Compliant Product - Klas Fastnet Series Switches KlasOS 5.3
Certificate Date: 2021.08.18CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11188-2021
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Acumen Security
The TOE is the Klas Fastnet Series Switches KlasOS 5.3. It runs the KlasOS firmware, which provides connectivity to multiple devices contained within the same network segment. A real-time clock is present on all KlasOS devices. Authentication can be performed locally or over a trusted channel using SSH. All logs can be securely transferred to a syslog server. KlasOS provides a Command Line Interface (CLI) for device configuration. The Klas Fastnet switches range of products provide expandable, enterprise-grade, rugged mobility solutions.
The TOE also supports secure connectivity with several other IT environment devices, including:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Klas Fastnet Series Switches KlasOS 5.3 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered configured as identified in the Klas FastNet Series Switches Common Criteria Configuration Guide, satisfies all of the security functional requirements stated in the Klas Fastnet Series Switches Security Target. The project underwent CCEVS Validator review. The evaluation was completed in August 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE implements the following security functional requirements:
· Security Audit
· Cryptographic Support
· Identification and Authentication
· Security Management
· Protection of the TSF
· TOE Access
· Trusted Path/Channels
Each of these security functionalities are covered in more detail below.
The TOE generates audit events for all start-up and shutdown functions as well as all auditable events specified in the Security Target. Audit events are also generated for management actions specified in FAU_GEN.1. The TOE can store audit records locally and export them to an external syslog server using SSHv2. Each audit record contains the date and time of the event, type of event, subject identity, and other relevant data of the event. Only a Security Administrator can enable logging to a syslog server.
The operating system used is Klas OS v5.3.5. The TOE leverages OpenSSL 1.0.1u for cryptographic algorithms and OpenSSH 7.7p1 for SSH.
All users must be authenticated by the TOE prior to carrying out any administrative actions. The TOE supports password-based and public-key based authentication. An administrator can set a minimum password length on the TOE which can be a minimum of 15 characters.
The TOE supports local and remote management of its security functions including:
· Local console CLI administration
· Remote CLI administration via SSHv2
· Configurable banner displayable at login
· Timeouts to terminate administrative sessions after a set period of inactivity
· Timed user lockout after multiple failed authentication attempts
· Configurable authentication failure parameters
· Re-enabling locked accounts
· Configurable cryptographic parameters
The administrative user can perform all the above security related management functions.
The TOE protects all passwords, pre-shared keys, symmetric keys, and private keys from unauthorized disclosure. Passwords are stored as SHA 512 hashes. The TOE executes self-tests during initial start-up to ensure correct operation and enforcement of its security functions. The TOE internally maintains the date and time. An administrator can install software updates to the TOE after they are verified using a digital signature mechanism.
1.6 TOE Access
The TOE displays a customizable banner before any administrative session can be established with it. The TOE will terminate local or remote interactive sessions after a specified period of session inactivity configured by an administrator. An administrator can terminate their own interactive local or remote sessions.
The TOE supports SSH for secure communications with authorized IT entities such as syslog servers. The TOE supports SSHv2 (remote CLI) for secure remote administration.
Klas Telecom Inc.