{"product_id":10601,"v_id":10601,"product_name":"Hewlett Packard Enterprise 6125XLG Ethernet Blade Switch","certification_status":"Certified","certification_date":"2015-02-24T00:00:00Z","tech_type":"Network Device, Network Switch","vendor_id":{"name":"Hewlett Packard Enterprise Company","website":"www.hp.com"},"vendor_poc":"Bob Pittman","vendor_phone":"+1.508.467.0284","vendor_email":"bob.pittman@hp.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>The HP 6125XLG Ethernet Blade Switch is a Gigabit Ethernet switch appliance that consists of hardware and software components. The software used is Comware Version 7.1.045, Release 2406 P01 and is a common code base of a modular nature with only the modules applicable for the specific hardware installed.</p>\r\n<p>The HP 6125XLG Ethernet Blade Switch features 240Gb uplink bandwidth; 160Gb available server side bandwidth; 4x10Gb QSFP+ ports; and either 1Gb or 10Gb SFP+ ports depending on the module inserted. Additionally, the switch provides dedicated 4x10GB internal cross-connect ports between adjacent switches; as well as wire speed switching and IPv6 support with full Layer 2 and Layer 3 features.&nbsp;&nbsp;</p>\r\n<p>The HP Intelligent Resilient Framework (IRF) is also supported for virtualization, such that up to four devices can be grouped together and managed as a single switch with a single IP address, which simplifies the deployment and management of top-of-rack switches, as well as reduces data center deployment and operating expenses.&nbsp; The IRF technology simplifies the architecture of server access networks, such that the switches can deliver unmatched scalability of virtualized access layer switches and flatter, two-tier FlexFabric networks using IRF. 
The IRF is not in the scope of the evaluation.</p>\r\n<p>The following modules, extending the physically available ports, are supported by the HP 6125XLG Ethernet Blade Switch and can optionally be used since they do not affect any of the claimed security functions but rather serve to extend available network connectivity:</p>\r\n<ul>\r\n<li>HP X120 1G SFP LC SX 850nm Transceiver JD118B</li>\r\n<li>HP X120 1G SFP LC LX 1310nm Transceiver JD119B</li>\r\n<li>HP X125 1G SFP LC LH40 1310nm Transceiver JD061A</li>\r\n<li>HP X120 1G SFP LC LH40 1550nm Transceiver JD062A</li>\r\n<li>HP X125 1G SFP LC LH70 1550nm Transceiver JD063B</li>\r\n<li>HP X120 1G SFP LC RJ45 T Transceiver JD089B</li>\r\n<li>HP BLc 1Gb SFP LC SX 850nm Transceiver</li>\r\n<li>HP BLc 1Gb SFP LC RJ45 T Transceiver</li>\r\n<li>HP X130 10G SFP+ LC SR 850nm Transceiver JD092B</li>\r\n<li>HP X130 10G SFP+ LC LRM 1310nm Transceiver JD093B</li>\r\n<li>HP X130 10G SFP+ LC LR 1310nm Transceiver JD094B</li>\r\n<li>HP X130 10G SFP+ LC ER 1550nm Transceiver JG234A</li>\r\n<li>HP BladeSystem c-Class 10G SFP+ LC SR 850nm Transceiver</li>\r\n<li>HP BladeSystem c-Class 10G SFP+ LC LR 1310nm Transceiver</li>\r\n<li>HP X140 40G QSFP+ MPO SR4 850nm Transceiver JG325A</li>\r\n</ul>","evaluation_configuration":"","security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. 
The criteria against which the 6125XLG Ethernet Blade Switch was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.&nbsp; The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.&nbsp;&nbsp; The product, when delivered and configured as identified in the <em>Preparative Procedures for CC NDPP Evaluated Hewlett-Packard 6125XLG Network Switches based on Comware V7 </em>document, satisfies all of the security functional requirements stated in the&nbsp;<em>Hewlett-Packard Company 6125XLG Ethernet Blade Switch Security Target 2.0, February 19, 2015.&nbsp;&nbsp; </em>The project underwent CCEVS Validator review.&nbsp; The evaluation was completed in February, 2015.&nbsp; Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.</p>","environmental_strengths":"<p><strong><em>Security Audit</em></strong><strong></strong></p>\r\n<p class=\"Body\">The TOE is able to generate audit records of security relevant events. 
The TOE can be configured to store the audit records locally so they can be accessed by an administrator or alternately to send the audit records to a designated log server.</p>\r\n<p><strong><em>Cryptographic Support</em></strong><strong></strong></p>\r\n<p class=\"Body\">The TOE includes NIST-validated cryptographic mechanisms that provide key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher level cryptographic protocols, including IPsec and SSHv2.&nbsp; Note that to be in the evaluated configuration, the TOE must be configured in FIPS mode, which ensures the TOE&rsquo;s configuration is consistent with the FIPS 140-2 standard.</p>\r\n<p><strong><em>User Data Protection</em></strong></p>\r\n<p class=\"Body\">The TOE performs network switching and routing functions, passing network traffic among its various physical and logical (e.g., VLAN) network connections. While implementing applicable network protocols associated with network traffic forwarding, the TOE is designed to ensure that it does not inadvertently reuse data found in network traffic.</p>\r\n<p><strong><em>Identification and Authentication</em></strong><strong></strong></p>\r\n<p class=\"Body\">The TOE requires users (i.e., administrators) to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers both a locally connected console and a network accessible interface (SSHv2) for interactive administrator sessions.</p>\r\n<p class=\"Body\">The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. 
Additionally, the TOE can be configured to use the services of trusted RADIUS and TACACS servers in the operational environment to support, for example, centralized user administration.</p>\r\n<p><strong><em>Security Management</em></strong><strong></strong></p>\r\n<p class=\"Body\">The TOE provides a CLI to access its security management functions. Security management commands are limited to administrators and are available only after they have provided acceptable user identification and authentication data to the TOE.</p>\r\n<p><strong><em>Protection of the TSF</em></strong><strong></strong></p>\r\n<p class=\"Body\">The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.</p>\r\n<p class=\"Body\">It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability).</p>\r\n<p class=\"Body\">The TOE uses cryptographic means to protect communication with remote administrators. When the TOE is configured to use the services of a Syslog server or authentication servers in the operational environment, the communication between the TOE and the operational environment component is protected using encryption.</p>\r\n<p class=\"Body\">The TOE includes functions to perform self-tests so that it might detect when it is failing. 
It also includes mechanisms so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.</p>\r\n<p><strong><em>TOE Access</em></strong><strong></strong></p>\r\n<p class=\"Body\">The TOE can be configured to display an informative banner that will appear prior to authentication when accessing the TOE via the console or SSH interfaces.&nbsp; The TOE subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session will be terminated.</p>\r\n<p><strong><em>Trusted Path/Channels</em></strong><strong></strong></p>\r\n<p class=\"Body\">The TOE protects interactive communication with administrators using SSHv2 for CLI access. Using SSHv2, both integrity and disclosure protection are ensured.</p>\r\n<p class=\"Body\">The TOE protects communication with external IT entities, including audit and authentication servers, using IPsec connections, which prevent unintended disclosure or modification of data.</p>","features":[]}