New Hardware

Assessment

The ICX 7850 (ICX 7850-32Q, ICX 7850-48FS, ICX 7850-48F) family added.

The ICX 7850 family adds different port/power configurations options; neither of which are directly related the NDcPP requirements. The processor is the Quad-core ARM Cortex A57 1.6GHz which is already in the ST for the 7650 and addressed by the CAVP certificates. In addition, 7850 runs the same image as the 7650.

New Feature

Assessment

Unified FastIron Image (UFI) support added. 

This is consistent with what was evaluated. The difference is the administrator downloads one file instead of two.

Change in default syslog buffer size. The default value of dynamic syslog messages being logged is increased from 50 to 4,000

The evaluated configuration already had this applied.

no-login keyword addition to the RADIUS server definition.

This addition limits the use of the RADIUS server and does not impact the testing that was performed as part of the evaluation.

Default username and password - The device allows initial access only after using the default local username and password. ICX devices that are already deployed with a previous release and upgraded to 08.0.90 will not be affected by this change.

The Release Notes explain the administrator will be prompted to create a new password after logging in. Since the administrator is required to change the password, FIA_UAU_EXT.1 is not impacted.

SSH enabled by default.

The evaluated configuration uses SSH, therefore, this has no impact.

SmartZone Management added.

The SmartZone functionality is outside the scope of the NDcPP evaluation and is not in the ST.

MACsec support on the ICX 7850

The NDcPP evaluation did not address MACsec.

ICX7150, ICX7250, ICX7750, and ICX7850 Ethernet switches support for long-Reach Multimode (LRM) optics connections.

This is a functional change and has no impact on the NDcPP evaluation.

RFC 4560 updates.

RFC 4560 not addressed in an NDcPP evaluation.

Command added to reset device to factory settings.

Command resets the device and does not impact the evaluation results. 

Show version for bootcode - Modified command output includes a message which warns about any mismatch with the recommended u-boot version.

This is a functional change and has no impact on the NDcPP evaluation.

SAU licensing was added.

SAU licensing is outside the scope of the NDcPP evaluation

Remote Switched Port Analyzer (RSPAN) was added.

RSPAN is outside the scope of the NDcPP evaluation.

HTTPS image download and configuration download/upload.

HTTPS functionality is outside the scope of the NDcPP evaluation.

The access-list command has been deprecated.

Command was not used during the evaluation so this change has no security impact.

Flexible authentication enhancements added.

All flexible features are outside the scope of the evaluation. The administrator is restricted to the evaluated authentication methods.

ICX 7650 devices can be configured as a Control Bridge (CB) stack or standalone in a Campus Fabric (SPX) system. 1-Gbps SPX links are supported between ICX 7650 or ICX 7750 devices serving as CB units and connected PE units in a Campus Fabric network.

This is functional and outside the scope of the NDcPP evaluation. 

Port Extender (PE) console authentication redirect.

The PE functionality is outside the scope of the NDcPP evaluation.

Reconfiguring a live Campus Fabric (SPX) LAG via command.

This is functional and outside the scope of the NDcPP evaluation. 

ARP inspection entry increase.

ARP functionality is outside the scope of the NDcPP evaluation.

Manifest upgrade.

This functionality uses tftp which is not available in the evaluated configuration.

DHCP upgrades.

DHCP functionality is outside the scope of the NDcPP evaluation.

IP Source Guard scale improvements/enhancements.

IP SourceGuard functionality outside the scope of the NDcPP evaluation

VLAN Enhancements.

VLAN functionality is outside the scope of the NDcPP evaluation

Bridge Protocol Data Unit (BPDU) improved scaling.

BPDU functionality is outside the scope of the NDcPP evaluation

Link Aggregation Control Protocol (LACP) timeout change.

LACP functionality is outside the scope of the NDcPP evaluation

Cloudpath enhancements.

Integration with Cloudpath not included in the NDcPP evaluation.

Increased number of monitor ports           .

