{"product_id":10523,"v_id":10523,"product_name":"Arista 7150 Series","certification_status":"Not Certified","certification_date":"2013-12-23T00:12:00Z","tech_type":"Network Device","vendor_id":{"name":"Arista Networks, Inc.","website":"www.arista.com"},"vendor_poc":"Richard Whitney","vendor_phone":"408-547-5500","vendor_email":"rw@aristanetworks.com","assigned_lab":{"cctl_name":"UL Verification Services"},"product_description":"<p>The Target of Evaluation (TOE) is the Arista 7150 Series; 7150S-24, 7150S-52, 7150S-64 with EOS V4.12.0.5. The following models were evaluated:</p>\r\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\r\n<tbody>\r\n<tr>\r\n<td colspan=\"2\" width=\"631\" valign=\"top\">\r\n<p><strong>Hardware Models</strong></p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p><strong>Part Number</strong></p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p><strong>Description</strong></p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-24-F</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   24x1/10G SFP+ switch, front-to-rear airflow, 2x AC PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-24-R</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   24x1/10G SFP+ switch, rear-to-front airflow, 2x AC PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-24#</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   24x1/10G SFP+ switch, no fans, no PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-24-CL#</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   24x1/10G SFP+ switch, high precision clock, no fans, no PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-24-CLD#</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   24x1/10G SFP+ switch, high precision clock, 50GB SSD, 
no fans, no PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-52-CL-F</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   52x1/10G SFP+ switch, high precision clock, front-to-rear airflow, 2x AC PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-52-CL-R</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   52x1/10G SFP+ switch, high precision clock, rear-to-front airflow, 2x AC PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-52-CL#</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   52x1/10G SFP+ switch, high precision clock, no fans, no PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-52-CLD#</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   52x1/10G SFP+ switch, high precision clock, 50GB SSD, no fans, no PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-64-CL-F</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   48x1/10G SFP+ &amp; 4xQSFP+ switch, high precision clock, front-to-rear   airflow, 2x AC PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-64-CL-R</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   48x1/10G SFP+ &amp; 4xQSFP+ switch, high precision clock, rear-to-front   airflow, 2x AC PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-64-CL#</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   48x1/10G SFP+ &amp; 4xQSFP+ switch, high precision clock, no fans, no PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>DCS-7150S-64-CLD#</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Arista 7150,   48x1/10G SFP+ &amp; 4xQSFP+ switch, high precision clock, 50GB SSD, no fans,   no PSU</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td colspan=\"2\" 
width=\"631\" valign=\"top\">\r\n<p><strong>Hardware   Version (identical for all models)</strong></p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>CPU:   03.02, Hardware: 04.00, Security Chip: R5H30211</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Security hardware built into all Arista   7150 models.</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td colspan=\"2\" width=\"631\" valign=\"top\">\r\n<p><strong>Software</strong></p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"222\" valign=\"top\">\r\n<p>Arista EOS Version 4.12.0.5</p>\r\n</td>\r\n<td width=\"409\" valign=\"top\">\r\n<p>Modular switch OS that separates switch   state from protocol processing and application logic</p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p>&nbsp;</p>\r\n<p>The TOE is a Network Device that provides layer 2, 3, and 4 Ethernet network management and interconnectivity. The Ethernet management layers refer to the Open Systems Interconnection (OSI) model layers. They refer to the data link, network, and transport layers respectively. It also contains a modern Linux-based operating system that allows for complex management solutions. It is designed with high performance electronics to meet the needs of latency-critical applications such as financial Electronic Communication Networks (ECNs) or High Performance Computing (HPC) clusters.</p>\r\n<p>The TOE can direct and filter network packets based on the contents within each of these layers. 
It is also capable of supporting many modern layer-specific traffic management features including the following unevaluated features:</p>\r\n<ul>\r\n<li>802.1w, 802.1s Spanning Tree Protocol (STP)</li>\r\n<li>802.3ad and Multi-Chassis Link Aggregation</li>\r\n<li>802.3x Flow Control</li>\r\n<li>Virtual Local Area Networks (VLANs)</li>\r\n<li>IPv4\\IPv6 routing and Network Address Translation (NAT)</li>\r\n<li>Access Control Lists (ACLs)</li>\r\n<li>Virtualization support (VXLAN and VMware)</li>\r\n<li>Quality of Service (QoS) rate limiting and queuing</li>\r\n<li>Congestion monitoring and management</li>\r\n</ul>\r\n<p>The TOE supports remote administration over the Secure Shell v2 (SSHv2) protocol that supports cryptographic encryption and authentication using FIPS-certified algorithms. Remote administration is configured using an internal role-based access control system that allows for flexible administrator permissions and capabilities.</p>\r\n<p>The TOE also supports storage and forwarding of detailed audit logs. The process that manages audit messages is capable of forwarding audit messages, encrypted using SSHv2, to any syslog-compatible network entity.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Arista 7150 Series; 7150S-24, 7150S-52, 7150S-64 with EOS V4.12.0.5 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3.&nbsp; The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3.&nbsp; InfoGard Laboratories, Inc. 
