Hardware manual
Version 1.1, 03/31/2015
GSS CCT Evaluation Technical Report Page 56 of 56 © 2015 Gossamer Security Solutions, Inc.
Document: AAR-BrocadeNetIron5.8 All rights reserved.
The differences between the models of a given family include AC vs. DC power, fiber vs. copper network
connections, and number of available network ports. None of these differences was considered security relevant
since none of the NDPP security requirements, nor the functions to address them, are related to any of these
product characteristics. It is also assumed that the vendor would certainly do reasonable functional testing to
ensure that fiber and copper connections, AC and DC power, and the ability to use available network ports work as
expected.
Other than hardware-specific installation manuals addressing physical differences (note that the CER and CES
series share the same hardware manual), the user guidance (administration, security, FIPS, and upgrade manuals
in particular) is the same.
The evaluators ran the entire test suite on the BR-CER-2024C-4X-AC (CER) and BR-MLXE-8-MR2-M-AC (MLX)
models, covering both operating system variants. The test procedures were based on the available guidance and
were identical in each case. Similarly, the results proved to be identical in each case.
3.5 VULNERABILITY ASSESSMENT (AVA)
3.5.1 VULNERABILITY SURVEY (AVA_VAN.1)
Assurance Activities: As with ATE_IND, the evaluator shall generate a report to document their findings with
respect to this requirement. This report could physically be part of the overall test report mentioned in ATE_IND,
or a separate document. The evaluator performs a search of public information to determine the vulnerabilities
that have been found in network infrastructure devices and the implemented communication protocols in general,
as well as those that pertain to the particular TOE. The evaluator documents the sources consulted and the
vulnerabilities found in the report. For each vulnerability found, the evaluator either provides a rationale with
respect to its non-applicability, or the evaluator formulates a test (using the guidelines provided in ATE_IND) to
confirm the vulnerability, if suitable. Suitability is determined by assessing the attack vector needed to take
advantage of the vulnerability. For example, if the vulnerability can be detected by pressing a key combination on
boot-up, a test would be suitable at the assurance level of this PP. If exploiting the vulnerability requires expert
skills and an electron microscope, for instance, then a test would not be suitable and an appropriate justification
would be formulated.
The vulnerability analysis is in the Detailed Test Report (DTR) prepared by the evaluator. The vulnerability analysis
includes a public search for vulnerabilities and a port scan. Neither the public search for vulnerabilities nor the port
scan uncovered any residual vulnerability.