NIAP: Compliant Product
Compliant Product - Ciena Waveserver Ai Rel 1.3

Certificate Date:  2019.06.26

Validation Report Number:  CCEVS-VR-VID10967-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

CC Testing Lab:  Acumen Security


Product Description

The Ciena Waveserver (herein referred to as the TOE) Ai Rel 1.3 is a network device which offers ultra-high capacity connections between data centre locations, thus reducing the network costs for both enterprises and content providers. The Waveserver Ai utilizes Ciena’s WaveLogic Ai technology. The Waveserver Ai uses the WCS2 hardware.

Evaluated Configuration


The TOE in the evaluated configuration consists of the platform as stated in Table 1.

Waveserver Ai Appliance

ARM Cortex-A53

Client ports: Up to 24 x QSFP28 (24 x 100GbE)

Line Ports: Up to 2.4 Tb/s; Line ports support single carrier 100 Gb/s, 200 Gb/s, 300 Gb/s or 400 Gb/s

Single rack unit

Power Supply: AC or DC power
  AC input voltage range: 100 Vac to 264 Vac
  DC input voltage range: -40 Vdc to -72 Vdc
  Power consumption: 0.4 W/Gb

Environment Characteristics: Normal operating temperature: 0 °C to +40 °C (32 °F to 104 °F)

Table 1 Waveserver Ai appliance


The TOE supports secure connectivity with other IT environment devices as stated in Table 2.




NTP server (optional): The TOE supports communication with an NTP server to synchronize date and time.

Syslog server: The TOE exports audit events to an external syslog server via TLS v1.2 protocol.

RADIUS server: The TOE supports secure communication to RADIUS server via TLS v1.2 protocol.

Management workstation with Web Browser/SSH client: This includes any IT Environment Management workstation with a Web Browser and an SSH client installed that is used by the TOE. NOTE: The web browser is not in scope of the evaluation but the secure HTTPS/TLS connection to the WebUI was evaluated and tested.

Certificate Authority server: The Certificate Authority is used for creation and management of X509 certificates to be used with the TOE.

Table 2 IT Components


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Ciena Waveserver Ai Rel 1.3 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The Waveserver Ai uses the WCS2 hardware. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered configured as identified in the Ciena Waveserver Ai Rel 1.3 Common Criteria Guidance document 6 19 2019, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review.  The evaluation was completed on June 26, 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.

  1. Security Audit
  2. Cryptographic Support
  3. Identification and Authentication
  4. Security Management
  5. Protection of the TSF
  6. TOE Access
  7. Trusted Path/Channels


Security Audit

The TOE generates audit events for all start-up and shut-down functions, and all auditable events related to AES, RSA, ECDSA, KAS/CVL, HMAC, SHS, DRBG, CVL SSHv2, CVL TLSv1.2. Audit events are also generated for management actions specified in FAU_GEN.1. The TOE is capable of storing audit events locally and exporting them to an external syslog server using TLS v1.2 protocol. Each audit record contains the date and time of the event, type of event, subject identity, and the relevant data of the event. The syslog server supports the following severity levels: emergency, alert, error, warning, notice, info and debug. To enable logging to the syslog server, a user must be logged in with an administrative access privilege.

Cryptographic Support

The TOE provides cryptographic support for key generation, key establishment, data encryption and decryption, signature generation, key destruction, hashing, keyed hash, random bit generation, and for SSH and TLS protocols. The operating system is Linux Kernel v4.9. The TOE leverages the Waveserver Ai WCS-2 FW Crypto Library 2 for its cryptographic functionality.

Identification and authentication

The TOE supports Role Based Access Control. All users must be authenticated to the TOE prior to carrying out any management actions. The TOE supports password based authentication and public key based authentication. Based on the assigned role, a user is granted a set of privileges to access the system.

Security Management

The TOE supports local and remote management of its security functions including:

o Local console CLI administration
o Remote CLI administration via SSHv2
o Timed user lockout after multiple failed authentication attempts
o Password configurations
o Role Based Access Control – Superuser (Security Administrator), Admin and limited user (User)
o Configurable banners to be displayed at login
o Timeouts to terminate administrative sessions after a set period of inactivity
o Protection of secret keys and passwords

Protection of the TSF

The TOE protects all passwords, pre-shared keys, symmetric keys and private keys from unauthorized disclosure. Passwords are stored in encrypted format. Passwords are stored as a SHA-512 salted hash value, as per the standard Linux approach. The TOE executes self-tests during initial start-up to ensure correct operation and enforcement of its security functions. An administrator can install software updates to the TOE. The TOE internally maintains the date and time.

TOE Access

Prior to establishing an administration session with the TOE, a banner is displayed to the user. The banner messaging is customizable. The TOE will terminate an interactive session after 10 minutes of session inactivity. An administrator can terminate their GUI session by clicking on the logout button. A user can terminate their local CLI session and remote CLI session by entering exit at the prompt.

Trusted path/Channels

The TOE supports TLS v1.2 for secure communication to the following IT entities: Syslog server and RADIUS server. The TOE supports HTTPS/TLS (WebUI) and SSH v2 (remote CLI) for secure remote administration.

NOTE: The web browser is not in scope of the evaluation but the secure HTTPS/TLS connection to the WebUI was evaluated and tested.


Vendor Information

Ciena Corporation
Sik Heng Foo