root, Factory, Admin, FabricAdmin, SecurityAdmin, SwitchAdmin,
BasicSwitchAdmin, ZoneAdmin, Operator and User. There are four pre-defined administrator accounts called
“root”, “factory”, “admin” and “user”, each of which is assigned the respective role of the same name, e.g. the
“admin” account is assigned the Admin role. Note that neither the account called “user” nor any account that is
assigned the User role corresponds to a host bus adapter that is attempting to access a storage device; rather, a User-
role account corresponds to an administrative user that can view but not change configuration settings. The internal