Hardware manual

Version 1.1, 03/31/2015
GSS CCT Evaluation Technical Report Page 25 of 56 © 2015 Gossamer Security Solutions, Inc.
Document: AAR-BrocadeNetIron5.8 All rights reserved.
2.2.9.3 FCS_SSH_EXT.1.3
TSS Assurance Activities: The evaluator shall check that the TSS describes how 'large packets' in terms of RFC 4253
are detected and handled.
Section 6.2 explains that the TOE has a 256K packet buffer. Incoming SSH fragments are accumulated in this buffer
until they form a complete packet that can be decrypted; if the buffer becomes full before the packet is complete,
the packet is dropped.
Guidance Assurance Activities: None Defined
Testing Assurance Activities: The evaluator shall also perform the following test:
Test 1: The evaluator shall demonstrate that if the TOE receives a packet larger than that specified in this
component, that packet is dropped.
The evaluator created a test program that sends a packet of length 257K to the SSH server on the TOE. When the
large packet was sent to the TOE, the SSH connection was closed.
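The receive-side behaviour described in the TSS and exercised by Test 1 can be modelled as a small RFC 4253 framing reassembler. The following Python is an added illustration written for this report, not code from the TOE or from the evaluator's test program. It assumes the 256K limit applies to the whole binary packet (the uint32 packet_length field plus the bytes it counts) and ignores the MAC, since only framing is of interest here; a packet whose declared length can never fit in the buffer is dropped immediately, which is equivalent to "the buffer becomes full before the packet is complete".

```python
import struct

# Buffer size claimed in Section 6.2 of the TSS (256K).
MAX_PACKET_BYTES = 256 * 1024


class PacketTooLarge(Exception):
    """Raised when an incoming SSH packet cannot fit in the receive buffer."""


def build_packet(payload: bytes, block_size: int = 16) -> bytes:
    """Frame a payload as an RFC 4253 binary packet (no MAC).

    packet_length || padding_length || payload || random padding, with
    padding chosen so the total length is a multiple of block_size and
    at least 4 padding bytes are present, as the RFC requires.
    """
    padding_length = block_size - ((5 + len(payload)) % block_size)
    if padding_length < 4:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    header = struct.pack(">IB", packet_length, padding_length)
    return header + payload + b"\x00" * padding_length


class SshPacketReassembler:
    """Accumulates transport bytes and yields complete packet payloads.

    Models the TSS description: fragments are combined in a fixed-size
    buffer, and a packet that cannot be completed within that buffer is
    dropped (the caller is expected to close the connection).
    """

    def __init__(self, max_bytes: int = MAX_PACKET_BYTES):
        self.max_bytes = max_bytes
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Add one transport fragment; return any payloads completed by it."""
        self.buf += chunk
        payloads = []
        while len(self.buf) >= 4:
            (packet_length,) = struct.unpack(">I", self.buf[:4])
            total = 4 + packet_length
            if total > self.max_bytes:
                # The declared length alone exceeds the buffer, so the packet
                # could never be completed: drop it and discard the buffer.
                self.buf.clear()
                raise PacketTooLarge(
                    f"declared packet_length {packet_length} exceeds "
                    f"{self.max_bytes}-byte buffer")
            if len(self.buf) < total:
                break  # wait for further fragments
            padding_length = self.buf[4]
            payloads.append(bytes(self.buf[5:total - padding_length]))
            del self.buf[:total]
        return payloads


def receive(chunks, max_bytes: int = MAX_PACKET_BYTES):
    """Feed a sequence of fragments; return ("ok", payloads) or ("dropped", payloads)."""
    reassembler = SshPacketReassembler(max_bytes)
    delivered = []
    for chunk in chunks:
        try:
            delivered.extend(reassembler.feed(chunk))
        except PacketTooLarge:
            return "dropped", delivered
    return "ok", delivered


if __name__ == "__main__":
    # Constructed inputs: a small packet split across two fragments, and a
    # 257K packet like the one the evaluator sent in Test 1.
    small = build_packet(b"hello")
    print(receive([small[:3], small[3:]]))
    print(receive([build_packet(b"A" * (257 * 1024))])[0])
```

A packet that fits (a 200K payload, even when delivered in 4 KiB fragments) is reassembled and delivered; the 257K packet is rejected as soon as its length field is read, which matches the observed behaviour of the TOE closing the connection.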
2.2.9.4 FCS_SSH_EXT.1.4
TSS Assurance Activities: The evaluator shall check the description of the implementation of this protocol in the
TSS to ensure that optional characteristics are specified, and the encryption algorithms supported are specified as
well. The evaluator shall check the TSS to ensure that the encryption algorithms specified are identical to those
listed for this component.
Section 6.2 indicates that the SSH implementation supports AES-CBC with 128- and 256-bit keys, HMAC-SHA-1, and RSA.
These values match the SFR. The description also indicates that a maximum packet size of 256K is supported, which
is also consistent with the SFR.
Guidance Assurance Activities: The evaluator shall also check the operational guidance to ensure that it contains
instructions on configuring the TOE so that SSH conforms to the description in the TSS (for instance, the set of
algorithms advertised by the TOE may have to be restricted to meet the requirements).
The ST identifies the ciphers, hashes, and authentication methods as indicated in the TSS findings above.
The FIPS Guide explains how to enable CC mode which serves to limit the ciphers to those claimed in the ST.
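Whether the algorithms the TOE advertises match those claimed in the ST can be verified from the server's SSH_MSG_KEXINIT message (RFC 4253 §7.1), which carries the cipher, MAC, and host-key name-lists in the clear. The following Python is an added example written for this report, not part of the TOE, the evaluation tooling, or the FIPS Guide. The mapping from the ST's terms to SSH wire names (aes128-cbc, aes256-cbc, hmac-sha1, ssh-rsa) is the author's assumption; key-exchange algorithms are not checked because the report does not list a claimed set for them.

```python
import struct

SSH_MSG_KEXINIT = 20

# Algorithms claimed in the ST, expressed as SSH wire names (assumed mapping).
CLAIMED = {
    "encryption": {"aes128-cbc", "aes256-cbc"},
    "mac": {"hmac-sha1"},
    "host_key": {"ssh-rsa"},
}

# Name-list fields of KEXINIT, in wire order (RFC 4253 §7.1).
NAME_LIST_FIELDS = [
    "kex", "host_key",
    "enc_c2s", "enc_s2c",
    "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
]

# Which name-lists are compared against which claimed set.
CHECKS = [
    ("enc_c2s", "encryption"), ("enc_s2c", "encryption"),
    ("mac_c2s", "mac"), ("mac_s2c", "mac"),
    ("host_key", "host_key"),
]


def _read_name_list(buf: bytes, off: int):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    raw = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + 4 + n


def parse_kexinit(payload: bytes) -> dict:
    """Return the name-lists of a KEXINIT payload keyed by NAME_LIST_FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id followed by the 16-byte cookie
    lists = {}
    for field in NAME_LIST_FIELDS:
        lists[field], off = _read_name_list(payload, off)
    return lists


def build_kexinit(**lists) -> bytes:
    """Construct a KEXINIT payload for testing (zero cookie, no guess)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in NAME_LIST_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    out += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return out


def check_advertised(payload: bytes, claimed=CLAIMED) -> list:
    """List (field, algorithm) pairs advertised by the server but not claimed."""
    lists = parse_kexinit(payload)
    return [(field, alg)
            for field, key in CHECKS
            for alg in lists[field]
            if alg not in claimed[key]]


if __name__ == "__main__":
    # Constructed sample: a server that also offers 3DES and HMAC-MD5.
    sample = build_kexinit(
        kex=["diffie-hellman-group14-sha1"], host_key=["ssh-rsa"],
        enc_c2s=["aes128-cbc", "3des-cbc"], enc_s2c=["aes128-cbc"],
        mac_c2s=["hmac-sha1", "hmac-md5"], mac_s2c=["hmac-sha1"],
        comp_c2s=["none"], comp_s2c=["none"])
    for field, alg in check_advertised(sample):
        print(f"{field}: {alg} advertised but not claimed in the ST")
```

Run against a captured KEXINIT from the TOE, an empty result confirms that the restriction CC mode is said to impose actually reaches the wire; any entry returned is an algorithm the guidance must explain how to disable.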