NIAP: Assurance Continuity
Assurance Continuity - Brocade FastIron ICX Series Switch/Router 8.0.70 with IPSEC VPN

Date of Maintenance Completion:  2019.06.19

Product Type:  Virtual Private Network; Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:  collaborative Protection Profile for Network Devices Version 2.0; Extended Package for VPN Gateways Version 2.1

Original Evaluated TOE:  2018.02.13 - Brocade FastIron ICX Series Switch/Router 08.0.70 with IPsec VPN Module

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original Validation Report and Security Target.  Readers are therefore reminded to read the Security Target, the Validation Report, and the Assurance Maintenance Report to fully understand what a maintained certificate represents. 

Product Description

The changes are divided into three categories: New Security Related Features, New Non-Security Related Features and Bug Fixes. The subsections below help to justify that the changes have no security impact on the certified TOE.

The changes to the ST were to update the version of the software to the latest version and update the storage buffer size reference. The Release Notes were updated to include new versioning and features.

New Security Related Features:

The following describes each new security related feature and provides supporting rationale regarding security relevance and the impact, if any, on the evaluated TOE.


Feature: Unified FastIron Image (UFI) support added.
Assessment: Related to FPT_TUD_EXT.1; consistent with what was tested and does not affect the SFR.

Feature: Change in default local syslog buffer size.
Assessment: Related to FAU_STG_EXT.1; the local buffer has been expanded.  The TSS has been updated to reflect the new value.  It does not affect the tested security functionality because the audit records are automatically sent to the remote syslog server, so this local buffer is simply a backup.

Feature: no-login keyword addition to the RADIUS server definition. The keyword specifies that the RADIUS server cannot be used for login features such as TELNET, SSH, CONSOLE, EXEC, or Web-management AAA.
Assessment: Related to FIA_UAU_EXT.2. This keyword addition limits the use of the RADIUS server and does not impact the testing that was performed as part of the evaluation.

Feature: Default username and password. The administrator will be prompted to change the default password after logging in for the first time.
Assessment: Related to FIA_UAU_EXT.1. The administrator will be prompted to create a new password after logging in. As the administrator is required to change the password in the evaluated configuration, the requirement is not impacted.

Feature: SSH enabled by default.
Assessment: Related to FCS_SSHS_EXT.1. As the evaluated configuration uses SSH, there is no impact.

Feature: ACL related bugs:
· Displaying properly
· Not active on LAG interfaces
· Hotswap related
· Resource exhaustion related
Assessment: Bugs related to ACLs were fixed.  The bugs were all functional in nature and do not impact the permit and deny rules for IPsec testing.

New Non-Security Related Features

Features and enhancements have been added to the updated software. See the following table for an analysis.

Feature: Ruckus SmartZone management
Assessment: The SmartZone functionality is outside the scope of the NDcPP/VPNGWEP evaluation.

Feature: SAU Licensing.
Assessment: SAU licensing is outside the scope of the evaluation.

Feature: Remote Switched Port Analyzer (RSPAN)
Assessment: RSPAN is outside the scope of the evaluation.

Feature: HTTPS image and configuration download/upload
Assessment: HTTPS functionality is outside the scope of the evaluation.

Feature: ip access-list command replaced the deprecated access-list command.
Assessment: The access-list command was not used during the evaluation, so this change has no security impact on the evaluation.

Feature: Flexible Authentication enhancements:
· Single / multiple host authentication
· Tagged VM client authentication
· MAC authentication support commands expanded.
· New show authentication commands that integrate output for 802.1X and MAC authentication.
· New commands: clear authentication sessions and clear authentication statistics.
Assessment: Flexible authentication features are outside the scope of the evaluation, as the administrator is restricted to the evaluated authentication methods. The new commands were not used in the evaluation.

Feature: Control Bridge (CB) stack and Campus Fabric (SPX) system configuration
Assessment: CB/SPX configurations are outside the scope of the evaluation.

Feature: Port Extender (PE) console authentication
Assessment: The PE functionality is outside the scope of the evaluation.

Feature: LAG: the no versions of the multi-spx-port and multi-spx-lag commands are introduced.
Assessment: This LAG functionality is outside the scope of the evaluation.

Feature: ARP inspection: the maximum number of static ARP inspection entries for the stack increased to 42,000.
Assessment: ARP functionality is outside the scope of the evaluation.

Feature: Manifest upgrade
Assessment: This functionality uses TFTP, which is not allowed in the evaluated configuration.

Feature: DHCP upgrades: DHCP auto-provisioning and snooping scale enhancements
Assessment: DHCP functionality is outside the scope of the evaluation.

Feature: IP Source Guard improvements/enhancements
Assessment: IP Source Guard functionality is outside the scope of the evaluation.

Feature: VLAN Enhancements:
· Configuration command enhancements
· VLAN pre-provisioning
· Max number of allowed VLANs increased
· VLAN mapping enhancements
· Multiple VLAN Registration Protocol support added
Assessment: VLAN functionality is outside the scope of the evaluation.

Feature: Link Aggregation Control Protocol (LACP) timeout change
Assessment: LACP functionality is outside the scope of the evaluation.

