Compliant Product - Ciena 6500 Packet-Optical Platform
Certificate Date: 2018.09.30
Validation Report Number: CCEVS-VR-VID10922-2018
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
The Ciena 6500 S-Series and D-Series Packet Optical Platform is a family of standalone hardware devices that provide OSI Layer 0/1/2 network traffic management services. The 6500 series platforms enable users to direct traffic to designated ports, giving them control of network availability for specific services.
The TOE is the Ciena 6500 Packet Optical Platform Series containing 14 models together with the shelf processor (SP2 or SPAP2): NTK503LA (SPAP2), NTK503PA (SP2), NTK503KA (SPAP2), NTK503RA (SP2), NTK503BA (SP2), NTK503CA (SP2), NTK503CC (SP2), NTK503GA (SP2), NTK503AD (SP2), NTK503BD (SP2), NTK503CD (SP2), NTK503SA (SP2), NTK603AA (SP2), NTK603AB (SP2). Each of these devices runs software release 12.3 and provides identical security functionality to one another.
The following lists components and applications in the environment that the TOE relies upon in order to function properly:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The Ciena 6500 Packet Optical Platform was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Ciena 6500 Packet Optical Platform Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in September 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10922-2018, prepared by CCEVS.
The TOE provides extensive auditing capabilities. The TOE creates audit records for security-relevant events, including authentication (success and failure, remote and local), cryptographic key management, session establishment (success and failure), and session termination, including for SSH communications. In addition, all actions corresponding to management functions are audited.
The TOE records, for each audited event, the date and time of the event, the type of event, the subject’s claimed identity, and the outcome (success or failure) of that event. Depending on the specific type of event, additional data may be included in the audit record.
Audit data is stored locally and is pulled by a remote audit server via an automated script, using SFTP over an SSH trusted channel. The local audit file keeps the most recent records by overwriting the oldest records when the file's maximum size threshold is met. To protect local audit data from deletion or modification, no filesystem access is allowed.
The TOE provides cryptography in support of SSH for remote administration, remote storage of audit data, and secure download of TOE updates. Diffie-Hellman group 14 asymmetric key generation and key establishment used by the TSF conforms to RFC 3526, Section 3. The TOE uses CAVP-validated cryptographic algorithms to ensure that appropriately strong cryptographic algorithms are used for these trusted communications. Cryptographic keys are overwritten with zeroes by the TOE when they are no longer needed for their purpose. The TOE collects entropy from a third-party hardware entropy source contained within the device to ensure sufficient randomness for secure key generation.
Identification and Authentication
All users must be identified and authenticated by the TOE before being allowed to perform any actions on the TOE, except viewing a banner. The TOE provides complexity rules that ensure that user-defined passwords will meet a minimum security strength through the set of supported characters and a configurable minimum password length. When connecting to the TOE locally using the management workstation, password data is obfuscated as it is entered.
The TOE detects when a configurable number of failed authentication attempts are made by a remote user. Once this threshold of between 2 and 20 attempts has been met, the TSF will automatically lock a user’s account. The user’s account can be unlocked after a configurable time period of between 0 and 7200 seconds or can be unlocked by a Security Administrator with sufficient UPC level (privilege).
The TSF provides the TL1 interface for performing management functions remotely or locally. Also, the Security Administrator can use the Site Manager to pass commands to the TL1 interface. The functions that a Security Administrator can perform on the TL1 interface are determined by the Security Administrator’s UPC value. The Security Administrator is the only administrative role that has the ability to manage the TSF, so it is the only role that is within the scope of the TOE. Apart from the Security Administrator, other roles that perform network management related functionality are not considered part of the TSF.
Protection of the TSF
The TOE is expected to ensure the security and integrity of all data that is stored locally and accessed remotely. The TSF prevents the unauthorized disclosure of secret cryptographic data, and administrative passwords are hashed using SHA-256. The TOE maintains system time with its local hardware clock. TOE software updates are acquired using SFTP and initiated using the TL1 interface. Software updates are digitally signed to ensure their integrity. The TSF also validates its correctness through the use of self-tests for both cryptographic functionality and integrity of the system software.
The TOE can terminate inactive sessions after a Security Administrator-configurable time period. The TOE also allows users to terminate their own interactive session. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session. The TOE can also display a configurable banner on the TL1 interface prior to use of any other security-relevant functionality.
The Security Administrator establishes a trusted path to the TOE for remote administration using SSH. An audit server establishes a trusted channel (SSH) to the TOE to pull audit data from the TOE using SFTP. The TOE establishes a trusted channel (SSH) for downloading software updates from the update server using SFTP.