Public ▲ All information in this document is ZTE Corporation internal information and must not be disseminated externally.

ZXCTN 6000 Series Access Routers Running ZXROSng Operating System Security Target

ZXCTN 6000 Series Access Routers Running ZXROSng ST

TABLE OF CONTENTS

1 ST INTRODUCTION .... 4
1.1 ST IDENTIFICATION .... 4
1.1.1 ST Title .... 4
1.1.2 References .... 4
1.2 TOE IDENTIFICATION .... 4
1.3 TOE OVERVIEW .... 6
1.3.1 Intended usage and security features of the TOE .... 6
1.3.2 Non-TOE components .... 7
1.4 TOE DESCRIPTION .... 8
1.4.1 Physical scope .... 8
1.4.2 Logical scope .... 9
1.4.3 Evaluated Configuration .... 9
2 CONFORMANCE CLAIMS .... 12
2.1 COMMON CRITERIA (CC) CONFORMANCE .... 12
3 SECURITY PROBLEM DEFINITION .... 13
3.1 THREAT .... 13
3.2 ASSUMPTION .... 13
3.2.1 Personnel Assumptions .... 14
3.2.2 Physical Environment Assumptions .... 14
3.2.3 Operational Assumptions .... 14
3.3 ORGANIZATIONAL SECURITY POLICIES .... 14
4 SECURITY OBJECTIVES .... 16
4.1 SECURITY OBJECTIVES FOR THE TOE .... 16
4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT .... 16
5 SECURITY REQUIREMENTS .... 18
5.1 SECURITY FUNCTIONAL REQUIREMENTS .... 18
5.1.1 Overview .... 18
5.1.2 Security Functional Requirements .... 20
5.2 SECURITY ASSURANCE REQUIREMENTS .... 28
5.2.1 Security Assurance Requirements .... 28
6 TOE SUMMARY SPECIFICATION .... 29
6.1 TOE SECURITY FUNCTIONS .... 29
6.1.1 Security Auditing .... 29
6.1.2 Identification & Authentication .... 30
6.1.3 Security Management .... 32
6.1.4 TOE Access .... 34
6.1.5 User data protection .... 35
6.1.6 Trusted Channel .... 37
7 RATIONALE .... 38
7.1 RATIONALE FOR SECURITY OBJECTIVES .... 38
7.1.1 Rationale for Security Objectives for the TOE .... 38
7.1.2 Rationale for Security Objectives for the Environment .... 38
7.2 SECURITY REQUIREMENTS RATIONALE .... 39
7.2.1 Rationale for TOE security functional requirements .... 39
7.2.2 Rationale for Security Assurance Requirements .... 41
7.2.3 Functional Requirement Dependencies Rationale .... 41
8 APPENDIX .... 44
8.1 DOCUMENT TERMINOLOGY .... 44

LIST OF TABLES

Table 1 – ZXCTN 6000 Series Models .... 6
Table 2 – ZTE Operation System version Information .... 8
Table 3 – Evaluated Configuration .... 11
Table 4 – Threat .... 13
Table 5 – Personnel Assumption .... 14
Table 6 – Physical Assumption .... 14
Table 7 – Operational Assumption .... 14
Table 8 – Organizational Security Policy .... 15
Table 9 – Security Objective .... 16
Table 10 – Security Objective for the environment .... 17
Table 11 – TOE Security Functional Requirements .... 20
Table 12 – Security Assurance Requirements (EAL 2 +) .... 29
Table 13 – Mapping of Security Objectives to Threats/OSP .... 38
Table 14 – Mapping of Assumptions to Security Objectives for the Operational Environment .... 39
Table 15 – Mapping of Security Functional Requirements to TOE Security Objectives .... 40
Table 16 – Mapping of the rationale of TOE Security Requirements to Objectives .... 41
Table 17 – Security Functional Requirement Dependencies .... 43
Table 18 – Document Terminology .... 46

1 ST INTRODUCTION

1.1 ST IDENTIFICATION

1.1.1 ST Title

ZXCTN 6000 Series Access Routers Running ZXROSng Operating System Security Target v3.1

1.1.2 References

The following documentation was used to prepare this ST.

