NIAP: Compliant Product
Compliant Product - Hewlett Packard Enterprise 7900 Series, 7500 Series, 5700 Series, 5130 EI Series, 5130 HI Series and 5510 HI Series Switches with Comware 7

Certificate Date:  2016.03.04

Validation Report Number:  CCEVS-VR-VID10671-2016

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Network Devices Version 1.1

CC Testing Lab:  Leidos Common Criteria Testing Laboratory


Product Description

The Target of Evaluation (TOE) is the Hewlett Packard Enterprise 7900 Series, 7500 Series, 5700 Series, 5510 HI Series, 5130 HI and 5130 EI Series Switches, as follows:


HP 7900

Software Identification: Comware V7.1.045 R2138 P02

Hardware Identification:

  • HP FlexFabric 7904 Switch Chassis (JG682A)
  • HP FlexFabric 7910 Switch Chassis (JG841A) with one or both of the following modules:
      1. HP FlexFabric 7910 – 7.2Tbps Fabric / Main Processing Unit (JG842A)
      2. HP FlexFabric 7910 – 2.4Tbps Fabric / Main Processing Unit (JH001A)

HP 7500

Software Identification: Comware V7.1.045 R7170

Hardware Identification:

  • HP 7502 Switch Chassis (JD242C) with HP 7502 Main Processing Unit (JH208A)
  • HP 7503 Switch Chassis (JD240C)
  • HP 7506 Switch Chassis (JD239C)
  • HP 7510 Switch Chassis (JD238C)

The 7503, 7506, 7506-V and 7510 require one of the following:

  • HP 7500 1.2Tbps Fabric w/ 2-port 40GbE for IRF-Only Main Processing Unit (JH207A), or
  • HP 7500 2.4Tbps Fabric w/ 8-port GbE/10GbE and 2-port 40GbE User Ports Main Processing Unit (JH209A)

HP 5700

Software Identification: Comware V7.1.045 R2423

Hardware Identification:

  • HP FlexFabric 5700-40XG-2QSFP+ Switch (JG896A)
  • HP FlexFabric 5700-48G-4XG-2QSFP+ Switch (JG894A)
  • HP FlexFabric 5700-32XGT-8XG-2QSFP+ Switch (JG898A)
  • HP FlexFabric 5700-40XG-2QSFP+ TAA-Compliant Switch (JG697A)
  • HP FlexFabric 5700-48G-4XG-2QSFP+ TAA-Compliant Switch (JG895A)
  • HP FlexFabric 5700-32XGT-8XG-2QSFP+ TAA-Compliant Switch (JG899A)

HP 5130 EI

Software Identification: Comware V7.1.045 R3109 P16

Hardware Identification:

  • HP 5130-24G-4SFP+ EI Switch (JG932A)
  • HP 5130-24G-SFP-4SFP+ EI Switch (JG933A)
  • HP 5130-48G-4SFP+ EI Switch (JG934A)
  • HP 5130-24G-PoE+-4SFP+ (370W) EI Switch (JG936A)
  • HP 5130-48G-PoE+-4SFP+ (370W) EI Switch (JG937A)
  • HP 5130-24G-4SFP+ EI TAA-compliant Switch (JG942A)
  • HP 5130-24G-SFP-4SFP+ EI TAA-compliant Switch (JG943A)
  • HP 5130-48G-4SFP+ EI TAA-compliant Switch (JG944A)
  • HP 5130-24G-PoE+-4SFP+ (370W) EI TAA-compliant Switch (JG946A)
  • HP 5130-48G-PoE+-4SFP+ (370W) EI TAA-compliant Switch (JG947A)

HP 5130 HI

Software Identification: Comware V7.1.045 R1116

Hardware Identification:

