Compliant Product - Siemens RUGGEDCOM ROS v4.2.2.F running on the M969F, RS900F, RS900GF, RS900GPF, RS940GF, M2100F, RSG2100F, RSG2100PF, M2200F, RSG2200F, RSG2300F, RSG2300PF, RS400F, RS416F, RS416PF, RSG2488F switches
Certificate Date: 2018.08.21
Validation Report Number: CCEVS-VR-VID10877-2018
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
CC Testing Lab: COACT, Inc. Labs
The Siemens RUGGEDCOM switches provide Ethernet switching capabilities in a ruggedized enclosure for customer networks in virtually any environment. They are primarily deployed in settings such as power distribution, refineries, and traffic control systems.
The RUGGEDCOM switches are highly configurable and can be customized with a number of different line modules and power supply combinations. The line modules provide 10/100/1000BaseTX Ethernet, serial, and fiber interfaces that are used to send and receive user data. Customers choose a configuration that suits the targeted network and Siemens assembles the RUGGEDCOM switches according to the specific configuration.
The RUGGEDCOM switches are designed specifically to operate in the most adverse conditions and to withstand harsh environmental conditions including temperature and humidity extremes, shock, vibration, and electromagnetic interference.
The evaluated configuration includes the RUGGEDCOM Rugged Operating System (ROS) v4.2.2.F firmware running on the M2100F, M2200F, M969F, RSG2100F, RSG2100PF, RSG2200F, RSG2300F, RSG2300PF, RSG2488F, RS400F, RS416F, RS416PF, RS900F, RS900GF, RS900GPF, and RS940GF RUGGEDCOM switches developed and built by Siemens.
Security Evaluation Summary
The evaluation has been conducted in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme. The Target of Evaluation has been evaluated using the Common Methodology for IT Security Evaluation (Version 3.1, Rev 4) for conformance to the Common Criteria for IT Security Evaluation (Version 3.1, Rev 4), as interpreted by the assurance activities contained in the CPP_ND_V2.0 + Errata 20180314.
The evaluation was performed by the COACT, Inc. Common Criteria Testing Laboratory (CCTL) in Columbia, Maryland, United States of America. The evaluation team determined that the product is both Common Criteria Part 2 Extended and Part 3 Conformant, and meets the assurance requirements set forth in the collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314 (CPP_ND_V2.0E).
The following summarizes the security functionality of the Siemens RUGGEDCOM ROS v4.2.2.F.
Security Audit
The TOE generates audit records for security-relevant actions and records the identity of the administrator responsible for the action. To remotely and securely back up the audit logs, an Administrator can configure the syslog server to call into the TOE and request that audit events be printed to the syslog server over a secure SSH connection. When local logs are filled, the TOE overwrites events in one of two ways: the oldest log record can be overwritten with the new log record, or the oldest log file can be overwritten with the new log file.
Cryptographic Support
The TOE contains cryptographic support that provides key generation, random bit generation, encryption/decryption, digital signature, secure hashing, keyed hashing, and key establishment features in support of higher-level cryptographic protocols including SSH and TLS. The TOE algorithms were validated through the Cryptographic Algorithm Validation Program (CAVP).
Identification and Authentication
The TOE verifies administrator credentials during the login process and ensures that only authorized administrators can gain access to configuration and management settings. The TOE displays an access banner prior to authentication. The TOE enforces an administrator configurable minimum password length and provides obscured feedback when passwords are being entered. After a configurable number of failed login attempts, authentication is blocked by disabling the authentication mechanism on the affected service until the configured lockout time expires. The TOE uses an X.509 certificate to support authentication for TLS/HTTPS. The server certificate and the trust anchor certificates are stored within a trust store on the TOE, and the revocation status of uploaded certificates is obtained from an external Online Certificate Status Protocol (OCSP) server.
Security Management
The TOE provides a web interface and a terminal-based menu for administrators to manage the security functions, configuration, and other features of the TOE. The security management function specifies user roles with defined access for the management of the TOE components. Updating the TOE, modifying the configuration file, configuring the access banner, setting the inactivity timeout, configuring authentication failure parameters, configuring time, and re-enabling the Administrator account are all functions restricted to the Security Administrator.
Protection of the TSF
The TOE invokes a set of self-tests each time the TOE is powered on to ensure that the TSF operates correctly. The TOE also provides a reliable timestamp for its own use. An Administrator can manually set the time for the TOE. A digital signature using an RSA public key is used to verify all software updates that are applied to the TOE. The TOE prevents an administrator from reading the keys stored in the TOE. Passwords are stored in obfuscated form to prevent them from being read in plaintext.
TOE Access
The TOE terminates local and remote management sessions after an administrator-configurable time period of inactivity. The TOE also provides administrators the capability to manually terminate the session prior to the inactivity timeout. After an administrator's session is terminated, the administrator must log in again to regain access to TOE functionality. A login banner is displayed at the login screen of the web interface and prior to authentication over the terminal-based menu.
Trusted Path / Channels
The cryptographic functionality of the TOE provides the TOE the ability to create trusted paths and trusted channels. The TOE implements a trusted channel using SSHv2 between itself and a remote server to protect audit data in transit. Additionally, the TOE provides trusted paths between administrators and the web interface via TLS/HTTPS and the terminal-based menu via SSHv2.
Siemens Canada Ltd.