[CCp1] Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated September 2012, Version 3.1 Revision 4 Final, CCMB-2012-09-001
[CCp2] Common Criteria for Information Technology Security Evaluation – Part 2: Security functional requirements, dated September 2012, Version 3.1 Revision 4 Final, CCMB-2012-09-002
[CCp3] Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance requirements, dated September 2012, Version 3.1 Revision 4 Final, CCMB-2012-09-003
[CEM] Common Evaluation Methodology for Information Technology Security Evaluation, dated September 2012, Version 3.1 Revision 4 Final, CCMB-2012-09-004

1.2 TOE IDENTIFICATION

This Security Target describes the ZXCTN 6000 Series Access Routers running v3.10.10 Build 12.
The TOE consists of the following:

Table 1 – ZXCTN 6000 Series Models (columns: Model; Interface Description; Type. The Type column reads "Access Router" for every model.)

ZXCTN 608-GF
Contains service interfaces and management & auxiliary interfaces.
Service interfaces:
- 2x 1 Gbps Optical Ethernet
- 2x 1 Gbps Electrical Ethernet
- 2x 1 Gbps Combo Ethernet
Management & Auxiliary interfaces:
- 1x Fast Ethernet LCT (Local craft terminal interface)
- 1x Mini USB console interface

ZXCTN 608-GE/GK
The 608-GE is a fan-free design, whereas the 608-GK contains a fan inside. Both routers contain service interfaces and management & auxiliary interfaces.
Service interfaces:
- 4x 1 Gbps Optical Ethernet
- 2x 1 Gbps Electrical Ethernet
- 2x E1 interfaces
Management & Auxiliary interfaces:
- 1x Fast Ethernet LCT (Local craft terminal interface)
- 1x Mini USB console interface

ZXCTN 6120E-XK/XF
Both routers contain service interfaces and management & auxiliary interfaces.
Service interfaces:
- 2x 10 Gbps Optical Ethernet
- 4x 1 Gbps Optical Ethernet
- 4x 1 Gbps Electrical Ethernet
- 4x 1 Gbps Combo Ethernet
Management & Auxiliary interfaces:
- 1x Fast Ethernet LCT (Local craft terminal interface)
- 1x Mini USB console interface
- 1x Fast Ethernet external alarm
- 1x Fast Ethernet BITS/GPS interface
The 6120E-XK additionally supports E1 interfaces.

ZXCTN 6120S
Contains 1 main control board slot that supports the following control boards: SMDE, SMDE(BS61).
Contains 2 available LIC card slots that support the following LIC cards: OIXG1, OIXG2, OIX6G, OIGE8, EIGE8, OEIGE8, OEIGE, OEIFE8, E1E16-75, E1E16-120, OIS4.

ZXCTN 6150
Contains 2 main control board slots for 1+1 redundancy; the slots support the following control boards: SME, SME(BS61).
Contains 6 available LIC card slots that support the following LIC cards: OIXG1, OIXG2, OIX6G, OIGE8, EIGE8, OEIGE8, OEIGE, OEIFE8, E1E16-75, E1E16-120, OIS4.

ZXCTN 6180
Contains 2 main control board slots for 1+1 redundancy; the slots support the following control board: SMF.
Contains 10 available LIC card slots that support the following LIC cards: OIXG1, OIXG2, OIX6G, OIGE8, EIGE8, OEIGE8, OEIGE, OEIFE8, E1E16-75, E1E16-120, OIS4.

The major difference between models is the type, capacity and number of the physical interfaces. See Appendix 8.1 for a breakdown of the ports available on each main control board and LIC.

1.3 TOE OVERVIEW

1.3.1 Intended usage and security features of the TOE

A router enables the delivery of metro Ethernet services and high-density service-aware Ethernet aggregation over IP/MPLS-based networks. The supported protocols are layer 2/layer 3 encapsulation, Internet Protocol (IP), and Ethernet. Other protocols may be supported by the product, but are not evaluated (see section 1.4.3).

