NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - HPE Moonshot-180XGc, 45XGc, 45Gc switch

Certificate Date:  2016.02.17

Validation Report Number:  CCEVS-VR-VID10660-2016

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Network Devices Version 1.1

CC Testing Lab:  Gossamer Security Solutions

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is the Hewlett Packard Enterprise Moonshot-180XGc, 45XGc, 45Gc Switch Modules.  The Moonshot Switches are switch appliances that provide network connectivity for the following: Cloud computing, service providers, Web2.0, health care, Universities, Government agencies and for use in HPE enclosures. The Moonshot Switches include the HPE Comware V7.1 network operating system, which delivers enterprise grade resiliency and is designed for data center convergence with full support for IEEE Data Center Bridging (DCB) for lossless Ethernet, and Fibre Channel over Ethernet (FCoE) protocols. The switches support IETF industry standard TRILL (Transparent Interconnection of Lots of Links) that enables loop free large Layer 2 networks with multi-path support. The switch provides Intelligent Resilient Framework (IRF) which enables multiple switches to be virtualized and managed as a single entity with HPE's Intelligent Management Center (IMC). The IMC is not within the scope of the evaluation. Management of the IRF group can and should occur via any of the IRF group members by an authorized administrator using the CLI.

In the evaluated configuration, the switches can be deployed as a single switch device or alternately as a group of up to four devices connected using the HPE Intelligent Resilient Framework (IRF) technology to effectively form a logical switch device. The IRF technology requires that devices be directly connected to one another using an IRF stack using one or more dedicated Ethernet connections that are used to coordinate the overall logical switch configuration and also to forward applicable network traffic as necessary between attached devices. The IRF technology does not require that switches be co-located, but can be attached using standard LACP for automatic load balancing and high availability. Note that the IRF connections are not secured (e.g., using encryption) by the TOE, so the IRF group members must be collocated and the IRF connections need to be as protected as the IRF group devices themselves.

The Moonshot Switches support uplink modules and plug-in modules, which provide additional functionality (e.g., various numbers and types of network connection ports). All of the available plug-in modules are included in the evaluated configuration.

Evaluated Configuration

The evaluated configuration consists of the Hewlett Packard Enterprise Moonshot-180XGc, 45XGc, 45Gc Switch Modules.  The software on all models is Comware V7.1. Each Module can optionally use any of the following Uplink Modules since they do not affect any of the claimed security functions but rather serve to extend available network connectivity:

  • HPE Moonshot–4QSFP+ Uplink Module
  • HPE Moonshot-16SFP+ Uplink Module
  • HPE Moonshot-6SFP+ Uplink Module

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Hewlett Packard Enterprise Moonshot-180XGc, 45XGc, 45Gc Switch Modules TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.  Gossamer Security Solutions determined that the evaluation assurance level (EAL) for the product is EAL 1.  The product, when delivered and configured as identified in the Preparative Procedures for CC NDPP Evaluated HPE Moonshot-180XGc, 45Gc and 45XGc Switch Module based on Comware V7.1, Version 1.1, February 9, 2016 document, satisfies all of the security functional requirements stated in the Hewlett Packard Enterprise Moonshot 180XGc, 45XGc, 45Gc Switch Modules (NDPP11e3) Security Target, Version 0.3, February 5, 2016.  The project underwent CCEVS Validator review.  The evaluation was completed in December 2015.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10660-2016) prepared by CCEVS.

Environmental Strengths

The logical boundaries of the Hewlett Packard Enterprise Moonshot-180XGc, 45XGc, 45Gc Switch Modules TOE are realized in the security functions that it implements. Each of these security functions is summarized below.

Security Audit - The TOE is designed to be able to generate logs for a wide range of security relevant events. The TOE can be configured to store the logs locally so they can be accessed by an administrator or alternately to send the logs to a designated syslog server

Cryptographic Support - The TOE includes NIST-validated cryptographic mechanisms that provide key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher level cryptographic protocols, including IPsec and SSHv2. Note that in the evaluated configuration, the TOE must be configured in FIPS mode to ensure that CAVP tested functions are used.  

User Data Protection - The TOE supports a wide variety of network access control functions. While implementing its network access control functions, the TOE is carefully designed to ensure that it doesn’t inadvertently reuse network or management data. This is accomplished primarily by clearing and zero-padding of memory structures and packet buffers when allocated. 

Identification and Authentication - The TOE requires users (i.e., administrators) to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers both a locally connected console and a network accessible interface (SSHv2) for interactive administrator sessions.

The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. Additionally, the TOE can be configured to use the services of trusted RADIUS and TACACS+ servers in the operational environment to support, for example, centralized user administration.

Security Management - The TOE provides Command Line (CLI) commands (locally via a serial console or remotely via SSH) to access the available functions to manage the TOE security functions and network access control functions. Security management commands are limited to authorized users (i.e., administrators) only after they have been correctly identified and authenticated. The security management functions are controlled through the use of Admin Roles that can be assigned to TOE users.

TSF Protection - The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.

It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. The TOE uses a clock managed by the OS for reliable time clock information that the TOE uses (e.g., for log accountability).

The TOE uses cryptographic means to protect communication with remote administrators. When the TOE is configured to use the services of a Syslog server or authentication servers in the operational environment, the communication between the TOE and the operational environment component is protected using encryption.

The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE

TOE Access - The TOE can be configured to display a message of the day banner when an administrator establishes an interactive session and subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated.

Trusted Path/Channels - The TOE protects interactive communication with administrators using SSHv2 for CLI access. Using SSHv2, both integrity and disclosure protection is ensured. The TOE protects communication with network peers, such as a log server, and authentication servers (RADIUS and TACACS+) using IPsec connections to prevent unintended disclosure or modification of logs.

Vendor Information

Hewlett Packard Enterprise Company
Bob Pittman
Site Map              Contact Us              Home