{"product_id":10555,"v_id":10555,"product_name":"FortiSwitch blade appliances with FortiTRNG running FortiOS 5.0 Patch Release 7","certification_status":"Certified","certification_date":"2014-11-07T00:00:00Z","tech_type":"Network Device, Network Switch","vendor_id":{"name":"Fortinet, Inc.","website":"https://www.fortinet.com"},"vendor_poc":"Alan Kaye, Senior Project Manager","vendor_phone":"613-225-9381","vendor_email":"akaye@fortinet.com","assigned_lab":{"cctl_name":"CGI IT Security Labs"},"product_description":"<p>The TOE is the FortiSwitch 5203B Advanced Telecommunications Computing Architecture (ATCA) compliant hub/switch blade running version 5.0.7 of the FortiOS code housed inside an ATCA chassis. The blade contains one FortiTRNG entropy source for the purposes of seeding the validated cryptographic module with Entropy.&nbsp; The TOE is configured in stand-alone Accelerated Packet Forwarding and Policy Enforcement configuration using the validated cryptography offered in &ldquo;FIPS/CC mode&rdquo;.&nbsp; The TOE is designed to provide layer 3 switching services, Virtual Domains (vDOMs), vLAN segregation and network connectivity to devices connected to the chassis.</p>","evaluation_configuration":"","security_evaluation_summary":"<p class=\"Default\">The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4.</p>\r\n<p>The validation team found that the evaluation showed that the product satisfies all of the functional requirements and assurance requirements stated in the Security Target (ST). 
CGI ITSL verified that the product met all the security requirements and Assurance Activities contained in the NDPP (including errata #2). The evaluation was completed in November 2014.&nbsp; Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.</p>","environmental_strengths":"<h2>Security Audit</h2>\r\n<p>The TOE is capable of generating and securely transmitting Security Audit logs to a remote, trusted FortiAnalyzer server for further processing and review.&nbsp; The TOE will generate auditable events as specified in the NDPP which may help indicate a number of potential security concerns including resonance, password guessing and tampering with the trusted paths and channels.&nbsp;&nbsp; For all auditable events the TOE will associate a user (either IP address or with administrative credentials) to the session and use this identifier for all logging to the audit server.</p>\r\n<p>An authorized administrator may delete the local audit trail.&nbsp; An authorized administrator may configure additional auditable events, configure the back-up of audit data to an external FortiAnalyzer source and manage audit data storage.</p>\r\n<p>The auditing function is supported by reliable timestamps provided by the TOE.</p>\r\n<h2>Cryptographic Support</h2>\r\n<p>The TOE&rsquo;s cryptographic modules are FIPS PUB 140-2 validated and meet Security Level 1 overall and Security Level 2 for cryptographic module ports and interfaces, roles, services and authentication, and design assurance.&nbsp;&nbsp; The TOE is capable of generating cryptographic keys using a properly seeded random bit generator in order to provide cryptographic services to the network.&nbsp;&nbsp; The TOE is also capable of importing cryptographic keys and certificates from outside the TOE boundary.&nbsp; These keys are zeroized when no longer required and the TOE offers a function to zeroize these keys on demand.</p>\r\n<p>The TOE is 
designed such that the cryptographic keys and other critical security parameters are not exposed through the various interfaces made available to the TOE administrator(s).&nbsp; Passwords including administrative passwords and pre-shared keys are stored on the TOE in the configuration file.&nbsp;&nbsp; These passwords and the configuration file itself are encrypted by the TOE using a cryptographic key generated by the TOE upon initialization and displayed in ciphertext only.&nbsp; Certificates are not viewable from any interface and may only be imported to the TOE through the GUI which is a cryptographically protected trusted and validated channel.&nbsp;&nbsp;&nbsp;</p>\r\n<h2>User Data Protection</h2>\r\n<p>The TOE ensures that all information is zeroized on allocation of memory to ensure that all memory is cleared of residual information prior to being written to. Keys and CSPs are zeroized per the FIPS 140-2 module validations.</p>\r\n<h2>Identification and Authentication</h2>\r\n<p>All administration requires authentication by the user identification and password mechanism.&nbsp; Administration may either be performed locally using the Local Console CLI or remotely using the Network Web-Based GUI.&nbsp;&nbsp;&nbsp; When authenticating locally or remotely the TOE supports complex, configurable password rules and supports complex character sets.&nbsp;&nbsp;</p>\r\n<p>When authenticating over the GUI, remote authentication data is protected via an encrypted trusted path between the TOE and administrator.&nbsp;&nbsp; Any individual attempting to log on for an interactive session will be shown a warning message that they must accept prior to being presented with a prompt to attempt their authentication.</p>\r\n<h2>Security Management</h2>\r\n<p>The TOE provides remote and local administrative interfaces that permit role-based administration to configure and manage the TOE both locally and remotely. 