The major security features of the TOE are:
- Handling of packet flows using the OSPFv2 and BGPv4 protocols
- Local and remote administration
- Authentication, either in the TOE or through TACACS+ or RADIUS
- Administrator profiles to permit or deny access to a hierarchical branch or to specific commands
- Audit
- Management and configuration of the TOE
- Mitigation of DoS attacks

1.3.2 Non-TOE components

The TOE requires the following IT in its environment:

A local or remote console for administration (required)
At least one is needed, but both are allowed.
- For a local console: any platform that supports terminal emulation to the ANSI X3.64 standard;
- For a remote console: any platform that supports terminal emulation to the ANSI X3.64 standard and the SSH protocol.

An SNMP/SYSLOG server for logging (required)
This may be two platforms or one combined platform.
- For the SNMP server: any platform that supports RFC 3411 to RFC 3418 (SNMPv3);
- For the SYSLOG server: any platform that supports RFC 3164 (SYSLOG Protocol).
All logs are stored on the SNMP/SYSLOG server and also in the logfile of the TOE.

An NTP server (required)
Any platform that supports RFC 1305 (NTPv3).

A RADIUS or TACACS+ server for AAA services (optional)
- For the RADIUS server: any platform that supports RFC 2865 (Authentication & Authorization) and RFC 2866 (Accounting) for RADIUS;
- For the TACACS+ server: any platform that supports TACACS+ Version 1.78 (DRAFT).

At least two external networks and an internal network
The major functionality of the TOE is to forward data packets between networks. There should be at least two distinct networks or network segments: commonly two LANs or WANs, or a LAN and its ISP's network. There should also be an internal network that connects the SNMP/SYSLOG server, the NTP server and the RADIUS/TACACS+ server to the TOE.

1.4 TOE DESCRIPTION

The TOE is a ZXCTN 6000 Series Access Router running v3.10.10 Build 12. A router is a device with Layer 2 switching that also offers Layer 3 capabilities. As a Layer 2 switch, it analyzes incoming frames, makes forwarding decisions based on information contained in the frames, and forwards the frames toward the destination.
The Layer 3 enabled switch supports routing of the traffic. Routers may create or maintain a table of the available routes and their conditions and use this information, along with distance and cost algorithms, to determine the best route for a given packet. Routing protocols include BGPv4 and OSPFv2.

1.4.1 Physical scope

The TOE consists of:
- ZXCTN 6000 Series Access Router
  - ZXCTN 608-GF, V3.10.10, Build version 12
  - ZXCTN 608-GE, V3.10.10, Build version 12
  - ZXCTN 608-GK, V3.10.10, Build version 12
  - ZXCTN 6120E-XK, V3.10.10, Build version 12
  - ZXCTN 6120E-XF, V3.10.10, Build version 12
  - ZXCTN 6120S, V3.10.10, Build version 12
  - ZXCTN 6150, V3.10.10, Build version 12
  - ZXCTN 6180, V3.10.10, Build version 12

TOE software v3.10.10B12 comprises a Linux kernel, ZTE's embedded Linux and the ZXROSng operating system. The following table details the product software that makes up the TOE software.

TOE           | Product Software | ZXROSng Operating System | ZTE Carrier Grade Embedded Linux | Linux Kernel
608-GF/GE/GK  | V3.10.10B12      | v4.00.30R3               | CGEL_V5.0.1.30                   | 3.10.55
6120S         | V3.10.10B12      | v4.00.30R3               | CGEL_V_3.04.10.P6.F5             | 2.6.21
6150          | V3.10.10B12      | v4.00.30R3               | CGEL_V_3.04.10.P6.F5             | 2.6.21
6180          | V3.10.10B12      | v4.00.30R3               | CGEL_V_3.04.10.P6.F5             | 2.6.21
6120E-XF/XK   | V3.10.10B12      | v4.00.30R3               | CGEL_V4.03.20_P6B3               | 2.6.32
Table 2 – ZTE Operation System version Information

