NDcPP v1.0 Assurance Activity Report for Dell Networking Platforms


NDcPP v1.0 for Dell Networking Platforms
Version v1.8
June 12, 2017

Produced by:
Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme
The Developer of the TOE: Dell Inc.
The Security Target was developed by: CygnaCom Solutions
The TOE Evaluation was sponsored by: Dell Inc.

Table of Contents

1.1 INTRODUCTION
REFERENCES
TARGET OF EVALUATION
  Platform Equivalence
SECURITY FUNCTIONAL REQUIREMENTS
SECURITY AUDIT (FAU)
  FAU_GEN.1 Audit Data Generation and FAU_GEN.2 User Identity association (TSS, Guidance, Testing Assurance Activities)
  FAU_STG.1 Protected audit trail storage (TSS, Guidance, Testing Assurance Activities)
  FAU_STG_EXT.1 Protected audit event Storage (TSS, Guidance, Testing Assurance Activities)
CRYPTOGRAPHIC SUPPORT (FCS)
  SFR: FCS_CKM.1 Cryptographic Key Generation (TSS, Guidance, Testing Assurance Activities)
  SFR: FCS_CKM.2 Cryptographic Key Establishment (TSS, Guidance, Testing Assurance Activities)
  SFR: FCS_CKM_EXT.4 Cryptographic Key Destruction (TSS, Guidance, Testing Assurance Activities)
  SFR: FCS_COP.1(1) Cryptographic Operation (for AES data encryption/decryption) (TSS, Guidance, Testing Assurance Activities)
  SFR: FCS_COP.1(2) Cryptographic Operation (Signature Generation and Verification) (TSS, Guidance, Testing Assurance Activities)
  SFR: FCS_COP.1(3) Cryptographic Operation (Hash Algorithms) (TSS, Guidance, Testing Assurance Activities)
  SFR: FCS_COP.1(4) Cryptographic Operation (Keyed-Hash Algorithm) (TSS, Guidance, Testing Assurance Activities)
  SFR: FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation) (TSS, Guidance, Testing Assurance Activities)
FCS_SSHS_EXT.1 SSH SERVER
  FCS_SSHS_EXT (TSS, Guidance, Testing Assurance Activities)
  2.3.2 FCS_SSHS_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_SSHS_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_SSHS_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_SSHS_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_SSHS_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_SSHS_EXT (TSS, Guidance, Testing Assurance Activities)
FCS_TLSC_EXT.2 EXTENDED: TLS CLIENT PROTOCOL WITH AUTHENTICATION
  FCS_TLSC_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_TLSC_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_TLSC_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_TLSC_EXT (TSS, Guidance, Testing Assurance Activities)
  FCS_TLSC_EXT (TSS, Guidance, Testing Assurance Activities)
IDENTIFICATION AND AUTHENTICATION (FIA)
  FIA_PMG_EXT.1 Password Management (TSS, Guidance, Testing Assurance Activities)
  FIA_UIA_EXT.1 User Identification and Authentication (TSS, Guidance, Testing Assurance Activities)
  FIA_UAU_EXT.2 Password-based Authentication Mechanism
  FIA_UAU.7 Protected Authentication Feedback (TSS, Guidance, Testing Assurance Activities)
  FIA_X509_EXT.1 X.509 Certificate Validation (TSS, Guidance, Testing Assurance Activities)
  FIA_X509_EXT.2 X.509 Certificate Authentication (TSS, Guidance, Testing Assurance Activities)
  FIA_X509_EXT.3 Extended: X509 Certificate Requests (TSS, Guidance, Testing Assurance Activities)
SECURITY MANAGEMENT (FMT)
  FMT_MOF.1(1)/Trusted Update (TSS, Guidance, Testing Assurance Activities)
  FMT_MTD.1 Management of TSF Data (TSS, Guidance, Testing Assurance Activities)
  FMT_SMF.1 Specification of Management Functions (TSS, Guidance, Testing Assurance Activities)
  FMT_SMR.2 Restrictions on security roles (TSS, Guidance, Testing Assurance Activities)
PROTECTION OF THE TSF (FPT)
  FPT_SKP_EXT.1 Protection of Secret Key Parameters (for reading of all symmetric keys) (TSS, Guidance, Testing Assurance Activities)
  FPT_APW_EXT.1 Protection of Administrator Passwords (TSS, Guidance, Testing Assurance Activities)
  FPT_TST_EXT.1 TSF Testing (TSS, Guidance, Testing Assurance Activities)
  FPT_TUD_EXT.1 Trusted Update (TSS, Guidance, Testing Assurance Activities)
  FPT_STM.1 Reliable Time Stamps (TSS, Guidance, Testing Assurance Activities)
TOE ACCESS (FTA)
  SFR: FTA_SSL_EXT.1 TSF-initiated Session Locking (TSS, Guidance, Testing Assurance Activities)
  SFR: FTA_SSL.3 TSF-initiated Termination (TSS, Guidance, Testing Assurance Activities)
  SFR: FTA_SSL.4 User-initiated Termination (TSS, Guidance, Testing Assurance Activities)
  SFR: FTA_TAB.1 Default TOE Access Banners (TSS, Guidance, Testing Assurance Activities)
TRUSTED PATH/CHANNELS (FTP)
  FTP_ITC.1 Inter-TSF Trusted Channel (TSS, Guidance, Testing Assurance Activities)
  SFR: FTP_TRP.1 Trusted Path (TSS, Guidance, Testing Assurance Activities)
SECURITY ASSURANCE REQUIREMENTS
  SAR: ASE_CCL.1 SECURITY TARGET EVALUATION (Assurance Activities)
  SAR: ADV_FSP.1 BASIC FUNCTIONAL SPECIFICATION (Assurance Activities)
  SAR: AGD_OPE.1 OPERATIONAL USER GUIDANCE (Assurance Activities)
  SAR: AGD_PRE.1 PREPARATIVE PROCEDURES (Assurance Activities)
  SAR: ALC_CMC (Assurance Activities)
  SAR: ALC_CMS (Assurance Activities)
  SAR: ATE_IND.1 INDEPENDENT TESTING - CONFORMANCE (Assurance Activities)
  SAR: AVA_VAN.1 VULNERABILITY SURVEY (Assurance Activities)
APPENDIX A - TESTING ENVIRONMENT

Table of Figures

FIGURE 1: TESTING TOPOLOGY

1.1 Introduction

This document summarizes the evaluation results of a specific Target of Evaluation (TOE), Dell Networking Platforms running Dell Networking OS v9.11, conforming to the collaborative Protection Profile for Network Devices Version 1.0, by listing the assurance activities and associated results as performed by the evaluators.

1.2 References

The following table provides information needed to identify and to control the Security Target (ST), the Target of Evaluation (TOE), and other evidence used in this evaluation.

Table 1: Guidance and Reference Documents

| Item | Identifier | Short Form |
|---|---|---|
| Security Target | Dell Networking Platforms Security Target Version 1.3, June 8, | [ST] |
| Protection Profile | collaborative Protection Profile for Network Devices Version 1.0, 25 February 2015 (NDcPP) | [PP] |
| Supporting Document | Evaluation Activities for Network Device cPP Version 1.0, February 2015 | [SD] |
| User Guidance | Dell Networking OS Configuration Guide for the Z9100-ON System 9.11(0.0); Dell Networking OS Configuration Guide for the C9000 System 9.11(0.0); Dell Networking OS Configuration Guide for the S3048-ON System 9.11(0.0); Dell Configuration Guide for the S4048-ON System 9.11(0.0); Dell Configuration Guide for the S3100-ON System 9.11(0.0); Dell 9.11(0.0) Configuration Guide for the S5000 Switch; Dell Configuration Guide for the S6000 System 9.11(0.0); Dell Configuration Guide for the S6010-ON System 9.11(0.0); Dell Configuration Guide for the S6100-ON System 9.11(0.0) | [ADMIN] |
| | Configuration for Common Criteria NDcPP v1.0 Evaluated Dell Networking OS 9.11, , Rev. A02 | [CC Guide] |
| Test Report | NDcPP DELL Test Report v0.9, June 12, 2017 | [TSTRPT] |

1.3 Target of Evaluation

The TOE is the Dell Networking Platforms running Dell Networking OS v9.11, which consist of S-Series, C-Series, and Z-Series switches and include the following appliances:

- Dell Networking S-Series S3124
- Dell Networking S-Series S3124P
- Dell Networking S-Series S3124F
- Dell Networking S-Series S3148
- Dell Networking S-Series S3148P
- Dell Networking S-Series S3048-ON
- Dell Networking S-Series S4048-ON
- Dell Networking S-Series S4048T-ON
- Dell Networking S-Series S5000
- Dell Networking S-Series S6010-ON
- Dell Networking S-Series S6100-ON
- Dell Networking C-Series C9010 and C1048P port extender
- Dell Networking Z-Series Z9100-ON

Platform Equivalence

The TOE is a computer appliance that includes both hardware and software components. The software is Dell EMC Networking OS 9.11, which consists of a hardened operating system and application software. The operating system, based on a *nix kernel, is shared across all evaluated platforms. The application software is composed of subsystems designed to implement operational security management, and networking functionality.

Hardware dependencies

While different appliance models use different enclosures, the actual differences are: the bridge to switching fabric microprocessor network port layouts CPU architecture. The TOE appliances use one of the following CPU architectures: ARM Cortex A9, Intel Atom, or FreeScale PowerPC e500.

Difference in TOE binaries

The TOE binaries (source code compiled for the target CPU architecture) implement a consistent set of Security Functionality (SF) across all appliance models. The application software is based on a common code base of a modular nature. The key difference between binaries for appliance models is the set of hardware-specific drivers. All TOE platforms implement a uniform control plane architecture. For the data plane, configuration code controls platform-specific features. While all modules are part of the binary, only modules applicable to the specific platform's hardware are enabled. Each instance of Dell EMC Networking OS 9.11 is produced from the same code base and compiled into a binary for the specific CPU architecture.

Difference in libraries

There is no difference in the libraries. The TOE uses a consistent set of libraries and third-party software that is universally implemented across all platforms.

Management interface

The management interface is implemented using a Command Line Interface (CLI) integrated with OpenSSH and local console ports. The only difference between management options for appliances is related to managing switching fabric, which is not SF-related. That is, all management functionality is identical, except for specific switching functionality related to the switching hardware present in a specific model.

Functional differences

There are no SF-related functional differences between appliance models. The only difference is switching functionality: the number and type of ports, the switching fabric bandwidth, and an enclosure to support physical network ports.

The TOE implements the following Security Functionality:

- Security Audit
- Cryptographic Support
- Identification and Authentication
- Security Management
- Protection of the TOE Security Function (TSF)
- TOE Access
- Trusted Path/Channels

The TOE's Security Functionality is associated with the following modules:

- CLI (Identification and Authentication, Security Management, TOE Access, Trusted Path)
- Management Interface (Security Audit, Security Management)
- Operating System (Protection of TSF)
- Cryptographic Library (Cryptographic Support)

Each SF is implemented by Dell EMC Networking OS with application code combined with a known set of libraries running on it. The Dell EMC Networking OS v9.11 relies exclusively on the Dell OpenSSL Cryptographic Library Version 2.4 operating in FIPS mode to implement all cryptographic security functionality. The Dell OpenSSL Cryptographic Library Version 2.4 is CMVP (#2496) certified and covered by the following CAVP certificates:

- AES: # 4320
- RSA: # 2334
- SHS: # 3556
- DRBG: # 1376
- HMAC: # 2853
- CVL: # 1047

These CAVP certificates claim the appropriate operational environment and cryptographic modes.

Configuration for Common Criteria NDcPP v1.0 Evaluated Dell Networking OS 9.11 (CC Guide) is a comprehensive configuration guide applicable to all TOE models. This document contains explanations of security-relevant features and details secure configuration. This guide was closely followed during product testing and was found to be an accurate and useful source of information about the TOE.

2 Security Functional Requirements

2.1 Security Audit (FAU)

FAU_GEN.1 Audit Data Generation and FAU_GEN.2 User Identity association

TSS Assurance Activities

TSS Assurance Activities: Application Note 2: The TSS should identify what information is logged to identify the relevant key for the administrative task of generating/import of, changing, or deleting of cryptographic keys.

TSS Implementation Details/Results: The ST, Section 7.1 states that the following information is logged when cryptographic keys are handled: the date and time, the type of event, the subject identity (e.g. IP address or UserID), and the outcome. As documented in the TSS section, the TOE implements and audits the following relevant operations:

- Generation and destruction of a public and associated private key
- Installation and removal of a trusted root or intermediate authority certificate
- Generation of CSR and import of a signed certificate
- Association of a public RSA key with an administrative identity

Guidance Assurance Activities

Guidance Assurance Activities:
(1) The evaluator shall check the guidance documentation and ensure that it lists all of the auditable events and provides a format for audit records.
(2) Each audit record format type must be covered, along with a brief description of each field.
(3) The evaluator shall check to make sure that every audit event type mandated by the cPP is described and that the description of the fields contains the information required in FAU_GEN.1.2, and the additional information specified in the table of audit events.
(4) The evaluator shall also make a determination of the administrative actions that are relevant in the context of the cPP.
(5) The evaluator shall examine the guidance documentation and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the cPP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to the cPP.
(6) The evaluator may perform this activity as part of the activities associated with ensuring that the corresponding guidance documentation

Guidance Implementation Details/Results:

(1) The evaluator checked the CC Guide, Appendix D - Auditable Events and noted a list of all mandatory auditable events along with a number of examples. The guidance also explains the audit record format and provides a brief description of each field.

(2) The evaluator checked the CC Guide and noted that it lists all of the TOE's audit event types. The evaluator crosschecked this list with the ST, Table 11 to ensure that every audit event mandated by the NDcPP is described. Each audit record contains the following information: date and time of the event, type of event, subject identity, and the outcome (success or failure). All audit events follow this consistent format. Audit records, when stored and displayed by the TOE, follow the following format:

PRI Version Timestamp HostName APP-Name ProcID MSGID Structured-Data MSG

For example, here is how a successful login of the sysadmin administrator is recorded:

Oct 6 16:33:43: dv-fedgov-s5000-1: %SEC-6-LOGIN_SUCCESS:Login successful for user sysadmin on line vty0 ( )

(3) The evaluator verified that every audit event type mandated by the cPP is described and that the description of the fields contains all the necessary information. The CC Guide, Appendix D, Auditable Events (p.83-p.92) lists all relevant audit records. See the mapping table below for details.

| Requirement | Auditable Events | Additional Audit Record Contents | Guidance Location |
|---|---|---|---|
| FAU_GEN.1 | Start-up/shut down | None | CC Guide, Appendix D, Auditable Events, p |
| FAU_GEN.2 | None | None | n/a |
| FAU_STG_EXT.1 | None | None | n/a |
| FCS_CKM.1 | None | None | n/a |
| FCS_CKM.2 | None | None | n/a |
| FCS_CKM.4 | None | None | n/a |
| FCS_COP.1(1) | None | None | n/a |
| FCS_COP.1(2) | None | None | n/a |
| FCS_COP.1(3) | None | None | n/a |
| FCS_COP.1(4) | None | None | n/a |
| FCS_RBG_EXT.1 | None | None | n/a |
| FIA_PMG_EXT.1 | None | None | n/a |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address). | CC Guide, Appendix D, Auditable Events, p.84 |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address). | CC Guide, Appendix D, Auditable Events, p.84 |
| FIA_UAU.7 | None | None | n/a |
| FIA_X509_EXT.1 | Unsuccessful attempt to validate a certificate | Reason for failure | CC Guide, Appendix D, Auditable Events, p |
| FIA_X509_EXT.2 | None | None | n/a |
| FIA_X509_EXT.3 | None | None | n/a |
| FMT_MOF.1(1)/TrustedUpdate | Any attempt to initiate a manual update. | None | CC Guide, Appendix D, Auditable Events, p.85 |
| FMT_MTD.1 | All management activities of TSF data. | None | CC Guide, Appendix D, Auditable Events, p.86 |
| FMT_SMF.1 | None | None | n/a |
| FMT_SMR.2 | None | None | n/a |
| FPT_SKP_EXT.1 | None | None | n/a |
| FPT_APW_EXT.1 | None | None | n/a |
| FPT_TST_EXT.1 | None | None | n/a |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | No Additional information. | CC Guide, Appendix D, Auditable Events, p.87 |
| FPT_STM.1 | Changes to time. | The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). | CC Guide, Appendix D, Auditable Events, p.87 |
| FTA_SSL_EXT.1 | Any attempts at unlocking of an interactive session. | None | The TOE does not support session locking. |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | The TOE does not support session locking. |
| FTA_SSL.4 | The termination of an interactive session. | None | CC Guide, Appendix D, Auditable Events p.87 |
| FTA_TAB.1 | None | None | n/a |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channels establishment attempt. | CC Guide, Appendix D, Auditable Events p.88 |
| FTP_TRP.1 | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | Identification of the claimed user identity. | CC Guide, Appendix D, Auditable Events p.88 |
| FCS_SSHS_EXT.1 | Failure of SSH session establishment; SSH session establishment; SSH session termination | Reason for failure; Non-TOE endpoint of connection (IP address) | CC Guide, Appendix D, Auditable Events p.88 |
| FCS_TLSC_EXT.2 | Failure of TLS session establishment; TLS session establishment; TLS session termination | Reason for failure | CC Guide, Appendix D, Auditable Events p.88 |

(4) The evaluator determined that the administrative actions that are relevant in the context of the cPP are defined by FMT_SMF.1 and the administrative actions necessary to put the TOE into the evaluated configuration.

(5) The evaluator examined the CC Guide, Appendix D and made the determination that administrative commands meet the requirements outlined in the cPP. The evaluator determined that configuration of the TOE into the evaluated configuration generates an appropriate level of audit records. See the table below for details.

The table columns are Access Privilege, Administrative Actions, Command executed, and Mapping to Guidance. Each entry below is one row.

Access Privilege: Administrator
Administrative Action: Start-up and shutdown of audit functions
Command executed: The local console always displays current audit events when the TOE is powered on. However, to enable logging of audit records the (conf) #logging extended command must be issued. This command generates an appropriate audit record. See example below:
    T11:03:47Z dv-fedgovs SSH T11:03:47Z dv-fedgov-s SSH3 CONF - INFO:SUCCESSFUL logging extended by sysad from vty1 ( )
Mapping to Guidance: Section 5 Setting Up the Common Criteria Configuration, Configuring Logging p.40

Access Privilege: Administrator
Administrative Action: Shut-down of audit functions
Command executed: The audit functions operate at all times. However, it is possible to manually shut them down (and take the TOE out of the evaluated configuration). The event generates the following audit record:
    T11:03:47Z dv-fedgovs SSH T11:03:47Z dv-fedgov-s SSH3 CONF - INFO:SUCCESSFUL no logging extended by sysad from vty1 ( )
Mapping to Guidance: Section 5 Setting Up the Common Criteria Configuration, Configuring Logging p.40

Access Privilege: Administrator
Administrative Action: Configure RBAC mode
Command executed: To enable RBAC mode both AAA Authentication and Authorization must be configured:
    (conf)#aaa authentication login default local
    (conf)#aaa authorization exec default local
    (conf)#aaa authorization role-only
Mapping to Guidance: Section 5 Setting Up the Common Criteria Configuration, Configure AAA Authentication and Authorization, p.37; Appendix A Role-Based Access Control, p.56

Access Privilege: Administrator
Administrative Action: Configure password complexity
Command executed:
    (conf)# password-attributes min-length 15
    (conf)# password-attributes character-restriction lower 1
    (conf)# password-attributes character-restriction upper 1
    (conf)# password-attributes character-restriction numeric 1
    (conf)# password-attributes character-restriction special-char 1
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, P

Access Privilege: Administrator
Administrative Action: TLS configuration
Command executed: When operating in FIPS mode, the system is restricted to only the TLS 1.2 protocol version and supports the following cipher suites in line with the NIST SP A Rev 1 policy document
Mapping to Guidance: Appendix B X.509v3, p

Access Privilege: Administrator
Administrative Action: SSH configuration
Command executed: When FIPS mode is enabled, the system uses SSHv2.
    Dell(conf)# ip ssh server enable
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, p.34

Access Privilege: Administrator
Administrative Action: FIPS mode
Command executed: To enable FIPS mode, issue the following command:
    (conf)#fips mode enable
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, Enabling FIPS Mode, p.28

Access Privilege: Administrator
Administrative Action: Audit server configuration
Command executed: To configure audit server (syslog), mutual trust based on X509 certificates must be issued to the TOE and the remote audit server. The command to enable logging to a remote syslog server is as follows:
    (conf)#logging <syslogserver-name> secure port <port-number>
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, Configuring SYSLOG Servers, p.43

Access Privilege: Administrator
Administrative Action: Audit levels configurations
Command executed: The TOE supports multiple audit levels. In the evaluated configuration the logging level should be set at 7. The command is as follows:
    (conf)#logging monitor 7
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, Configuring Logging Level, p

Access Privilege: Administrator
Administrative Action: X.509 Certificate management
Command executed: An X.509v3 digital certificate is an electronic document used to prove ownership of a public key. It contains information about the key's identity, information about the key's owner, and the digital signature of an entity that has verified the certificate's content as correct.
Certificate Authority (CA): The entity that verifies the contents of the digital certificate and signs it, indicating that the certificate is valid and correct, is called the Certificate Authority (CA).
Certificate Signing Request (CSR): An entity that wants a signed certificate or a digital certificate requests one through a CSR.
To install a CA certificate, enter the following command in EXEC Privilege mode:
    crypto ca-cert install {path}
Mapping to Guidance: Appendix B X.509v3, p

Access Privilege: Administrator
Administrative Action: Verifying and applying updates
Command executed: To upgrade or downgrade the Dell Networking OS to release 9.11(0.0P9):
To verify the Dell Networking OS version running on the switch, use the show version command in EXEC Privilege mode. This command displays the current Dell Networking OS version information on the system.
To validate the software image on the USB flash drive (after the image has been transferred to the system, but before the image has been installed), use the verify command in EXEC Privilege mode. This command calculates a hash value of the image file on the USB flash drive.
Mapping to Guidance: Section 4 - Upgrading and Downgrading the Software, p.22

Access Privilege: Administrator
Administrative Action: Configuring system time.
Command executed: To set the time and date for the switch hardware clock, use the following command in EXEC Privilege mode:
    calendar set time month day year
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, Configuring the System Date and Time p

Access Privilege: Administrator
Administrative Action: NTP server configuration
Command executed: To specify a key for authenticating the NTP server, use the ntp authentication-key command in CONFIGURATION mode. By default, NTP authentication is not configured.
Set an authentication key with encryption.
    ntp authentication-key 8 md5 0 <clear-text-key>
Configure time-serving hosts using the following command:
    ntp server ip address key 1000
Set the authentication key.
    ntp trusted-key
    Dell(conf)#ntp trusted-key 1000
The following command will show the ntp status:
    do show ntp status
Mapping to Guidance: Appendix E - NTP, p

Access Privilege: Administrator
Administrative Action: Configuring and modifying access banner.
Command executed: To configure the banner issue the following command:
    (conf)#banner motd % <Text> %
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, Configuring the Banner, p.35

Access Privilege: Administrator
Administrative Action: Termination of interactive remote session.
Command executed: To configure the login lockout period, use the password-attributes max-retry number lockout-period minutes command in CONFIGURATION mode.
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, p.33

Access Privilege: Administrator
Administrative Action: Generating/import of cryptographic keys
Command executed: Command for generating SSH-RSA key:
    dv-fedgov-s4810-3(conf)#crypto key generate rsa
Installing all the CA certificates:
    dv-fedgov-s4810-3#crypto ca-cert install flash://fedgov_cachain2.pem
Installing all the system certificate and key:
    dv-fedgov-s4810-3#crypto cert install cert-file flash://dvfedgov-s v4cn.cert.pem key-file flash://mlkey.pem
Mapping to Guidance: Appendix D Auditable Events, p

Access Privilege: Administrator
Administrative Action: Changing of cryptographic keys
Command executed: This is done automatically by the TOE when key rollover occurs.
Mapping to Guidance: Appendix D Auditable Events, p

Access Privilege: Administrator
Administrative Action: Deletion of cryptographic keys
Command executed: Deleting the system certificate:
    dv-fedgov-s4810-3#crypto cert delete
Deleting CA certificate:
    dv-fedgov-s4810-3#crypto ca-cert delete all
Mapping to Guidance: Appendix D Auditable Events, p

Access Privilege: Administrator
Administrative Action: Administrative login
Command executed: When a system is configured using the factory default configuration, there is only one userid created on the system. This is the admin userid; it has no user role associated with it by default. You must create any additional userids you may want with associated user roles.
To create a userid on the TOE, use the username command in CONFIGURATION mode.
    Dell(conf)# username ccadmin sha-256 password role sysadmin
Mapping to Guidance: Section 5 - Setting Up the Common Criteria Configuration, p.36

Access Privilege: Administrator
Administrative Action: User Password Reset
Command executed: User passwords cannot be reset, only set / created as new passwords.
Mapping to Guidance: n/a

Access Privilege: Administrator
Administrative Action: On-demand self-tests
Command executed: The TOE includes a suite of FIPS self-tests that validate the integrity of the Dell OpenSSL Cryptographic Library and verify the implementation of the FIPS DRBG and the cryptographic algorithms.
Self-test passed:
    00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_PASSED: [sysd] FIPS crypto module selftest passed
Self-test failure:
    00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_FAILED: [sysd] FIPS crypto module selftest failed
Mapping to Guidance: Appendix D Auditable Events, p

(6) The guidance document was closely followed during product testing and all administrative commands used during testing were adequately described in the guidance.

Testing Assurance Activities

Testing Assurance Activities:
(1) The evaluator shall test the TOE's ability to correctly generate audit records by having the TOE generate audit records for the events listed in the table of audit events and administrative actions listed above. This should include all instances of an event: for instance, if there are several different I&A mechanisms for a system, the FIA_UIA_EXT.1 events must be generated for each mechanism.
(2) The evaluator shall test that audit records are generated for the establishment and termination of a channel for each of the cryptographic protocols contained in the ST. If HTTPS is implemented, the test demonstrating the establishment and termination of a TLS session can be combined with the test for an HTTPS session.
(3) Logging of all activities related to trusted update should be tested in detail and with utmost diligence.
(4) When verifying the test results, the evaluator shall ensure the audit records generated during testing match the format specified in the guidance documentation, and that the fields in each audit record have the proper entries. Note that the testing here can be accomplished in conjunction with the testing of the security mechanisms directly.

Testing Implementation Details/Results:

(1) The evaluation team confirmed throughout testing activities that appropriate audit records were generated, and that each audit record contained appropriate and accurate information. The following table maps each SFR-mandated audit record to the test case within the Test Report where it was generated.

| SFR | Auditable Events | Test Case |
|---|---|---|
| FAU_GEN.1 | Start-up and shut-down of the audit functions. | PP-1 |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | PP-1 |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | PP-3 |
| FIA_X509_EXT.1 | Unsuccessful attempt to validate a certificate | PP-10, PP-11 |
| FMT_MOF.1 | Any attempt to initiate a manual update. | PP-13 |
| FMT_MTD.1 | All management activities of TSF data. | PP-1 |
| FPT_TUD_EXT.1 | Initiation of update. Result of the update attempt (success or failure) | IT-1.2 and PP-13 |
| FPT_STM.1 | Changes to time | PP-1 |
| FTA_SSL_EXT.1 | Any attempts at unlocking of an interactive session. | PP-6 |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | PP-6 |
| FTA_SSL.4 | The termination of an interactive session. | PP-1 |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | See TLS |
| FTP_TRP.1 | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | See SSH |
| FCS_SSHS_EXT.1 | Failure to establish an SSH session. Successful SSH rekey | PP-14 |
| FCS_TLSC_EXT.2 | Failure to establish a TLS Session | PP-17 |

(2) The evaluator confirmed that the audit records are generated during establishment and termination of a secure channel for the following claimed protocol(s): TLS, SSH. HTTPS is not implemented.

(3) The evaluator tested the trusted update functionality by applying a legitimate update and noting that an appropriate audit record was generated. The evaluator attempted to apply a corrupted update and noted that the hash generated did not match the posted hash, thus providing the visual warning not to trust the corrupted update. Based on these results, the evaluator determined that the trusted update functionality was audited sufficiently. See PP-5 Version Update test case for details.

(4) During testing, the evaluator confirmed that audit records follow the expected audit record format as described in the CC Guide, Appendix D Auditable Events, Log Record Format.
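The format check in testing activity (4) can be scripted. The following is an added example, not part of the report or of Dell's tooling: it parses records shaped like the two sample lines quoted in this report and reports which of the fields the report lists (date and time, type of event, subject identity, outcome, and for login events the origin of the attempt) are missing. The regular expressions, the outcome keywords and the last two sample records are assumptions made for illustration.

```python
"""Check audit records against the fields this report lists for FAU_GEN.1."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The first three records are quoted from the report (the address inside "( )"
# is already blank there). The last two are constructed for this example.
SAMPLE_RECORDS = [
    "Oct 6 16:33:43: dv-fedgov-s5000-1: %SEC-6-LOGIN_SUCCESS:Login successful for user sysadmin on line vty0 ( )",
    "00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_PASSED: [sysd] FIPS crypto module selftest passed",
    "00:00:11: %STKUNIT0-M:CP %CRYPTO-5-FIPS_SELF_TEST_FAILED: [sysd] FIPS crypto module selftest failed",
    "Oct 6 16:40:02: dv-fedgov-s5000-1: %SEC-6-LOGIN_SUCCESS:Login successful for user sysadmin on line vty0 (192.0.2.10)",
    "Oct 6 16:41:10: dv-fedgov-s5000-1: link flap on port 3",
]

# Layout inferred from the quoted samples (an assumption, not a vendor grammar):
#   <timestamp>: <origin>[:] %<FACILITY>-<SEVERITY>-<MNEMONIC>: <message>
RECORD_RE = re.compile(
    r"^(?P<timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+)?\d{2}:\d{2}:\d{2}):\s+"
    r"(?P<origin>\S+?):?\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<message>.*)$"
)
USER_RE = re.compile(r"\buser\s+(\S+)")      # "... for user sysadmin ..."
PROCESS_RE = re.compile(r"\[([^\]]+)\]")     # "[sysd] ..." at start of message
ORIGIN_RE = re.compile(r"\(([^)]*)\)\s*$")   # trailing "(address)"


@dataclass
class AuditRecord:
    timestamp: str
    origin: str
    facility: str
    severity: int
    mnemonic: str
    message: str

    @property
    def has_date(self) -> bool:
        # "Oct 6 16:33:43" carries a date; "00:00:11" is time-only.
        return self.timestamp[0].isalpha()

    @property
    def outcome(self) -> Optional[str]:
        # Heuristic (assumption): outcome is read from mnemonic and message text.
        text = f"{self.mnemonic} {self.message}".upper()
        if "FAIL" in text:
            return "failure"
        if "SUCCESS" in text or "PASSED" in text:
            return "success"
        return None


def parse_record(line: str) -> Optional[AuditRecord]:
    """Return the parsed record, or None when the line does not fit the layout."""
    match = RECORD_RE.match(line.strip())
    if match is None:
        return None
    fields = match.groupdict()
    fields["severity"] = int(fields["severity"])
    return AuditRecord(**fields)


def check_record(line: str) -> List[str]:
    """Return findings for one record; an empty list means every field is present."""
    record = parse_record(line)
    if record is None:
        return ["record does not match the documented format"]
    findings = []
    if not record.has_date:
        findings.append("timestamp has no date component")
    if record.outcome is None:
        findings.append("no outcome (success or failure)")
    if not (USER_RE.search(record.message) or PROCESS_RE.match(record.message)):
        findings.append("no subject identity")
    if record.mnemonic.startswith("LOGIN"):
        # Identification and authentication events also need the origin of the attempt.
        origin = ORIGIN_RE.search(record.message)
        if origin is None or not origin.group(1).strip():
            findings.append("login event without origin of the attempt")
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_RECORDS:
        print(check_record(sample) or "ok", "<-", sample)
```

The quoted login record is flagged only because the address inside its parentheses did not survive in this copy of the report; the constructed record with an address passes.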

2.1.2 FAU_STG.1 Protected audit trail storage

TSS Assurance Activities

TSS Assurance Activities:

(1) The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally and how these records are protected against unauthorized modification or deletion.

(2) The evaluator shall ensure that the TSS describes the conditions that must be met for authorized deletion of audit records.

TSS Implementation Details/Results:

(1) The ST, Section 7.1 states that the TOE stores up to 512 audit records of audit data locally. The ST, Section 7.1 states that viewing and clearing of the local audit trail is restricted to Security Administrators using the appropriate CLI commands. There is no direct access to the local audit files; all access is conducted through the management interface, which enforces access control and action logging at all times, thus preventing unauthorized access.

(2) The ST, Section 7.1 states that the on-device audit records exist in a circular buffer and when the buffer gets full, the oldest message is overwritten first. The TOE has a command to clear local logs, and this command is restricted to authorized administrators.

Guidance Assurance Activities

Guidance Assurance Activities:

(1) The evaluator shall examine the guidance documentation to determine that it describes any configuration required for protection of the locally stored audit data against unauthorized modification or deletion.

Guidance Implementation Details/Results:

(1) The evaluator reviewed the CC Guide, Section 5 - Setting up Common Criteria Configuration, Configuring Logging Buffer Size, page 44 that describes how audit data is stored locally. The CC Guide, Section 5, Clearing Audit Logs, page 43, also details that only authorized administrators are capable of modifying or deleting audit records and there is no direct access to the audit storage, thus preventing any unauthorized modification or deletion.

Testing Assurance Activities

Testing Assurance Activities:

The evaluator shall perform the following tests:

(1) Test 1: The evaluator shall access the audit trail as an unauthorized administrator and attempt to modify and delete the audit records. The evaluator shall verify that these attempts fail.

(2) Test 2: The evaluator shall access the audit trail as an authorized administrator and attempt to delete the audit records. The evaluator shall verify that these attempts succeed. The evaluator shall verify that only the records authorized for deletion are deleted.

Testing Implementation Details/Results:

(1) Test 1: The evaluator confirmed through testing that only authorized administrators had access to audit records. The TOE restricts all management functionality, including audit functionality, to authorized administrators. There is no access to the underlying file system outside of the user directory, so file permissions enforced by the OS make it impossible to directly access log files.

(2) Test 2: The evaluator logged in as an authorized administrator, deleted local audit records and observed that the local audit log was cleared out, except for the log entry indicating that log entries were deleted. See PP-2E for details. The TOE restricts all management functionality, including deleting audit records, to authorized administrators.

FAU_STG_EXT.1 Protected audit event Storage

TSS Assurance Activities

TSS Assurance Activities:

(1) The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided.

(2) The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access. Note: If the TOE complies with FAU_STG_EXT.2 the evaluator shall verify that the numbers provided by the TOE according to the selection for FAU_STG_EXT.2 are correct when performing the tests for FAU_STG_EXT.1.3.

(3) The evaluator shall examine the TSS to ensure that it details the behaviour of the TOE when the storage space for audit data is full. When the option "overwrite previous audit record" is selected this description should include an outline of the rule for overwriting audit data. If other actions are chosen such as sending the new audit data to an external IT entity, then the related behaviour of the TOE shall also be detailed in the TSS.

TSS Implementation Details/Results:

(1) The ST, Section 7.1 explains that audit records are transferred in real-time mode to the external audit server using the TLS protocol.

(2) The ST, Section 7.1 explains that the TOE is designed to store up to 500 audit records. When the TOE's local audit storage becomes full, by default the oldest audit records are overwritten. Only authorized administrators can monitor this default behavior through the management interface. There is no direct access to the local audit storage. All local audit records are protected by the TOE's access control functionality.

(3) The ST, Section 7.1 describes that the following actions are possible when the TOE's local storage for audit data is full: Overwrite Oldest Audit Records. This behavior is the default behavior according to the ST.

Guidance Assurance Activities

Guidance Assurance Activities:

(1) The evaluator shall also examine the guidance documentation to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server.

(2) The evaluator shall also examine the guidance documentation to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server. For example, when an audit event is generated, is it simultaneously sent to the external server and the local store, or is the local store used as a buffer and cleared periodically by sending the data to the audit server.

(3) The evaluator shall also ensure that the guidance documentation describes all possible configuration options for FAU_STG_EXT.1.3 and the resulting behaviour of the TOE for each possible configuration. The description of possible configuration options and resulting behaviour shall correspond to those described in the TSS.

Guidance Implementation Details/Results:

(1) The CC Guide, Section 5, Setting Up the Common Criteria Configuration, Configuring SYSLOG Servers, pages 46-47, describes how to establish a trusted channel to the audit server using TLSv1.2 protocol. The version of the syslog server used was rsyslogd version The guidance lists compatible remote audit servers and details the configuration steps for each supported server and the protocol(s) to be used to communicate with that server.

(2) The CC Guide, Section 5, Setting Up the Common Criteria Configuration, Configuring SYSLOG Servers, page 46 describes how audit data is synchronized with the external audit server. The guidance states that when an audit event is generated, it is simultaneously sent to the external server and the local store.

(3) The CC Guide, Section 5, Setting Up the Common Criteria Configuration describes TOE behavior when the TOE's local audit storage is full. The internal buffer is circular and once it fills up, it stores new log messages by overwriting the oldest message first. Because the buffer is circular, it is not possible for the system to exhaust the buffer space.

Testing Assurance Activities

Testing Assurance Activities:

Testing of the trusted channel mechanism for audit will be performed as specified in the associated assurance activities for the particular trusted channel mechanism. The evaluator shall perform the following additional test for this requirement:

Test 1:

(1) The evaluator shall establish a session between the TOE and the audit server according to the configuration guidance provided.

(2) The evaluator shall then examine the traffic that passes between the audit server and the TOE during several activities of the evaluator's choice designed to generate audit data to be transferred to the audit server. The evaluator shall observe that these data are not able to be viewed in the clear during this transfer, and that they are successfully received by the audit server.

(3) The evaluator shall record the particular software (name, version) used on the audit server during testing.

Test 2:

(1) The evaluator shall perform operations that generate audit data and verify that this data is stored locally.

(2) The evaluator shall perform operations that generate audit data until the local storage space is exceeded and verifies that the TOE complies with the behaviour defined in FAU_STG_EXT.1.3. Depending on the configuration this means that the evaluator has to check the content of the audit data when the audit data is just filled to the maximum and then verifies that

a) The audit data remains unchanged with every new auditable event that should be tracked but that the audit data is recorded again after the local storage for audit data is cleared (for the option "drop new audit data" in FAU_STG_EXT.1.3).

b) The existing audit data is overwritten with every new auditable event that should be tracked according to the specified rule (for the option "overwrite previous audit records" in FAU_STG_EXT.1.3).

c) The TOE behaves as specified (for the option "other action" in FAU_STG_EXT.1.3).

Testing Implementation Details/Results:

The evaluator followed the procedures outlined in the guidance to configure TOE audit functionality.

Test 1:

(1) The evaluator followed the CC Guide, Setting Up the Common Criteria Configuration, Configuring SYSLOG Servers to establish a secure session between the TOE and the audit server.

(2) The evaluator examined network traffic, observed a successful TLS protocol handshake followed by encrypted traffic, and concluded that a secure channel was successfully established between the TOE and the remote audit server. During this period, the evaluator observed audit records updated on the remote audit server and concluded that these audit records were sent as part of encrypted traffic. See test case PP-2 for details.

(3) The evaluator used Wireshark v2.2.3 and network packet mirroring to view and capture relevant network traffic exchange between the TOE and the remote audit server running syslog-ng v

Test 2:

(1) The evaluator used a script to repeatedly open administrative sessions using incorrect login credentials in order to fill the local audit log with records of failed login attempts. Prior to running the script, the evaluator issued a command to clear the local audit log.

(2) The evaluator took note of the timestamp for the clear log audit log entry and observed its deletion when the local log filled with approximately 500 records. This observation confirmed that the oldest audit record was deleted first, which is consistent with how it is described in the ST. See test case PP-2C for details.
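The FAU_STG.1 and FAU_STG_EXT.1.3 checks described above can be reproduced against a small model of the local audit store. The following Python is an added example, not code from the report, the TOE or the test lab; the class, method, event and role names are assumptions, while the 500-record capacity, the overwrite-oldest rule and the retained "log cleared" entry come from the report.

```python
from collections import deque
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class AuditRecord:
    seq: int      # monotonically increasing sequence number
    event: str    # event name (hypothetical values, e.g. "LOGIN_FAILED")
    user: str     # identity associated with the event


class LocalAuditLog:
    """Fixed-size circular audit buffer: a new record evicts the oldest one."""

    def __init__(self, capacity=500):
        self._buf = deque(maxlen=capacity)  # deque drops from the left when full
        self._seq = count(1)

    def record(self, event, user):
        rec = AuditRecord(next(self._seq), event, user)
        self._buf.append(rec)
        return rec

    def clear(self, user, role):
        """Clear the log; only the (assumed) 'security-admin' role may do so."""
        if role != "security-admin":
            # Assumption: denied attempts are audited too, in line with the
            # report's statement that the management interface logs actions.
            self.record("LOG_CLEAR_DENIED", user)
            raise PermissionError("clearing the audit log requires security-admin")
        self._buf.clear()
        # The clear action itself becomes the first record of the fresh log.
        return self.record("LOG_CLEARED", user)

    def records(self):
        return list(self._buf)

    def __contains__(self, rec):
        return rec in self._buf


def fill_until_evicted(log, marker, limit=10_000):
    """Generate failed-login records until `marker` is overwritten.

    Returns how many records had to be generated, mirroring the evaluator's
    procedure of watching for the clear-log entry to disappear.
    """
    for generated in range(1, limit + 1):
        log.record("LOGIN_FAILED", "unknown")
        if marker not in log:
            return generated
    raise RuntimeError("marker never evicted; buffer is not overwriting oldest")


def is_oldest_first(log):
    """True if the retained records are contiguous and in sequence order,
    i.e. nothing other than the oldest entries has been dropped."""
    seqs = [r.seq for r in log.records()]
    if not seqs:
        return True
    return seqs == list(range(seqs[0], seqs[0] + len(seqs)))


if __name__ == "__main__":
    log = LocalAuditLog(capacity=500)
    marker = log.clear("admin", "security-admin")
    needed = fill_until_evicted(log, marker)
    print(f"clear-log entry evicted after {needed} new records; "
          f"oldest-first: {is_oldest_first(log)}")
```
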

2.2 Cryptographic Support (FCS)

SFR: FCS_CKM.1 Cryptographic Key Generation

TSS Assurance Activities

TSS Assurance Activities:

The evaluator shall ensure that the TSS identifies the key sizes supported by the TOE. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.

TSS Implementation Details/Results:

The TOE performs cryptographic key generation via the OpenSSL Cryptographic Library Version 2.4, which was tested according to the Cryptographic Algorithm Validation Program (CAVP) and was awarded a certificate covering RSA-based key establishment. The ST, Section (FCS_CKM.1) states that the TOE generates the following key sizes: 2048 bits, 3072 bits that meet the following schemes: RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, Digital Signature Standard (DSS), Appendix B.3. This matches the ST, Section 7.2 (TSS) that identifies asymmetric key generation algorithm in Table

Guidance Assurance Activities

Guidance Assurance Activities:

The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key generation scheme(s) and key size(s) for all uses defined in this PP.

Guidance Implementation Details/Results:

The CC Guide, Section 5, Setting Up Common Criteria Configuration, Generate SSH Server RSA Host Keys, Page 31 instructs the administrator how to configure the TOE to use RSA keys with a cryptographic key size of 2048 bits.

Testing Assurance Activities

Testing Assurance Activities: N/A

Testing Implementation Details/Results:

The evaluator verified that the TOE implements key generation as validated by the FIPS CAVP for RSA #2334 using the exact version of the cryptographic module following appropriate installation and usage guidance. This validates the claim of conformance for asymmetric key generation to FIPS

SFR: FCS_CKM.2 Cryptographic Key Establishment

TSS Assurance Activities

TSS Assurance Activities:

The evaluator shall ensure that the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.

TSS Implementation Details/Results:

The TOE implements the following RFC-compliant protocols: SSH, TLS supporting RSA-based (RSA CAVP #2334) key derivation. The TOE follows recommendations outlined in the NIST SP B Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography requirements as part of RSA-based key establishment. However, to support RFC-compliant secure channel protocols the TOE implements NIST SP TLS and SSH key derivation functions (KDF). The key derivation is validated by SP KDF (CVL #1047).

Guidance Assurance Activities

Guidance Assurance Activities:

The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s).

Guidance Assurance Activities Details/Results:

The key derivation schema supported by the TOE is not directly configurable by the administrator; instead, it is tied to RFC-compliant protocol implementation. The CC Guide, Section 5, Setting Up the Common Criteria Configuration, Enabling SSH and Disabling Telnet describes how to configure SSH protocol.

Testing Assurance Activities

Testing Assurance Activities:

The evaluator shall verify the implementation of the key establishment schemes supported by the TOE. The evaluator shall verify that the TSS describes whether the TOE acts as a sender, a recipient, or both for RSA-based key establishment schemes.

Testing Assurance Activities Details/Results:

During testing, the evaluator observed successful negotiation of TLS and SSH with RSA and concluded that the claimed key derivation, utilized according to RFC specifications of the protocol, is supported by the TOE. The evaluator verified that the ST, Section 7.2, details that the TOE acts as a sender of secret keying material for RSA key establishment.

SFR: FCS_CKM_EXT.4 Cryptographic Key Destruction

TSS Assurance Activities

TSS Assurance Activities:

(1) The evaluator shall check to ensure the TSS lists each type of plaintext key material and its origin and storage location.

(2) The evaluator shall verify that the TSS describes when each type of key material is cleared (for example, on system power off, on wipe function, on disconnection of trusted channels, when no longer needed by the trusted channel per the protocol, etc.).

(3) The evaluator shall also verify that, for each type of key, the type of clearing procedure that is performed (cryptographic erase, overwrite with zeros, overwrite with random pattern, or block erase) is listed. If different types of memory are used to store the materials to be protected, the evaluator shall check to ensure that the TSS describes the clearing procedure in terms of the memory in which the data are stored (for example, "secret keys stored on flash are cleared by overwriting once with zeros, while secret keys stored on the internal persistent storage device are cleared by overwriting three times with a random pattern that is changed before each write").


Security Target. Juniper Networks Mx Routers, PTX Routers and EX9200 Switches. ST Version 1.0. December 10, 2015 Security Target Juniper Networks Mx Routers, PTX Routers and EX9200 Switches running Junos OS 14.2R3 ST Version 1.0 December 10, 2015 Version 1.0 2015 Juniper Networks Page 1 of 64 Prepared By: Juniper

More information

Security Target. Juniper Networks EX4300 Switch Running Junos OS 14.1X53-D30. ST Version 1.0. December 10, 2015

Security Target. Juniper Networks EX4300 Switch Running Junos OS 14.1X53-D30. ST Version 1.0. December 10, 2015 Security Target Juniper Networks EX4300 Switch Running Junos OS 14.1X53-D30 ST Version 1.0 December 10, 2015 Version 1.0 2015 Juniper Networks Page 1 of 58 Prepared By: Juniper Networks, Inc. 1133 Innovation

More information

Security Target. Document Version: 1.2. v4.5.0

Security Target. Document Version: 1.2. v4.5.0 m Ixia Network Tool Optimizer 7303 and Vision ONE v4.5.0 Security Target Document Version: 1.2 Prepared for: Prepared by: Ixia Corsec Security, Inc. 26601 W. Agoura Road 13921 Park Center Road Calabasas,

More information

Assurance Activities Report for Samsung Galaxy Devices VPN Client on Android 7.1 (IVPNCPP14)

Assurance Activities Report for Samsung Galaxy Devices VPN Client on Android 7.1 (IVPNCPP14) www.gossamersec.com Assurance Activities Report for Samsung Galaxy Devices VPN Client on Android 7.1 (IVPNCPP14) Version 0.3 11/15/17 Prepared by: Gossamer Security Solutions Accredited Security Testing

More information

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017 Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications International Crypto Module Conference May 19, 2017 Synopsis Background NIAP policy relating to cryptographic requirements NIAP

More information

FireEye NX Series Appliances

FireEye NX Series Appliances FireEye NX Series Appliances FireEye, Inc. Common Criteria Guidance Addendum Prepared By: Acumen Security 18504 Office Park Dr Montgomery Village, MD 20886 www.acumensecurity.net 1 Table Of Contents 1

More information

Extreme Networks Summit Series Switches Common Criteria Admin Guide

Extreme Networks Summit Series Switches Common Criteria Admin Guide Extreme Networks Summit Series Switches Common Criteria Admin Guide Published: December 2017 Extreme Networks, Inc. Phone / +1 408.579.2800 Toll-free / +1 888.257.3000 www.extremenetworks.com 2017 Extreme

More information

Certification Report

Certification Report Certification Report Lancope Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security

More information

Cisco AnyConnect Secure Mobility Desktop Client

Cisco AnyConnect Secure Mobility Desktop Client Cisco AnyConnect Secure Mobility Desktop Client Security Target Version 1.1 March 24, 2016 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2015 Cisco Systems,

More information

Protection Profile for Server Virtualization

Protection Profile for Server Virtualization Protection Profile for Server Virtualization 14 September 2015 Version 1.1 i 0 Preface 0.1 Objectives of Document This document presents the Common Criteria (CC) Protection Profile (PP) to express the

More information

Protection Profile for Certification Authorities. Version: National Information Assurance Partnership

Protection Profile for Certification Authorities. Version: National Information Assurance Partnership Protection Profile for Certification Authorities Version: 2.1 2017-12-01 National Information Assurance Partnership 1 Revision History Version Date Comment V1.0 2014-05-16 Initial draft V1.1 2016-07-07

More information

Document version: 1.0 November 2017

Document version: 1.0 November 2017 For Xerox AltaLink C8030/C8035/C8045/C8055/C8070 Document version: 1.0 November 2017 Document prepared by Table of Contents 1 Introduction... 4 1.1 Overview... 4 2 CC used for this evaluation... 5 3 Evaluation

More information

Assurance Activity Report for BlackBerry Smartphones with OS VPN Client

Assurance Activity Report for BlackBerry Smartphones with OS VPN Client Assurance Activity Report for BlackBerry Smartphones with OS 10.3.3 VPN Client Version 2.3 24 January 2017 Prepared by: Electronic Warfare Associates-Canada, Ltd. 1223 Michael Street Ottawa, Ontario, Canada

More information

Forum Systems, Inc. Sentry v Security Target. Document Version: 1.2

Forum Systems, Inc. Sentry v Security Target. Document Version: 1.2 Forum Systems, Inc. Sentry v8.1.641 Security Target Document Version: 1.2 Prepared for: Prepared by: Forum Systems, Inc. 199 Wells Avenue, Suite 105 Newton, MA 02459 United States of America Corsec Security,

More information

Certification Report

Certification Report Certification Report Curtiss-Wright Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications

More information

Cisco Catalyst 9400 Series Switches running IOS-XE 16.6

Cisco Catalyst 9400 Series Switches running IOS-XE 16.6 running IOS-XE 16.6 Common Criteria Security Target Version 1.0 10 April 2018 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2018 Cisco Systems, Inc. All

More information

Cisco IoT Industrial Ethernet and Connected Grid Switches running IOS

Cisco IoT Industrial Ethernet and Connected Grid Switches running IOS Cisco IoT Industrial Ethernet and Connected Grid Switches running IOS Common Criteria Security Target Version 2.0 17 March 2017 EDCS 1513388 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman

More information

Extreme Networks Summit Series Switches Security Target Version 2.4 December 19, 2017

Extreme Networks Summit Series Switches Security Target Version 2.4 December 19, 2017 Version 2.4 December 19, 2017 Copyright 2017 Extreme Networks. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Extreme Networks and the

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Dell Networking Platforms running Dell Networking OS v9.11 Report Number: CCEVS-VR-VID10790

More information

National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme

National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report for Thycotic Secret Server Government Edition v10.1 Report Number: CCEVS-VR-VID10953 Dated:

More information

Cisco Jabber for Windows VOIP PP Assurance Activity Report. Pascal Patin ISSUED BY Acumen Security, LLC.

Cisco Jabber for Windows VOIP PP Assurance Activity Report. Pascal Patin ISSUED BY Acumen Security, LLC. Cisco Jabber for Windows VOIP PP Assurance Activity Report Pascal Patin ISSUED BY Acumen Security, LLC. 1 Revision History: Version Version 1.0 Version 1.1 Version 1.2 Version 1.3 Changes Initial Release

More information

Brocade MLXe and NetIron Family Devices with Multi-Service IronWare R

Brocade MLXe and NetIron Family Devices with Multi-Service IronWare R National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Brocade Communications Systems, Inc. Brocade MLXe and NetIron Family Devices with Multi-Service

More information

National Information Assurance Partnership

National Information Assurance Partnership National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Protection Profile for IPsec Virtual Private Network (VPN) Clients, Version 1.1 Report Number:

More information

Cisco Jabber for 11.8 Windows 10 Security Target. Cisco Jabber 11.8 for Windows 10. Security Target. Version May 2017.

Cisco Jabber for 11.8 Windows 10 Security Target. Cisco Jabber 11.8 for Windows 10. Security Target. Version May 2017. Cisco Jabber 11.8 for Windows 10 Security Target Version 0.8 26 May 2017 Page 1 of 37 Table of Contents 1 SECURITY TARGET INTRODUCTION... 8 1.1 ST and TOE Reference... 8 1.2 TOE Overview... 8 1.2.1 TOE

More information

Supporting Document Mandatory Technical Document. Foreword

Supporting Document Mandatory Technical Document. Foreword Supporting Document Mandatory Technical Document PP-Module for Email Clients 2015-06-18 Version: 2.0 National Information Assurance Partnership Foreword This is a Supporting Document (SD), intended to

More information

Hypori Virtual Mobile Infrastructure Platform 4.1 Hypori Client (ios) Common Criteria Assurance Activities Report. Version 1.

Hypori Virtual Mobile Infrastructure Platform 4.1 Hypori Client (ios) Common Criteria Assurance Activities Report. Version 1. Hypori Virtual Mobile Infrastructure Platform 4.1 Hypori Client (ios) Common Criteria Assurance Activities Report Version 1.0, August 17, 2018 Prepared by: Leidos Inc. https://www.leidos.com/cc-fips140

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Protection Profile for Voice over IP (VoIP) Applications, Version 1.3, November 3, 2014 TM

More information

Unisys Stealth Solution Release v3.3 Windows Endpoint Security Target

Unisys Stealth Solution Release v3.3 Windows Endpoint Security Target Unisys Stealth Solution Release v3.3 Windows Endpoint Security Target Version 1.1 10 October 2017 Prepared for: 801 Lakeview Drive Blue Bell, PA 19422 Prepared By: Accredited Testing & Evaluation Labs

More information

D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target

D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target Version 0.7 October 31, 2017 Prepared for: Cog Systems Level 1, 277 King Street Newtown NSW 2042 Australia Prepared

More information

Cisco Jabber for Windows Security Target. Cisco Jabber for Windows. Security Target. Version March 2016 EDCS

Cisco Jabber for Windows Security Target. Cisco Jabber for Windows. Security Target. Version March 2016 EDCS Cisco Jabber for Windows Security Target Version 1.1 22 March 2016 EDCS - 1502603 Page 1 of 41 Table of Contents 1 SECURITY TARGET INTRODUCTION... 8 1.1 ST and TOE Reference... 8 1.2 TOE Overview... 8

More information

Worksheet for the Mobile Device Fundamentals

Worksheet for the Mobile Device Fundamentals Worksheet for the Mobile Device Fundamentals FAU_GEN1 Audit Data Generation FAU_GEN11 The TSF shall be able to generate an audit record of the following auditable events: 1 Start-up and shutdown of the

More information

Cisco Jabber for Android and iphone/ipad. Security Target. Version March Page 1 of 40

Cisco Jabber for Android and iphone/ipad. Security Target. Version March Page 1 of 40 Cisco Jabber for Android and iphone/ipad Security Target Version 1.1 24 March 2017 Page 1 of 40 Table of Contents 1 SECURITY TARGET INTRODUCTION... 8 1.1 ST and TOE Reference... 8 1.2 TOE Overview... 8

More information

Cisco Unified Communications Manager IM and Presence Service (IM & P)11.5SU3 running on Cisco Unified Computing System (Cisco UCS) C220 M4S

Cisco Unified Communications Manager IM and Presence Service (IM & P)11.5SU3 running on Cisco Unified Computing System (Cisco UCS) C220 M4S Cisco Unified Communications Manager IM and Presence Service (IM & P)11.5SU3 running on Cisco Unified Computing System (Cisco UCS) C220 M4S and UCS C240 M4S Common Criteria Security Target Version 1.0

More information

Brocade Directors and Switches using Fabric OS v8.1.0

Brocade Directors and Switches using Fabric OS v8.1.0 National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 USA Brocade Directors

More information

Security Target. FortiGate UTM appliances running FortiOS 5.0 Patch Release 10

Security Target. FortiGate UTM appliances running FortiOS 5.0 Patch Release 10 Security Target FortiGate UTM appliances running FortiOS 5.0 Patch Release 10 Common Criteria Evaluation with Network Device Protection Profile v1.1 Errata #3, Stateful Traffic Filter Firewall Extended

More information

SonicWall SonicOS Enhanced V6.2 VPN Gateway on NSA, SM, and TZ Appliances

SonicWall SonicOS Enhanced V6.2 VPN Gateway on NSA, SM, and TZ Appliances SonicWall SonicOS Enhanced V6.2 VPN Gateway on NSA, SM, and TZ Appliances Doc No: 2042-000-D102 Version: 1.9P 4 June 2018 SonicWall, Inc. 1033 McCarthy Blvd, Milpitas, California, U.S.A. 95035 Prepared

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Protection Profile for IPsec Virtual Private Network (VPN) Clients, Version 1.4, October 21

More information

Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (IVPNCPP14) Security Target

Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (IVPNCPP14) Security Target Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (IVPNCPP14) Security Target Version 1.2 2015/04/09 Prepared for: Samsung Electronics Co., Ltd. 416 Maetan-3dong, Yeongtong-gu, Suwon-si, Gyeonggi-do,

More information

Apple Inc. Apple ios 10.2 VPN Client Security Target

Apple Inc. Apple ios 10.2 VPN Client Security Target Apple Inc. Apple ios 10.2 VPN Client Security Target July 2017 Version 1.0 VID: 10792 Prepared for: Apple Inc. 1 Infinite Loop Cupertino, CA 95014 www.apple.com Prepared by: Acumen Security, LLC. 18504

More information

Venafi Trust Protection Platform SWAPP Assurance Activity Report

Venafi Trust Protection Platform SWAPP Assurance Activity Report Venafi Trust Protection Platform SWAPP Assurance Activity Report Pascal Patin ISSUED BY Acumen Security, LLC 1 Revision History: Version Date Changes Version 1.0 7/15/2017 Initial Release Version 1.1 9/8/2017

More information

Alcatel-Lucent Enterprise OmniSwitches with AOS R04 and AOS R01 Security Target

Alcatel-Lucent Enterprise OmniSwitches with AOS R04 and AOS R01 Security Target Version: Part Number: Status: Last Update: Classification: 1.0 014566-00 Final 2017-09-29 Public Trademarks atsec is a trademark of atsec information security corporation in the United States, other countries,

More information

Cisco IoT Industrial Ethernet and Connected Grid Switches running IOS

Cisco IoT Industrial Ethernet and Connected Grid Switches running IOS National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Cisco Systems, Inc. 170 West Tasman Drive, San Jose, CA 95134-1706 Cisco IoT Industrial Ethernet

More information

Supporting Document Mandatory Technical Document. Full Drive Encryption: Authorization Acquisition. January Version 1.

Supporting Document Mandatory Technical Document. Full Drive Encryption: Authorization Acquisition. January Version 1. Supporting Document Mandatory Technical Document Full Drive Encryption: Authorization Acquisition January 2015 Version 1.0 CCDB-2015-01-003 Foreword This is a supporting document, intended to complement

More information

Infoblox Trinzic Appliances with NIOS v8.2.6 Security Target

Infoblox Trinzic Appliances with NIOS v8.2.6 Security Target Infoblox Trinzic Appliances with NIOS v8.2.6 Security Target Version 1.1 17 September 2018 Prepared for: Infoblox 4750 Patrick Henry Drive Santa Clara, CA 95054 Prepared By: Leidos Accredited Testing &

More information

Assurance Activity Report (AAR) for a Target of Evaluation

Assurance Activity Report (AAR) for a Target of Evaluation Assurance Activity Report (AAR) for a Target of Evaluation Cisco Jabber for Android and iphone/ipad Version 11.7 Security Target Version.9, March 2017 Protection Profile for Voice Over IP (VoIP) Applications

More information

Brocade FastIron SX, ICX, and FCX Series Switch/Router

Brocade FastIron SX, ICX, and FCX Series Switch/Router National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Brocade FastIron

More information

FIPS 140 & CC How do they get along

FIPS 140 & CC How do they get along FIPS 140 & CC How do they get along Dawn Adams and Erin Connor EWA-Canada 22 September 2010 Overview Introduction FIPS 140 Overview Cryptography Under the CC CC SFRs in FIPS 140 The FCS Class FCS Logistics

More information

Cisco Aggregation Services Router 9000

Cisco Aggregation Services Router 9000 Cisco Aggregation Services Router 9000 Security Target Version 1.0(e) April 11, 2018 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2018 Cisco Systems, Inc.

More information

CCEVS APPROVED ASSURANCE CONTINUITY MAINTENANCE REPORT

CCEVS APPROVED ASSURANCE CONTINUITY MAINTENANCE REPORT TM ASSURANCE CONTINUITY MAINTENANCE REPORT FOR Aruba Remote Access Points Maintenance Update of Aruba Remote Access Points Maintenance Report Number: CCEVS-VR-VID10766-2017a Date of Activity: September

More information

Assurance Activity Report for Cisco Catalyst 6K Series Switches

Assurance Activity Report for Cisco Catalyst 6K Series Switches www.gossamersec.com Assurance Activity Report for Cisco Catalyst 6K Series Switches Version 0.3 12/18/15 Prepared by: Gossamer Security Solutions Accredited Security Testing Laboratory Common Criteria

More information

Apple Inc. Apple ios 11 VPN Client Security Target

Apple Inc. Apple ios 11 VPN Client Security Target Apple Inc. Apple ios 11 VPN Client Security Target Prepared for: Apple Inc. 1 Infinite Loop Cupertino, CA 95014 www.apple.com Prepared by: Acumen Security, LLC. 18504 Office Park Drive Montgomery Village,

More information