When fully initialized and configured the TOE is connected to two or more networks and remote administration data flows from a Network Management Station to the TOE. On the TOE hardware model there is also a Local Console that can be connected to from within the physically secured area described within table 7 of the NDPP and consists of a physical serial interface to the TOE.</p>\r\n<p>An administrator account is associated with an access profile, which determines the permissions of the individual administrator. Additionally, each FortiOS&trade; install comes with a default administrator account with all permissions, which may not be deleted. The term &lsquo;authorized administrator&rsquo; is used throughout this ST to describe an administrator given the appropriate permission to perform tasks as required.</p>\r\n<p>These administration tasks include, but are not limited to configuring appropriate cryptographic protocols available for negotiation, the capacity to query the version information and the ability to update the TOE to a new version.</p>\r\n<h2>Protection of the TSF</h2>\r\n<p>Inter-TSF communications are protected to ensure availability, confidentiality and detection of modification.&nbsp; This is accomplished through the usage of cryptographic communications for any and all communications with remote IT entities, other components of the TOE and remote administrators.&nbsp;&nbsp; By default detection of modification and audit logging are enabled on TLS connections.</p>\r\n<p>The TOE prevents the reading of all administrator passwords, pre-shared keys, symmetric keys and private keys through obscuring them with a one-way function prior to storing them into the TOE configuration file. 
These keys are not viewable through the TSFIs directly.&nbsp; They are available only as an encrypted value within the configuration file that may be backed up by the administrator.</p>\r\n<p>The TOE is capable of querying its current version and displaying it back to the administrator via the trusted interfaces.&nbsp; The TOE also provides a method to verify updates and update the TOE through any of the administrative interfaces.&nbsp; Updates to the TOE software are verified by the TOE during the initial phase of the update process. During this process the TOE verifies that the candidate update is signed by the developer&rsquo;s 2048-bit RSA signature in order to ensure the authenticity of the update. This cryptographic key is used for all FIPS firmware images.</p>\r\n<p>The TOE maintains its own timestamp that is free from outside interference.&nbsp; This timestamp is used for the purposes of generating audit logs and other time-sensitive operations on the TOE including cryptographic key regeneration intervals.</p>\r\n<p>The TOE implements a number of self-tests on start-up to ensure the correct operation and configuration of the TOE.&nbsp;&nbsp; These include but are not limited to hardware and entropy source self-tests, checksums of the firmware binaries and correct operation of the FIPS approved cryptographic module.&nbsp;&nbsp; Additionally the TOE maintains ongoing health tests associated with the FIPS cryptographic module and the hardware noise source.</p>\r\n<h2>TOE Access</h2>\r\n<p>The TOE is capable of terminating both local and remote administrative sessions upon detection of administrator inactivity. 
The TOE is also capable of terminating a remote session upon request from a remote administrator such as when a request to logout is received.&nbsp;&nbsp;</p>\r\n<p>The TOE provides administrators with a configurable warning banner prior to initiating any interactive session with the administrator.</p>\r\n<h2>Trusted Path/Channels</h2>\r\n<p>A cryptographically protected trusted communications channel is required for all communications with the audit server.&nbsp; For the purposes of auditing the TOE is capable of securing its FortiAnalyzer audit server communications via TLS. The TOE or the remote peer may initiate this cryptographically protected channel.</p>\r\n<p>The TOE will ensure that HTTPS is used for a trusted path between the TOE and the trusted remote administrator. This path will be used for both the initial administrator authentication and all remote administration requests and is terminated upon session timeout or explicit request from an administrator.</p>","features":[]}