- Guidance
  - Operational User Guidance ZXCTN 6000 Series Access Router, v2.0
  - Preparative User Guidance ZXCTN 6000 Series Access Router, v2.0

1.4.2 Logical scope

The TOE is connected to an internal (trusted) network and two or more external (untrusted) networks. The external networks are the networks to be switched/routed and support the primary function of the TOE: the handling of packet flows from one network to another. Typically, packet flows are passed through the internetworking device and forwarded to their configured destination.
The packet flows can be manipulated and monitored as well. The routing protocols used are OSPFv2 and BGPv4.

The internal network may contain the following entities:
- A RADIUS or TACACS+ server for Identification & Authentication (optional)
- An SNMP/SYSLOG server for logging (required)
- An NTP server for external time synchronization (required)
- A local console for management or a remote console for management; the remote console connects to the TOE through SSH (required)

The TOE provides the following services:
- Handling of packet flows: as described above, using the OSPFv2 and BGPv4 protocols, which protect the communication with trusted routers against modification, insertion and replay errors. Packet flows can be restricted to come only from authorized sources and/or go only to authorized destinations.
- Local (through a console port) and remote (protected through SSH) access to the TOE for administrators. These sessions are dropped after a configurable amount of total session time or after a configurable amount of idle time, to prevent access to unattended open sessions.
- Authentication: access permission is controlled using TACACS+, RADIUS, or local authentication. A profile, which is based on the administrator name and password configuration, is applied during administrator authorization. This ST addresses only the client-side support of RADIUS and TACACS+; the servers themselves are out of scope.
- Profiles: administrator profiles are configured to permit or deny access to a hierarchical branch or to specific commands.
- Audit: the TOE provides an audit feature for actions related to authentication attempts and administrator actions.
- Management: the TOE offers administrators the capability to configure the TOE (primarily the packet flow handling and audit features).
- Mitigation of DoS attacks through the use of real-time statistics capabilities.

1.4.3 Evaluated Configuration

The TOE has many features that can be configured to be on or off.
The table below lists these features and shows whether they are:
- Evaluated: the feature can be enabled, and it will work securely.
- Not Permitted: the feature may not be enabled, as this would endanger the security of the entire TOE.
- Not Evaluated: the feature can be enabled, and enabling it will not endanger the security of the other features, but the evaluation has not determined whether the feature itself works securely.

Feature | Description | Evaluated / Not Permitted / Not Evaluated
AAA | TACACS+, RADIUS (Remote Authentication Dial-In User Service) | X
ACL | Access control lists. | X
DHCP | Dynamic Host Configuration Protocol (DHCP) enables you to automatically assign reusable IP addresses to DHCP clients. | X
IGMP | Internet Group Management Protocol. | X X
IPv6 | Internet Protocol version 6 | X
Media Types (non-Ethernet) | MPLS, PPP, PPPoE, SDH | X
NAT | Network Address Translation | X
sFlow | Sampled Flow | X
NTP | Network Time Protocol | X
QoS | Quality of Service features | X
STP | Spanning Tree Protocol | X
Routing Protocols Permitted | OSPFv2: Open Shortest Path First (OSPFv2) Mode 2 | X
Routing Protocols Permitted | BGPv4: Border Gateway Protocol | X
Static Routing | Static routing table | X
SSHv1 | SSH version 1 client and server support | X X
SSHv2 | SSH version 2 client and server support. | X
SNMPv2 | Simple Network Management Protocol (SNMP) | X X
SNMPv3 | Simple Network Management Protocol (SNMP) | X
SYSLOG | Configuration and delivery of SYSLOG messages. | X
Telnet | Not permitted in the evaluated configuration: legacy unencrypted protocol for remote administration. | X X
FTP / TFTP | Not permitted in the evaluated configuration: legacy unencrypted protocol for remote administration. | X X
VLAN | Virtual LAN | X
Mitigate DoS attack | Denial of service | X
VPN | Not permitted in the evaluated configuration: WebVPN, IPSec, IKE, L2TP (Layer 2 Tunneling Protocol). | X X
Table 3 – Evaluated Configuration