determined that the evaluation assurance level (EAL) for the product is EAL 1.&nbsp; The product, when delivered configured as identified in the Common Criteria Guidance Supplement Arista 7150 Series 1/10 GbE SFP Ultra Low Latency Switch Guidance Documents AGD_OPE.1, AGD_PRE.1, Version 1.9, December 17, 2013 document, satisfies all of the security functional requirements stated in the Arista Networks Series 7150 Security Target, Version 1.9, December 23, 2013, Version 1.0. The project underwent CCEVS Validator review.&nbsp; The evaluation was completed in December 2013.&nbsp; Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10523-2013, dated December 2013) prepared by CCEVS.</p>","environmental_strengths":"<p>The security functions that define the logical boundaries of the Arista 7150 Series; 7150S-24, 7150S-52, 7150S-64 with EOS V4.12.0.5 TOE are summarized below.</p>\r\n<p><strong>Security Audit</strong> &ndash; The Arista EOS uses an internal syslog process that receives, stores, and forwards auditable events from all system processes. These events are then sent to an external audit server for storage for review by an administrator. 
The communication between the TOE and external audit server is protected by tunneling the syslog protocol through an encrypted SSH tunnel.</p>\r\n<p><strong>Cryptographic support</strong> &ndash; The TOE includes cryptographic functions that provide key management, random bit generation, encryption/decryption, secure hashing, and asymmetric key generation features in support of SSH and trusted updates.&nbsp; The TOE algorithms were validated through the Cryptographic Algorithm Validation Program (CAVP).</p>\r\n<p><strong>User data protection</strong> &ndash; The TOE protects user data by ensuring that all information flowing through the TOE is not re-used or accessible after transmission.&nbsp; By granular packet size tracking, padding, and overwriting, all data is made inaccessible by the TOE once the packet has been passed to its next destination.</p>\r\n<p><strong>Identification and authentication</strong> &ndash; The TOE supports password authentication for administrative users over console and SSH. The TOE also supports RSA key-based authentication for administrative users over SSH. The TOE stores the local system administrator password locally using SHA-512 hashing and allows special characters and passwords in excess of 15 characters.</p>\r\n<p><strong>Security management</strong> &ndash; The TOE allows a remote administrator to manage the TOE using a local RS-232 console, or remotely using an SSHv2 session. The TOE provides a custom CLI interface to administer the TOE, which provides authentication and restricts the ability to manage the TOE to security administrators. 
The TOE also provides administrators with the ability to update the TOE and verify the integrity of updates using the SHA-512 hashing algorithm.</p>\r\n<p>During initial configuration, the user must establish the Security Administrator role and assign administrators to this role.</p>\r\n<p><strong>Protection of the TSF</strong> &ndash; The TOE protects TSF data from disclosure using different cryptographic methods and security functionality.</p>\r\n<p>Plaintext private keys used for SSH authentication are stored on internal flash which is not accessible to the Security Administrators. Local administrator passwords are stored by the TOE and kept in a hashed form so that they cannot be read in plaintext format.&nbsp;</p>\r\n<p>The TOE derives a reliable time source for logging and other system processes through the local NTP service. The exact time can be provided by setting the value locally, or through synchronizing the time from an external server via NTP.</p>\r\n<p>When updating TSF functionality, a published cryptographic hash of the updated software is provided to the user to ensure the integrity of the software.</p>\r\n<p>The TOE is also able to verify that TSF protection is functioning properly by running a memory test at boot-time and several diagnostic tools throughout the operation of the TOE. During the EOS boot sequence the TOE also initializes the OpenSSL FIPS self-tests against each cryptographic algorithm supported by SSH.</p>\r\n<p><strong>TOE access</strong> &ndash; Administrative sessions to the TOE may be terminated by the administrator&rsquo;s own actions or automatically after a specified time of inactivity. These termination features apply to both local and remote connections to the TOE.</p>\r\n<p>The TOE will also display a customizable warning message to the user during each administrative logon. 
The message is designed to serve as an advisory notice and consent warning regarding use of the TOE.</p>\r\n<p><strong>Trusted path/channels</strong> &ndash; The TOE implements and requires a secured method of communication between itself, audit servers, and remote administrators. The TOE utilizes SSHv2 to provide mutual authentication, encryption, and integrity protection for all trusted paths and channels.</p>","features":[]}