Ciena Carrier Ethernet Solutions 3900/5100 Series
Supplemental Administrative Guidance Version 1.0
December 18, 2015
Ciena Corporation
7035 Ridge Road
Hanover, MD 21076
Prepared By:
Cyber Assurance Testing Laboratory
900 Elkridge Landing Road, Suite 100
Linthicum, MD 21090
1 | P a g e
Contents
1 Introduction ........................................................................................................................................... 3
2 Intended Audience ................................................................................................................................ 3
3 Terminology .......................................................................................................................................... 3
4 References ............................................................................................................................................. 4
5 Evaluated Configuration of the TOE .................................................................................................... 4
5.1 TOE Components .......................................................................................................................... 4
5.2 Supporting Environmental Components ....................................................................................... 5
5.3 Assumptions .................................................................................................................................. 6
5.4 Communications Protocols and Services ...................................................................................... 6
6 Secure Acceptance, Installation, and Configuration ............................................................................. 7
6.1 Enable Logging ............................................................................................................................. 8
6.2 Set up the SSH Server ................................................................................................................... 8
6.3 Set up the SFTP Client .................................................................................................................. 8
6.4 Set up the SFTP Server ................................................................................................................. 8
6.5 Enable FIPS Mode ........................................................................................................................ 9
6.6 Configuring SSH Algorithms........................................................................................................ 9
6.7 In-Band Management Configuration .......................................................................................... 13
7 Secure Management of the TOE ......................................................................................................... 13
7.1 Authenticating to the TOE .......................................................................................................... 13
7.2 User Lockout ............................................................................................................................... 14
7.3 Managing Users .......................................................................................................................... 14
7.4 Password Management ............................................................................................................... 15
7.5 Login Banner .............................................................................................................................. 15
7.6 Session Termination .................................................................................................................... 15
7.6.1 Admin Logout ..................................................................................................................... 15
7.6.2 Termination from Inactivity ................................................................................................ 15
7.7 System Time Configuration ........................................................................................................ 16
7.8 Secure Updates ............................................................................................................................ 16
8 Auditing .............................................................................................................................................. 16
8.1 Audit Storage .............................................................................................................................. 28
9 SFR Assurance Activities ................................................................................................................... 28
10 Operational Modes .......................................................................................................................... 30
11 Additional Support .......................................................................................................................... 30
Table of Tables
Table 5-1: TOE Models ................................................................................................................................ 5
Table 5-2: Supporting Environmental Components ..................................................................................... 5
Table 8-1: NDPP Auditable Events ............................................................................................................ 28
1 Introduction
Ciena Carrier Ethernet Solutions 3900/5100 Series is a network switch that receives data from an external
source and forwards that data to one or many ports. Carrier Ethernet provides a way to deliver Ethernet
services across many networks while providing bandwidth management. CES operates on quality-of-
service (QoS) capabilities and virtual switching functions to deliver different amounts of data to various
ports. CES also contains next-generation Ethernet features that transport different Ethernet services
through fiber or copper connections. The Target of Evaluation (TOE) is the general network device
functionality (I&A, auditing, security management, trusted communications, etc.) of the switch,
consistent with the claimed Protection Profile.
2 Intended Audience
This document is intended for administrators responsible for installing, configuring, and/or operating CES
devices. Guidance provided in this document allows the reader to deploy the product in an environment
that is consistent with the configuration that was evaluated as part of the product’s Common Criteria (CC)
testing process. It also provides the reader with instructions on how to exercise the security functions that
were claimed as part of the CC evaluation.
The reader is expected to be familiar with the Security Target for Ciena Carrier Ethernet Solutions
3900/5100 Series version 6.14 and the general CC terminology that is referenced in it. This document
references the Security Functional Requirements (SFRs) that are defined in the Security Target document
and provides instructions for how to perform the security functions that are defined by these SFRs. The
CES product as a whole provides a great deal of security functionality but only those functions that were
in the scope of the claimed PP are discussed here. Any functionality that is not described here or in the
Ciena Carrier Ethernet Solutions 3900/5100 Series Security Target was not evaluated and should be
exercised at the user’s risk.
3 Terminology
In reviewing this document, the reader should be aware of the terms listed below. These terms are also
described in the Ciena Carrier Ethernet Solutions 3900/5100 Series Security Target.
CC: stands for Common Criteria. Common Criteria provides assurance that the process of specification,
implementation and evaluation of a computer security product has been conducted in a rigorous, standard
and repeatable manner at a level that is commensurate with the target environment for use.
SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part
of the CC process.
TOE: stands for Target of Evaluation. This refers to the aspects of the Ciena Carrier Ethernet Solutions
3900/5100 Series products that contain the security functions that were tested as part of the CC evaluation
process.
4 References
The following security-relevant documents are included with the TOE. This is part of the standard
documentation set that is provided with the product. Documentation that is not related to the functionality
tested as part of the CC evaluation is not listed here.
[1] 39XX/51XX SAOS 6.14 Product Fundamentals - 009-3257-006
[2] 39XX/51XX SAOS 6.14 Administration and Security - 009-3257-006
[3] 39XX/51XX SAOS 6.14 Configuration - 009-3257-008
[4] 39XX/51XX SAOS 6.14 Command Reference - 009-3257-010
[5] Hardware Installation and Start-up Manuals – names vary based on individual hardware
models, reference [1] for the full list
[6] 39XX/51XX SAOS 6.14 System Event Reference - 009-3257-024
[7] 39XX/51XX SAOS 6.14 Advanced Ethernet Configuration - 009-3257-040
[8] 39XX/51XX SAOS 6.14 Fault, Logging, and Performance Management - 009-3257-009
[9] 39XX/51XX SAOS 6.14 Advanced OAM Configuration - 009-3257-044
[10] 39XX/51XX SAOS 6.14 Software Management and Licensing - 009-3257-018
[11] 39XX/51XX SAOS 6.x Planning, Engineering, and Ordering Guide - 009-3299-029
The following document was created in support of the Ciena Carrier Ethernet Solutions 3900/5100 Series
CC evaluation:
[12] Ciena Carrier Ethernet Solutions 3900/5100 Series Common Criteria Security Target
5 Evaluated Configuration of the TOE
This section lists the components that have been included in the TOE’s evaluated configuration, whether
they are part of the TOE itself, environmental components that support the security behavior of the TOE,
or non-interfering environmental components that were present during testing but are not associated with
any security claims:
5.1 TOE Components
The TOE is a family of standalone network appliances. Each model of the TOE can run independently
and all models have the same SAOS 6.14 software. The only security-relevant differences between the
models are the processor type used and the presence or absence of a local Ethernet management port.
There is no functional difference in the behavior of each model based on the processor type; this only
affects how the SAOS 6.14 software image was built and is transparent to an administrator of the TOE.
The presence or absence of a dedicated Ethernet management port similarly does not affect the ability to
administer the TOE, but it does require remote administration to be performed in-band through a data
plane interface if no dedicated interface exists.
| Platform           | 1G/10G RJ-45 | 1G/10G SFP+ | 10/100/1000M RJ-45 | 100M/1G SFP | XFP | Combo RJ-45/SFP            | CPU                        | Ethernet Management Port | Power Options     |
|--------------------|--------------|-------------|--------------------|-------------|-----|----------------------------|----------------------------|--------------------------|-------------------|
| 3903 / 3904 / 3905 | 0            | 0           | 0                  | 2           | 0   | 3903: 1, 3904: 2, 3905: 2  | 2x800 MHz ARM Cortex A9    | N                        | AC, DC            |
| 3916               | 0            | 0           | 0                  | 4           | 0   | 2                          | 2x500 MHz Cavium 5220      | N                        | AC, DC            |
| 3930-900/910       | 0            | 2           | 0                  | 4           | 0   | 4                          | 4x600 MHz Cavium 5230      | Y                        | AC, DC (modular)  |
| 3931-900/910       | 0            | 2           | 4                  | 4           | 0   | 0                          | 2x600 MHz Cavium 5220      | N                        | AC, DC (modular)  |
| 3932 / 3930-930    | 0            | 2           | 0                  | 4           | 0   | 4                          | 4x600 MHz Cavium 5230      | Y                        | AC, DC (modular)  |
| 3938 (Smart NID)   | 2            | 2           | 8                  | 8           | 0   | 0                          | 6x1 GHz Cavium 6335        | Y                        | AC                |
| 3942               | 0            | 4           | 0                  | 0           | 0   | 20                         | 4x1 GHz Cavium 6230        | Y                        | AC, DC            |
| 5142               | 0            | 4           | 0                  | 20          | 0   | 0                          | 6x1 GHz Cavium 6335        | Y                        | AC, DC (modular)  |
| CN 5150            | 0            | 0           | 0                  | 48          | 4   | 0                          | 4x600 MHz Cavium 5230      | Y                        | AC, DC (modular)  |
| 5160               | 0            | 24          | 0                  | 0           | 0   | 0                          | 6x1 GHz Cavium 6335        | Y                        | AC, DC (modular)  |
Table 5-1: TOE Models
Note that a more extensive description of each model is provided in [1] and in each individual manual
referenced in [5].
5.2 Supporting Environmental Components
| Component              | Definition                                                                                      |
|------------------------|-------------------------------------------------------------------------------------------------|
| Audit Server           | A file server running the secure file transfer protocol (SFTP) that is used by the TOE to securely transmit audit data to a remote storage location. |
| Management Workstation | Any general-purpose computer that is used by an administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client, or locally, in which case the management workstation must be physically connected to the TOE using the serial port and must use a terminal emulator that is compatible with serial communications. |
| NTP Server             | A system that provides an authoritative and reliable source of time using network time protocol (NTP). |
| Update Server          | A server running the secure file transfer protocol (SFTP) that is used as a location for storing product updates that can be transferred to the TOE. |
Table 5-2: Supporting Environmental Components
Note that switched traffic is not addressed by the security requirements of the claimed Protection Profile
so the only use of data plane interfaces was to perform in-band management of the TOE.
5.3 Assumptions
In order to ensure the product is capable of meeting its security requirements when deployed in its
evaluated configuration, the following conditions must be satisfied by the organization, as defined in the
claimed Protection Profile:
No general purpose computing capabilities: The Ciena CES product must only be used for its
intended purpose. General purpose computing applications, especially those with network-visible
interfaces, may compromise the security of the product if introduced.
Physical security: The Ciena CES product does not claim any sort of physical tamper-evident or
tamper-resistant security mechanisms. Therefore, it is necessary to deploy the product in a locked
or otherwise physically secured environment so that it is not subject to untrusted physical
modification.
Trusted administration: The Ciena CES product does not provide a mechanism to protect
against the threat of a rogue or otherwise malicious administrator. Therefore, it is the
responsibility of the organization to perform appropriate vetting and training for security
administrators prior to granting them the ability to manage the product.
5.4 Communications Protocols and Services
In the evaluated configuration, the SSH protocol was tested for remote administration and secure transfer
of audit data (which uses SSH as part of SFTP). The Telnet protocol is excluded from the evaluated
configuration of the CES product because it does not provide security for data in transit. The product
supports numerous communications protocols that were not considered to be part of the Target of
Evaluation because they provide functionality that was outside the scope of the Security Target. These
protocols are facilitated by processes on the CES device that support their implementation and include the
following:
ARP
BFD
CFM
DHCP
DHCPv6
802.1X
GMPLS
ISIS
LDP
LLDP
MPLS
MSTP
NDP
NETCONF
NTP
OSPF
PBB-TE
PBT
RADIUS
RSTP
RSVP-TE
SNMP
TACACS
Information about the configuration and usage of these protocols can be found in the standard Ciena
documentation for the product.
6 Secure Acceptance, Installation, and Configuration
Documentation for how to order and acquire the TOE is described in section 8 of [11]. This section also
lists the physical part numbers that are associated with each model. When receiving delivery of a TOE
model, this documentation should be checked as part of the acceptance procedures so that the correctness
of the hardware can be verified. Additionally, [11] can be referenced for physical requirements such as
power and environmental operating conditions in order to minimize the risk of compromise of TOE
functionality due to an improper physical environment. The TOE comes with the SAOS operating system
installed on it by default, but if additional validation is necessary, an administrator may acquire the
software image separately from Ciena and perform a software upgrade to the known version.
Physical installation and first-time setup of the TOE can be accomplished by following the steps outlined
in [5]. Regardless of the specific device being installed, the SAOS software is functionally identical so
secure management for each device is described in the remainder of this document. Note that these steps
can be performed using the initial default user account.
Upon the startup of the TOE, multiple Power-On Self Tests (POSTs) are run. The POSTs provide
environmental monitoring of the TOE’s components, in which early warnings can prevent whole
component failure. The following self-tests are performed:
Software integrity: the software image is hashed and validated against a known SHA-256 value held in
storage that can only be modified when a software update is performed.
Cryptographic module integrity: the cryptographic algorithm implementations are run through
known answer tests to ensure that they are operating properly.
Hardware integrity: the field-programmable gate arrays (FPGAs) and data plane hardware are
tested for correct operation.
In the event that a self-test fails, the TOE will automatically reboot. If the TSF has been corrupted or the
hardware has failed such that rebooting will not resolve the issue, an administrator (Admin or Super) will
need to factory reset the TOE and/or replace the failed hardware component.
Once the TOE has fully booted, follow the steps in section 7.3 to change the password of the default user
account. Now verify the version of software operating on the TOE by issuing a “system show” command
and compare the displayed version to the expected version. If the version is not what is expected then
follow the instructions in Section 7.8 to obtain and install the correct software image from Ciena.
Note that the syntax ‘config save’ and ‘configuration save’ are used interchangeably in the reference
documentation. These are parsed by the TOE as identical and equivalent commands.
6.1 Enable Logging
In the evaluated configuration, all auditable events are logged by entering the following commands. Note
that the TOE supports both logging to flash and logging to RAM; the commands below configure logging to
flash, attaching the default filter and setting the severities it captures:
1. Log flash add filter default all-mgrs
2. Log flash set filter default severity critical, major, minor, warning, config, info
6.2 Set up the SSH Server
To enable the SSH server for secure remote administration, enter the following commands:
1. ssh server key generate
2. ssh server enable
3. ssh server show
4. configuration save
6.3 Set up the SFTP Client
The TOE includes an SFTP client that must be set up in order to transfer audit data to a remote file server
via SFTP. It is enabled using the following commands:
1. system security log transfer set sftp-server <IP address> login-id <username> echoless-password
2. Enter password for the desired username when prompted
3. system security log transfer set dest-path <desired destination path to transfer files>
4. system security log transfer show
5. system security log transfer now
6. system security log show
7. config save
The command ‘system security log transfer now’ can be used to initiate a transfer of all log files. If the
connection is interrupted during a log transfer, the TOE will automatically continue the secure log transfer
over SSH once the connection is re-established.
Note that this requires the other end of the connection to be a network-accessible SFTP server listening
on port 22 and configured to accept the SSH algorithm configuration of the TOE (see section 6.6).
6.4 Set up the SFTP Server
The SFTP server allows the TOE to securely accept software updates via SFTP. It is enabled using the
following commands:
1. system server sftp enable
2. system server sftp show
3. configuration save
If the connection is interrupted during a software update download, the TOE will automatically continue
the software update download over SSH once the connection is re-established.
6.5 Enable FIPS Mode
Enabling FIPS mode allows the TOE to use only approved cipher suites for SSH communications and to
perform cryptographic self-tests on system startup. Note that when this mode is enabled, if any self-test
fails during system startup, the system will not become operational. If this happens, the system is
unusable and will have to be recovered and reloaded.
FIPS mode is enabled using the following commands:
1. system security set security-mode normal encryption-mode fips-140-2 software-signing-mode on
2. configuration save
3. chassis restart
Note: The TOE must be run in the FIPS mode of operation. The use of the cryptographic engine in any
other mode was not evaluated nor tested during the CC evaluation of the TOE.
6.6 Configuring SSH Algorithms
The specific algorithms allowed by SSH in the evaluated configuration need to be enabled and all others
disabled; otherwise, sessions could be established using algorithms that were not evaluated. The following
SSH algorithms are supported in the evaluated configuration:
Key Exchange: diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384,
ecdh-sha2-nistp521
Encryption: aes128-cbc, aes256-cbc
MAC: hmac-sha1, hmac-sha2-256
Public Key Authentication: ssh-rsa
While the CES product supports several other cryptographic algorithms in support of SSH
communications, these were not within the scope of the Security Target so they were not evaluated or
tested during the CC testing for the product.
Disabling Algorithms for SSH:
The following show command displays the SSH algorithms supported by the SSH server and their
current state. They include key-exchange, encryption, MAC and public key authentication algorithms.
3904> ssh server algorithm show
+------------------- SSH SERVER KEX ALGORITHM CONFIGURATION -------------------+
| Algorithm Name | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| curve25519-sha256@libssh.org | 1 | Disabled | Disabled |
| ecdh-sha2-nistp256 | 2 | Enabled | Enabled |
| ecdh-sha2-nistp384 | 3 | Enabled | Enabled |
| ecdh-sha2-nistp521 | 4 | Enabled | Enabled |
| diffie-hellman-group-exchange-sha256 | 5 | Disabled | Disabled |
| diffie-hellman-group-exchange-sha1 | 6 | Disabled | Disabled |
| diffie-hellman-group14-sha1 | 7 | Enabled | Enabled |
| diffie-hellman-group1-sha1 | 8 | Disabled | Disabled |
+----------------------------------------+----------+-------------+------------+
+--------------- SSH SERVER ENCRYPTION ALGORITHM CONFIGURATION ----------------+
| Algorithm Name | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| aes128-ctr | 1 | Disabled | Disabled |
| aes192-ctr | 2 | Disabled | Disabled |
| aes256-ctr | 3 | Disabled | Disabled |
| arcfour256 | 4 | Disabled | Disabled |
| arcfour128 | 5 | Disabled | Disabled |
| aes128-gcm@openssh.com | 6 | Disabled | Disabled |
| aes256-gcm@openssh.com | 7 | Disabled | Disabled |
| chacha20-poly1305@openssh.com | 8 | Disabled | Disabled |
| aes128-cbc | 9 | Enabled | Enabled |
| 3des-cbc | 10 | Disabled | Disabled |
| blowfish-cbc | 11 | Disabled | Disabled |
| cast128-cbc | 12 | Disabled | Disabled |
| aes192-cbc | 13 | Disabled | Disabled |
| aes256-cbc | 14 | Enabled | Enabled |
| arcfour | 15 | Disabled | Disabled |
| rijndael-cbc@lysator.liu.se | 16 | Disabled | Disabled |
+----------------------------------------+----------+-------------+------------+
+------------------- SSH SERVER MAC ALGORITHM CONFIGURATION -------------------+
| Algorithm Name | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| hmac-md5-etm@openssh.com | 1 | Disabled | Disabled |
| hmac-sha1-etm@openssh.com | 2 | Disabled | Disabled |
| umac-64-etm@openssh.com | 3 | Disabled | Disabled |
| umac-128-etm@openssh.com | 4 | Disabled | Disabled |
| hmac-sha2-256-etm@openssh.com | 5 | Disabled | Disabled |
| hmac-sha2-512-etm@openssh.com | 6 | Disabled | Disabled |
| hmac-ripemd160-etm@openssh.com | 7 | Disabled | Disabled |
| hmac-sha1-96-etm@openssh.com | 8 | Disabled | Disabled |
| hmac-md5-96-etm@openssh.com | 9 | Disabled | Disabled |
| hmac-md5 | 10 | Disabled | Disabled |
| hmac-sha1 | 11 | Enabled | Enabled |
| umac-64@openssh.com | 12 | Disabled | Disabled |
| umac-128@openssh.com | 13 | Disabled | Disabled |
| hmac-sha2-256 | 14 | Enabled | Enabled |
| hmac-sha2-512 | 15 | Disabled | Disabled |
| hmac-ripemd160 | 16 | Disabled | Disabled |
| hmac-ripemd160@openssh.com | 17 | Disabled | Disabled |
| hmac-sha1-96 | 18 | Disabled | Disabled |
| hmac-md5-96 | 19 | Disabled | Disabled |
+----------------------------------------+----------+-------------+------------+
+-------- SSH SERVER PUBLIC-KEY-AUTHENTICATION ALGORITHM CONFIGURATION --------+
| Algorithm Name | Admin State | Oper State |
+---------------------------------------------------+-------------+------------+
| ssh-dss | Disabled | Disabled |
| ssh-rsa | Enabled | Enabled |
| ssh-ed25519 | Disabled | Disabled |
| ecdsa-sha2-nistp256 | Disabled | Disabled |
| ecdsa-sha2-nistp384 | Disabled | Disabled |
| ecdsa-sha2-nistp521 | Disabled | Disabled |
+---------------------------------------------------+-------------+------------+
When FIPS mode is enabled, some of these are automatically disabled. Others need to be enabled or
disabled manually in order to conform to the evaluated configuration defined in [12].
To enable/disable selected algorithms for the SSH server, the commands below can be used.
Configuration of the SSH client uses the same syntax except that ‘client’ is used instead of ‘server’ in all
cases.
Note that these commands represent sample syntax used to enable/disable arbitrarily chosen ciphers;
consult [12] and any site-specific security policies you may have to use these commands to configure the
product in a manner that is appropriate for your environment.
Enable/Disable Key Exchange Algorithms
Disabling Key-Exchange Algorithms
3942> ssh server algorithm kex disable algorithm <TAB>
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
3942> ssh server algorithm kex disable algorithm <algorithm>
Enabling Key-Exchange Algorithms
3942> ssh server algorithm kex enable algorithm <TAB>
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
3942> ssh server algorithm kex enable algorithm <algorithm>
Enable/Disable Encryption Algorithms
3942> ssh server algorithm encryption disable algorithm <TAB>
3des-cbc aes256-gcm@openssh.com
aes128-cbc arcfour
aes128-ctr arcfour128
aes128-gcm@openssh.com arcfour256
aes192-cbc blowfish-cbc
aes192-ctr cast128-cbc
aes256-cbc chacha20-poly1305@openssh.com
aes256-ctr rijndael-cbc@lysator.liu.se
3942> ssh server algorithm encryption disable algorithm 3des-cbc,aes128-cbc
3942> ssh server algorithm encryption enable algorithm <TAB>
3des-cbc aes256-gcm@openssh.com
aes128-cbc arcfour
aes128-ctr arcfour128
aes128-gcm@openssh.com arcfour256
aes192-cbc blowfish-cbc
aes192-ctr cast128-cbc
aes256-cbc chacha20-poly1305@openssh.com
aes256-ctr rijndael-cbc@lysator.liu.se
3942> ssh server algorithm encryption enable algorithm 3des-cbc,aes128-cbc
Enable/Disable MAC Algorithms
3942*> ssh server algorithm mac enable algorithm <TAB>
hmac-md5 hmac-sha1-etm@openssh.com
hmac-md5-96 hmac-sha2-256
hmac-md5-96-etm@openssh.com hmac-sha2-256-etm@openssh.com
hmac-md5-etm@openssh.com hmac-sha2-512
hmac-ripemd160 hmac-sha2-512-etm@openssh.com
hmac-ripemd160-etm@openssh.com umac-64-etm@openssh.com
hmac-ripemd160@openssh.com umac-64@openssh.com
hmac-sha1 umac-128-etm@openssh.com
hmac-sha1-96 umac-128@openssh.com
hmac-sha1-96-etm@openssh.com
3942*> ssh server algorithm mac enable algorithm hmac-md5
3942*> ssh server algorithm mac disable algorithm <TAB>
hmac-md5 hmac-sha1-etm@openssh.com
hmac-md5-96 hmac-sha2-256
hmac-md5-96-etm@openssh.com hmac-sha2-256-etm@openssh.com
hmac-md5-etm@openssh.com hmac-sha2-512
hmac-ripemd160 hmac-sha2-512-etm@openssh.com
hmac-ripemd160-etm@openssh.com umac-64-etm@openssh.com
hmac-ripemd160@openssh.com umac-64@openssh.com
hmac-sha1 umac-128-etm@openssh.com
hmac-sha1-96 umac-128@openssh.com
hmac-sha1-96-etm@openssh.com
3942*> ssh server algorithm mac disable algorithm hmac-md5
Enable/Disable Public Key Authentication Algorithms
3942*> ssh server algorithm public-key-authentication enable algorithm <TAB>
ecdsa-sha2-nistp256 ecdsa-sha2-nistp521 ssh-ed25519
ecdsa-sha2-nistp384 ssh-dss ssh-rsa
3942*> ssh server algorithm public-key-authentication enable algorithm ssh-dss
3942*> ssh server algorithm public-key-authentication disable algorithm <TAB>
ecdsa-sha2-nistp256 ecdsa-sha2-nistp521 ssh-ed25519
ecdsa-sha2-nistp384 ssh-dss ssh-rsa
3942*> ssh server algorithm public-key-authentication disable algorithm ssh-dss
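The show output above is the natural place to verify that a device actually matches the evaluated algorithm set from section 6.6 before it is put into service. The following is an added example, not Ciena tooling or code from this guide: it parses the `ssh server algorithm show` table format shown above and reports any algorithm that is enabled but not evaluated, or evaluated but not enabled. The sample output embedded in it is constructed and deliberately contains two deviations.

```python
"""Check a SAOS 'ssh server algorithm show' listing against the evaluated
SSH algorithm set. The parser and the EVALUATED table are assumptions
based on the table format shown in this guide, not Ciena code."""
import re

# Algorithms permitted in the evaluated configuration (section 6.6).
EVALUATED = {
    "KEX": {"diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "ENCRYPTION": {"aes128-cbc", "aes256-cbc"},
    "MAC": {"hmac-sha1", "hmac-sha2-256"},
    "PUBLIC-KEY-AUTHENTICATION": {"ssh-rsa"},
}

# Section banner, e.g. "+--- SSH SERVER KEX ALGORITHM CONFIGURATION ---+".
SECTION_RE = re.compile(r"SSH SERVER (\S+) ALGORITHM CONFIGURATION")
# Data row; the Priority column is optional because the public-key table lacks it.
ROW_RE = re.compile(
    r"^\|\s*(\S+)\s*\|(?:\s*\d+\s*\|)?\s*(\w+)\s*\|\s*(\w+)\s*\|$")


def parse_algorithm_show(text):
    """Return {section: {algorithm: (admin_state, oper_state)}}."""
    result = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.search(line)
        if m:
            section = m.group(1)
            result.setdefault(section, {})
            continue
        m = ROW_RE.match(line)
        if m and section:
            result[section][m.group(1)] = (m.group(2), m.group(3))
    return result


def check_compliance(parsed, evaluated=EVALUATED):
    """Return a list of (section, algorithm, problem) deviations."""
    findings = []
    for section, allowed in evaluated.items():
        rows = parsed.get(section, {})
        for name, (admin, oper) in rows.items():
            # Either state being Enabled means the algorithm is negotiable.
            if (admin == "Enabled" or oper == "Enabled") and name not in allowed:
                findings.append((section, name, "enabled but not in evaluated configuration"))
        for name in sorted(allowed):
            if name not in rows:
                findings.append((section, name, "not present in output"))
            elif rows[name] != ("Enabled", "Enabled"):
                findings.append((section, name, "required but not enabled"))
    return findings


# Constructed excerpt in the show-command format; aes256-cbc is wrongly
# disabled and hmac-md5 is wrongly enabled.
SAMPLE_OUTPUT = """\
+------------------- SSH SERVER KEX ALGORITHM CONFIGURATION -------------------+
| Algorithm Name                         | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| curve25519-sha256@libssh.org           | 1        | Disabled    | Disabled   |
| ecdh-sha2-nistp256                     | 2        | Enabled     | Enabled    |
| ecdh-sha2-nistp384                     | 3        | Enabled     | Enabled    |
| ecdh-sha2-nistp521                     | 4        | Enabled     | Enabled    |
| diffie-hellman-group14-sha1            | 7        | Enabled     | Enabled    |
| diffie-hellman-group1-sha1             | 8        | Disabled    | Disabled   |
+----------------------------------------+----------+-------------+------------+
+--------------- SSH SERVER ENCRYPTION ALGORITHM CONFIGURATION ----------------+
| Algorithm Name                         | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| aes128-ctr                             | 1        | Disabled    | Disabled   |
| aes128-cbc                             | 9        | Enabled     | Enabled    |
| aes256-cbc                             | 14       | Disabled    | Disabled   |
+----------------------------------------+----------+-------------+------------+
+------------------- SSH SERVER MAC ALGORITHM CONFIGURATION -------------------+
| Algorithm Name                         | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| hmac-md5                               | 10       | Enabled     | Enabled    |
| hmac-sha1                              | 11       | Enabled     | Enabled    |
| hmac-sha2-256                          | 14       | Enabled     | Enabled    |
+----------------------------------------+----------+-------------+------------+
+-------- SSH SERVER PUBLIC-KEY-AUTHENTICATION ALGORITHM CONFIGURATION --------+
| Algorithm Name                                    | Admin State | Oper State |
+---------------------------------------------------+-------------+------------+
| ssh-dss                                           | Disabled    | Disabled   |
| ssh-rsa                                           | Enabled     | Enabled    |
+---------------------------------------------------+-------------+------------+
"""

if __name__ == "__main__":
    for section, name, problem in check_compliance(parse_algorithm_show(SAMPLE_OUTPUT)):
        print(f"{section}: {name}: {problem}")
```

In practice the text to parse is the captured output of the show command on the device; the SSH client table uses the same format and can be checked with the same functions.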
6.7 In-Band Management Configuration
In order to perform remote administration of systems that lack a dedicated Management Ethernet Port, it
is necessary to configure one or more data plane interfaces to direct traffic to the management plane of the
TOE. This is known as in-band management. This section describes the steps that are necessary to
perform in order to enable remote administration on these systems using a representative example that
makes the following assumptions:
DHCP is not used to obtain an IP address for the remote interface.
The factory default IP address and subnet for the remote interface is 0.0.0.0:0.0.0.0. These values
will be entered if the system is reset to factory defaults.
The priority of the remote management interface defaults to 7 and is not configurable.
Ensure DHCP is disabled.
3942> dhcp client disable
Modify the remote management interface configuration.
3942> interface remote set {[ip], [vlan], [gateway]}
Note that you can change the IPv4 gateway in the same command line as the IP address to avoid loss of
connectivity due to mismatch between IP and gateway. If you specified a gateway IP address in the
previous command, skip to the last step.
Configure a default gateway.
3942> interface set gateway <IpAddress>
Validate that your changes were made.
3942> interface remote show
Save and complete the process.
3942> configuration save
7 Secure Management of the TOE
The following sections provide information on managing TOE functionality that is relevant to the claimed
Protection Profile. Note that this information is largely derived from [3] and [4], minus the specific
actions that are required as part of the ‘evaluated configuration’. The administrator is encouraged to
reference these documents in full in order to have in-depth awareness of the security functionality of the
CES product family, including functions that may be beyond the scope of this evaluation.
7.1 Authenticating to the TOE
Users must authenticate to the TOE in order to perform any management functions. Section 8.4 of the ST
discusses the process in which the TOE authenticates users via the CLI. Section 8.8.2 of the ST also
discusses the trusted channels that are invoked in order to send the data securely.
Local users log in to the command line interface (CLI) using a username and password defined locally on
the TOE, while remote users log in via the CLI using a username and either a password or an SSH public
key. User authentication information that is sent remotely to the CLI is protected using SSHv2.
Procedure 5.2 of [2] provides instructions for connecting to the TOE using Telnet. In the evaluated
configuration, telnet for remote access must be disabled in favor of SSH. To connect to the TOE over
SSH, the administrator must make sure the SSH server is configured as per section 6.2. The administrator
can connect using a valid username/password or can connect using public key-based authentication by
performing the following steps:
1. On the SSH client system, generate a new client key pair.
2. Export the public key into a file called <user>.pk2.
3. Place this file in the system’s SFTP server under the root directory.
4. On the TOE, run the following command to transfer and install the key for <user>:
ssh server key install user <user> sftp-server <ip address> login-id <sftp user> echoless-password
Note that the TOE uses role-based access control. Only a user with Super level privileges can manage
other users. The three roles supported by the TOE are:
Super: Accounts in this group have access to all ports on the TOE regardless of the lock-level and can
perform all configuration commands. They are used to manage secure access to the switch through the
creation, deletion and modification of user accounts. Although users in this group can also make
significant system state changes and modify the configuration, the primary purpose of this group is user
account maintenance. This is the only operational group with access to all user administration
commands.
Admin: Accounts in this group are used to make significant system state changes and modify the
system configuration.
Limited: Accounts in this group are used primarily in system monitoring and in the gathering of
information about the configuration and performance of the system. A restricted command set
protects user accounts in this group from changing the state of the system in a significant way or
changing the system configuration.
7.2 User Lockout
By default, the TOE does not lock out a user for an idle interactive session unless configured to do so. In
the evaluated configuration, this is enabled and set to the desired length of time by using the following
commands (Admin or Super level privileges required):
system shell set global-inactivity-timer on
system shell set global-inactivity-timeout <number of minutes>
7.3 Managing Users
Users can be created with the following command:
user create user <username> access-level <limited|admin|super> echoless-password
The CLI will collect the password in an interactive prompt after this command is entered. This prevents
password data from being displayed in the command log.
A user can be edited using the ‘user set’ command, which uses the same syntax as the ‘user create’
command described above. A user can be displayed or deleted using the commands ‘user show user
<username>’ and ‘user delete user <username>’, respectively.
Note that manipulation of user data requires the Super level privilege, but any user with Limited, Admin,
or Super privilege can view the attributes of another user (minus password-related data).
7.4 Password Management
Passwords can be composed using any combination of upper case and lower case letters, numbers and
special characters. The special characters that are supported include the following: “!”, “@”, “#”, “$”,
“%”, “^”, “&”, “*”, “(“, and “)”.
The password policy includes a configurable minimum length, which an administrator with Super level
privileges can set to any value between 15 and 128 in the evaluated configuration. The minimum
password length is set using the command ‘user password-policy set min-length <value>’. 128
characters is the maximum length for any password. In order to minimize the
risk of account compromise, it is recommended to use a password that includes a mixture of uppercase,
lowercase, numeric, and special characters and is not a common word or phrase, but is not so complex
that it must be written down in order to be remembered.
7.5 Login Banner
The login banner is created by using the banner command:
system shell banner create banner login <banner text>
The banner text can be deleted or edited using the same command as above with ‘delete banner’ and ‘edit
banner’, respectively, substituted for ‘create banner’. Note that if the ‘edit banner’ command is used, the
banner will only be edited for the specific interface from which the command was initiated. This can be
used if, for example, it is desired to use separate banners for local versus remote access. If synchronized
changes are desired, it is recommended to delete and then re-create the banner. Super level privileges are
required to perform these operations.
7.6 Session Termination
7.6.1 Admin Logout
An administrator can manually log out at any time by entering the ‘exit’ command. Note that if the
administrator is currently navigating a sub-menu, the ‘quit’ command will bring them up one level to the
previous menu. It may therefore be necessary to issue the ‘quit’ command multiple times before issuing
the ‘exit’ command to close the session.
7.6.2 Termination from Inactivity
Refer to section 7.2 above.
7.7 System Time Configuration
In the evaluated configuration of the TOE, the system time can either be set manually or by synchronizing
with an NTP server in the TOE’s Operational Environment. Admin or Super level privileges are required
to perform these operations. To set the time manually, the following command is used:
system set [date <yyyy-mm-dd>|<yy-mm-dd>|<mm-dd>] [time <hh:mm:ss>|<hh:mm>] [time-offset <SECONDS: -43200..50400>] [timestamp <local|UTC>]
This allows the date and time to be set as well as the UTC offset (in seconds) and whether or not the
offset should be applied in audit log timestamps.
To configure NTP, there are several steps that must be performed, summarized below:
1. Configure the NTP client to use broadcast, multicast, or polling mode.
2. Define one or more NTP servers for the client to connect to using the selected mode.
3. Add the defined NTP servers to the NTP client’s server list.
4. Configure NTP authentication, if required.
In order to maintain an accurate system time, [2] also includes procedures for clearing the drift file and
displaying the current NTP status.
These procedures are described in detail from Procedure 3-17 through Procedure 3-22 of [2].
7.8 Secure Updates
To maintain security throughout the lifecycle of the CES product, the TOE provides a mechanism to
apply software upgrades. The current version of the software can be displayed at any time using the
‘software show’ command. To upgrade the software, the new software image must be acquired from
Ciena and placed on an SFTP server in the environment. An administrator with Admin or Super level
privileges can then use the ‘software upgrade’ command to retrieve the software image from the server.
Configuration of the SFTP server is described in section 6.4 of this document and the process for
upgrading the TOE software is described in Procedure 4-6 of [10]. The TOE ensures the integrity of
Ciena updates through the use of a 2048-bit RSA certificate that is traceable back to the Entrust root CA.
An update will not be applied until the TOE has verified the update’s digital signature. If this
validation fails, the update is aborted and the software image is discarded automatically.
8 Auditing
In order to be compliant with Common Criteria, the TOE must audit the events in the table below. The
audit records that the TOE creates include the date and time, outcome of the event, event type, subject
identity and the source of the event. The ‘show log’ or ‘show logs’ command displays audit information.
Regular expressions can be used with the ‘show log’ command to restrict the search.
Table 8-1 (columns: Component, Event, Additional Information, Audit Examples)

Component: FAU_GEN.1
Event: su user logged out, system shutdown, rebooted and becomes active, su user logged back in
Audit Examples:
21: Sat Jan 1 00:03:04.428 2000 [local] Sev:8 chassis(1): Local RS-232 User su:User 'su' logged out from ttyS0 due to shutdown
22: Sat Jan 1 00:03:05.000 2000 [local] Sev:8 1 Shutdown
25: Sat Jan 1 00:01:06.000 2000 [local] Sev:8 1 Active, MAC 00:23:8A:0B:D1:5E, Chassis MAC 00:23:8A:0B:D1:40
26: Sat Jan 1 00:01:28.895 2000 [local] Sev:8 chassis(1): Local RS-232 User su:User 'su' successfully logged in from ttyS0
Component: FCS_SSH_EXT.1
Event: Failure to establish an SSH session; Establishment/Termination of an SSH session.
Additional Information: Reason for failure (for failed sessions); Non-TOE endpoint of connection (IP address) for both successes and failures.
Audit Examples:
SSH Initial Configuration Audit Records (command log):
| 1144 | Wed Jan 20 15:58:43 2016 | su(super) ttyS0 | ssh server key generate | Wed Jan 20 15:58:44 2016 |
| 1145 | Wed Jan 20 15:58:47 2016 | su(super) ttyS0 | ssh server enable | Wed Jan 20 15:58:47 2016 |
| 1146 | Wed Jan 20 15:59:07 2016 | su(super) /ssh_shell_10.25.42.15:60059 | ! login su on /dev/pts/0 | Wed Jan 20 15:59:07 2016 |
| 1147 | Wed Jan 20 15:59:13 2016 | su(super) /ssh_shell_10.25.42.15:60059 | ssh server show | Wed Jan 20 15:59:15 2016 |
Failure to establish an SSH session using Triple-DES (IP address of remote host; reason for failure):
900: Sat Jan 1 00:04:41.570 2000 [local] Sev:8 chassis(1): :SSHD sshd[1643]: fatal: Unable to negotiate with 192.168.100.2: no matching cipher found. Their offer: 3des-cbc [preauth]
Successful SSH login (audit record of successful logon):
148: January 1, 2000 22:56:35.205 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' successfully logged in from 192.168.100.2
Successful SSH logout:
301: Wed Jan 20 15:53:40.054 2016 [local] Sev:8 chassis(1): SSH IP 10.25.42.15 User su:User 'su' logged out from 10.25.42.15
SSH Termination:
302: Wed Jan 20 15:56:20.981 2016 [local] Sev:8 chassis(1): SSH IP 10.25.42.15 User su:User 'su' successfully logged in from 10.25.42.15
303: Wed Jan 20 15:56:27.676 2016 [local] Sev:8 chassis(1): SSH IP 10.25.42.15 User su:User 'su' logged out from 10.25.42.15 unexpectedly
Component: FIA_UIA_EXT.1
Event: All use of the identification and authentication mechanism.
Additional Information: Provided user identity, origin of the attempt (e.g., IP address).
Audit Examples:
CLI: Audit records showing 4 login attempts
good user good password:
348: January 1, 2000 21:26:06.283 [UTC] Sev:8 chassis(1): Local RS-232 User su:User 'su' successfully logged in from ttyS0
349: January 1, 2000 21:27:31.717 [UTC] Sev:8 chassis(1): Local RS-232 User su:User 'su' logged out from ttyS0
good user bad password:
350: January 1, 2000 21:28:20.242 [UTC] Sev:6 chassis(1): :User authentication failed from IP ttyS0 user name 'su'
bad user good password:
351: January 1, 2000 21:30:07.169 [UTC] Sev:6 chassis(1): :User authentication failed from IP ttyS0 user name 'xxxxx'
bad user bad password:
352: January 1, 2000 21:31:34.309 [UTC] Sev:6 chassis(1): :User authentication failed from IP ttyS0 user name 'yyyyy'
Remote SSH audit records showing 4 login attempts:
good user good password:
357: January 1, 2000 21:44:18.356 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' successfully logged in from 192.168.100.2
358: January 1, 2000 21:45:38.204 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' logged out from 192.168.100.2
good user bad password:
359: January 1, 2000 21:45:54.061 [UTC] Sev:6 chassis(1): :User authentication failed from IP shell user name 'su'
bad user good password:
360: January 1, 2000 21:47:48.264 [UTC] Sev:6 chassis(1): :User authentication failed from IP shell user name 'xxxxx'
bad user bad password:
361: January 1, 2000 21:49:02.442 [UTC] Sev:6 chassis(1): :User authentication failed from IP shell user name 'yyyyy'
Component: FIA_UAU_EXT.2
Event: All use of the authentication mechanism.
Additional Information: Origin of the attempt (e.g., IP address).
Audit Examples: See FIA_UIA_EXT.1
Component: FPT_STM.1
Event: Changes to the time.
Additional Information: The old and new values for the time. Origin of the attempt (e.g., IP address).
Audit Examples:
The audit logs show the time was changed manually back and then forward by the NTP server:
389: November 12, 2015 10:00:07.560 [UTC] Sev:6 chassis(1): :System time changed backward by 1h56m11s
390: November 12, 2015 16:59:10.120 [UTC] Sev:6 chassis(1): :System time changed forward by 6h56m53s
The command-log file shows the commands that were issued:
| 327 | Thu Nov 12 11:56:11 2015 | su(super) /ssh_shell_192.168.100.2:60708 | system set time 10:00:00 | Thu Nov 12 10:00:00 2015 |
| 328 | Thu Nov 12 10:00:06 2015 | su(super) /ssh_shell_192.168.100.2:60708 | system show date time | Thu Nov 12 10:00:06 2015 |
| 329 | Thu Nov 12 10:02:15 2015 | su(super) /ssh_shell_192.168.100.2:60708 | ntp client add server 192.168.100.9 | Thu Nov 12 10:02:18 2015 |
| 330 | Thu Nov 12 16:59:18 2015 | su(super) /ssh_shell_192.168.100.2:60708 | ntp client enable server 192.168.100.9 | Thu Nov 12 16:59:18 2015 |
Component: FPT_TUD_EXT.1
Event: Initiation of update.
Additional Information: No additional information.
Audit Examples:
Installation of a new software package followed by a reboot:
67: Tue Nov 17 14:02:13.522 2015 [local] Sev:7 chassis(1): :Commencing with software signature checking
68: Tue Nov 17 14:02:27.165 2015 [local] Sev:7 chassis(1): :Software signature checking passed
69: Tue Nov 17 14:09:59.426 2015 [local] Sev:7 chassis(1): :Sw Xgrade Complete operation: install result: Success
70: Tue Nov 17 14:09:59.427 2015 [local] Sev:7 chassis(1): SSH IP 192.168.200.2 User su:Software manager package install slot: 1, package: saos-06-14-00-0265
71: Tue Nov 17 14:11:51.724 2015 [local] Sev:8 chassis(1): SSH IP 192.168.200.2 User su:User 'su' logged out from 192.168.200.2 due to shutdown
72: Tue Nov 17 14:11:52.000 2015 [local] Sev:8 1 Shutdown
Commands that were executed:
| 133 | Tue Nov 17 14:01:29 2015 | su(super) /ssh_shell_192.168.200.2:59690 | software install package-path /tftpboot/CCTest/saos-06-14-00-0265.signed package saos-06-14-00-0265 sftp-server 192.168.100.9 login-id ocadmin echoless-password | Tue Nov 17 14:09:59 2015 |
| 134 | Tue Nov 17 14:11:41 2015 | su(super) /ssh_shell_192.168.200.2:59690 | chassis reboot | Tue Nov 17 14:11:51 2015 |
Component: FTA_SSL_EXT.1
Event: Any attempts at unlocking of an interactive session.
Additional Information: No additional information.
Audit Examples:
See FIA_UIA_EXT.1 for local and remote login attempts.
Locking of the local connection after a configured timeout period of 3, 5 and 7 minutes:
3 minute inactivity timeout:
419: November 12, 2015 18:15:08.169 [UTC] Sev:8 chassis(1): Local RS-232 User test1:User 'test1' successfully logged in from ttyS0
420: November 12, 2015 18:18:11.924 [UTC] Sev:8 chassis(1): Local RS-232 User test1:User 'test1' logged out from ttyS0 due to inactivity
5 minute inactivity timeout:
424: November 12, 2015 18:24:55.761 [UTC] Sev:8 chassis(1): Local RS-232 User test1:User 'test1' successfully logged in from ttyS0
425: November 12, 2015 18:29:57.804 [UTC] Sev:8 chassis(1): Local RS-232 User test1:User 'test1' logged out from ttyS0 due to inactivity
7 minute inactivity timeout:
429: November 12, 2015 18:32:41.283 [UTC] Sev:8 chassis(1): Local RS-232 User test1:User 'test1' successfully logged in from ttyS0
430: November 12, 2015 18:39:44.364 [UTC] Sev:8 chassis(1): Local RS-232 User test1:User 'test1' logged out from ttyS0 due to inactivity
Commands that were issued:
| 365 | Thu Nov 12 18:09:11 2015 | su(super) ttyS0 | system shell set global-inactivity-timer on | Thu Nov 12 18:09:11 2015 |
| 366 | Thu Nov 12 18:09:24 2015 | su(super) ttyS0 | system shell set global-inactivity-timeout 3 | Thu Nov 12 18:09:24 2015 |
| 378 | Thu Nov 12 18:24:33 2015 | su(super) ttyS0 | system shell set global-inactivity-timeout 5 | Thu Nov 12 18:24:33 2015 |
| 385 | Thu Nov 12 18:32:31 2015 | su(super) ttyS0 | system shell set global-inactivity-timeout 7 | Thu Nov 12 18:32:31 2015 |
Component: FTA_SSL.3
Event: The termination of a remote session by the session locking mechanism.
Additional Information: No additional information.
Audit Examples:
Locking on a remote session after 3, 5, 7 minutes:
472: January 1, 2000 00:03:03.909 [UTC] Sev:7 chassis(1): SSH IP 192.168.100.2 User su:System Global Inactivity Timer Enable
473: January 1, 2000 00:03:11.703 [UTC] Sev:7 chassis(1): SSH IP 192.168.100.2 User su:System Global Inactivity Timeout Set 3
487: January 1, 2000 00:27:38.086 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User test1:User 'test1' successfully logged in from 192.168.100.2
488: January 1, 2000 00:30:49.324 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User test1:User 'test1' logged out from 192.168.100.2 due to inactivity
490: January 1, 2000 00:32:44.252 [UTC] Sev:7 chassis(1): SSH IP 192.168.100.2 User su:System Global Inactivity Timeout Set 5
491: January 1, 2000 00:32:46.032 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' logged out from 192.168.100.2
492: January 1, 2000 00:32:58.343 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User test1:User 'test1' successfully logged in from 192.168.100.2
493: January 1, 2000 00:38:06.485 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User test1:User 'test1' logged out from 192.168.100.2 due to inactivity
495: January 1, 2000 00:41:25.887 [UTC] Sev:7 chassis(1): SSH IP 192.168.100.2 User su:System Global Inactivity Timeout Set 7
496: January 1, 2000 00:41:29.435 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' logged out from 192.168.100.2
497: January 1, 2000 00:41:35.381 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' successfully logged in from 192.168.100.2
498: January 1, 2000 00:48:37.164 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' logged out from 192.168.100.2 due to inactivity
Commands that were executed:
| 433 | Sat Jan 1 00:03:03 2000 | su(super) /ssh_shell_192.168.100.2:62766 | system shell set global-inactivity-timer on | Sat Jan 1 00:03:03 2000 |
| 434 | Sat Jan 1 00:03:11 2000 | su(super) /ssh_shell_192.168.100.2:62766 | system shell set global-inactivity-timeout 3 | Sat Jan 1 00:03:11 2000 |
| 465 | Sat Jan 1 00:32:44 2000 | su(super) /ssh_shell_192.168.100.2:63114 | system shell set global-inactivity-timeout 5 | Sat Jan 1 00:32:44 2000 |
| 469 | Sat Jan 1 00:41:25 2000 | su(super) /ssh_shell_192.168.100.2:63202 | system shell set global-inactivity-timeout 7 | Sat Jan 1 00:41:25 2000 |
Component: FTA_SSL.4
Event: The termination of an interactive session.
Additional Information: No additional information.
Audit Examples:
Login and exit for a local session:
501: January 1, 2000 01:04:53.733 [UTC] Sev:8 chassis(1): Local RS-232 User test1:User 'test1' successfully logged in from ttyS0
502: January 1, 2000 01:04:58.426 [UTC] Sev:8 chassis(1): Local RS-232 User test1:User 'test1' logged out from ttyS0
Login and exit for a remote SSH session:
506: January 1, 2000 01:08:51.446 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User test1:User 'test1' successfully logged in from 192.168.100.2
507: January 1, 2000 01:09:44.274 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User test1:User 'test1' logged out from 192.168.100.2
Component: FTP_ITC.1
Event: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Additional Information: Identification of the initiator and target of failed trusted channels establishment attempt.
Audit Examples:
See FCS_SSH_EXT.1 for failure of a trusted channel attempt.
Trusted Channel: TOE to Update Server (SFTP Server) software package upgrade:
118: November 16, 2015 19:45:45.250 [UTC] Sev:8 chassis(1): Local RS-232 User su:User 'su' successfully logged in from ttyS0
119: November 16, 2015 19:47:43.059 [UTC] Sev:7 chassis(1): :Sw Xgrade Complete operation: protect result: Unknown error
120: November 16, 2015 19:52:05.343 [UTC] Sev:7 chassis(1): :Commencing with software signature checking
121: November 16, 2015 19:52:22.475 [UTC] Sev:7 chassis(1): :Software signature checking passed
122: November 16, 2015 19:53:57.469 [UTC] Sev:7 chassis(1): :Sw Xgrade Complete operation: other result: Success
123: November 16, 2015 19:53:57.471 [UTC] Sev:7 chassis(1): Local RS-232 User su:Software manager package install slot: 1, package: saos-06-14-00-0265
Software package upgrade command:
| 577 | Mon Nov 16 19:51:54 2015 | su(super) ttyS0 | software install defer-activation package-path /tftpboot/CCTest/saos-06-14-00-0265.signed package saos-06-14-00-0265 sftp-server 192.168.100.9 login-id ocadmin echoless-password | Mon Nov 16 19:53:57 2015 |
Audit Server data transfer via SFTP:
448: Tue Nov 17 19:53:43.000 2015 [local] Sev:8 SFTP upload /mnt/sysfs/seclog/secLog.1447062878 to 192.168.100.9 as /tftpboot/CCTest/5142/2C-39-C1-94-A2-80.1447062878: Success
Audit server commands:
| 624 | Tue Nov 17 19:33:06 2015 | su(super) /ssh_shell_192.168.100.2:60987 | system security log transfer set sftp-server 192.168.100.9 login-id ocadmin echoless-password | Tue Nov 17 19:33:14 2015 |
| 631 | Tue Nov 17 19:53:36 2015 | su(super) /ssh_shell_192.168.100.2:60987 | system security log transfer now | Tue Nov 17 19:53:36 2015 |
Successful file transfer to SFTP server:
January 20, 2016 15:43:45.284 [local] Sev:7 chassis(1): SSH IP 10.25.42.15 User su:Beginning upload of file /tmp/test1.txt to SFTP server 10.33.22.79
January 20, 2016 15:43:46.331 [local] Sev:7 chassis(1): SSH IP 10.25.42.15 User su:Successfully uploaded file /tmp/test1.txt to SFTP server 10.33.22.79, remote file test1.txt
January 20, 2016 15:43:46.331 [local] Sev:8 chassis(1): SSH IP 10.25.42.15 User su:File transfer result: DownloadManager: File /tmp/test1.txt transferred successfully to ip 10.33.22.79
Termination of SFTP file transfer to SFTP server due to failure:
January 20, 2016 15:48:39.437 [local] Sev:7 chassis(1): SSH IP 10.25.42.15 User su:Beginning upload of file /tmp/test1.txt to SFTP server 10.33.22.79
January 20, 2016 15:48:47.891 [local] Sev:6 chassis(1): SSH IP 10.25.42.15 User su:Unable to upload file /tmp/test1.txt to SFTP server 10.33.22.79: Remote access denied
January 20, 2016 15:48:47.892 [local] Sev:8 chassis(1): SSH IP 10.25.42.15 User su:File transfer result: DownloadManager: Could not transfer /tmp/test1.txt to host 10.33.22.79
Component: FTP_TRP.1
Event: Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions.
Additional Information: Identification of the claimed user identity.
Audit Examples: See FTP_ITC.1

Table 8-1: NDPP Auditable Events
The following is an example of an audit record that CES produces.
366: January 1, 2000 22:03:53.585 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' successfully logged in from 192.168.100.2
It can be seen from the example record that this includes a timestamp value (January 1, 2000
22:03:53.585 [UTC]), the process causing the log to be generated (SSH), the IP address of the event
(192.168.100.2), the user causing the event to occur (su), the action (logged in), and the result of the event
(successful[ly]). It also includes non-security relevant data of a sequence number (366), severity level (8),
and number of the chassis on which the event occurred (1).
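The field walk-through above, as an added example that is not the document's or Ciena's code: a parser for the CES audit record layout (sequence number, timestamp, [local|UTC], severity, chassis, source, user, message) plus a detector that counts authentication failures per origin. The sample records are copied from Table 8-1; the burst threshold of 3 failures within 10 minutes is an assumption chosen for illustration.

```python
"""Parser and failed-login detector for CES audit records. Added example, not
code from the guidance or from Ciena: the field layout follows the record walked
through in section 8, the samples are copied from Table 8-1, and the burst
threshold and window are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# "<seq>: <timestamp> [local|UTC] Sev:<n> chassis(<n>): <rest>"
HEADER = re.compile(r"^(?P<seq>\d+): (?P<ts>.+?) \[(?P<tz>local|UTC)\] "
                    r"Sev:(?P<sev>\d+) chassis\((?P<chassis>\d+)\): (?P<rest>.*)$")
# <rest> is "<source> User <user>:<message>" for an authenticated subject,
# or ":<message>" when the TOE itself produced the event.
SUBJECT = re.compile(r"^(?P<source>.+?) User (?P<user>[^:]+):(?P<msg>.*)$")
TS_FORMATS = ("%B %d, %Y %H:%M:%S.%f",    # "January 1, 2000 22:03:53.585"
              "%a %b %d %H:%M:%S.%f %Y")  # "Sat Jan 1 00:04:41.570 2000"

@dataclass
class AuditRecord:
    seq: int
    when: datetime
    tz: str                      # "local" or "UTC" as written in the record
    severity: int
    chassis: int
    source: Optional[str]        # "SSH IP 192.168.100.2", "Local RS-232", None
    user: Optional[str]          # authenticated subject; None for TOE events
    message: str
    event: str                   # login, logout, auth_failure, ssh_failure, other
    origin: Optional[str]        # IP or tty the message names as the far end
    claimed_user: Optional[str]  # identity quoted in the message, if any

def parse_timestamp(text: str) -> datetime:
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {text!r}")

def classify(msg: str):
    """Map the free-text message to (event, origin, claimed_user)."""
    quoted = re.search(r"[Uu]ser(?: name)? '([^']*)'", msg)
    claimed = quoted.group(1) if quoted else None
    for event, pattern in (("auth_failure", r"authentication failed from IP (\S+)"),
                           ("login", r"successfully logged in from (\S+)"),
                           ("logout", r"logged out from (\S+)"),
                           ("ssh_failure", r"Unable to negotiate with ([\d.]+):")):
        m = re.search(pattern, msg)
        if m:
            return event, m.group(1), claimed
    return "other", None, claimed

def parse_record(line: str) -> AuditRecord:
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a CES audit record: {line!r}")
    rest, source, user = m.group("rest"), None, None
    if rest.startswith(":"):
        msg = rest[1:]
    else:
        s = SUBJECT.match(rest)
        if not s:
            raise ValueError(f"unrecognised subject prefix: {rest!r}")
        source, user, msg = s.group("source"), s.group("user"), s.group("msg")
    event, origin, claimed = classify(msg)
    return AuditRecord(int(m.group("seq")), parse_timestamp(m.group("ts")), m.group("tz"),
                       int(m.group("sev")), int(m.group("chassis")), source, user, msg,
                       event, origin, claimed)

def parse_log(lines):
    """Parse all records; lines of another shape (e.g. 'Sev:8 1 Shutdown') are counted."""
    records, skipped = [], 0
    for line in filter(str.strip, lines):
        try:
            records.append(parse_record(line))
        except ValueError:
            skipped += 1
    return records, skipped

def detect_auth_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Origins with >= threshold auth failures inside one sliding window.
    Timestamps are compared as logged, so keep [UTC] and [local] runs apart."""
    stamps = {}
    for r in sorted(records, key=lambda r: r.when):
        if r.event == "auth_failure":
            stamps.setdefault(r.origin, []).append(r.when)
    alerts = {}
    for origin, times in stamps.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[origin] = max(alerts.get(origin, 0), end - start + 1)
    return alerts

# Records copied from the page's audit examples (Table 8-1).
SAMPLE_LOG = """\
350: January 1, 2000 21:28:20.242 [UTC] Sev:6 chassis(1): :User authentication failed from IP ttyS0 user name 'su'
351: January 1, 2000 21:30:07.169 [UTC] Sev:6 chassis(1): :User authentication failed from IP ttyS0 user name 'xxxxx'
352: January 1, 2000 21:31:34.309 [UTC] Sev:6 chassis(1): :User authentication failed from IP ttyS0 user name 'yyyyy'
359: January 1, 2000 21:45:54.061 [UTC] Sev:6 chassis(1): :User authentication failed from IP shell user name 'su'
900: Sat Jan 1 00:04:41.570 2000 [local] Sev:8 chassis(1): :SSHD sshd[1643]: fatal: Unable to negotiate with 192.168.100.2: no matching cipher found. Their offer: 3des-cbc [preauth]
22: Sat Jan 1 00:03:05.000 2000 [local] Sev:8 1 Shutdown
"""
```

Running `parse_log(SAMPLE_LOG.splitlines())` yields five records and one skipped line, and `detect_auth_bursts` then flags ttyS0 with three failures inside the window; note that failed SSH attempts record the origin only as 'shell', so the remote address must be correlated from the FCS_SSH_EXT.1 records.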
8.1 Audit Storage
Once enabled (see section 6.1), log records are stored locally by default. Section 6.3 provides instructions
on how to set up and verify an SFTP client connection to a remote file server that can be used to transfer
audit data. An administrator with Super level privilege can transfer audit data using the ‘system security
log transfer now’ command. Administrators are encouraged to back up audit data regularly so that there is
organizational visibility into the behavior of the CES device.
9 SFR Assurance Activities
In this section we identify the SFR assurance activities and specify where in the Ciena documentation this
information can be found.
FAU_GEN.1 – Section 8 of this document lists the security-relevant auditable events for the TOE and
provides sample audit data for each event. Additionally, a comprehensive list of the ‘system events’ that
are considered to be auditable events for the CES product is provided in [6]. This includes both
security-relevant and non-security-relevant events. [8] provides a general overview of the log format under ‘Event
logging configuration’.
The instructions for configuring logging are described in section 11 of [8]. The actions in Ciena’s
documentation that are considered to be security-relevant are those that are directly applicable to
satisfying the functionality described in the Security Target [12]. Other product functionality such as
configuration of networks and Quality of Service (QoS) for traffic that is traveling through the TOE’s
data plane interface is considered to be non-interfering with respect to the secure operation of the TSF.
FAU_STG_EXT.1 – In the evaluated configuration, collected audit data is stored persistently in local
memory. See section 6.1 of this document for configuration instructions. The steps in section 6.3 indicate
how to enable a remote audit server and securely transfer audit data to it using SSH. Command log data is
stored in /flash1/log/CmdLog.[0-4]. It can be transmitted to the remote audit server using SSH via the
‘system xftp putfile’ command.
The procedures for establishing a trusted channel to the audit server are described in section 6 of this
document.
FCS_SSH_EXT.1.4 – Section 6.6 of this document provides instructions for how to configure the TOE
to implement SSH in a manner that is consistent with the Security Target.
FCS_SSH_EXT.1.6 – See FCS_SSH_EXT.1.4
FCS_SSH_EXT.1.7 – See FCS_SSH_EXT.1.4
FIA_PMG_EXT.1 – Password management is described in section 7.4 of this document.
FIA_UIA_EXT.1 – Creating usernames and passwords is described in section 7.3 of this document. SSH
server configuration is described in section 6.2 of this document. Authenticating to the TOE for both
password-based and public key-based authentication is described in section 7.1 of this document.
Section 7.5 of this document provides instructions on how to configure the pre-authentication login
banner. There is no other method by which a user or administrator can view or interact with TSF data
prior to authentication.
FMT_MTD.1 – The TOE has a fixed set of administrative roles with a fixed set of privileges which is
summarized in section 7.1 of this document. [4] also provides a comprehensive listing of administrative
commands and the minimum level of privilege required to execute each of them.
FMT_SMR.2 – Configuration of the TOE can occur locally via the serial console or remotely over the
dedicated Management Ethernet Port (if available) or data plane interface via in-band management.
Section 6.7 of this document provides instructions on how to set up in-band management. Section 6.2 of
this document provides instructions on how to set up the SSH server for remote administration. Section
7.1 of this document provides instructions for how to log in to the TOE once an appropriate connection
has been set up.
FPT_STM.1 – Procedure 4-2 of [2] provides instructions on how to manually set the system time.
Procedures 3-17 through 3-22 of [2] provide instructions on how to set up and administer NTP. These
activities are also summarized in section 7.7 of this document.
FPT_TST_EXT.1 – Section 6.5 of this document references procedures for enabling FIPS mode, which
also enables the use of self-tests by the TOE during boot. In the event that a self-test fails, the TOE will
automatically reboot. If the TSF has been corrupted or the hardware has failed such that rebooting will not
resolve the issue, an administrator will need to factory reset the TOE and/or replace the failed hardware
component.
FPT_TUD_EXT.1 – Section 7.8 of this document summarizes the method by which software upgrades
are applied and verified. The ‘software upgrade’ command in [4] describes the syntax for performing a
system upgrade. The general instructions for acquiring, verifying, and performing trusted updates are
described in detail in [10].
FTA_SSL_EXT.1, FTA_SSL.3, FTA_SSL.4 – There is no specific assurance activity. However, the
assurance activity for testing requires the tester to follow the operational guidance to configure the system
inactivity period. Section 7.6 of this document provides information on manual and automatic session
termination activities.
FTA_TAB.1 – There is no specific assurance activity. However, the assurance activity for testing
requires the tester to follow the operational guidance to configure the banner. Section 7.5 of this
document provides instructions on how to configure the login banner.
FTP_ITC.1 – Section 10 of [2] provides information on all of the trusted communications used by the
TOE. Sections 6.3 and 6.4 of this document provide instructions for configuring the TOE and remote
SFTP server for trusted communications.
FTP_TRP.1 – Section 10 of [2] provides information on all of the trusted communications used by the
TOE. Section 6.2 of this document includes instructions for how to configure the TOE’s SSH server to
allow for secure remote administration.
10 Operational Modes
The device has two configurable settings for its operational modes: security mode and encryption mode.
In order to enable the secure configuration for each of these modes, the following commands are issued:
system security set security-mode enhanced
system security set encryption-mode fips
Note that enabling enhanced security mode also performs a factory reset on the device. There is no
separate error mode or other degraded mode of operation in the event that a cryptographic self-test fails;
instead, the device will reboot and attempt to automatically repair the error state. If this fails to correct the
error state, it may be necessary to perform a factory reset on the device or to load a new software image.
11 Additional Support
Ciena provides technical support for its products if needed. Customers can register for a support account
at www.ciena.com/support. Additionally, direct support can be reached toll-free in North America at
1-800-243-6224.