2 CONFORMANCE CLAIMS

2.1 COMMON CRITERIA (CC) CONFORMANCE

This ST conforms to:
- CC, version 3.1R4, as defined by [CCp1], [CCp2], [CCp3] and [CEM].
- CC Part 2, as CC Part 2 conformant
- CC Part 3, as CC Part 3 conformant

This ST conforms to no Protection Profile.

This ST conforms to EAL 2 + ALC_FLR.2, and to no other packages.

3 SECURITY PROBLEM DEFINITION

In order to clarify the nature of the security problem that the TOE is intended to solve, this section describes the following:
1. Any known or assumed threats to the assets against which specific protection within the TOE or its environment is required
2. Any organizational security policy statements or rules with which the TOE must comply
3. Any assumptions about the security aspects of the environment and/or of the manner in which the TOE is intended to be used.

This chapter identifies threats as T.THREAT, assumptions as A.ASSUMPTION and policies as P.POLICY.

3.1 Threat

A threat consists of a threat agent, an asset and an adverse action of that threat agent on that asset.
1. Threat agents are entities that can adversely act on assets – the threat agents in the threats below are unauthorized user, network attacker, authorized user and
2. Assets are entities that someone places value upon – the assets are access to network services,
3. Adverse actions are actions performed by a threat agent on an asset – the adverse actions are: unauthorized changes to configuration, both network routing configuration and management configuration.
THREAT | DESCRIPTION
T.AUDIT_REVIEW | Actions performed by users may not be known to the administrators because the actions are not recorded or the audit records are not reviewed before the machine shuts down, or because an unauthorized administrator modifies or destroys audit data.
T.NO_PRIVILEGE | An unauthorized user may gain access to inappropriately view, tamper with, modify, or delete TOE Security Functionality data.
T.MEDIATE | An unauthorized entity may send impermissible information through the TOE, which results in the exploitation of resources on the network.
T.NO_AUTH_SESSION | A user may gain unauthorized access to an unattended session and alter the TOE security configuration.
T.NO_AUTH_ACCESS | An unauthorized user gains management access to the TOE and alters the TOE security configuration.
Table 4 – Threat

3.2 Assumption

The assumptions are ordered into three groups: Personnel Assumptions, Physical Environment Assumptions, and Operational Assumptions.

3.2.1 Personnel Assumptions

ASSUMPTION | DESCRIPTION
A.NO_EVIL&TRAIN | The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation, including the administrator guidance; however, they are capable of error. The administrators are trained in the appropriate use of the TOE.
Table 5 – Personnel Assumption

3.2.2 Physical Environment Assumptions

ASSUMPTION | DESCRIPTION
A.CONNECTIVITY | All TOE external interfaces except for the network traffic/data interface are attached to the internal (trusted) network. This includes: 1. RADIUS, TACACS+ server interface (optional); 2. SNMP/SYSLOG interface (required); 3. NTP interface (required); 4. SSH interface for the remote client (at least one of the local or remote administration clients is required).
A.PHYSICAL | The TOE will be located in an environment that provides physical security to prevent unauthorized physical access, commensurate with the value of the IT assets protected by the TOE, together with the uninterruptible power and temperature control required for reliable operation.
Table 6 – Physical Assumption

3.2.3 Operational Assumptions

ASSUMPTION | DESCRIPTION
A.REMOTE_AUTH | External authentication services will be available via RADIUS, TACACS+, or both when the TOE is configured to use remote authentication.
A.TIMES | External NTP services will be available.
Table 7 – Operational Assumption

3.3 ORGANIZATIONAL SECURITY POLICIES

This section describes the organizational security policies to be enforced with respect to the TOE environment.

