The Target of Evaluation (TOE) is the:
\r\nArista 7050X Series; DCS-7050SX-128-F, DCS-7050SX-128-R; EOS V4.13.3.4
\r\nArista 7250X Series; DCS-7250QX-64-F, DCS-7250QX-64-R; EOS V4.13.3.4
\r\nArista 7300X Series; DCS-7316X-BND-F, DCS-7316X-BND-D-F, DCS-7316X-BND-R, DCS-7316X-BND-D-R, DCS-7308X-BND-F, DCS-7308X-BND-D-F, DCS-7308X-BND-R, DCS-7308X-BND-D-R, DCS-7304X-BND-F, DCS-7304X-BND-D-F, DCS-7304X-BND-R, DCS-7304X-BND-D-R, DCS-7300X-64S-LC, DCS-7300X-64T-LC, DCS-7300X-32Q-LC; EOS V4.13.3.4
\r\nArista 7500E Series; DCS-7508E-BND, DCS-7504E-BND, DCS-7508E-BND-D, DCS-7504E-BND-D, DCS-7500E-36Q-LC, DCS-7500E-72S-LC, DCS-7500E-48S-LC, DCS-7500E-12CM-LC; EOS V4.13.3.4
\r\nThe following models were evaluated:
\r\n| \r\n Hardware Models \r\n | \r\n|
| \r\n Part Number \r\n | \r\n\r\n Description \r\n | \r\n
| \r\n DCS-7050SX-128-F \r\n | \r\n\r\n Arista 7050, 96xSFP+ & 8xQSFP+ switch, front-to-rear air?ow and dual 750W AC power supplies \r\n | \r\n
| \r\n DCS-7050SX-128-R \r\n | \r\n\r\n Arista 7050, 96xSFP+ & 8xQSFP+ switch, rear-to-front air?ow and dual 750W AC power supplies \r\n | \r\n
| \r\n DCS-7250QX-64-F \r\n | \r\n\r\n Arista 7250, 64xQSFP+ switch, front-to-rear air?ow and dual 1100W AC power supplies \r\n | \r\n
| \r\n DCS-7250QX-64-R \r\n | \r\n\r\n Arista 7250, 64xQSFP+ switch, rear-to-front air?ow and dual 1100W AC power supplies \r\n | \r\n
| \r\n DCS-7316X-BND-F \r\n | \r\n\r\n Arista 7316X chassis bundle. Includes 7316 chassis, 6 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor (F-R) \r\n | \r\n
| \r\n DCS-7316X-BND-D-F \r\n | \r\n\r\n Arista 7316X chassis bundle. Includes 7316 chassis, 6 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor with SSD (F-R) \r\n | \r\n
| \r\n DCS-7316X-BND-R \r\n | \r\n\r\n Arista 7316X chassis bundle. Includes 7316 chassis, 6 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor (R-F) \r\n | \r\n
| \r\n DCS-7316X-BND-D-R \r\n | \r\n\r\n Arista 7316X chassis bundle. Includes 7316 chassis, 6 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor with SSD (R-F) \r\n | \r\n
| \r\n DCS-7308X-BND-F \r\n | \r\n\r\n Arista 7308X chassis bundle. Includes 7308 chassis, 4 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor (F-R) \r\n | \r\n
| \r\n DCS-7308X-BND-D-F \r\n | \r\n\r\n Arista 7308X chassis bundle. Includes 7308 chassis, 4 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor with SSD (F-R) \r\n | \r\n
| \r\n DCS-7308X-BND-R \r\n | \r\n\r\n Arista 7308X chassis bundle. Includes 7308 chassis, 4 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor (R-F) \r\n | \r\n
| \r\n DCS-7308X-BND-D-R \r\n | \r\n\r\n Arista 7308X chassis bundle. Includes 7308 chassis, 4 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor with SSD (R-F) \r\n | \r\n
| \r\n DCS-7304X-BND-F \r\n | \r\n\r\n Arista 7304X chassis bundle. Includes 7304 chassis, 2 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor (F-R) \r\n | \r\n
| \r\n DCS-7304X-BND-D-F \r\n | \r\n\r\n Arista 7304X chassis bundle. Includes 7304 chassis, 2 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor with SSD (F-R) \r\n | \r\n
| \r\n DCS-7304X-BND-R \r\n | \r\n\r\n Arista 7304X chassis bundle. Includes 7304 chassis, 2 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor (R-F) \r\n | \r\n
