Brocade Communications Systems, Inc. Brocade MLXe® and NetIron® Family Devices with Multi-Service IronWare R05.7.00 Security Target Version 1.1 July 15, 2014 Prepared for: Brocade Communications Systems, Inc.
1. SECURITY TARGET INTRODUCTION
1.1 SECURITY TARGET REFERENCE
1.2 TOE REFERENCE
1. Security Target Introduction
This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is the Brocade Communications Systems, Inc. Brocade MLXe® and NetIron® Family Devices with Multi-Service IronWare R05.7.00.
TOE User: Any person who interacts with the TOE.
External IT entity: Any IT product or system, untrusted or trusted, outside of the TOE that interacts with the TOE.
Role: A predefined set of rules establishing the allowed interactions between a user and the TOE.
Identity: A representation (e.g.
1.3 TOE Overview
The Target of Evaluation (TOE) is the Brocade MLXe® and NetIron® Family Devices with Multi-Service IronWare R05.7.00 family of products. The TOE is composed of a hardware appliance with embedded software installed on a management processor. The embedded software is a version of Brocade's proprietary Multi-Service IronWare software.
http://www.brocade.com/products/all/routers/product-details/netiron-cer-2000-series/index.page
http://www.brocade.com/forms/getFile?p=documents/data_sheets/product_data_sheets/brocade-netironcer-2000-ds.pdf
• Brocade NetIron CES 2000 Series
http://www.brocade.com/products/all/switches/product-details/netiron-ces-2000-series/index.page
http://www.brocade.
NetIron (unlike the Brocade FastIron series, which provides no SSL encryption for external authentication servers) provides SSL encrypted TACACS+ authentication but does not provide SSL encrypted RADIUS. Thus, the use of RADIUS external authentication services is excluded from the evaluated configuration of the TOE.
1.4.1.2.3 User data protection
The TOE performs a wide variety of network switching and routing functions, passing network traffic among its various network connections. While implementing applicable network protocols associated with network traffic routing, the TOE is carefully designed to ensure that it doesn’t inadvertently reuse data found in network traffic.
1.4.2 TOE Documentation
Brocade offers a series of documents that describe the installation of the Brocade MLXe® and NetIron® Family Devices with Multi-Service IronWare R05.7.00 as well as guidance for subsequent use and administration of the applicable security features.
2. Conformance Claims
This TOE is conformant to the following CC specifications:
• Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 4, September 2012.
  • Part 2 Extended
• Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.
3. Security Objectives
The Security Problem Definition may be found in the Protection Profile for Network Devices, version 1.1, 8 June 2012 (NDPP) with Errata #2, 13 January 2014, and this section reproduces only the corresponding Security Objectives for convenience.
OE.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
OE.TRUSTED_ADMIN: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
4. Extended Components Definition
All of the extended requirements in this ST have been drawn from the NDPP. The NDPP defines the following extended SFRs and since they are not redefined in this ST the NDPP should be consulted for more information in regard to those CC extensions.
• FAU_STG_EXT.1: External Audit Trail Storage
• FCS_CKM_EXT.
5. Security Requirements
This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort. The SFRs have all been drawn from the Protection Profile (PP): Protection Profile for Network Devices, version 1.
FTA: TOE access
  FTA_SSL.3: TSF-initiated Termination
  FTA_SSL.4: User-initiated Termination
  FTA_SSL_EXT.1: TSF-initiated Session Locking
  FTA_TAB.1: Default TOE Access Banners
FTP: Trusted path/channels
  FTP_ITC.1: Trusted Channel
  FTP_TRP.1: Trusted Path
Table 1 TOE Security Functional Components
5.1.1 Security Audit (FAU)
5.1.1.1 Audit Data Generation (FAU_GEN.1)
FAU_GEN.1.
provided is correct verifies that AGD_OPE.1 is satisfied and should address the invocation of the administrative actions that are needed to verify the audit records are generated as expected. FAU_GEN.1.
Requirement | Auditable Events
FPT_TUD_EXT.1 | Initiation of update.
FPT_TST_EXT.1 | None.
FTA_SSL_EXT.1 | Any attempts at unlocking of an interactive session.
FTA_SSL.3 | The termination of a remote session by the session locking mechanism.
FTA_SSL.4 | The termination of an interactive session.
FTA_TAB.1 | None.
FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel.
FTP_TRP.1 |
Test 1: The evaluator shall establish a session between the TOE and the audit server according to the configuration guidance provided. The evaluator shall then examine the traffic that passes between the audit server and the TOE during several activities of the evaluator’s choice designed to generate audit data to be transferred to the audit server.
zeros, while secret keys stored on the internal hard drive are zeroized by overwriting three times with a random pattern that is changed before each write").
5.1.2.3 Cryptographic Operation (for data encryption/decryption) (FCS_COP.1(1))
FCS_COP.1(1).
5.1.2.6 Cryptographic Operation (for keyed-hash message authentication) (FCS_COP.1(4))
FCS_COP.1(4).
Documentation shall include the design of the entropy source as a whole, including the interaction of all entropy source components. It will describe the operation of the entropy source to include how it works, how entropy is produced, and how unprocessed (raw) data can be obtained from within the entropy source for testing purposes.
The evaluator shall perform a Variable Seed Test. The evaluator shall provide a set of 128 (Seed, DT) pairs to the TSF RBG function, each 128 bits. The evaluator shall also provide a key (of the length appropriate to the AES algorithm) that is constant for all 128 (Seed, DT) pairs. The DT value is incremented by 1 for each set. The seed values shall have no repeats within the set.
5.1.2.9 Explicit: SSH (FCS_SSH_EXT.1)
FCS_SSH_EXT.1.1 The TSF shall implement the SSH protocol that complies with RFCs 4251, 4252, 4253, 4254, and [no other RFCs].
FCS_SSH_EXT.1.2 The TSF shall ensure that the SSH protocol implementation supports the following authentication methods as described in RFC 4252: public key-based, password-based.
FCS_SSH_EXT.1.5 The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [no other public key algorithms] as its public key algorithm(s).
Assurance Activity: The assurance activity associated with FCS_SSH_EXT.1.4 verifies this requirement.
FCS_SSH_EXT.1.6 The TSF shall ensure that data integrity algorithms used in SSH transport connection is [hmac-sha1].
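One way to check a device's SSH offer against FCS_SSH_EXT.1.5 and FCS_SSH_EXT.1.6 is to decode the SSH_MSG_KEXINIT payload it sends (RFC 4253 section 7.1) and compare the host key and MAC name-lists with the claimed selections. This is an added example, not part of the Security Target or of Brocade's software; it assumes the ST's SSH_RSA and hmac-sha1 correspond to the RFC 4253 names ssh-rsa and hmac-sha1, and the function names, short field names and sample payload are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in RFC 4253 section 7.1 order.
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Claims visible in this excerpt, using the RFC 4253 wire names (assumption).
ALLOWED = {
    "host_key": {"ssh-rsa"},    # FCS_SSH_EXT.1.5: SSH_RSA and no others
    "mac_c2s": {"hmac-sha1"},   # FCS_SSH_EXT.1.6
    "mac_s2c": {"hmac-sha1"},
}


def parse_kexinit(payload: bytes) -> dict:
    """Decode an unframed SSH_MSG_KEXINIT payload into its name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}      # skip message type (1) and cookie (16)
    for name in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"payload truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"name-list {name} overruns the payload")
        text = payload[offset:offset + length].decode("ascii")
        lists[name] = text.split(",") if text else []
        offset += length
    if len(payload) - offset != 5:   # first_kex_packet_follows + reserved
        raise ValueError("unexpected trailer length")
    return lists


def audit_offer(payload: bytes) -> list:
    """Return one finding per algorithm outside the claimed set."""
    lists, findings = parse_kexinit(payload), []
    for field, allowed in ALLOWED.items():
        if not lists[field]:
            findings.append(f"{field}: nothing offered")
        for alg in lists[field]:
            if alg not in allowed:
                findings.append(f"{field}: {alg} not in evaluated configuration")
    return findings


def build_kexinit(**overrides) -> bytes:
    """Constructed sample payload (not captured from a real device)."""
    offer = {"kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
             "enc_c2s": ["aes128-cbc"], "enc_s2c": ["aes128-cbc"],
             "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
             "comp_c2s": ["none"], "comp_s2c": ["none"],
             "lang_c2s": [], "lang_s2c": []}
    offer.update(overrides)
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # all-zero cookie
    for name in FIELDS:
        joined = ",".join(offer[name]).encode("ascii")
        body += struct.pack(">I", len(joined)) + joined
    return body + b"\x00" + struct.pack(">I", 0)


if __name__ == "__main__":
    print(audit_offer(build_kexinit()))
    print(audit_offer(build_kexinit(host_key=["ssh-rsa", "ssh-dss"],
                                    mac_s2c=["hmac-sha1", "hmac-md5"])))
```

The encryption name-lists are parsed but not judged, because the selection made for FCS_SSH_EXT.1.4 is not part of this excerpt.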
also check the operational guidance to ensure that it contains instructions on configuring the TOE so that TLS conforms to the description in the TSS (for instance, the set of ciphersuites advertised by the TOE may have to be restricted to meet the requirements).
to meet the requirements, in some way. For each password, the evaluator shall verify that the TOE supports the password.
The evaluator shall perform the following tests for each method by which administrators access the TOE (local and remote), as well as for each type of credential supported by the login method: Test 1: The evaluator shall use the operational guidance to configure the appropriate credential supported for the login method.
5.1.5.3 Restrictions on Security Roles (FMT_SMR.2)
FMT_SMR.2.1 The TSF shall maintain the roles: Authorized Administrator.
FMT_SMR.2.2 The TSF shall be able to associate users with roles.
FMT_SMR.2.
5.1.6.3 Reliable Time Stamps (FPT_STM.1)
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
Assurance Activity: The evaluator shall examine the TSS to ensure that it lists each security function that makes use of time. The TSS provides a description of how the time is maintained and considered reliable in the context of each of the time related functions.
Component Assurance Activity: Updates to the TOE either have a hash associated with them, or are signed by an authorized source. If digital signatures are used, the definition of an authorized source is contained in the TSS, along with a description of how the certificates used by the update verification mechanism are contained on the device.
Test 2: The evaluator initiates an interactive remote session with the TOE. The evaluator then follows the operational guidance to exit or log off the session and observes that the session has been terminated.
5.1.7.3 TSF-initiated Session Locking (FTA_SSL_EXT.1)
FTA_SSL_EXT.1.
Component Assurance Activity: The evaluator shall examine the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each communications mechanism is identified in terms of the allowed protocols for that IT entity.
Test 2: For each method of remote administration supported, the evaluator shall follow the operational guidance to ensure that there is no available interface that can be used by a remote user to establish a remote administrative session without invoking the trusted path.
The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs. Component Assurance Activity: There are no specific assurance activities associated with these SARs. The functional specification documentation is provided to support the evaluation activities described in Section 4.
to the process that 'listens' on the network interface). It is acceptable to list all processes running (or that could run) on the TOE in its evaluated configuration instead of attempting to determine just those that process the network data. For each process listed, the administrative guidance will contain a short (e.g.
5.2.3 Life-cycle support (ALC)
5.2.3.1 Labelling of the TOE (ALC_CMC.1)
ALC_CMC.1.1d The developer shall provide the TOE and a reference for the TOE.
ALC_CMC.1.1c The TOE shall be labelled with its unique reference.
ALC_CMC.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Component Assurance Activity: The evaluator shall prepare a test plan and report documenting the testing aspects of the system. The test plan covers all of the testing actions contained in the CEM and the body of the NDPP’s Assurance Activities.
ATE_IND, or a separate document. The evaluator performs a search of public information to determine the vulnerabilities that have been found in network infrastructure devices and the implemented communication protocols in general, as well as those that pertain to the particular TOE. The evaluator documents the sources consulted and the vulnerabilities found in the report.
FTP_TRP.1 | none | none
ADV_FSP.1 | none | none
AGD_OPE.1 | ADV_FSP.1 | ADV_FSP.1
AGD_PRE.1 | none | none
ALC_CMC.1 | ALC_CMS.1 | ALC_CMS.1
ALC_CMS.1 | none | none
ATE_IND.1 | ADV_FSP.1 and AGD_OPE.1 and AGD_PRE.1 | ADV_FSP.1 and AGD_OPE.1 and AGD_PRE.1
AVA_VAN.1 | ADV_FSP.1 and AGD_OPE.1 and AGD_PRE.1 | ADV_FSP.1 and AGD_OPE.1 and AGD_PRE.
6. TOE Summary Specification
This chapter describes the security functions:
• Security audit
• Cryptographic support
• User data protection
• Identification and authentication
• Security management
• Protection of the TSF
• TOE access
• Trusted path/channels
6.
6.2 Cryptographic support
The TOE includes a FIPS 140 certified crypto module providing supporting cryptographic functions. The evaluated configuration requires that the TOE be configured in Common Criteria mode to ensure FIPS certified functions are used. The following functions have been FIPS certified in accordance with the identified standards.
NIST SP800-56B Section Reference 6.5.2 6.5.2.1 6.6 7.1.2 7.2.1.3 7.2.1.3 7.2.2.3 7.2.2.3 7.2.2.3 7.2.2.3 7.2.2.3 7.2.2.3 7.2.3.3 7.2.3.3 7.2.3.3 7.2.3.3 7.2.3.3 7.2.3.3 8 8.3.
Key or CSP: DRBG Constant C
Zeroized upon: Every 100ms
Stored in: RAM
Zeroized by: Overwritten with new value
Table 7 Keys and CSPs
The TOE stores all persistent secret and private keys in FLASH and stores all ephemeral keys in RAM (as indicated in the above table).
The Cryptographic support function is designed to satisfy the following security functional requirements:
• FCS_CKM.1: See Table 6 NIST SP800-56B Conformance above.
• FCS_CKM_EXT.4: Keys are zeroized when they are no longer needed by the TOE.
• FCS_COP.1(1): See Table 5 Cryptographic Functions above.
• FCS_COP.1(2): See Table 5 Cryptographic Functions above.
• FCS_COP.
The user roles offered by the TOE are categorized differently when described in FIPS documentation.
Similarly, the TOE’s MLX series offers a Web Management Interface that offers access to the same functions as the CLI. While the Web Management Interface could be configured to be accessible via HTTP or HTTPS (using TLSv1.
The Security management function is designed to satisfy the following security functional requirements:
• FMT_MTD.1: The TOE restricts the access to manage TSF data that can affect the security functions of the TOE to Authorized Administrator with Super User privilege (aka Security Administrator).
• FMT_SMF.
• FPT_TUD_EXT.1: The TOE provides a function to query the version and upgrade the software embedded in the TOE appliance. When installing updated software, digital signatures are used to authenticate the update to ensure it is the update intended and originated by Brocade.
6.
• FTP_ITC.1: In the evaluated configuration, the TOE must be configured to use TLS to ensure that any authentication operations and exported audit records are sent only to the configured server so they are not subject to inappropriate disclosure or modification.
• FTP_TRP.