Feature: Cloudpath enhancements
Assessment: Integration with Cloudpath was not included in the evaluation.

Feature: Increased number of monitor ports
Assessment: This is a functional change and outside the scope of the evaluation.

Feature: Tab-based autocomplete enhancements
Assessment: This is a functional change and outside the scope of the evaluation.

Feature: LLDP now enabled by default.
Assessment: LLDP functionality is outside the scope of the evaluation.

Feature: LAG port speed validation is performed as part of port addition to a LAG.
Assessment: LAG functionality is outside the scope of the evaluation.

Feature: MSTP path-cost configuration
Assessment: MSTP functionality is outside the scope of the evaluation.

Feature: MSS Adjustment feature prevents TCP sessions from timing out due to lack of fragmentation support.
Assessment: Handling of TCP sessions is outside the scope of the evaluation.

Feature: Bidirectional Forwarding Detection (BFD) rapidly detects link faults.
Assessment: This is functional and outside the scope of the evaluation.

Feature: Dynamic Host Configuration Protocol version 6 (DHCPv6) Server added
Assessment: DHCP is outside the scope of the evaluation.

Feature: Forwarding Profiles allow for the configuration of the Unified Forwarding Table
Assessment: This is functional and outside the scope of the evaluation.

Feature: IPv6 Neighbor Discovery (ND) Proxy support added
Assessment: This is functional and outside the scope of the evaluation.

Feature: Syslog messages for xSTP
Assessment: Extra audit messages not related to the evaluation.

Feature: Packet Statistics Enhancement allows counting of packets destined to the CPU based on programmable fields.
Assessment: This is functional and outside the scope of the evaluation.

Feature: Stacking Enhancements
Assessment: Stacking is outside the scope of the evaluation.

Bug Fixes:

There are several bugs identified as being part of the security group.  See the following table for an analysis of each and why they are not relevant to the evaluation:


Bug: 802.1x Port-based Authentication related bugs
Assessment: There are several 802.1x Port-based Authentication related bugs.  The NDcPP/VPNGWEP does not address 802.1x Port-based Authentication functionality, so the bugs are not security relevant in the context of the evaluation.

Bug: Accounting feature with RADIUS method is enabled for user login
Assessment: This is a functional tracking item and outside the scope of NDcPP/VPNGWEP.

Bug: Authentication, Authorization and Accounting of login features like telnet, SSH, EXEC stops working after a few logins and logouts
Assessment: This defect applies only where the TACACS / RADIUS server does not have a reliable connection. As secure RADIUS has a connection established with the RADIUS server, this defect is not relevant to the NDcPP/VPNGWEP evaluation. (Note: a failure restricts access and does not open access.)

Bug: MAC-based authentication bugs.
Assessment: MAC-based authentication is outside the scope of NDcPP/VPNGWEP.

Bug: Security vulnerability in web server due to a script
Assessment: A web server is not in the evaluated configuration.

Bug: In FIPS-CC mode, secure logging / secure RADIUS server connection establishment would fail when the device uses a chain of certificates for OCSP validation to establish the secure logging / secure RADIUS server connection.
Assessment: This defect was introduced after 8.0.70 and fixed before 8.0.80, and hence is not relevant to the evaluation.

Bug: Currently the system allows the user to configure PBR on the same interface where FlexAuth is also enabled and the user has configured RADIUS to apply an ACL on the FlexAuth session. Traffic forwarding is nondeterministic when PBR and dynamic ACLs are configured on the same interface.
Assessment: FlexAuth is not in the CC evaluated configuration, so this bug is not an issue.

Bug: Pre-provisioned ACL configurations that apply to a PE are not properly applied on that PE during hot-swap
Assessment: Hot-swap functionality is outside the scope of the NDcPP/VPNGWEP evaluation.

Bug: SSH key files may get lost when 1) Power Line Disturbance tests are run, 2) EEC errors occur in the flash partition, 3) the flash partition is erased, or 4) UBI file system corruption occurs
Assessment: This is a functional and not a security problem. The SSH key needed to be regenerated but did not create a security issue.

Bug: SSH session is abruptly terminated when X11 forwarding is enabled on the client with any KEX method
Assessment: X11 is not in the evaluated configuration.

Affected Developer Evidence:

Modifications were made to the Security Target to change the software version and to update the size of the local audit buffer. The Release Notes were updated to address version number, new or changed features and bug fixes.

Regression Testing:

The vendor performed regression testing to ensure correct operation of the updated software as a matter of course for each of the software releases (8.0.80 and 8.0.90).

Vulnerability Analysis:

The updates to software included security relevant fixes for documented CVEs. The CVE databases were searched again on 4.24.2019 to ensure known security vulnerabilities have been corrected.

The evaluator searched the following:

using the following search terms: "Brocade", "FastIron", "ICX", "openssl crypto", "ipsec"

The search resulted in 22 findings, none of which were found to be applicable to the TOE.

Vendor Information

Ruckus Wireless, Inc.
Julie Lu
650-265-4200
Julie.Lu@arris.com

www.ruckuswireless.com