NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Ciena Carrier Ethernet Solutions (CES) 3900 series and 5100 series

Certificate Date:  2019.03.26

Validation Report Number:  CCEVS-VR-VID10921-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The Ciena Carrier Ethernet Solutions 3900/5100 Series. The TOE is a family of standalone network hardware appliances that run on the Ciena Service Aware Operating System (SAOS) 6.17 with uniform security functionality between each of the hardware appliances. The exception being that the 5170 model which runs SAOS 8.6.1. SAOS is a Linux-based operating system.

Evaluated Configuration

The TOE is the Ciena Carrier Ethernet Solutions (CES) 3900/5100 Series family of network switches. The models evaluated are: 3903, 3904, 3905, 3906, 3916, 3926M, 3930-900/910, 3931-900/910, 3932, 3930-930, 3942, 5142, CN 5150, 5160, 5170. The TOE also includes the ‘advanced security’ license in its evaluated configuration, which allows the TOE to operate as an SSH server for secure remote administration.

The following lists components and applications in the environment that the TOE relies upon in order to function properly:

  • Management Workstation: Any general-purpose computer that is used by an administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client, or locally, in which case the management workstation must be physically connected to the TOE using the serial port and must use a terminal emulator that is compatible with serial communications. Alternatively, the workstation can physically be connected to the TOE using the craft port, which is an Ethernet port through which the TOE can be managed locally using a SSH Client.
  • Audit Server: A general-purpose computer that runs a script to pull audit records from the TOE automatically, using the TL1 interface over SSH/secure file transfer protocol (SFTP).
  • Update Server:  A server that supports SSH/SFTP and that is used as a location for storing product updates that can be transferred to the TOE.
  • Certification Authority/OCSP Responder: A server that acts as a trusted issuer of digital certificates and identifies revoked certificates.
  • RADIUS Server: A system that is capable of receiving authentication requests using RADIUS over TLS and validating these requests against identity and credential data that is defined in a RADIUS directory.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The Ciena Carrier Ethernet Solution 3900/5100 Series was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Ciena Carrier Ethernet Solution 3900/5100 Series Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10921-2019 prepared by CCEVS.

Environmental Strengths

Security Audit

The TOE contains mechanisms to generate audit data to record predefined events on the TOE. Each audit record contains the user information, time stamp, message briefly describing what actions were performed, outcome of the event, and severity. All audit record information is associated with the user of the TOE that caused the event where applicable. Locally-stored audit data is read-only with the exception of a Security Administrator capable of deleting logs. Audit data can be securely transmitted to a remote storage location using SFTP or to a remote syslog server using TLS.

Cryptographic Support

The TOE provides cryptography in support of TLS and SSH trusted communications. Asymmetric keys that are used by the TSF are generated in accordance with FIPS PUB 186-4 and RFC 3526. Keys are established according to NIST SP 800-56A Revision 2, NIST SP 800-56B Revision 1 and RFC 3526.

The TOE uses software-based cryptography to provide cryptographic services using the OpenSSL FIPS Object Module (FOM) version 2.0.12 with CMVP certificate #1747. Both SAOS 6.17 and SAOS 8.6.1 use OpenSSL module 2.0.12.

The TOE uses FIPS-validated cryptographic algorithms to provide cryptographic services. The TOE uses CAVP-validated cryptographic algorithms to ensure that appropriately strong cryptographic algorithms are used for these trusted communications:



Algorithm Cert


Cert. #



5419, 5665



1872, 2048



2114, 2287



1440, 1531



3589, 3770



2903, 3047



4350, 4539


The TOE collects entropy from a source contained within the device to ensure sufficient randomness for secure key generation. Cryptographic keys are destroyed when no longer needed.


Identification and Authentication

Users authenticate to the TOE as administrators either via the local console or remotely using SSH for management of the TSF. All users must be identified and authenticated to the TOE before being allowed to perform any actions on the TOE. Users are authenticated either through a locally-defined username/password combination, RADIUS, or through SSH public key-based authentication, depending on the configuration of the TSF and the method used to access the TOE. The TOE provides complexity rules that ensure that user-defined passwords will meet a minimum security strength. As part of connecting to the TOE locally using the management workstation, password data will be obfuscated as it is being input. When the configured amount of failed authentication attempts is reached, the user is locked out for configurable amount of time. The Super role can also manually unlock the user).

Security Management

The TOE maintains distinct roles for user accounts: Limited, Admin, and Super. These roles define the management functions authorized for each user on the TOE. A user who is assigned one of these roles is considered to be an administrator of the TOE, but the functions they are authorized to perform will differ based on the assigned role. The three roles are hierarchical, so each role has all of the privileges of the role(s) below it.

The Limited user is a read-only user, so any commands the user performs on the TOE will only allow the user to view different attributes and settings. The next level role is the Admin user who can perform all system configurations, set the time, configure cryptographic functionality, view/edit audit data, and initiate updates. Following the Admin role is the Super role. An administrator with the Super role can perform all system configurations including user management, including creating and deleting users on the TOE, transferring audit data to a remote location. All administration of the TOE can be performed locally using a management workstation with a terminal client, or remotely using an SSH remote terminal application.

Protection of the TSF

The TOE is expected to ensure the security and integrity of all data that is stored locally and accessed remotely. The TOE stores passwords in an obfuscated format. The cryptographic module prevents the unauthorized disclosure of secret cryptographic data, and administrative passwords are hashed using SHA-512. The TOE maintains system time via its local hardware clock which is manually set by an administrator. TOE software updates are acquired using SFTP and initiated using the CLI. The TOE software version is administratively verifiable and software updates are signed to provide assurance of their integrity. The TSF also validates its correctness through the use of self-tests for both cryptographic functionality and integrity of the system software.

TOE Access

The TOE can terminate inactive sessions after an administrator-configurable time period. The TOE also allows users to terminate their own interactive session. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session. The TOE displays a configurable warning banner prior to use of the TSF.

Trusted Path/Channels

A trusted path is established to the TOE using SSHv2 for remote administration. The TOE establishes trusted channels for sending audit data to remote syslog server, for downloading software updates, and authenticating to the RADIUS server. Audit logs are sent to a remote syslog server using TLS or using SFTP (FTP over SSH) to a remote audit server. An SSH trusted channel is established to download updates using SFTP from an update server. The trusted channel to the RADIUS server is protected by TLS.

Vendor Information

Kevin Meagher
Site Map              Contact Us              Home