OSP | DESCRIPTION
P.USERS | The TOE is administered by one or more Administrators who have been granted rights to administer the TOE. All administrators are "vetted" to help ensure their trustworthiness, and administrator connectivity to the TOE is restricted.
P.ROUTE | The TOE must be able to accept routing data from trusted routers.
Table 8 – Organizational Security Policy

4 SECURITY OBJECTIVES

This chapter describes the security objectives for the TOE and the TOE's operating environment. The security objectives are divided between TOE Security Objectives (i.e., security objectives addressed directly by the TOE) and Security Objectives for the Operating Environment (i.e., security objectives addressed by the IT domain or by non-technical or procedural means).
4.1 SECURITY OBJECTIVES FOR THE TOE

OBJECTIVES | DESCRIPTION
O.AUDIT_REVIEW | The TOE will provide the privileged administrators and authentication administrators with the capability to review audit data and will restrict audit review to administrators who have been granted explicit read access. The TOE will generate audit records which include the time that the event occurred and the identity of the administrator performing the event.
O.MANAGE | The TOE must provide services that allow effective management of its functions and data, and restrict access to the TOE management functions to the privileged administrators and authentication administrators.
O.IDAUTH | The TOE must uniquely identify and authenticate the claimed identity of all administrative users before granting management access.
O.MEDIATE | The TOE shall control the flow of information among its network connections according to routing rules and the BGPv4/OSPFv2 routing protocols, which protect the communication with trusted routers against modification, insertion and replay errors.
O.TOE_ACCESS | The TOE will provide mechanisms that control an administrator's logical access to the TOE and deny the use of unattended sessions to configure the TOE.
O.ROUTE | The TOE shall be able to accept routing data from trusted routers according to BGPv4/OSPFv2.
Table 9 – Security Objective

4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT

The following IT security objectives for the environment are to be addressed by the operational environment via technical means.

OBJECTIVES | DESCRIPTION
OE.TIMES | An NTP server will be available to provide accurate/synchronized time services to the TOE.
OE.CONNECTIVITY | All TOE external interfaces except for the network traffic/data interface are attached to the internal (trusted) network. This includes: 1. RADIUS, TACACS+ server interface (optional); 2. SNMP, SYSLOG interface (required); 3. NTP interface (required); 4. SSH interface for the remote client (at least one of the local or remote administration clients is required).
OE.NO_EVIL&TRAIN | The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation, including the administrator guidance; however, they are capable of error. The administrators are trained in the appropriate use of the TOE.
OE.PHYSICAL | The operational environment provides the TOE with appropriate physical security to prevent unauthorized physical access, commensurate with the value of the IT assets protected by the TOE, together with the uninterruptible power and temperature control required for reliable operation.
OE.USERS | All administrators are "vetted" to help ensure their trustworthiness, and administrator connectivity to the TOE is restricted. Non-administrative entities may have their packets routed by the TOE, but that is the extent of their authorization to the TOE's resources.
Table 10 – Security Objective for the environment

5 SECURITY REQUIREMENTS

The CC permits four types of operations to be performed on security functional requirements: selection, assignment, refinement, and iteration. These operations are identified in this ST in the following manner:
a. Selection: indicated by surrounding brackets and italicized text, e.g., [selected item].
b. Assignment: indicated by surrounding brackets and regular text, e.g., [assigned item].
c. Refinement: indicated by underlined text, e.g., refined item, for additions, or strikethrough text, e.g., refined item, for deleted items.
d. Iteration: indicated by assigning a number at the functional component level; for example, FMT_MTD.1.1 (1), FMT_MTD.1.1 (2), FMT_MTD.1.1 (3) and FMT_MTD.1.1 (4) refer to separate instances of the FMT_MTD.1 security functional requirement component.
5.1 SECURITY FUNCTIONAL REQUIREMENTS

This section provides the functional and assurance requirements that must be satisfied by a compliant TOE. These requirements consist of functional components from Part 2 of the CC and an Evaluation Assurance Level (EAL) containing assurance requirements from Part 3 of the CC.

