Compliant Product - FlashArray//X running Purity//FA 5.3
The Target of Evaluation (TOE) is Pure Storage, Inc's (Pure Storage) FlashArray//X running Purity//FA 5.3. The TOE is an enterprise Network Attached Storage solution that includes a Linux-based operating system, SAN (Storage Area Network) protocols and interfaces (iSCSI, Fiber Channel, SAS), and custom software to provide network storage with high performance, reliability, usability, and efficiency.
The TOE consists of the following FlashArray//X (R2 and R3 families) hardware models:
FlashArray//X R2 Family:
· X10 R2
· X20 R2
· X50 R2
· X70 R2
· X90 R2
FlashArray//X R3 Family:
· X10 R3
· X20 R3
· X50 R3
· X70 R3
· X90 R3
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. Pure Storage FlashArray//X running Purity//FA 5.3 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5, April 2017. The TOE, when installed and configured per the instructions provided in the preparative and administrative guidance, satisfies all the security functional requirements stated in the FlashArray//X running Purity//FA 5.3 Security Target. The evaluation underwent CCEVS Validator review. The evaluation was completed in January 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11076-2021) prepared by CCEVS.
The logical boundary of the TOE includes those security functions implemented exclusively by the TOE. Each security function is summarized below.
- The TOE will audit all events and information defined in Table 3: Auditable Events in the Security Target.
- The TOE will also include the identity of the user that caused the event (if applicable), date and time of the event, type of event, and the outcome of the event.
- The TOE protects storage of audit information from unauthorized deletion.
- The TOE prevents unauthorized modifications to the stored audit records.
- The TOE can transmit audit data to an external IT entity using the Syslog over TLS protocol.
The TSF performs the following cryptographic operations:
- SSH for remote CLI administrative management of the TOE:
- Protocol versions: SSHv2 (Conforming to RFCs 4251-4254, 5656, and 6668)
- Public-Key Algorithms: SSH-RSA, 2048-bit RSA keys
- Data Encryption:
- AES-CBC-128, 128-bit, AES symmetric key
- AES-CBC-256, 256-bit AES symmetric key
- AES128-CTR, 128-bit AES symmetric key
- AES256-CTR, 256-bit AES symmetric key
- firstname.lastname@example.org, 128-bit AES symmetric key
- email@example.com, 256-bit AES symmetric key
- Data Integrity: hmac-sha1, hmac-sha2-256, hmac-sha2-512, “Implicit”
- Key Exchange: diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384,
- HTTPS for remote administrative management of the TOE:
- Protocol versions supporting: HTTPS/TLSv1.2 (Conforming to RFCs 2818 & 5246)
- Supporting the following TLS Ciphersuites:
The TSF zeroizes all plaintext secret and private cryptographic keys and CSPs once they are no longer required.
Identification and Authentication
- The TSF supports passwords consisting of alphanumeric and special characters.
- The TSF allows the security administrator to configure the minimum password length from 1 character to 100 characters.
- The TSF prevents offending Administrator accounts (FIA_AFL.1.1) from successfully establishing remote session using any authentication method that involves a password until an Administrator defined time period has elapsed.
- The TSF allows local administrators to re-enable user accounts locked by the FIA_AFL.1 functionality.
- The TSF requires all administrative users to authenticate before allowing the user to perform any actions other than:
o Display the warning banner in accordance with FTA_TAB.1,
o Respond to ICMP Echo Request,
o Respond to ARP requests with ARP replies,
o Make DNS Requests,
o Respond to HTTP Get Requests on TCP port 80 with a HTTP 301 ‘Moved Permanently’ Status, Code redirecting to TCP port 443,and
o Respond to TLS Client_Hello messages with TLS Server_Hello messages on TCP port 443.
- TSF data includes the following:
- All audit records generated to meet the auditing requirements of the Protection Profile;
- All user credentials (symmetric keys, private keys, keying material, username/password); and
- TSF Configuration data.
- The TSF includes four administrative roles within the Authorized Administrator role:
- Internal Administrator,
- Array Administrator,
- Storage Administrator; and
- Read-Only Administrator.
- All roles are considered authorized administrators for the remainder of this document.
- The device ships with three hard-coded users but allows for additional users to be created.
- The TOE provides management over HTTPS (remote), SSH (remote), and a local console.
- The TOE authenticates administrative users using a username/password combination or a username/SSH_RSA key combination.
- The TSF does not allow access to any administrative functions prior to successful authentication.
- The TOE also has the capability of being updated and verifying updates via published hash verification.
Protection of the TSF
- The TSF protects TSF data from disclosure when the data is transmitted between administrators and the TOE, and between the TOE and trusted IT entities.
- The TSF prevents the reading of secret and private keys.
- The TOE provides reliable time stamps for itself.
- The TOE runs a suite of self-tests during the initial start-up (upon power on) to demonstrate the correction operation of the TSF.
- The TOE provides a means to verify firmware/software updates to the TOE using a published hash mechanism to verify the candidate update package prior to installing the update.
- The TOE, for local interactive sessions, terminates the user’s session after an Authorized Administrator-specified period of session inactivity (applies to the local console).
- The TOE terminates a remote interactive session after an Authorized Administrator-configurable period of session inactivity (applies to SSH remote console and HTTPS remote web GUI console).
- The TOE allows Administrator-initiated termination of the Administrator’s own interactive session.
- Before establishing an administrative user session, the TOE can display an Authorized Administrator-specified advisory notice and consent warning message regarding unauthorized use of the TOE.
- The TOE uses TLS to provide a trusted communication channel between itself and all authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.
- The TOE permits the TSF, or the authorized IT entities, to initiate communication via the trusted channel.
- The TOE permits remote administrators to initiate communication via the trusted path. The TOE provides an HTTPS protected trusted path, as well as an SSH protected trusted path to administer the TOE.
- The TOE requires the use of the trusted path for initial administrator authentication and all remote administration actions.
Note: NTP functionality is unevaluated; Security Administrative users are instructed to disable NTP functionality in the evaluated configuration.
Pure Storage, Inc.