Technical data
Brocade Communications Systems, Inc. Page 38 of 48
TOE, and between the TOE and the storage device. On those models providing user data encryption, data is
protected from disclosure when it is written to or read from storage devices by host bus adapters. Separate appliance
ports are relied on to physically separate connected HBAs. The appliance’s physical location between HBAs and
storage devices is relied on to ensure TOE interfaces cannot be bypassed. The TOE encrypts commands sent
from terminal applications by administrators using SSH and HTTPS. Further, the TOE requires administrators to log in
after an SSH or HTTPS connection has been established.
Administrators cannot bypass TOE functions because they are required to log in before the requested operation is
allowed. When an administrator attempts to log in using SSH, the SSL switch certificate is the one that is presented
to the calling application in the environment. The SSL cipher list is configured as follows:
• ALL – all cipher suites except the eNULL ciphers, which must be explicitly enabled
• ADH – anonymous DH cipher suites.
• EXPORT56 – 56 bit export encryption algorithms. In OpenSSL 0.9.8d and later the set of 56 bit export
ciphers is empty unless OpenSSL has been explicitly configured with support for experimental ciphers.
• RC4 – cipher suites using RC4.
• RSA – cipher suites using RSA key exchange.
• HIGH – “high” encryption cipher suites. This currently means those with key lengths larger than 128 bits,
and some cipher suites with 128-bit keys.
• MEDIUM – “medium” encryption cipher suites, currently some of those using 128 bit encryption.
• LOW – “low” encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but
excluding export cipher suites.
• ssl2 – only include SSL v2 ciphers.
The application must be configured with the same issuing CA certificate in order to build a path and to verify the
switch certificate’s signature to establish the secure connection.
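The cipher list above is an OpenSSL-style cipher string, and because it opens with ALL, the later keywords add nothing that ALL has not already admitted. The following evaluator, added here as an illustration and not part of the Security Target or the Brocade product, applies such a string to a constructed, simplified suite table so an evaluator can see which suites a given list admits and which of them are anonymous, export grade, RC4 or short key; the keyword classes approximate OpenSSL 0.9.8's, and ssl2 (a protocol selector) is not modelled.

```python
# Added example, not from the Security Target: evaluates OpenSSL-style cipher
# strings against a constructed, simplified subset of OpenSSL 0.9.8's classes.
# (name, key exchange, bulk cipher, key bits, export grade?)
SUITES = [
    ("AES256-SHA",          "RSA", "AES", 256, False),
    ("DHE-RSA-AES128-SHA",  "DH",  "AES", 128, False),
    ("RC4-SHA",             "RSA", "RC4", 128, False),
    ("ADH-AES128-SHA",      "ADH", "AES", 128, False),
    ("DES-CBC-SHA",         "RSA", "DES",  56, False),
    ("EXP1024-DES-CBC-SHA", "RSA", "DES",  56, True),
    ("EXP-DES-CBC-SHA",     "RSA", "DES",  40, True),
]

def _matches(keyword, suite):
    _, kx, enc, bits, export = suite
    return {
        "ALL":      True,                     # everything except eNULL (none here)
        "ADH":      kx == "ADH",              # anonymous DH, no authentication
        "RSA":      kx == "RSA",
        "RC4":      enc == "RC4",
        "EXPORT":   export,
        "EXPORT56": export and bits == 56,
        "HIGH":     enc == "AES",             # 128-bit and larger keys
        "MEDIUM":   enc == "RC4" and bits == 128,
        "LOW":      enc == "DES" and not export,   # 56/64-bit, non-export
    }.get(keyword, False)

def expand(cipher_string):
    """Suites admitted, applying ':'-separated keywords left to right: a plain
    keyword appends matches, '-' removes them, '!' removes them permanently."""
    allowed, killed = [], set()
    for token in filter(None, cipher_string.split(":")):
        op, kw = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        hits = [s[0] for s in SUITES if _matches(kw, s)]
        if op:
            allowed = [n for n in allowed if n not in hits]
            if op == "!":
                killed.update(hits)
        else:
            allowed += [n for n in hits if n not in killed and n not in allowed]
    return allowed

def weak_suites(cipher_string):
    # Admitted suites using anonymous DH, export grade, RC4, or <= 64-bit keys.
    names = expand(cipher_string)
    return [n for n, kx, enc, bits, exp in SUITES
            if n in names and (kx == "ADH" or exp or enc == "RC4" or bits <= 64)]

# The list from the text beside a restrictive alternative that keeps only HIGH.
PERMISSIVE = "ALL:ADH:EXPORT56:RC4:RSA:HIGH:MEDIUM:LOW"
HARDENED = "HIGH:!ADH:!EXPORT:!RC4:!LOW"
```

Running `weak_suites(PERMISSIVE)` returns every anonymous, export, RC4 and single-DES suite in the table, while `weak_suites(HARDENED)` returns none.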
The TOE generates time stamps to support the auditing function.
The Protection of the TSF function is designed to satisfy the following security functional requirements:
• FPT_STM.1: The TOE generates time stamps for use in audit records.
6.1.6 TOE Access
The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The IP
Filter policy permits or denies traffic to go through the IP management interfaces according to the policy rules.
The TOE’s password expiration policy forces expiration of a password after a configurable period of time, and is
enforced across all user accounts. When a user’s password expires, that user must change the password to complete
the authentication process and open a new session. Password expiration does not disable or lock out the account.
The management channel is the communication established between the management workstation and the TOE.
The TOE restricts user logon based upon the number of simultaneous login sessions allowed for each role when
authenticated locally. The maximum number of simultaneous sessions for the admin role is two (2), while all other
roles have a maximum of four (4).
The TOE Access function is designed to satisfy the following security functional requirements:
• FTA_MCS.1: The TOE restricts a user’s concurrent sessions based upon the user’s role using the limits
stated in this section.
• FTA_TSE.1: The TOE restricts administrators from connecting based upon the source IP address and
service (e.g., SSH) being used to establish the connection. The TOE also denies logon when authentication
credentials have expired.