  • HP 5130-24G-4SFP+ HI Switch with 1 Slot (JH323A)
  • HP 5130-48G-4SFP+ HI Switch with 1 Slot (JH324A)
  • HP 5130-24G-PoE+-4SFP+ HI Switch with 1 Slot (JH325A)
  • HP 5130-48G-PoE+-4SFP+ HI Switch with 1 Slot (JH326A)

HP 5510 HI

Software Identification: Comware V7.1.045 R1118

Hardware Identification:

  • HPE 5510 24G 4SFP+ HI 1-slot Switch (JH145A)
  • HPE 5510 24G PoE+ 4SFP+ HI 1-slot Switch (JH147A)
  • HPE 5510 24G SFP 4SFP+ HI 1-slot Switch (JH149A)
  • HPE 5510 48G 4SFP+ HI 1-slot Switch (JH146A)
  • HPE 5510 48G PoE+ 4SFP+ HI 1-slot Switch (JH148A)

Each device in the TOE is a stand-alone gigabit Ethernet switch that implements network layers 2 and 3 switching, service and routing operations.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Hewlett Packard Enterprise 7900 Series, 7500 Series, 5700 Series, 5510 HI Series, 5130 HI and 5130 EI Series Switches were evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 4. The product, when delivered and configured as identified in Preparative Procedures for CC NDPP Evaluated HPE 7900 Series, 7500 Series, 5700 Series, 5510HI Series, 5130HI and 5130EI Series Switch Modules based on Comware V7.1, satisfies all of the security functional requirements stated in Hewlett Packard Enterprise 7900 Series, 7500 Series, 5700 Series, 5130 EI Series, 5130 HI Series and 5510 HI Series Switches Security Target.  The project underwent CCEVS Validator review.  The evaluation was completed in February 2016.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Security Audit

The TOE is able to generate audit records of security relevant events. The TOE can be configured to store the audit records locally so they can be accessed by an administrator or alternately to send the audit records to a designated log server.

Cryptographic Support

The TOE includes NIST-validated cryptographic mechanisms that provide key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher level cryptographic protocols, including IPsec and SSHv2.  Note that in the evaluated configuration, the TOE must be configured in FIPS mode, which ensures the TOE uses only FIPS-approved and NIST-recommended cryptographic algorithms.

User Data Protection

The TOE performs network switching and routing functions, passing network traffic among its various physical and logical network connections. While implementing applicable network protocols associated with network traffic forwarding, the TOE employs mechanisms to ensure that it does not inadvertently reuse data found in network traffic.

Identification and Authentication

The TOE requires users (i.e., administrators) to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers both a locally connected console and a network accessible interface (SSHv2) for interactive administrator sessions.

The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. Additionally, the TOE can be configured to utilize the services of trusted RADIUS and TACACS+ servers in the operational environment to support, for example, centralized user administration.

Security Management

The TOE provides a Command Line Interface to access its security management functions. Security management commands are limited to administrators and are available only after they have provided acceptable user identification and authentication data to the TOE.

Protection of the TSF

The TOE implements a number of features to protect itself to ensure the reliability and integrity of its security features. It protects data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (for example, for log accountability).

The TOE uses cryptographic means to protect communication with remote administrators. When the TOE is configured to use the services of a syslog server or authentication servers in the operational environment, the communication between the TOE and the operational environment component is protected using encryption.

The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms to ensure updates to the TOE will not introduce malicious or other unexpected changes in the TOE.

TOE Access

The TOE can be configured to display an informative banner that will appear prior to authentication when accessing the TOE via the console or SSH interfaces. The TOE can be configured to enforce an administrator-defined inactivity timeout value which, when exceeded, will terminate the inactive session.

Trusted Path/Channels

The TOE protects interactive communication with administrators using SSHv2 for CLI access. Using SSHv2, both integrity and disclosure protection are ensured. The TOE protects communication with network peers, such as audit and authentication servers, using IPsec connections to prevent unintended disclosure or modification of data.

Vendor Information

Hewlett Packard Enterprise Company
Bob Pittman