Common Criteria Avaya VSP Series Addendum Release 1.6


Contents

1. Introduction
   1.1. Target of Evaluation
   1.2. Cryptographic Support
2. Operational Environment
   2.1. Overview
   2.2. IT Infrastructure
   2.3. Delivery
3. Configuring Compliance using ACLI
   3.1. Enabling Enhanced Secure Mode non-jitc
   3.2. Configuring SSH Compliance
   3.3. Configuring TLS/HTTPS Compliance
   3.4. Configuring NTP Server using ACLI
   3.5. Configure the TOE Clock
   3.6. Configuring Banner and Message of the Day
   3.7. Configuring External Audit Server
   3.8. Configuring IPsec
   3.9. Checking TOE Software Version
   3.10. Updating TOE Software
4. Configuring Compliance using Enterprise Device Manager (EDM)
   4.1. Adding a User using EDM
   4.2. SSH Compliance Using EDM
   4.3. Configuring NTP Server using EDM
   4.4. Configure the TOE Clock
   4.5. Setting the Banner
   4.6. Configuring External Audit Server
   4.7. Checking TOE Software Version
5. Audit Functionality
   5.1. Viewing Audit Records
6. Self-Tests
Appendix A: IKE/IPSEC Configuration
   IKE/IPSEC Configuration with Authentication type as Pre-shared key
      DUT Configs
      Radius Server configurations
   IKE/IPSEC Configuration with Authentication type as Digital Certification
      DUT Configs
      Radius Server configurations

1. Introduction

1.1. Target of Evaluation

The Targets of Evaluation (TOEs) are the Avaya VSP 8000, Avaya VSP 7000 and the Avaya VSP 4000 switches running software version. The devices were tested in the evaluated configuration for the following models:
- VSP-4450GSX-PWR+
- VSP-7254XTQ
- VSP-8284XSQ

This guide describes how to configure the TOE in the evaluated configuration. The security function includes tasks related to product security; for example, the management and protection of resources from unauthorized or detrimental access and use. Configuration settings include settings for IPsec, SSH and TLS.

1.2. Cryptographic Support

All cryptographic functions in the TOE are provided by the Mocana Cryptographic Module Suite B software version 6.4.1f. The table below lists the algorithm certificates issued by the CAVP.

Table 1: Provided Cryptography

Cryptographic Method   | Use within the TOE                                   | CAVP Certificate #
RSA Signature Services | Used in TLS session establishment                    | 2219
                       | Used in SSH session establishment                    |
                       | Used in IPsec session establishment                  |
                       | Used in secure software update                       |
SP 800-90A CTR_DRBG    | Used in TLS session establishment                    | 1232
                       | Used in SSH session establishment                    |
                       | Used in IPsec session establishment                  |
SHS                    | Used to provide TLS traffic integrity verification   | 2679
                       | Used to provide SSH traffic integrity verification   |
                       | Used to provide IPsec traffic integrity verification |
                       | Used in secure software update                       |
HMAC-SHS               | Used to provide TLS traffic integrity verification   | 2679
                       | Used to provide SSH traffic integrity verification   |
                       | Used to provide IPsec traffic integrity verification |
AES                    | Used to encrypt TLS traffic                          | 4100
                       | Used to encrypt SSH traffic                          |
                       | Used to encrypt IPsec traffic                        |
SP 800-56A             | Used in TLS session establishment                    | 971
                       | Used in SSH session establishment                    |
                       | Used in IPsec session establishment                  |
DSA                    | Used in support of SP 800-56A                        | 1140

The TOE runs Mentor Graphics Linux 4.0.

2. Operational Environment

2.1. Overview

In their evaluated configurations the TOE platforms are designed to support management functions through remote CLI and remote GUI. They also support communication with an NTP Server and secure communication with other IT entities such as a Syslog Server, Certificate Authority, OCSP Server and AAA. The switch supports IPv6; however, the evaluated configuration was performed on an IPv4 network.

2.2. IT Infrastructure

The following IT infrastructure elements are assumed to be present:
- At least one VSP series appliance
- Gateway/Router
- Workstation

In addition, for the evaluated configuration the TOE is configured to communicate with the following:
- Syslog Server
- OCSP Server
- NTP Server
- AAA Server
- Certificate Authority

2.3. Delivery

The TOE is delivered via commercial carrier (either FedEx or UPS). The TOE will contain a packing slip with the serial numbers of all shipped devices. The receiver must verify that the hardware serial numbers match the serial numbers listed in the packing slip.

3. Configuring Compliance using ACLI

This section provides instructions to properly configure the device to operate in a manner that is consistent with the NDcPP through the ACLI. The ACLI can be accessed through either the local console port or remotely over SSH.

3.1. Enabling Enhanced Secure Mode non-jitc

Enabling enhanced secure mode allows the switch to support the following authentication access levels for local authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+) authentication:
- Administrator
- Privilege
- Operator
- Auditor

Table 2: Enhanced Secure Mode non-jitc

Security Feature | Enhanced Secure Mode non-jitc
Authentication   | Role Based: admin/privilege/operator/security/auditor
Password Length  | Minimum of 8 characters with exception of Admin user. Admin requires a minimum of 15 characters.
Password Rules   | 2 upper case, 2 lower case, 2 numeric & 2 special character. (1 is configurable but 2 is default)
Audit Logs       | Authorized users are able to View/Modify/Delete Audit Logs
SNMPv3           | Password rules apply to SNMPv3 Auth & Priv. SNMPv3 is required (V1/V2 disabled)
EDM (GUI)        | Site Admin to enable/disable

The Administrator access level is enabled by default at the inception of enhanced secure mode. All other users are disabled and need to be configured.

To enable enhanced secure mode, you must first change the boot flag from the configure terminal. Next, you must save the configuration and reboot the switch.

    VSP-4450GSX-PWR+:1(config)#% boot config flags enhancedsecuremode non-jitc
    Warning: Enhancedsecure-mode flag is enabled
    Warning: Please save configuration and reboot the switch for this to take effect.
    VSP-4450GSX-PWR+:1(config)#% save config
    CP-1: Save config to file /intflash/config.cfg successful.
    CP-1: Save license to file /intflash/premier.dat successful.
    VSP-4450GSX-PWR+:1(config)#% exit
    VSP-4450GSX-PWR+:1#% boot -y

After reboot:

    Login: admin
    Password: *****

    This is an initial attempt using the default user name and password.
    Please change the user name and password to continue.
    Enter the New password : *****************
    Re-enter the New password : *****************(Administrator01*-)
    Password changed successfully

Figure 1: Password Configuration

Make sure to save configuration regularly when making changes to the device with the save config command. This will ensure that in the case of a power outage or reboot the changes are not lost.
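The password rules in Table 2 (minimum length by role, at least two characters from each of four classes, with the per-class count configurable down to one) can be checked offline before an administrator sets a password. The following Python is an added example and is not code from the addendum or from Avaya; the function and parameter names are assumptions, and treating any ASCII punctuation character as "special" is an assumption too.

```python
"""Password-rule check mirroring the enhanced secure mode rules in Table 2.
Added example; not code from the Avaya addendum."""
import string

# Assumption: any printable ASCII punctuation counts as a "special" character.
SPECIAL = frozenset(string.punctuation)

# Minimum length per role, from Table 2: admin 15, every other role 8.
MIN_LENGTH = {"admin": 15, "privilege": 8, "operator": 8,
              "security": 8, "auditor": 8}


def count_classes(password):
    """Count characters in the four classes the rules refer to."""
    return {
        "upper case": sum(c.isupper() for c in password),
        "lower case": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL for c in password),
    }


def check_password(password, role="operator", per_class_min=2):
    """Return the list of rule violations; an empty list means the password
    satisfies the policy.

    per_class_min: 2 is the default stated in Table 2; 1 is the configurable
    alternative.
    """
    if role not in MIN_LENGTH:
        raise ValueError("unknown role: %s" % role)
    violations = []
    min_len = MIN_LENGTH[role]
    if len(password) < min_len:
        violations.append("length %d is below the %d required for %s"
                          % (len(password), min_len, role))
    for name, count in count_classes(password).items():
        if count < per_class_min:
            violations.append("%s characters: %d, need at least %d"
                              % (name, count, per_class_min))
    return violations


if __name__ == "__main__":
    # Constructed candidates; the last one is the value shown in Figure 1,
    # which only passes when the per-class minimum is lowered to 1.
    for pw, role in [("password", "admin"), ("AB12!?cd", "operator"),
                     ("Administrator01*-", "admin")]:
        print(role, pw, check_password(pw, role) or "accepted")
    print(check_password("Administrator01*-", "admin", per_class_min=1) or "accepted")
```

The default credentials (admin/password) fail on length and on three character classes, which is why the switch forces the change at first login shown in Figure 1.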

3.2. Configuring SSH Compliance

The user will need to follow these instructions to ensure that SSH is properly configured to operate in a compliant manner. The device supports ciphers that are not NDcPP compliant and they will need to be disabled before the device is considered to be functioning in a manner that is compliant with the NDcPP.

Configuring SSH for NDcPP compliance (SSH is disabled by default; SSH must be disabled before making any configuration changes.)

Figure 2: Default (Non-Compliant) SSH

The only compliant authentication types supported by the device are hmac-sha1 and hmac-sha256. The user must disable the other types for compliance.

Figure 3: Authentication Type

The user must also disable several encryption types for the device to operate in compliance with the NDcPP. The default encryption types are as follows:

Figure 4: Encryption Type

All ciphers must be disabled except the following two:
- aes128-cbc
- aes256-cbc

Figure 5: Disabling Encryption Type

The user must also set the proper key authorization method. By default, the device supports:
- DSA (non-compliant)
- RSA

DSA will need to be disabled.

Figure 6: Disabling Key Authorization Type

The device supports the following two key exchange methods, one of which is non-compliant:
- diffie-hellman-group1-sha1 (non-compliant)
- diffie-hellman-group14-sha1

Disabling the non-compliant method is done as follows:

Figure 7: Disabling Key Exchange Method

Once configuration is complete, the boot flag must be enabled for SSH. An example is shown below:

Figure 8: Enable SSHD

Proper configuration of SSH for compliance will have the following parameters:

Figure 9: Compliant SSH Configuration

Make sure to save configuration regularly when making changes to the device with the save config command. This will ensure that in the case of a power outage or reboot the changes are not lost.
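Section 3.2 reduces to four allow-lists (authentication types, ciphers, key authorization, key exchange); everything outside them must be disabled before SSHD is re-enabled. The following Python is an added example, not code from the addendum or from Avaya, that compares a snapshot of the device's SSH settings with those allow-lists and reports what still has to be switched off. The snapshot layout (a dict of setting name to enabled algorithm names) is an assumption, because the page shows the device state only as screenshots; "3des-cbc" in the constructed default snapshot is a stand-in for the extra ciphers of Figure 4.

```python
"""Compliance check of an SSH configuration snapshot against the NDcPP set in
section 3.2. Added example; not code from the Avaya addendum."""

# Compliant set from section 3.2: everything else in each category is disabled.
COMPLIANT = {
    "authentication_types": frozenset({"hmac-sha1", "hmac-sha256"}),
    "encryption_types": frozenset({"aes128-cbc", "aes256-cbc"}),
    "key_authorization": frozenset({"rsa"}),
    "key_exchange": frozenset({"diffie-hellman-group14-sha1"}),
}


def ssh_compliance_report(snapshot):
    """Compare a snapshot with the compliant set.

    snapshot: {setting name: iterable of enabled algorithm names} (assumed layout).
    Returns {setting: {"disable": [...], "enable": [...]}} listing, for each
    deviating setting, the algorithms still enabled that must be turned off and
    the compliant ones that are missing. An empty dict means compliant.
    """
    report = {}
    for setting, allowed in COMPLIANT.items():
        enabled = {name.lower() for name in snapshot.get(setting, ())}
        disable = sorted(enabled - allowed)
        enable = sorted(allowed - enabled)
        if disable or enable:
            report[setting] = {"disable": disable, "enable": enable}
    return report


def is_compliant(snapshot):
    return not ssh_compliance_report(snapshot)


# Constructed snapshot of the default state: DSA and the group1 key exchange
# are the non-compliant entries the page names; "3des-cbc" is a constructed
# stand-in for the additional default ciphers shown in Figure 4.
DEFAULT_SNAPSHOT = {
    "authentication_types": ["hmac-sha1", "hmac-sha256"],
    "encryption_types": ["aes128-cbc", "aes256-cbc", "3des-cbc"],
    "key_authorization": ["dsa", "rsa"],
    "key_exchange": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
}

# The state Figure 9 describes after remediation.
COMPLIANT_SNAPSHOT = {k: sorted(v) for k, v in COMPLIANT.items()}

if __name__ == "__main__":
    for setting, actions in ssh_compliance_report(DEFAULT_SNAPSHOT).items():
        print("%-22s disable=%s enable=%s" % (setting, actions["disable"], actions["enable"]))
    print("compliant after remediation:", is_compliant(COMPLIANT_SNAPSHOT))
```

Run the check with SSHD disabled, apply the "disable" items, re-run until the report is empty, and only then set the SSH boot flag as Figure 8 shows.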

3.3. Configuring TLS/HTTPS Compliance

This section explains how to configure the device's TLS/HTTPS capabilities to function in a manner which is compliant with the NDcPP. This functionality is disabled by default and needs to be enabled. The web interface (Enterprise Device Manager, EDM) is used to access the device securely through a browser. The following screenshot shows the default (disabled) state of the web interface settings.

Figure 10: Default Web Server/HTTPS

The following screenshot shows the commands necessary to enable the web interface. Once this setting is turned on, the user will be able to access the device from a web browser through a secure connection.

Figure 11: Web Server Enabled

When Web-Server is enabled, secure-only is enabled by default and TLS version 1.2 is used. The default user name and password are admin/password. They should be changed immediately. The user can change the web user interface password as follows:

Figure 12: Web Server Password

Make sure to save configuration regularly when making changes to the device with the save config command. This will ensure that in the case of a power outage or reboot the changes are not lost.

3.4. Configuring NTP Server using ACLI

The device can be configured to communicate with an NTP server in order to maintain the clock.

1. Enter global configuration mode:
   a. enable
   b. configure terminal
2. Add the NTP server:
   a. ntp server <ip.address>
3. Set the NTP time interval:
   a. ntp interval <#> (in minutes)
4. Enable NTP:
   a. ntp

Figure 13: NTP Configuration

5. If the user wishes to see the NTP server status:
   a. show ntp server

Figure 14: NTP Status

Make sure to save configuration regularly when making changes to the device with the save config command. This will ensure that in the case of a power outage or reboot the changes are not lost.

3.5. Configure the TOE Clock

The clock set command is used to manually update the time and date on the TOE.

Figure 15: Clock Set

3.6. Configuring Banner and Message of the Day

The show banner command shows the banner and Message of the Day before configuration.

1. show banner

Figure 16: Show Banner

2. These steps show how to configure the banner.
   a. enable
   b. configure terminal
   c. banner insert string (sets the banner message)
   d. banner custom (enables the custom banner message)

Figure 17: Banner Configuration

3. These steps show how to configure the message of the day.
   a. enable
   b. configure terminal
   c. banner motd insert string
   d. banner displaymotd

Figure 18: Show Banner

3.7. Configuring External Audit Server

This configures the TOE to securely export audit records to an external server. Audit records are protected in transmission by TLS. Any records that are exported are also stored on the TOE for local viewing at the same time.

1. Create a new syslog host with the following commands.
   a. syslog host 1
   b. syslog host 1 address [IP of syslog server]
   c. syslog host 1 secure-forwarding mode TLS
   d. syslog host 1 secure-forwarding tcp-port 6514
   e. syslog host 1 enable

The switch sends syslog records to the syslog server as syslog messages encrypted with TLS over TCP (RFC 5425); the syslog server to which the TOE connects must be capable of TLS over TCP communications. When a switch is configured for a syslog server, syslog records are transferred immediately. If the connection with the syslog server is broken or the syslog server is full, the switch will not retransmit the syslog records after normal connectivity is resumed. When the local audit storage is full, the oldest audit records are dropped. There is no method to configure any other behavior.

3.8. Configuring IPsec

The TOE uses IPsec to securely communicate with an external authentication server. A summary of all of the required steps is given below. Detailed instructions on carrying them out for both IPv4 and IPv6 are provided in Appendix A.

1. Create and assign an IP address to a TOE interface.
2. Create an IPsec policy with the following parameters:
   a. ipsec policy [policy name]
   b. ipsec policy [policy name] raddr [remote address]
   c. ipsec policy [policy name] laddr [local address]
   d. ipsec policy [policy name] protocol [udp/tcp] sport any dport any
   e. ipsec policy [policy name] action permit
   f. ipsec policy [policy name] admin enable
3. Create an IPsec security-association with key mode as automatic. The following parameters are used:
   a. ipsec security-association [association name]
   b. ipsec security-association [association name] spi [spi value]
   c. ipsec security-association [association name] key-mode automatic
   d. ipsec security-association [association name] auth-algo [SHA1/SHA2]
   e. ipsec security-association [association name] encrpt-algo AES-CBC
   f. ipsec security-association [association name] lifetime seconds [lifetime in seconds]
4. Link the IPsec policy and the IPsec security-association using the following command:
   a. ipsec policy [policy name] security-association [association name]
5. Attach the IPsec policy to the interface and enable IPsec using the following commands:
   a. int [interface name] [interface id]
   b. ip ipsec policy [policy name] dir both
   c. ip ipsec enable
   d. exit
6. Create an IKE profile and an IKE policy using the following parameters:
   a. ike profile [profile name]
   b. ike profile [profile name] dh-group modp2048
   c. ike profile [profile name] encrypt-algo aescbc
   d. ike profile [profile name] hash-algo [sha/sha256]
   e. ike profile [profile name] encrypt-key-len [128/256]
   f. ike profile [profile name] lifetime-sec [lifetime in seconds]
   g. ike policy [policy name] laddr [local address] raddr [remote address]
   h. ike policy [policy name] dpd-timeout 300
   i. ike policy [policy name] p2-pfs disable use-ike-group enable dh-group modp1024
   j. ike policy [policy name] auth-method pre-shared-key
   k. ike policy [policy name] pre-shared-key [key]
   l. ike policy [policy name] profile ikeprofile
   m. ike policy [policy name] enable

More detailed instructions for configuring IPsec, along with instructions for configuring a RADIUS server, are in Appendix A. While the TOE supports configuration of IKE/IPsec via the TOE GUI, the evaluated configuration only configures IKE/IPsec via the TOE CLI.

3.9. Checking TOE Software Version

The command show software detail is used to query the TOE software version.

Figure 19: Show Software Version

3.10. Updating TOE Software

The following steps are used to update the software running on the TOE.

1. Use the copy command to move an update onto the TOE's intflash directory.
2. Run the software add and software activate commands to extract the update and place it in the TOE's boot flash.
3. Reboot the TOE. Running the show software command should show that the new software version is now being used.

The TOE update is verified via a 2048-bit RSA/SHA-256 digital signature. This verification happens automatically during the update process.

4. Configuring Compliance using Enterprise Device Manager (EDM)

This section provides instructions on configuring compliance using Enterprise Device Manager. This software is built into the switch and can be accessed from a web browser. Web-Server is disabled by default; please refer to section 3.3 of this document to make this option available.

Before you begin:
- Ensure the switch is running
- Note the IP address of the switch
- Ensure you have enabled the web server using the ACLI

1. Open your desired web browser and in the address bar enter the IP address of the device using the following format: https://<IP address of the switch>
2. This will bring you to the screen below, where you will enter the username and password. Default username/password are admin/password.

Figure 20: Login Page

A new EDM user should be configured immediately. Only one EDM user is supported.

4.1 Adding a User using EDM

Once the user has logged on for the first time, it is recommended that the default username and password be changed.

1. Expand the Security folder

Figure 21: Security Folder

2. Expand the Control Path folder

Figure 22: Control Path

3. Click on General and go to the Web tab

Figure 23: Web Tab

   a. This is where you make changes such as:
      i. The username and password
      ii. Inactivity timeout
      iii. TLS version (only versions 1.1 and 1.2 are compliant)
      iv. Secure only (HTTPS; must be enabled for compliance)
   b. Click Apply for the changes to be saved

4.2 SSH Compliance Using EDM

1. Look on the left side of the browser and expand the Security folder

Figure 24: Security Folder

2. Expand the Control Path folder

Figure 25: Control Path Folder

3. Click on SSH

Figure 26: Enable SSH

   a. The user must first set Enable to false, then click Apply (it will be highlighted) in order to make any changes. The proper configuration is as follows:
      i. V2only
      ii. RsaAuth
      iii. PassAuth
      iv. sftp (optional)
      v. hmacsha1
      vi. aes128cbc
      vii. aes256cbc
      viii. diffiehellmangroup14sha1

4. Once the updates have been made, click Apply (it will be highlighted) for the changes to be saved

Figure 27: Apply SSH Changes

   a. The user will then set Enable to true, then click Apply (it will be highlighted)

4.3 Configuring NTP Server using EDM

1. Expand the Edit folder
2. Click on NTP
3. Click on the Server tab
4. Click on Insert

Figure 28: NTP Configuration

5. Add the IP address of the server
6. Make sure Enable is checked
7. Click Insert

Figure 29: NTP Server Configuration

8. Click on the Globals tab
9. Set the interval
10. Check Enable
11. Click Apply

Figure 30: NTP Interval

4.4 Configure the TOE Clock

To manually set the time and date on the TOE, navigate to Configuration -> Edit -> Chassis in EDM. Select the User Set Time tab and enter the time and date information.

Figure 31: Clock Configuration

4.5 Setting the Banner

1. From the EDM main menu, expand the Security folder
2. Expand the Control Path folder
3. Click on General
4. Scroll down to the bottom of the main window
5. Enter a Custom banner message
6. Check the Custom Banner Enable box
7. Click Apply

Figure 32: Banner Configuration

4.6 Configuring External Audit Server

This configures the TOE to securely export audit records to an external server. Audit records are protected in transmission by TLS. Any records that are exported are also stored on the TOE for local viewing.

1. From the EDM main page go to Configuration -> Edit -> Diagnostics -> System Log
2. Click on the System Log tab.

3. Select Insert to add a new syslog host.

Figure 33: Insert Syslog Host

4. Enter the IP address, severity level and TCP port for the syslog server. Select TLS as the SecureForwardingMode.
5. Click Insert to save the server settings.

The switch sends syslog records to the syslog server as syslog messages encrypted with TLS over TCP (RFC 5425); the syslog server to which the switch connects must be capable of TLS over TCP communications. When a switch is configured for a syslog server, syslog records are transferred immediately. If the connection with the server is broken or the syslog server is full, the switch will not retransmit the syslog records after normal connectivity is resumed.

When the local audit storage is full, the oldest audit records are dropped. There is no method to configure any other behavior.

4.7 Checking TOE Software Version

To determine the TOE's current software version, navigate to Configuration -> Edit -> Chassis in EDM and select the Boot Config tab. The software version will be displayed.

Figure 34: Software Version
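Sections 3.7 and 4.6 both state that the TOE sends audit records as syslog over TLS on TCP port 6514 per RFC 5425 and does not retransmit records lost while the connection is down, so the collector side has to be correct on two points: it must terminate TLS over TCP, and it must reassemble the octet-counted frames ("MSG-LEN SP SYSLOG-MSG") RFC 5425 uses, even when a frame is split across TCP reads. The following Python is an added example, not code from the addendum or from Avaya. It builds the server-side TLS context a collector would use (TLS 1.2 minimum, matching the version the TOE uses; client certificate required, the mutual authentication RFC 5425 assumes; the PEM file names are placeholders) and implements the framing with a receive buffer. The sample records and the message ids in them are constructed.

```python
"""RFC 5425 (syslog over TLS) collector pieces: TLS context and octet-counted
framing. Added example; not code from the Avaya addendum."""
import ssl

SYSLOG_TLS_PORT = 6514   # port configured in section 3.7
MAX_FRAME = 8192         # RFC 5425 section 4.3.1: receivers should accept 8192 octets


def collector_tls_context(cert_file="collector.pem", key_file="collector-key.pem",
                          ca_file="ca.pem", load_files=False):
    """Server-side context for a syslog-over-TLS collector.

    TLS 1.2 is the minimum and a client certificate is required. File names
    are placeholders; pass load_files=True once real PEM files exist.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if load_files:
        ctx.load_cert_chain(cert_file, key_file)
        ctx.load_verify_locations(ca_file)
    return ctx


def context_summary(ctx):
    """(minimum TLS version name, verify mode name) for inspection."""
    return (ctx.minimum_version.name, ctx.verify_mode.name)


def frame(message):
    """Encode one syslog message as an RFC 5425 octet-counted frame."""
    return b"%d %s" % (len(message), message)


def parse_frames(buffer):
    """Split a receive buffer into complete frames.

    Returns (messages, remainder); remainder holds the bytes of a frame that
    has not fully arrived yet and must be prepended to the next read.
    Raises ValueError on a malformed or oversized length field, which a
    collector should treat as a reason to drop the connection.
    """
    messages = []
    while True:
        sp = buffer.find(b" ")
        if sp == -1:
            if len(buffer) > len(str(MAX_FRAME)):
                raise ValueError("length field too long: %r" % buffer[:16])
            break                      # length field not complete yet
        length_field = buffer[:sp]
        if not length_field.isdigit():
            raise ValueError("malformed length field: %r" % length_field)
        length = int(length_field)
        if length > MAX_FRAME:
            raise ValueError("frame of %d octets exceeds MAX_FRAME" % length)
        end = sp + 1 + length
        if len(buffer) < end:
            break                      # wait for the rest of the message
        messages.append(buffer[sp + 1:end])
        buffer = buffer[end:]
    return messages, buffer


def frame_rejected(data):
    """True if parse_frames refuses the data (malformed or oversized)."""
    try:
        parse_frames(data)
    except ValueError:
        return True
    return False


# Constructed records in the TOE's format; <190> is Local7.Info, the facility
# and severity of the exported record shown in section 5.1.
SAMPLE_RECORDS = [
    b"<190>CP1 [12/13/16 10:54:52.940:EST] 0x0001 GlobalRouter WEB INFO "
    b"SSL negotiation with client successful",
    b"<190>CP1 [12/13/16 10:55:01.002:EST] 0x0002 GlobalRouter SSH INFO "
    b"Logged in through SSH",
]


def receive_in_chunks(stream, chunk_size):
    """Feed a byte stream to parse_frames in fixed-size chunks, as a socket
    reader would, and return every message recovered."""
    received, pending = [], b""
    for offset in range(0, len(stream), chunk_size):
        pending += stream[offset:offset + chunk_size]
        messages, pending = parse_frames(pending)
        received.extend(messages)
    return received


if __name__ == "__main__":
    wire = b"".join(frame(r) for r in SAMPLE_RECORDS)
    for msg in receive_in_chunks(wire, 7):
        print(msg.decode())
    print(context_summary(collector_tls_context()))
```

Because the TOE drops records rather than retransmitting them, the collector's availability (and its certificate validity, since the TOE authenticates it) directly determines audit completeness; monitoring for connection resets on port 6514 is the practical check.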

5. Audit Functionality

This section provides instructions to properly configure the device to store and export audit records. The following types of audit records are recorded by the TOE:
- Start-up of the TOE from both cold boot and reboot,
- Shutdown of the TOE (when shut down from the local CLI, Remote CLI, and GUI),
- All administrative actions (both security relevant and non-security relevant) from the local CLI, Remote CLI, and GUI,
- IKE/IPsec session establishment with the syslog server,
- IKE/IPsec session closure with the syslog server,
- Errors during IKE/IPsec session establishment (e.g., algorithm mismatch),
- Remote administrative HTTPS/TLS connection establishment,
- Remote administrative HTTPS/TLS connection closure,
- Errors during Remote administrative HTTPS/TLS connection establishment,
- Remote administrative SSH connection establishment,
- Remote administrative SSH connection closure,
- Errors during Remote administrative SSH connection establishment,
- Generation of self-signed certificates,
- Import of certificates,
- Deletion of certificates,
- Successful authentication attempts (from the local CLI, Remote CLI, and GUI),
- Unsuccessful authentication attempts (from the local CLI, Remote CLI, and GUI),
- Unsuccessful certificate validation because the basicConstraints extension is missing,
- Unsuccessful certificate validation because the CA flag is not set to TRUE for all CA certificates,
- Unsuccessful certificate validation for trust chain verification failure,
- Unsuccessful certificate validation for revocation status,
- All attempts to update the TOE software,
- Changes to time,
- Start of a local administrative session,
- End of a local administrative session,
- Administration session timeout (from the local CLI, Remote CLI, and GUI).

5.1. Viewing Audit Records

Audit records can be viewed on the TOE through the CLI. The show logging file detail command is used.

Figure 35: View Audit Records

The same format is used for records on the TOE and records that are exported to a syslog server. The following is an example of an audit record that was exported to an external server:

    :55:05 Local7.Info CP1 [12/13/16 10:54:52.940:EST] 0x a GlobalRouter WEB INFO SSL negotiation with client successful.

Every audit log entry contains a time and date stamp, the identity of the user or process that generated an event and a description of the event. Each field has the following meaning:
- Time and date stamp: This is the time and date that the auditable event occurred.
- Identity of the user or process that generated an event: This is the user/process that was responsible for the generation of the audit event, together with the type of connection protocol used to access the device (SSH, TLS, Serial/Console).
- Description of the event: This is a description of the event that took place. The events are listed below:
  o Start-up of the TOE from both cold boot and reboot,
  o Shutdown of the TOE (when shut down from the CLI),
    Note: The audit functionality of the switch cannot be separately shut down and started. Startup and shutdown of auditing is only facilitated by starting and stopping the switch.
  o All administrative actions (both security relevant and non-security relevant) from the local CLI, Remote CLI, and GUI,
  o IKE/IPsec session establishment with the syslog server,
  o IKE/IPsec session closure with the syslog server,
  o Errors during IKE/IPsec session establishment (e.g., algorithm mismatch),
  o Remote administrative HTTPS/TLS connection establishment,
  o Remote administrative HTTPS/TLS connection closure,
  o Errors during Remote administrative HTTPS/TLS connection establishment,
  o Remote administrative SSH connection establishment,
  o Remote administrative SSH connection closure,
  o Errors during Remote administrative SSH connection establishment,
  o Generation of self-signed certificates,
  o Import of certificates,
  o Deletion of certificates,
  o Successful authentication attempts (from the local CLI, Remote CLI, and GUI),
  o Unsuccessful authentication attempts (from the local CLI, Remote CLI, and GUI),
  o Unsuccessful certificate validation because the basicConstraints extension is missing,
  o Unsuccessful certificate validation because the CA flag is not set to TRUE for all CA certificates,
  o Unsuccessful certificate validation for trust chain verification failure,
  o Unsuccessful certificate validation for revocation status,
  o All attempts to update the TOE software,
  o Changes to time,
  o Start of a local administrative session,
  o End of a local administrative session,
  o Administration session timeout (from the local CLI, Remote CLI, and GUI),
  o Execution of integrity test,
  o Execution of cryptographic self-tests,
  o Initiation of software update,
  o Result of software update attempt.
The following is an example of each field from an audit record drawn from the list of audit records above:

    CP1 [11/03/16 12:23:50.465:EDT] 0x000d GlobalRouter SSH INFO SSH session closed by user acumensec on host

In this audit record, the following fields can be found:
- Time and Date Stamp: [11/03/16 12:23:50.465:EDT]
- Identity of the user or process that generated an event: acumensec on host
- Description of the event: SSH session closed by user

The following table identifies the NDcPP audit event descriptions.

Table 3: Audit Event Descriptions

Event | Event Description
Audit start/stop | Chassis reset initiated from CLI
Administrative login from remote GUI | Connected from X.X.X.X via EDM
Administrative login from remote CLI | Logged in through SSH
Administrative login from local CLI | Connected via console port
Configuration of local access banner from CLI | banner motd "<text of banner>"
Configuration of local access banner from GUI | rcclicustombannertext.0 = TEST Banner Setup from Web GUI
Configuration of remote CLI access banner from CLI | banner "<text of banner>"
Configuration of remote CLI access banner from GUI | rcclicustombannertext.0 = TEST Banner Setup from Web GUI
Configuration of remote GUI access banner from remote CLI | banner "<text of banner>"
Configuration of remote GUI access banner from GUI | rcclicustombannertext.0 = TEST Banner Setup from Web GUI
Creation of new administrative users | password create-user operator <user>
Configuration of local admin session time out from CLI | Cli timeout <timeout in seconds>
Configuration of local admin session time out from GUI | CliTimeout.0 = <timeout in seconds>
Configuration of remote CLI session time out from CLI | Cli timeout <timeout in seconds>
Configuration of remote CLI session time out from GUI | CliTimeout.0 = <timeout in seconds>
Configuration of remote GUI session time out from CLI | Web-server inactivity-timeout <timeout in seconds>
Configuration of remote GUI session time out from GUI | WebInactivityTimeout.0 = <timeout in seconds>
Resetting passwords | password create-user <user>
Failed authentication for local user (username/password) | Blocked unauthorized ACLI access
Successful authentication for local user (username/password) | Connected via console port
Failed authentication for remote user (SSH username/password) | Invalid username/password for user
Successful authentication for remote user (SSH username/password) | SSH user authentication succeeded for user
Failed authentication for remote user (TLS/HTTPS username/password) | Blocked unauthorized EDM access
Successful authentication for remote user (TLS/HTTPS username/password) | Connected from X.X.X.X via EDM
Failed authentication for remote user (SSH key authentication) | SSH RSA Public Key authentication failed for user
Successful authentication for remote user (SSH key authentication) | SSH RSA Public Key authentication successful for user
Unsuccessful attempt to validate a certificate because of missing basicconstraints extension | IKE ERROR Peer certificate validation failed with status: IKE CERT CHAIN NOT IN IKE TRUST ANCHOR
Unsuccessful attempt to validate a certificate because CA flag is not set to TRUE for all CA certificates | ERROR isca Basic Constraint Value is False For Digital Certificate
Unsuccessful attempt to validate a certificate because of trust chain validation failure | IKE ERROR Peer certificate validation failed with status: IKE CERT CHAIN NOT IN IKE TRUST ANCHOR
Unsuccessful attempt to validate a certificate because of revocation (OCSP) | The Certificate : <certificate name> Is In Revoked Status!
Manual changes to time | Clock Time has been set successfully.
NTP configuration | Clock time has been set successfully
The termination of a local CLI session by the session locking mechanism | Forced logout after CLI inactivity of <timeout in seconds> seconds
The termination of a remote GUI session by the session locking mechanism | Connection from X.X.X.X timeout
The termination of a remote CLI session by the session locking mechanism | Forced log-out after cli session inactivity of <timeout in seconds> seconds.
Termination of a local interactive session (closing a local CLI session) | CONSOLE <user> logout
Termination of a remote CLI session (e.g., typing exit) | SSH session closed
Termination of a remote GUI session (e.g., clicking logout) | Closed EDM
Initiation of an IKE/IPsec tunnel with a remote IT device | IKE version:1 Phase-2 SA Created
Failure of an IPsec tunnel with a remote IT device | IKE CERT COMMON NAME MISMATCH. Common name from certificate: <certificate ID> configured common name: <common name>
Initiation of a TLS tunnel with a remote administrator | SSL negotiation with client successful
Closure of a TLS tunnel with a remote administrator | SSL session closed
Failure of a TLS tunnel with a remote administrator | WEB ERROR Fatal alert - SSL_ALERT_INTERNAL_ERROR detected during TLS negotiation
Initiation of an SSH tunnel with a remote administrator | SSH CLI session start
Closure of an SSH tunnel with a remote administrator | SSH session closed by server
Failure of an SSH tunnel with a remote administrator | SSH authentication ended unexpectedly for host
Failure to establish a HTTPS session | WEB ERROR Fatal alert - SSL_ALERT_INTERNAL_ERROR detected during TLS negotiation
Successful SSH rekey | SSH Server : Rekey initiated because transmitted data exceeds 1024 bytes
Execution of integrity test | Image Integrity verification passed.
Execution of cryptographic self-tests | Mocana FIPS Power Up Self Test SUCCESSFUL (note: the FIPS reference does not imply FIPS certification but is only the text of the log message associated with self-test execution)
Initiation of software update | Sending upgrade message to slots: 1.
Result of software update attempt | Version=<version of the upgrade image> image successfully upgraded to <version of the upgrade image>
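Section 5.1 defines the record as a bracketed timestamp, the originating slot/VRF/module, a severity and a free-text description, and Table 3 maps the description text to the NDcPP event. A collector that receives these records needs exactly that parsing and mapping before it can alert, for instance, on a run of failed logins. The following Python is an added example, not code from the addendum or from Avaya: the regular expression is derived from the two records shown on this page, the mapping covers a subset of Table 3, and every sample line except the one quoted from section 5.1 is constructed (including its message id). Note that Table 3 gives the same text ("Clock time has been set successfully") for both manual time changes and NTP configuration, so those two cannot be separated from the description alone.

```python
"""Parse TOE audit records into the fields section 5.1 defines and map the
description to the NDcPP event names of Table 3 (subset).
Added example; not code from the Avaya addendum."""
import re
from collections import Counter

# Record layout seen in section 5.1:
#   CP1 [11/03/16 12:23:50.465:EDT] 0x000d GlobalRouter SSH INFO <description>
# re.search (rather than match) lets a collector's own prefix precede the record.
RECORD_RE = re.compile(
    r"(?P<slot>\S+) \[(?P<timestamp>\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}:[A-Z]+)\] "
    r"(?P<msg_id>0x[0-9a-fA-F]+) (?P<vrf>\S+) (?P<module>\S+) (?P<severity>\S+) "
    r"(?P<description>.*)$"
)

# Description text -> NDcPP event, from Table 3. More specific texts come
# first so "SSH session closed by server" is not swallowed by "SSH session closed".
EVENT_DESCRIPTIONS = [
    ("Blocked unauthorized ACLI access", "Failed authentication for local user (username/password)"),
    ("Blocked unauthorized EDM access", "Failed authentication for remote user (TLS/HTTPS username/password)"),
    ("Invalid username/password for user", "Failed authentication for remote user (SSH username/password)"),
    ("SSH RSA Public Key authentication failed for user", "Failed authentication for remote user (SSH key authentication)"),
    ("SSH user authentication succeeded for user", "Successful authentication for remote user (SSH username/password)"),
    ("Logged in through SSH", "Administrative login from remote CLI"),
    ("SSH session closed by server", "Closure of an SSH tunnel with a remote administrator"),
    ("SSH session closed", "Termination of a remote CLI session (e.g., typing exit)"),
    ("SSL negotiation with client successful", "Initiation of a TLS tunnel with a remote administrator"),
    ("SSL session closed", "Closure of a TLS tunnel with a remote administrator"),
    ("Clock time has been set successfully", "Manual changes to time"),  # also NTP configuration
    ("Image Integrity verification passed", "Execution of integrity test"),
    ("Chassis reset initiated from CLI", "Audit start/stop"),
]


def classify(description):
    """Return the Table 3 event for a description, or None if unmapped."""
    text = description.lower()
    for needle, event in EVENT_DESCRIPTIONS:
        if needle.lower() in text:
            return event
    return None


def parse_record(line):
    """Return a dict with the record's fields plus 'event', or None if the line
    is not in the TOE's audit format."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["event"] = classify(rec["description"])
    return rec


def failed_auth_counts(lines):
    """Count failed-authentication events per module (SSH, WEB, ...); a burst
    from one module within a short window is what an analyst would alert on."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["event"] and rec["event"].startswith("Failed authentication"):
            counts[rec["module"]] += 1
    return counts


SAMPLE_LINES = [
    # Record quoted from section 5.1 of the addendum.
    "CP1 [11/03/16 12:23:50.465:EDT] 0x000d GlobalRouter SSH INFO SSH session closed by user acumensec on host",
    # Constructed: exported record carrying a collector timestamp prefix.
    "Dec 13 10:55:05 Local7.Info CP1 [12/13/16 10:54:52.940:EST] 0x0001 GlobalRouter WEB INFO SSL negotiation with client successful",
    # Constructed: two SSH password failures.
    "CP1 [12/13/16 10:56:10.000:EST] 0x0002 GlobalRouter SSH ERROR Invalid username/password for user",
    "CP1 [12/13/16 10:56:12.000:EST] 0x0002 GlobalRouter SSH ERROR Invalid username/password for user",
    # Constructed: not an audit record at all.
    "CP1 heartbeat ok",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_record(line)
        print(rec["timestamp"], rec["module"], rec["event"] if rec else "unparsed")
    print("failed authentications:", dict(failed_auth_counts(SAMPLE_LINES)))
```

Descriptions that return None are the ones a deployment should add to the table rather than ignore, since Table 3 is the complete set of NDcPP-relevant events the TOE emits.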

6. Self-Tests

All of the product's self-tests are run automatically upon start-up. The following tests are run:
- AES Known Answer Test
- HMAC Known Answer Test
- RNG/DRBG Known Answer Test
- SHA Known Answer Test
- RSA Signature Known Answer Test
- Software Integrity Test

The failure of any of these tests will result in a product reboot. By forcing a reboot in the event of a failed test, the TOE prevents the use of any cryptographic functionality until all power-on tests have passed.
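The property section 6 describes is fail-closed start-up: each known-answer test compares a primitive's output on a fixed input with a stored expected value, the integrity test compares a digest of the image with the digest recorded at build time, and no cryptographic service becomes available until every test has passed. The following Python is an added example of that structure, not code from the addendum or from the Mocana module. It implements only the SHA and HMAC known-answer tests and the integrity test with the standard library (the AES, DRBG and RSA tests the TOE runs would need a cryptographic library), using the public FIPS 180-4 "abc" vector and RFC 4231 test case 2; the firmware image is a constructed byte string, and a reboot is modelled by raising an exception while the module stays disabled.

```python
"""Power-up self-test harness in the style of section 6: known-answer tests
plus a software integrity test, failing closed.
Added example; not code from the Avaya addendum or the Mocana module."""
import hashlib
import hmac

# Public known-answer vectors (FIPS 180-4 "abc" example; RFC 4231 test case 2).
SHA256_KAT = (b"abc",
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_SHA256_KAT = (b"Jefe", b"what do ya want for nothing?",
                   "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")


class SelfTestFailure(Exception):
    """Raised when a power-up test fails; the TOE responds by rebooting."""


def sha_kat():
    msg, expected = SHA256_KAT
    return hashlib.sha256(msg).hexdigest() == expected


def hmac_kat():
    key, msg, expected = HMAC_SHA256_KAT
    actual = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(actual, expected)


def build_time_digest(image):
    """Digest recorded for the image when it was built (SHA-256 here)."""
    return hashlib.sha256(image).hexdigest()


def software_integrity_test(image, expected_digest):
    """Hash the image at boot and compare with the build-time digest."""
    return hmac.compare_digest(build_time_digest(image), expected_digest)


class CryptoModule:
    """Gate: no cryptographic service is available until every test passes."""

    def __init__(self):
        self.enabled = False
        self.results = {}

    def power_up(self, image, expected_digest):
        tests = [
            ("SHA Known Answer Test", sha_kat),
            ("HMAC Known Answer Test", hmac_kat),
            ("Software Integrity Test",
             lambda: software_integrity_test(image, expected_digest)),
        ]
        self.enabled = False
        for name, test in tests:
            self.results[name] = test()
            if not self.results[name]:
                # Caller reboots; the module never reaches the enabled state.
                raise SelfTestFailure(name)
        self.enabled = True
        return self.results

    def mac(self, key, data):
        if not self.enabled:
            raise RuntimeError("cryptographic services disabled: self-tests not passed")
        return hmac.new(key, data, hashlib.sha256).hexdigest()


def power_up_outcome(image, expected_digest):
    """(enabled, name of the failed test or None) for one power-up attempt."""
    module = CryptoModule()
    try:
        module.power_up(image, expected_digest)
    except SelfTestFailure as exc:
        return module.enabled, str(exc)
    return module.enabled, None


if __name__ == "__main__":
    image = b"constructed firmware image"      # constructed stand-in for the image
    good = build_time_digest(image)
    print("intact image:", power_up_outcome(image, good))
    print("tampered image:", power_up_outcome(image + b"\x00", good))
```

The ordering matters: the integrity test runs only after the hash primitive it depends on has passed its own known-answer test, otherwise a broken SHA implementation could report a tampered image as intact.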

Appendix A: IKE/IPSEC Configuration

IKE/IPSEC Configuration with Authentication type as Pre-shared key

Topology: Client - DUT - Radius Server (figure)

DUT Configs

Step 1. Create and assign an IPv4 address to the GigabitEthernet/vlan/mgmtEthernet/Loopback interface.

For creating a router port (GigabitEthernet) and assigning an IP address, execute the commands below:
1. interface gigabitethernet <slot/port>
2. brouter port <slot/port> vlan <vlan id> subnet <ip address/subnet>

    interface gigabitethernet 1/10
    brouter port 1/10 vlan 100 subnet /24
    exit

For creating a vlan and assigning an IP address, execute the commands below:
1. vlan create <vlan id> type port-mstprstp <instance>
2. vlan members add <vlan id> <slot/port>
3. int vlan <vlan id>
4. ip address <ip address/subnet>

    vlan create 100 type port-mstprstp 0
    vlan members add 100 1/10
    int vlan 100
    ip address /24
    exit

For assigning an IP address to the mgmtethernet, execute the commands below:
1. interface mgmtethernet mgmt
2. ip address <ip address/subnet>

    interface mgmtethernet mgmt
    ip address /24
    exit

For assigning an IP address to the Loopback interface, execute the commands below:
1. interface loopback <id>
2. ip address <ip address/subnet>

    interface loopback 10
    ip address /24
    exit

Step 2. Create an ipsec policy with the Radius server IP as the remote address and the switch IP as the local address.
1. ipsec policy <name>
2. ipsec policy <name> raddr <remote address>
3. ipsec policy <name> laddr <local address>
4. ipsec policy <name> protocol <udp/tcp> sport any dport any
5. ipsec policy <name> action permit
6. ipsec policy <name> admin enable

    ipsec policy SP1
    ipsec policy SP1 raddr
    ipsec policy SP1 laddr
    ipsec policy SP1 protocol udp sport any dport any
    ipsec policy SP1 action permit
    ipsec policy SP1 admin enable

Step 3. Create an ipsec security-association with the key mode set as automatic.
1. ipsec security-association <name>
2. ipsec security-association <name> spi <value>
3. ipsec security-association <name> key-mode automatic
4. ipsec security-association <name> auth-algo <auth-algo>
5. ipsec security-association <name> encrpt-algo <encrypt-algo>
6. ipsec security-association <name> lifetime seconds 3600

Example:
  ipsec security-association SA1
  ipsec security-association SA1 spi 123
  ipsec security-association SA1 key-mode automatic
  ipsec security-association SA1 auth-algo SHA1
  ipsec security-association SA1 Encrpt-algo AES-CBC
  ipsec security-association SA1 lifetime seconds 3600

Step 4. Link the IPsec policy and the IPsec security association.
  1. ipsec policy <policy name> security-association <SA name>

Example:
  ipsec policy SP1 security-association SA1

Step 5. Attach the IPsec policy to the interface and enable IPsec.
  1. int <GigabitEthernet/vlan/mgmtEthernet/Loopback> <id>
  2. ip ipsec policy <policy name> dir both
  3. ip ipsec enable
  4. exit

Example:
  1. int GigabitEthernet 1/10
     ip ipsec policy SP1 dir both
     ip ipsec enable
     exit
  2. int vlan 100
     ip ipsec policy SP1 dir both
     ip ipsec enable
     exit
  3. int mgmtethernet mgmt
     ip ipsec policy SP1 dir both
     ip ipsec enable
     exit
  4. int Loopback 10
     ip ipsec policy SP1 dir both
     ip ipsec enable
     exit

Step 6. Create an IKE profile and an IKE policy with the auth-method pre-shared-key, the server IP as the remote address and the switch IP as the local address.
  1. ike profile <name>
  2. ike profile <name> dh-group <dh-group>
  3. ike profile <name> encrypt-algo <encrypt-algo>
  4. ike profile <name> hash-algo <hash-algo>
  5. ike profile <name> encrypt-key-len <length>
  6. ike profile <name> lifetime-sec <seconds>
  7. ike policy <name> laddr <local address> raddr <remote address>
  8. ike policy <name> dpd-timeout <seconds>
  9. ike policy <name> p2-pfs disable use-ike-group enable dh-group <dh-group>
  10. ike policy <name> auth-method pre-shared-key
  11. ike policy <name> pre-shared-key <PSK key>
  12. ike policy <name> profile ikeprofile
  13. ike policy <name> enable

Example:
  ike profile ikeprofile
  ike profile ikeprofile dh-group modp2048
  ike profile ikeprofile encrypt-algo aescbc
  ike profile ikeprofile hash-algo sha256
  ike profile ikeprofile encrypt-key-len 128
  ike profile ikeprofile lifetime-sec
  ike policy ikepolicy laddr raddr
  ike policy ikepolicy dpd-timeout 300
  ike policy ikepolicy p2-pfs disable use-ike-group enable dh-group modp1024
  ike policy ikepolicy auth-method pre-shared-key
  ike policy ikepolicy pre-shared-key ikekey
  ike policy ikepolicy profile ikeprofile
  ike policy ikepolicy enable

Step 7. Radius server configuration on the switch
  1. Configure a Radius server with the source-ip set to the switch IP and the server host address set to the server IP:
       radius server host <radius server ip> key <key> used-by cli source-ip <switch ip>
     Example:
       radius server host key secret used-by cli source-ip
  2. Enable the sourceip flag and the Radius server:
       radius enable
       radius sourceip-flag

Radius Server configurations

Security Policy file

Step 1. Create a file named SPD and add the following, as per the configuration:
  #!/sbin/setkey -f
  spdadd <server ipaddress> <switch ip> <udp/tcp> -P out ipsec <ah/esp>/transport//require;
  spdadd <switch ip> <server ipaddress> <udp/tcp> -P in ipsec <ah/esp>/transport//require;

Example:
  #!/sbin/setkey -f
  spdadd udp -P out ipsec <ah/esp>/transport//require;
  spdadd udp -P in ipsec <ah/esp>/transport//require;

Pre-shared-key file

Step 1. Create a file named psk.txt.
Step 2. Add the switch IP and the pre-shared key to the file in the following format:
  <switch address> <pre-shared-key>
Step 3. Save the file with read-only permission (chmod 400 psk.txt) in the directory /etc/racoon/.

Example:
  ikekey
  10::1 ikekey

Racoon configuration file

Step 1. Create a file named racoon.conf under the directory /etc/racoon/ and add the following (racoon spells the authentication method pre_shared_key, with underscores):
  path pre_shared_key "/etc/racoon/psk.txt";
  remote <switch ip> {
      exchange_mode main;
      nat_traversal off;
      doi ipsec_doi;
      dpd_delay 300;
      proposal {
          encryption_algorithm aes;
          hash_algorithm sha256;
          authentication_method pre_shared_key;
          dh_group modp2048;
          lifetime time 24 hour;
      }
  }
  sainfo address <server ip> <udp/tcp> address <switch ip> <udp/tcp> {
      encryption_algorithm aes;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
      lifetime time 3600 secs;
  }

Example:
  path pre_shared_key "/etc/racoon/psk.txt";
  remote {
      exchange_mode main;
      nat_traversal off;
      doi ipsec_doi;
      dpd_delay 300;
      proposal {
          encryption_algorithm aes;
          hash_algorithm sha256;
          authentication_method pre_shared_key;
          dh_group modp2048;
          lifetime time 24 hour;
      }
  }
  sainfo address udp address udp {
      encryption_algorithm aes;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
      lifetime time 3600 secs;
  }

After creating the above three files on the Radius server, execute the following commands:
  1. setkey -F            // flush the previous policy entries from the server
  2. setkey -f SPD        // add the policies specified in the file SPD

  3. setkey -DP | more and setkey -D   // view the configured policies (-DP) and security associations (-D) on the server
  4. racoon -d -F -f racoon.conf   // start racoon in the foreground (-F) with debug output (-d), using the configuration in racoon.conf
  5. Start the Radius server using the command radiusd X.
  6. Log in to the switch as a Radius user. From the client machine, telnet/ssh to the DUT and log in as one of the Radius users:
       ssh X <radius user>@<switch ipv4>
     Example:
       ssh X raduser@ or ssh X raduser@11::2

IKE/IPSEC Configuration with Authentication type as Digital Certification

Topology (figure): Root CA; Client - DUT - Radius Server. Addressing as in the pre-shared-key topology: the client side uses the 11:: prefix and the server side the 10:: prefix (IPv4 addresses elided).

DUT Configs

Step 1. Create and assign an IPv4 address to the GigabitEthernet/VLAN/mgmtEthernet/Loopback interface.

To create a brouter port (GigabitEthernet) and assign an IP address, execute the following commands:
  1. interface gigabitethernet <slot/port>
  2. brouter port <slot/port> vlan <vlan id> subnet <ip address/subnet>

Example:
  interface gigabitethernet 1/10
  brouter port 1/10 vlan 100 subnet /24
  exit

To create a VLAN and assign an IP address, execute the following commands:
  1. vlan create <vlan id> type port-mstprstp <instance>
  2. vlan members add <vlan id> <slot/port>
  3. int vlan <vlan id>
  4. ip address <ip address/subnet>

Example:
  vlan create 100 type port-mstprstp 0
  vlan members add 100 1/10
  int vlan 100
  ip address /24
  exit

To assign an IP address to the mgmtEthernet interface, execute the following commands:
  1. interface mgmtethernet mgmt
  2. ip address <ip address/subnet>

Example:
  interface mgmtethernet mgmt
  ip address /24
  exit

To assign an IP address to the Loopback interface, execute the following commands:
  1. interface loopback <id>
  2. ip address <ip address/subnet>

Example:
  interface loopback 10
  ip address /24
  exit

Step 2. Create an IPsec policy with the Radius server IP as the remote address and the switch IP as the local address.
  1. ipsec policy <name>
  2. ipsec policy <name> raddr <remote address>
  3. ipsec policy <name> laddr <local address>
  4. ipsec policy <name> protocol <udp/tcp> sport any dport any
  5. ipsec policy <name> action permit
  6. ipsec policy <name> admin enable

Example:
  ipsec policy SP1
  ipsec policy SP1 raddr
  ipsec policy SP1 laddr
  ipsec policy SP1 protocol udp sport any dport any
  ipsec policy SP1 action permit
  ipsec policy SP1 admin enable

Step 3. Create an IPsec security association with the key mode set to automatic.
  1. ipsec security-association <name>
  2. ipsec security-association <name> spi <value>
  3. ipsec security-association <name> key-mode automatic
  4. ipsec security-association <name> auth-algo <auth-algo>
  5. ipsec security-association <name> Encrpt-algo <encrypt-algo>
  6. ipsec security-association <name> lifetime seconds 3600

Example:
  ipsec security-association SA1
  ipsec security-association SA1 spi 123
  ipsec security-association SA1 key-mode automatic
  ipsec security-association SA1 auth-algo SHA1
  ipsec security-association SA1 Encrpt-algo AES-CBC
  ipsec security-association SA1 lifetime seconds 3600

Step 4. Link the IPsec policy and the IPsec security association.
  1. ipsec policy <policy name> security-association <SA name>

Example:
  ipsec policy SP1 security-association SA1

Step 5. Attach the IPsec policy to the interface and enable IPsec.
  1. int <GigabitEthernet/vlan/mgmtEthernet/Loopback> <id>
  2. ip ipsec policy <policy name> dir both
  3. ip ipsec enable
  4. exit

Example:
  1. int GigabitEthernet 1/10
     ip ipsec policy SP1 dir both
     ip ipsec enable
     exit

  2. int vlan 100
     ip ipsec policy SP1 dir both
     ip ipsec enable
     exit
  3. int mgmtethernet mgmt
     ip ipsec policy SP1 dir both
     ip ipsec enable
     exit
  4. int Loopback 10
     ip ipsec policy SP1 dir both
     ip ipsec enable
     exit

Step 6. Create a certificate with EJBCA.

1. Configure the subject as per the end entity registered with the EJBCA:
     1. certificate subject common-name <name>
     2. certificate subject < -id>
     3. certificate subject unit <unit>
     4. certificate subject organization <org name>
     5. certificate subject locality <locality>
     6. certificate subject province <province>
     7. certificate subject country <country>
   Example:
     certificate subject common-name newsub3
     certificate subject test@mocana.com
     certificate subject unit Engineering
     certificate subject organization "Mocana Corporation"
     certificate subject locality "San Francisco"
     certificate subject province California
     certificate subject country US

2. Generate the public/private key pair:
     1. certificate generate-keypair type rsa size <size>

3. The subject certificate can be obtained online or offline.
   1. To get an online certificate from the CA, configure the trustpoint CA and associate it with the subject and key pair:
        a. certificate ca <name> common-name <name>
        b. certificate ca <name> key-name <key-name>

        c. certificate ca <name> ocsp-url <url>
        d. certificate ca <name> ca-url <url>
        e. certificate ca <name> use-post <true/false>
      Example:
        certificate ca ca common-name ca
        certificate ca ca key-name rsa_2048
        certificate ca ca ocsp-url
        certificate ca ca ca-url
        certificate ca ca use-post true

   2. Alternatively, the identity certificate can be obtained offline from the CA and installed on the device for further use. An identity certificate obtained offline must be placed in the /intflash/.cert/.offlinecert/ folder and can be installed with the command:
        a. certificate install-file <offline certificate file-name>

   3. Install the offline CA and Root CA certificates. Copy the offline CA certificate to /intflash/.cert/.offlinecacert/ and execute the following command:
        a. certificate ca <ca-name> install-file ca-filename <ca file-name>
      Example:
        copy ca_cert.der /intflash/.cert/.offlinecacert
        certificate ca ca install-file ca-filename ca_cert.der

   4. Copy the root CA certificate to /intflash/.cert/.offlinerootcacert/ and execute the following command:
        a. certificate ca <ca-name> install-file root-ca-filename <root ca-file name>
      Example:
        copy root_ca_cert.der /intflash/.cert/.offlinerootcacert/
        certificate ca ca install-file root-ca-filename root_ca_cert.der

   5. CA authentication
        a. certificate ca <ca-name> action caauth
      Example:
        certificate ca ca action caauth

   6. Identity certificate enrollment from the CA

        a. certificate ca <ca-name> action enroll
      Example:
        certificate ca ca action enroll
        Enter the Challenge password :

   7. Install the identity certificate
        a. certificate ca <ca-name> action install
      Example:
        certificate ca ca action install

Step 7. Create an IKE profile and an IKE policy with the auth-method digital-certificate, the server IP as the remote address and the switch IP as the local address.
  1. ike profile <name>
  2. ike profile <name> dh-group <dh-group>
  3. ike profile <name> encrypt-algo <encrypt-algo>
  4. ike profile <name> hash-algo <hash-algo>
  5. ike profile <name> encrypt-key-len <length>
  6. ike profile <name> lifetime-sec <seconds>
  7. ike policy <name> laddr <local address> raddr <remote address>
  8. ike policy <name> dpd-timeout <seconds>
  9. ike policy <name> p2-pfs disable use-ike-group enable dh-group <dh-group>
  10. ike policy <name> auth-method digital-certificate revocation-check-method none
  11. ike policy <name> profile ikeprofile
  12. ike policy <name> enable

Example:
  ike profile ikeprofile
  ike profile ikeprofile dh-group modp2048
  ike profile ikeprofile encrypt-algo aescbc
  ike profile ikeprofile hash-algo sha256
  ike profile ikeprofile encrypt-key-len 128
  ike profile ikeprofile lifetime-sec
  ike policy ikepolicy laddr raddr
  ike policy ikepolicy dpd-timeout 300
  ike policy ikepolicy p2-pfs disable use-ike-group enable dh-group modp1024
  ike policy ikepolicy auth-method digital-certificate revocation-check-method none
  ike policy ikepolicy profile ikeprofile
  ike policy ikepolicy enable

Step 8. Radius server configuration on the switch
  1. Configure a Radius server with the source-ip set to the switch IP and the server host address set to the server IP:

       radius server host <radius server ip> key <key> used-by cli source-ip <switch ip>
     Example:
       radius server host key secret used-by cli source-ip
  2. Enable the sourceip flag and the Radius server:
       radius enable
       radius sourceip-flag

Radius Server configurations

Security Policy file

Step 1. Create a file named SPD and add the following, as per the configuration:
  #!/sbin/setkey -f
  spdadd <server ipaddress> <switch ip> <udp/tcp> -P out ipsec <ah/esp>/transport//require;
  spdadd <switch ip> <server ipaddress> <udp/tcp> -P in ipsec <ah/esp>/transport//require;

Example:
  #!/sbin/setkey -f
  spdadd udp -P out ipsec <ah/esp>/transport//require;
  spdadd udp -P in ipsec <ah/esp>/transport//require;

Racoon configuration file

Step 1. Create a file named racoon.conf under the directory /etc/racoon/ and add the following:
  path certificate "/etc/racoon/cert";
  remote <switch ip> {
      exchange_mode main;
      nat_traversal off;
      doi ipsec_doi;
      dpd_delay 300;
      verify_cert off;
      verify_identifier off;
      ca_type x509 "<ca certificate file>";
      certificate_type x509 "<certfile>" "<privkeyfile>";
      proposal {
          encryption_algorithm aes;
          hash_algorithm sha256;
          authentication_method rsasig;
          dh_group modp2048;
          lifetime time 24 hour;
      }
  }
  sainfo address <server ip> <udp/tcp> address <switch ip> <udp/tcp> {
      encryption_algorithm aes;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
      lifetime time 3600 secs;
  }

Example:
  path certificate "/etc/racoon/cert";
  remote {
      exchange_mode main;
      nat_traversal off;
      doi ipsec_doi;
      dpd_delay 300;
      verify_cert off;
      verify_identifier off;
      ca_type x509 "cacert.pem";
      certificate_type x509 "abcnew.pem" "local.key";
      proposal {
          encryption_algorithm aes;
          hash_algorithm sha256;
          authentication_method rsasig;
          dh_group modp2048;
          lifetime time 24 hour;
      }
  }
  sainfo address udp address udp {
      encryption_algorithm aes;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
      lifetime time 3600 secs;
  }

Note that verify_cert off and verify_identifier off make racoon on the test Radius server accept the switch's certificate and identifier without validating them.

After creating the above files on the Radius server, execute the following commands:

  1. setkey -F            // flush the previous policy entries from the server
  2. setkey -f SPD        // add the policies specified in the file SPD
  3. setkey -DP | more and setkey -D   // view the configured policies (-DP) and security associations (-D) on the server
  4. racoon -d -F -f racoon.conf   // start racoon in the foreground (-F) with debug output (-d), using the configuration in racoon.conf
  5. Start the Radius server using the command radiusd X.
  6. Log in to the switch as a Radius user. From the client machine, telnet/ssh to the DUT and log in as one of the Radius users:
       ssh X <radius user>@<switch ipv4>
     Example:
       ssh X raduser@ or ssh X raduser@11::2
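Both procedures above depend on the switch-side IKE profile / IPsec SA parameters matching the proposal and sainfo blocks that racoon offers from the Radius server. The following Python script is an added example (not part of the Avaya document or the racoon/setkey tooling) that parses both sides and reports every mismatch, for the pre-shared-key and the digital-certificate variant alike; the embedded switch commands are taken from this appendix, the racoon.conf is constructed, and the 192.0.2.x addresses are placeholders for the addresses elided in the original.

```python
"""Cross-check the switch-side IKE/IPsec commands against racoon.conf.
Added example, not from the Avaya document: parses the 'ike profile', 'ike policy'
and 'ipsec security-association' lines entered on the switch and the proposal/sainfo
blocks of the Radius server's racoon.conf, and reports every parameter on which the
two ends disagree. Sample inputs are constructed; 192.0.2.x are placeholder addresses.
"""
import re

# Switch (ACLI) spelling -> racoon.conf spelling of the same value.
ACLI_TO_RACOON = {"aescbc": "aes", "aes-cbc": "aes", "sha1": "hmac_sha1",
                  "pre-shared-key": "pre_shared_key", "digital-certificate": "rsasig"}
RACOON_AUTH_METHODS = {"pre_shared_key", "rsasig"}

def from_acli(value):
    v = value.strip().lower()
    return ACLI_TO_RACOON.get(v, v)

def parse_acli(text):
    """Return (phase1, phase2) dicts keyed by racoon.conf parameter names."""
    p1, p2 = {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5:
            continue
        if t[:2] == ["ike", "profile"]:
            if t[3] == "dh-group":
                p1["dh_group"] = from_acli(t[4])
            elif t[3] == "encrypt-algo":
                p1["encryption_algorithm"] = from_acli(t[4])
            elif t[3] == "hash-algo":
                p1["hash_algorithm"] = from_acli(t[4])
        elif t[:2] == ["ike", "policy"] and t[3] == "auth-method":
            p1["authentication_method"] = from_acli(t[4])
        elif t[:2] == ["ipsec", "security-association"]:
            if t[3] == "auth-algo":
                p2["authentication_algorithm"] = from_acli(t[4])
            elif t[3].lower() == "encrpt-algo":  # keyword as the switch CLI spells it
                p2["encryption_algorithm"] = from_acli(t[4])
            elif t[3] == "lifetime" and t[4] == "seconds" and len(t) > 5:
                p2["lifetime"] = t[5]
    return p1, p2

def parse_racoon(text):
    """Return (proposal, sainfo) dicts; 'lifetime time N ...' is reduced to N."""
    def block(pattern):
        m = re.search(pattern, text, re.S)
        body = m.group(1) if m else ""
        return {k: v.strip().strip('"').lower()
                for k, v in re.findall(r"(\w+)\s+([^;{}]+);", body)}
    p1 = block(r"proposal\s*\{([^}]*)\}")
    p2 = block(r"sainfo[^{]*\{([^}]*)\}")
    for d in (p1, p2):
        if "lifetime" in d:
            n = re.search(r"\d+", d["lifetime"])
            d["lifetime"] = n.group(0) if n else d["lifetime"]
    return p1, p2

def compare(acli_text, racoon_text):
    """List the parameters on which switch and racoon disagree (empty = consistent)."""
    sw1, sw2 = parse_acli(acli_text)
    rc1, rc2 = parse_racoon(racoon_text)
    problems = []
    for phase, sw, rc in (("IKE phase 1", sw1, rc1), ("IPsec phase 2", sw2, rc2)):
        for key in sorted(set(sw) & set(rc)):
            if sw[key] != rc[key]:
                problems.append(f"{phase} {key}: switch={sw[key]} racoon={rc[key]}")
    auth = rc1.get("authentication_method")
    if auth is not None and auth not in RACOON_AUTH_METHODS:
        problems.append(f"racoon authentication_method {auth!r} is not a racoon keyword")
    return problems

# Constructed sample: the switch commands of this appendix (addresses elided there).
SWITCH_ACLI = """
ipsec security-association SA1 auth-algo SHA1
ipsec security-association SA1 Encrpt-algo AES-CBC
ipsec security-association SA1 lifetime seconds 3600
ike profile ikeprofile dh-group modp2048
ike profile ikeprofile encrypt-algo aescbc
ike profile ikeprofile hash-algo sha256
ike policy ikepolicy auth-method pre-shared-key
"""
# Constructed racoon.conf (pre-shared-key variant); 192.0.2.1 = switch, 192.0.2.2 = server.
RACOON_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";
remote 192.0.2.1 {
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp2048;
        lifetime time 24 hour;
    }
}
sainfo address 192.0.2.2 udp address 192.0.2.1 udp {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
}
"""
```

Swapping the switch's auth-method for digital-certificate and racoon's authentication_method for rsasig checks the second variant with the same code; a hyphenated pre-shared-key in racoon.conf is reported as an unknown racoon keyword.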


More information

System Administration

System Administration Changing the Management IP Address, on page 1 Changing the Application Management IP, on page 3 Changing the Firepower 4100/9300 Chassis Name, on page 5 Pre-Login Banner, on page 6 Rebooting the Firepower

More information

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform. NCP Secure Enterprise MAC Client Service Release 2.02 Build 11 Date: August 2011 1. New Feature Compatibility to Mac OS X 10.7 Lion This version of the des Secure Enterprise MAC Client can be used on Mac

More information

IPSec Site-to-Site VPN (SVTI)

IPSec Site-to-Site VPN (SVTI) 13 CHAPTER Resource Summary for IPSec VPN IKE Crypto Key Ring Resource IKE Keyring Collection Resource IKE Policy Resource IKE Policy Collection Resource IPSec Policy Resource IPSec Policy Collection Resource

More information

Cisco IOS HTTP Services Command Reference

Cisco IOS HTTP Services Command Reference Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. NCP Secure Enterprise Mac Client Service Release 2.05 Rev. 32317 Date: January 2017 Prerequisites Apple OS X Operating System: The following Apple OS X operating system versions are supported with this

More information

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Table of Contents SUPPORTED DEVICES... 5 INTRODUCTION... 6 GWN7000 VPN FEATURE... 7 OPENVPN CONFIGURATION... 8 OpenVPN

More information

Management Access. Configure Management Remote Access. Configure ASA Access for ASDM, Telnet, or SSH

Management Access. Configure Management Remote Access. Configure ASA Access for ASDM, Telnet, or SSH This chapter describes how to access the Cisco ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, and how to create login banners. Configure

More information

FIPS Management. FIPS Management Overview. Configuration Changes in FIPS Mode

FIPS Management. FIPS Management Overview. Configuration Changes in FIPS Mode This chapter contains the following sections: Overview, on page 1 Configuration Changes in FIPS Mode, on page 1 Switching the Appliance to FIPS Mode, on page 2 Encrypting Sensitive Data in FIPS Mode, on

More information

Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 5.3.x

Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 5.3.x Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference, Release 5.3.x First Published: January 30, 2015 Last Modified: September 11, 2015 Americas Headquarters Cisco Systems,

More information

Configuring Management Access

Configuring Management Access 37 CHAPTER This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how

More information

Cisco IOS HTTP Services Command Reference

Cisco IOS HTTP Services Command Reference Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Configuring WAN Backhaul Redundancy

Configuring WAN Backhaul Redundancy CHAPTER 7 This chapter describes how to configure WAN backhaul redundancy for cellular and WiMAX interfaces on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as the Cisco CG-OS router).

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Security Command Reference Part number: 5998-2887 Software version: Release2208 Document version: 6W100-20130228 Legal and notice information Copyright 2013 Hewlett-Packard

More information

User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14

User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14 Contents Logging in to the CLI 1 Login methods 1 Logging in through the console or AUX port 2 Logging in through Telnet 5 Telnetting to the switch 5 Telnetting from the switch to another device 7 Logging

More information

User Manual. SSV Remote Access Gateway. Web ConfigTool

User Manual. SSV Remote Access Gateway. Web ConfigTool SSV Remote Access Gateway Web ConfigTool User Manual SSV Software Systems GmbH Dünenweg 5 D-30419 Hannover Phone: +49 (0)511/40 000-0 Fax: +49 (0)511/40 000-40 E-mail: sales@ssv-embedded.de Document Revision:

More information

LAN-to-LAN IPsec VPNs

LAN-to-LAN IPsec VPNs A LAN-to-LAN VPN connects networks in different geographic locations. You can create LAN-to-LAN IPsec connections with Cisco peers and with third-party peers that comply with all relevant standards. These

More information

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2. P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and

More information

Configuring Secure Socket Layer HTTP

Configuring Secure Socket Layer HTTP Finding Feature Information, page 1 Information about Secure Sockets Layer (SSL) HTTP, page 1 How to Configure Secure HTTP Servers and Clients, page 4 Monitoring Secure HTTP Server and Client Status, page

More information

Assurance Activity Report (AAR) for a Target of Evaluation

Assurance Activity Report (AAR) for a Target of Evaluation Assurance Activity Report (AAR) for a Target of Evaluation Apple IOS 10.2 VPN Client on iphone and ipad Apple IOS 10.2 VPN Client Security Target Version 1.0, July 2017 Protection Profile for IPsec Virtual

More information

ForeScout CounterACT

ForeScout CounterACT Assurance Activities Report For a Target of Evaluation ForeScout CounterACT Security Target (Version 1.0) Assurance Activities Report (AAR) Version 1.0 2/23/2018 Evaluated by: Booz Allen Hamilton Common

More information

RSA Identity Governance and Lifecycle

RSA Identity Governance and Lifecycle RSA Identity Governance and Lifecycle Supplemental Administrative Guidance V7.0.1 Contents Introduction... 3 Intended Audience... 3 References... 3 Evaluated Configuration of the TOE... 4 Installation

More information

Overview. ACE Appliance Device Manager Overview CHAPTER

Overview. ACE Appliance Device Manager Overview CHAPTER 1 CHAPTER This section contains the following: ACE Appliance Device Manager, page 1-1 Logging Into ACE Appliance Device Manager, page 1-3 Changing Your Account Password, page 1-4 ACE Appliance Device Manager

More information

Extreme Networks Summit Series Switches Common Criteria Admin Guide

Extreme Networks Summit Series Switches Common Criteria Admin Guide Extreme Networks Summit Series Switches Common Criteria Admin Guide Published: December 2017 Extreme Networks, Inc. Phone / +1 408.579.2800 Toll-free / +1 888.257.3000 www.extremenetworks.com 2017 Extreme

More information

Google Cloud VPN Interop Guide

Google Cloud VPN Interop Guide Google Cloud VPN Interop Guide Using Cloud VPN With Cisco ASA Courtesy of Cisco Systems, Inc. Unauthorized use not permitted. Cisco is a registered trademark or trademark of Cisco Systems, Inc. and/or

More information

VPN CLIENT PROTECTION PROFILE

VPN CLIENT PROTECTION PROFILE VPN CLIENT PROTECTION PROFILE Target of Evaluation: Aruba Remote Access Point, ArubaOS 6.5.1-FIPS Version 1.4 June, 2017 INTRODUCTION This document serves as a supplement to the official Aruba user guidance

More information

Administration of Cisco WLC

Administration of Cisco WLC Using the Controller Interface, on page 1 Enabling Web and Secure Web Modes, on page 6 Telnet and Secure Shell Sessions, on page 8 Management over Wireless, on page 13 Configuring Management using Dynamic

More information

The EN-4000 in Virtual Private Networks

The EN-4000 in Virtual Private Networks EN-4000 Reference Manual Document 8 The EN-4000 in Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission

More information

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2017 Cisco and/or its affiliates. All rights

More information

Maintenance Tasks CHAPTER

Maintenance Tasks CHAPTER CHAPTER 5 These topics describe the Maintenance tasks of Element Manager: Viewing Basic System Information, page 5-2 Configuring Basic System Information, page 5-3 Configuring Date and Time Properties,

More information

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls How to Configure a Remote Management Tunnel for Barracuda NG Firewalls If the managed NG Firewall can not directly reach the NG Control Center it must connect via a remote management tunnel. The remote

More information

Cisco VPN 3002 Hardware Client Security Policy

Cisco VPN 3002 Hardware Client Security Policy Introduction This non-proprietary Cryptographic Module Security Policy describes how the VPN 3002 and 3002 8E Hardware Client (Firmware version FIPS 3.6.7.F) meets the security requirements of FIPS 140-2,

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces. 2016 Cisco and/or its affiliates. All

More information

Table 1. Terminology used in this white paper. Page 4

Table 1. Terminology used in this white paper. Page 4 Page 3 Table 1 Terminology used in this white paper Page 4 Page 5 authenticating and optionally Original packet IP Hdr TCP Data Packet with ESP IP Hdr ESP Hdr TCP Data Encrypted Page 6 Figure 1 ESP data

More information

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418 This chapter describes how to maintain the configuration and firmware, reboot or reset the security appliance, manage the security license and digital certificates, and configure other features to help

More information

User Guide Addendum Release 2.4 February, 2005

User Guide Addendum Release 2.4 February, 2005 User Guide Addendum Release 2.4 February, 2005 Introduction This User s Guide Addendum provides information and procedures that will enable system administrators to configure and use the specific features

More information

Cisco Systems 5760 Wireless LAN Controller

Cisco Systems 5760 Wireless LAN Controller Cisco Systems 5760 Wireless LAN Controller FIPS 140-2 Non Proprietary Security Policy Level 1 Validation Version 1.2 April 10, 2015 1 Table of Contents 1 INTRODUCTION... 3 1.1 PURPOSE... 3 1.2 MODEL...

More information

NCP Secure Enterprise macos Client Release Notes

NCP Secure Enterprise macos Client Release Notes Service Release: 3.10 r40218 Date: July 2018 Prerequisites Apple OS X operating systems: The following Apple macos operating systems are supported with this release: macos High Sierra 10.13 macos Sierra

More information

Implementing Secure Socket Layer

Implementing Secure Socket Layer This module describes how to implement SSL. The Secure Socket Layer (SSL) protocol and Transport Layer Security (TLS) are application-level protocols that provide for secure communication between a client

More information

MAGNUM-SDVN Security Administration Manual

MAGNUM-SDVN Security Administration Manual MAGNUM-SDVN Security Administration Manual Revision 19: November 21, 2017 Contents Overview... 3 Administrative Access... 4 Logging Into Terminal Locally... 4 Logging Out Of Local Terminal... 4 Logging

More information

Security Policy Document Version 3.3. Tropos Networks

Security Policy Document Version 3.3. Tropos Networks Tropos Control Element Management System Security Policy Document Version 3.3 Tropos Networks October 1 st, 2009 Copyright 2009 Tropos Networks. This document may be freely reproduced whole and intact

More information

VPNC Scenario for IPsec Interoperability

VPNC Scenario for IPsec Interoperability EN-4000 Reference Manual Document D VPNC Scenario for IPsec Interoperability EN-4000 Router T his document presents a configuration profile for IPsec interoperability. The configuration profile conforms

More information

Protection Profile Summary

Protection Profile Summary NIAP Protection Profile for Mobile Device Management (PP_MDM_v2.0) PP link: Summary author: https://www.niap-ccevs.org/pp/pp_mdm_v2.0/ lachlan.turner@arkinfosec.net Date: 26 March 2015 Overview The NIAP

More information

Table of Contents 1 SSH Configuration 1-1

Table of Contents 1 SSH Configuration 1-1 Table of Contents 1 SSH Configuration 1-1 SSH Overview 1-1 Introduction to SSH 1-1 Algorithm and Key 1-1 Asymmetric Key Algorithm 1-2 SSH Operating Process 1-2 Configuring the SSH Server 1-4 SSH Server

More information