| \r\n DCS-7304X-BND-D-R \r\n | \r\n\r\n Arista 7304X chassis bundle. Includes 7304 chassis, 2 x 3000W PS, 4 Fabric modules with fans, 1x Supervisor with SSD (R-F) \r\n | \r\n
| \r\n DCS-7300X-64S-LC \r\n | \r\n\r\n Arista 7300X-64S linecard for 7300X Series, 48 port 10GbE SFP+ and 4 port 40GbE QSFP+ (spare) \r\n | \r\n
| \r\n DCS-7300X-64T-LC \r\n | \r\n\r\n Arista 7300X-64T linecard for 7300X Series, 48 port RJ45 10GBASE-T and 4 port 40GbE QSFP+ (spare) \r\n | \r\n
| \r\n DCS-7300X-32Q-LC \r\n | \r\n\r\n Arista 7300X-32Q linecard for 7300X Series, 32 port 40GbE QSFP+ (spare) \r\n | \r\n
| \r\n DCS-7508E-BND \r\n | \r\n\r\n Arista 7508E chassis bundle. Includes 7508 chassis, 4x2900PS, 6xFabric-E modules, 1xSupervisor-E \r\n | \r\n
| \r\n DCS-7504E-BND \r\n | \r\n\r\n Arista 7504E chassis bundle. Includes 7504 chassis, 4x2900PS, 6xFabric-E modules, 1xSupervisor-E \r\n | \r\n
| \r\n DCS-7508E-BND-D \r\n | \r\n\r\n Arista 7508E chassis bundle. Includes 7508 chassis, 4x2900PS, 6xFabric-E modules, 1xSupervisor-E-SSD \r\n | \r\n
| \r\n DCS-7504E-BND-D \r\n | \r\n\r\n Arista 7504E chassis bundle. Includes 7504 chassis, 4x2900PS, 6xFabric-E modules, 1xSupervisor-E-SSD \r\n | \r\n
| \r\n DCS-7500E-36Q-LC \r\n | \r\n\r\n 36 port 40GbE QSFP+ wire-speed line card for 7500E Series \r\n | \r\n
| \r\n DCS-7500E-72S-LC \r\n | \r\n\r\n 48 port 10GbE SFP+ & 2 x 100GbE SR10 Embedded MXP wire-speed line card for 7500E Series \r\n | \r\n
| \r\n DCS-7500E-48S-LC \r\n | \r\n\r\n 48 port 1/10GbE SFP+ wire-speed line card for 7500E Series \r\n | \r\n
| \r\n DCS-7500E-12CM-LC \r\n | \r\n\r\n 12 port 100GbE SR10 Embedded MXP wire-speed line card for 7500E Series \r\n | \r\n
| \r\n Hardware Version \r\n | \r\n|
| \r\n Arista 7050SX \r\nCPU Model: Intel(R) Pentium(R) CPU @ 1.50GHz, Security Chip: R5H30211, Forwarding ASIC: Linecard0/0: Chip: BCM56850 \r\n | \r\n\r\n Security hardware built into all Arista 7050SX models. \r\n | \r\n
| \r\n Arista 7250X Series \r\nIntel(R) Pentium(R) CPU @ 1.50GHz, Security Chip: R5H30211, Forwarding ASIC: Linecard x/y[1]: Chip: BCM56850 \r\n | \r\n\r\n Security hardware built into all Arista 7250X models. \r\n | \r\n
| \r\n Arista 7300X Series \r\nCPU Model: Intel(R) Xeon(R) CPU @ 2.60GHz, Security Chip: R5H30211, Forwarding ASIC: Linecard x/y1: Chip: BCM56850 \r\n | \r\n\r\n Security hardware built into all Arista 7300X models. \r\n | \r\n
| \r\n Arista 7500E Series \r\nCPU Model: Intel(R) Xeon(R) CPU @ 2.60GHz, Security Chip: R5H30211, Forwarding ASIC: Aradx/y1 Model: Arad \r\n | \r\n\r\n Security hardware built into all Arista 7500E models. \r\n | \r\n
| \r\n Software (identical for all models) \r\n | \r\n|
| \r\n Arista EOS Version 4.13.3.4 \r\n | \r\n\r\n Modular switch OS that separates switch state from protocol processing and application logic. \r\n | \r\n
\r\n
The TOE is a Network Device that provides layer 2, 3, and 4 Ethernet network management and interconnectivity. The Ethernet management layers refer to the Open Systems Interconnection (OSI) model layers. They refer to the data link, network, and transport layers respectively. It also contains a modern Linux-based operating system that allows for complex management solutions. It is designed with high performance electronics to meet the needs of latency-critical applications such as financial Electronic Communication Networks (ECNs) or High Performance Computing (HPC) clusters.
