Hardware manual

Version 1.1, 03/31/2015
GSS CCT Evaluation Technical Report Page 33 of 56 © 2015 Gossamer Security Solutions, Inc.
Document: AAR-BrocadeNetIron5.8 All rights reserved.
The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g.,
establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. For
each supported login method, the evaluator shall ensure the operational guidance provides clear instructions
for successfully logging on. If configuration is necessary to ensure the services provided before login are limited,
the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed
services.
The evaluator shall perform the following tests for each method by which administrators access the TOE (local and
remote), as well as for each type of credential supported by the login method:
Test 1: The evaluator shall use the operational guidance to configure the appropriate credential supported for the
login method. For that credential/login method, the evaluator shall show that providing correct I&A information
results in the ability to access the system, while providing incorrect information results in denial of access.
Test 2: The evaluator shall configure the services allowed (if any) according to the operational guidance, and then
determine the services available to an external remote entity. The evaluator shall determine that the list of
services available is limited to those specified in the requirement.
Test 3: For local access, the evaluator shall determine what services are available to a local administrator prior to
logging in, and make sure this list is consistent with the requirement.
The Setting Passwords section of the Security Configuration Guide discusses the different logon options. It clearly
describes that a username and password are required for logging into the machine. The Configuring Secure Shell
section of the Security Configuration Guide explains how to set up and use SSH authentication. It describes the
process for creating a public-private key pair and how to provide the public key to the user. The Configuring DSA
or RSA challenge-response authentication section provides a step-by-step description of the authentication process
with SSH. There are also descriptions in the same area for password authentication. The Configuring TACACS or
TACACS+ security section of the Security Configuration Guide provides step-by-step authentication instructions for
using TACACS+. The Configuring SSL Security for Web Management section of the Security Configuration Guide
explains how to configure and secure the web management interface.
The evaluator configured the TOE for local console access and for remote SSH and web (MLX platform) access. The
evaluator then performed an unsuccessful and successful logon of each type using bad and good credentials
respectively. The evaluator repeated the tests using a TACACS+ server to verify interaction with the TACACS+
server. The evaluator confirmed that the web login interface does not work with the TACACS+ server. The evaluator
was able to observe that the TOE routed traffic and that it displayed a banner to the user before login. No
functions were available to the administrator accessing the console with the exception of acknowledging the
banner.
2.5 SECURITY MANAGEMENT (FMT)