This is functional and outside the scope of the NDcPP evaluation

Enhancement of tab-based autocomplete.

This is functional and outside the scope of the NDcPP evaluation.

LLDP enabled by default.

LLDP functionality is outside the scope of the NDcPP evaluation

LAG between different default port speeds.

LAG functionality is outside the scope of the NDcPP evaluation

MSTP path-cost configuration.

MSTP functionality is outside the scope of the NDcPP evaluation

TCP MSS Adjustment feature.

Handling of TCP sessions is outside the scope of the NDcPP evaluation

Bidirectional Forwarding Detection (BFD) support added.

This is functional and outside the scope of the NDcPP evaluation

Dynamic Host Configuration Protocol version 6 (DHCPv6) Server configuration.

DHCP is outside the scope of the NDcPP evaluation

Forwarding Profiles.

This is functional and outside the scope of the NDcPP evaluation

IPv6 Neighbor Discovery (ND) Proxy support added.

This is functional and outside the scope of the NDcPP evaluation

Syslog messages for xSTP.

This is an extra audit message and not related to the evaluation.

Packet Statistics Enhancement.

This is functional and outside the scope of the NDcPP evaluation

Stacking Enhancements.

Stacking is outside the scope of the NDcPP evaluation

Multiple S-VLAN Support.

SVLAN functionality is outside the scope of the NDcPP evaluation

BPDU Scaling.

BPDU tunneling is outside the scope of the NDcPP evaluation

PoE Data Link Decoupling and PoE Updates and Related Syslog Messages.

Power management is outside the scope of the NDcPP evaluation

Debug Data Collection.

These are not audit logs and are used for connection issues.  These logs are is outside the scope of the NDcPP evaluation.

Link Dampening and Alarms.

Link dampening is outside the scope of the NDcPP evaluation.

Bug Fixes

Assessment

ACL Related bugs.

There are several ACL related bugs.  The NDcPP does not address ACL related functionality so these bugs are not security relevant in the context of the NDcPP evaluation.

802.1x Port-based Authentication Related bugs.

There are several 802.1x Port-based Authentication related bugs.  The NDcPP does not address 802.1x Port-based Authentication related functionality so these bugs are not security relevant in the context of the NDcPP evaluation.

Accounting feature with RADIUS method is enabled for user login.

This is a functional tracking item and outside the scope of NDcPP.

Authentication, Authorization and Accounting of login feature stops working.

This defect is applicable where only tacacs/radius server does not have a reliable connection. As secure radius has a connection established with a radius server, this defect is not relevant to the NDcPP evaluation. (note: it also restricts access and does not open access)

MAC-based authentication bugs.

MAC-based authentication is outside the scope of NDcPP.

Security vulnerability in web server due to a script.

The web server is not in the NDcPP configuration.

In FIPS-CC mode, Secure logging / Secure radius server connection establishment would fail.

This defect was introduced after 8.0.70 and fixed before 8.0.80 and hence not relevant to the NDcPP evaluation.

FlexAuth bug.

FlexAuth is not in the CC evaluated configuration so this bug is not an issue.

Pre-provisioned ACL configurations that apply to a PE.

Hotswapping functionality is outside the scope of the NDcPP evaluation.

SSH key files may get lost under defined circumstances.

This is a functional and not a security problem. The SSH key needed to be regenerated but did not create a security issue.

SSH session is abruptly terminated when x11 forwarding is enabled on client with any KEX method

X11 is not in the evaluated configuration.

SSH bug fixes for SSH hanging.

This is a functional and not a security problem.  The administrator needs to restart the SSH session.

SSH to ICX device connection failure bugs.

This is a functional and not a security problem.  The administrator needs to kill the SSH process and restart. 

SSH login hang.

This is a functional and not a security problem.  The administrator simply needs to attempt to log in again.

Recurring reset of the switch when FIPS mode is enabled.

This is a functional and not a security problem and it was fixed.

Other software bug fixes identified in the Release Notes.

These were functional and had no bearing on the security requirements as evaluated.