\r\nThe TOE can direct and filter network packets based on the contents within each of these layers. It is also capable of supporting many modern layer-specific traffic management features including the following unevaluated features:
\r\nThe TOE supports remote administration over the Secure Shell v2 (SSHv2) protocol that supports cryptographic encryption and authentication using FIPS-certified algorithms. Remote administration is configured using an internal role-based access control system that allows for flexible administrator permissions and capabilities.
\r\nThe TOE also supports storage and forwarding of detailed audit logs. The process that manages audit messages is capable of forwarding audit messages, encrypted using SSHv2, to any syslog-compatible network entity.
\r\n\r\n
[1] Note: The output of “Forwarding ASIC” will vary in the number of linecards, and depend on how many and which linecards are populating the chassis. X and Y will be integers denoting each linecard in the configuration. All ASIC types for a specific TOE will always display the same chip or model type.
","evaluation_configuration":"","security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The Target of Evaluation (TOE) was Arista 7050X, 7250X, 7300X, and 7500E Series with EOS V4.13.3.4. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. InfoGard Laboratories, Inc. determined that the TOE meets the requirements in the Network Device Protection Profile, Version 1.1, June 8, 2012 with Security Requirements for Network Devices Errata #1, Version 1.0, December 19, 2013. The product, when delivered configured as identified in the Common Criteria Guidance Supplement Arista 7150, 7050X, 7250X, 7300X and 7500E Series Switches Guidance Documents AGD_OPE.1, AGD_PRE.1, Version 1.4, June 10, 2014 document, satisfies all of the security functional requirements stated in the Arista Networks 7050X, 7250X, 7300X and 7500E Series Security Target, Version 1.4, June 16, 2014. The project underwent CCEVS Validator review. The evaluation was completed in June 2014. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10559-2014, dated June 2014) prepared by CCEVS.
","environmental_strengths":"The security functions that define the logical boundaries of the Arista 7050X, 7250X, 7300X, and 7500E Series with EOS V4.13.3.4 TOE are summarized below.
\r\nSecurity Audit – The Arista EOS uses an internal syslog process that receives, stores, and forwards auditable events from all system processes. These events are then sent to an external audit server for storage for review by an administrator. The communication between the TOE and external audit server is protected by tunneling the syslog protocol through an encrypted SSH tunnel.
\r\nCryptographic support – The TOE includes cryptographic functions that provide key management, random bit generation, encryption/decryption, secure hashing, and asymmetric key generation features in support of SSH and trusted updates. The TOE algorithms were validated through the Cryptographic Algorithm Validation Program (CAVP).
\r\nUser data protection – The TOE protects user data by ensuring that
\r\nIdentification and authentication – The TOE supports password authentication for administrative users over console and SSH. The TOE also supports RSA key-based authentication for administrative users over SSH. The TOE stores the local system administrator password locally using SHA-512 hashing and allows special characters and passwords in excess of 15 characters.
\r\nSecurity management – The TOE allows a remote administrator to manage the TOE using a local RS-232 console, or remotely using an SSHv2 session. The TOE provides a custom CLI interface to administer the TOE, which provides authentication and restricts the ability to manage the TOE to security administrators. The TOE also provides administrators with the ability to update the TOE and verify their integrity using SHA-512 hashing algorithm.
\r\nDuring initial configuration, the user must establish the Security Administrator role and assign administrators to this role.
\r\nProtection of the TSF – The TOE protects TSF data from disclosure using different cryptographic methods and security-functionality.
\r\nPlaintext private keys used for SSH authentication are stored on internal flash which is not accessible to the Security Administrators. Local administrator passwords are stored by the TOE and kept in a hashed form so that they cannot be read in plaintext format.
\r\nThe TOE derives a reliable time source for logging and other system processes through the local NTP service. The exact time can be provided by setting the value locally, or through synchronizing the time from an external server via NTP.
\r\nWhen updating TSF functionality, a published cryptographic hash of the updated software is provided to the user to ensure the integrity of the software.
\r\nThe TOE is also able to verify that TSF protection is functioning properly by running a memory test at boot-time and several diagnostic tools throughout the operation of the TOE. During the EOS boot sequence the TOE also initializes the OpenSSL FIPS self-tests against each cryptographic algorithm supported by SSH.
\r\nTOE access – Administrative sessions to the TOE may be terminated by the administrator’s own actions or automatically after a specified time of inactivity. These termination features apply to both local and remote connections to the TOE.
\r\nThe TOE will also display a customizable warning message that is displayed to the user during each administrative logon. The message is designed to serve as an advisory notice and consent warning regarding use of the TOE.
\r\nTrusted path/channels – The TOE implements and requires a secured method of communication between itself, audit servers, and remote administrators. The TOE utilizes SSHv2 to provide mutual authentication, encryption, and integrity protection for the all trusted paths and channels.
","features":[]}