The security requirements consist of two groups of requirements:
a. the security functional requirements (SFRs): a translation of the security objectives for the TOE into a standardized language; and
b. the security assurance requirements (SARs): a description of how assurance is to be gained that the TOE meets the SFRs.

5.1.1 Overview

The security functional requirements for this ST consist of the following components from Part 2 of the CC.

CC Part 2 Security Functional Components
Identifier | Name
FAU_GEN.1 | Audit data generation
FAU_GEN.2 | User identity association
FAU_SAR.1 | Audit review
FAU_STG.1 | Protected audit trail storage
FAU_STG.4 | Prevention of audit data loss
FDP_IFC.1(1) | Subset information flow control (unauthenticated policy)
FDP_IFF.1(1) | Simple security attributes (unauthenticated policy)
FDP_IFC.1(2) | Subset information flow control (export policy)
FDP_IFF.1(2) | Simple security attributes (export policy)
FDP_UIT.1 | Data exchange integrity
FIA_AFL.1 | Authentication failure handling
FIA_SOS.1 | Verification of secrets
FIA_UAU.2 | User authentication before any action
FIA_UAU.5 | Multiple authentication mechanisms
FIA_UID.2 | User identification before any action
FMT_MOF.1 | Management of security functions behaviour
FMT_MSA.1 | Management of security attributes
FMT_MSA.3 | Static attribute initialization
FMT_MTD.1(1) | Management of TSF data
FMT_MTD.1(2) | Management of TSF data
FMT_MTD.1(3) | Management of TSF data
FMT_MTD.1(4) | Management of TSF data
FMT_SMF.1 | Specification of management functions
FMT_SMR.1 | Security roles
FTA_SSL.3 | TSF-initiated termination
FTA_TSE.1 | TOE session establishment
FTP_ITC.1(1) | Trusted channel for SSH client
FTP_ITC.1(2) | Trusted channel for RADIUS/TACACS+ server
FTP_ITC.1(3) | Trusted channel for NTP
Table 11 – TOE Security Functional Requirements

5.1.2 Security Functional Requirements

5.1.2.1 FAU_GEN.1 Audit data generation

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection, choose one of: minimum, basic, detailed, not specified] level of audit; (refined away) and
[Alarm log: the security event source is all events relating to attempts to breach the system:
- authentication alarm
- user management alarm
- RADIUS alarm log
- NTP alarm log
Command log: all activities performed by the administrator are recorded in the Command log.]

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a. Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b. For each audit event type, based on the auditable event definitions of the functional components included in the ST, [none].

Application Note: There is no success/failure concept for the Alarm log. Therefore no outcome (success or failure) is recorded for the Alarm log.

5.1.2.2 FAU_GEN.2 User identity association

FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

Application Note: A Command log record is associated with an administrator. The other types of log are associated with an unauthenticated user/application.
5.1.2.3 FAU_SAR.1 Audit review

FAU_SAR.1.1 The TSF shall provide [authorised administrators] with the capability to read [all audit data] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

5.1.2.4 FAU_STG.1 Protected audit trail storage

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [prevent] unauthorised modifications to the stored audit records in the audit trail.

5.1.2.5 FAU_STG.4 Prevention of audit data loss

FAU_STG.4.1 The TSF shall [overwrite the oldest stored audit records] and [no other actions] if the audit trail is full.

5.1.2.6 FDP_IFC.1(1) Subset information flow control (unauthenticated)

FDP_IFC.1.1 The TSF shall enforce the [UNAUTHENTICATED SFP] on [
a. subjects: each IT entity that sends and receives information through the TOE to one another;
b. information: network packets sent through the TOE from one subject to another; and
c. operations: route/filter packets].

5.1.2.7 FDP_IFC.1(2) Subset information flow control (export policy)

FDP_IFC.1.1 The TSF shall enforce the [EXPORT SFP] on [
a. subjects: each IT entity that receives information from the TOE;
b. information: events sent from the TOE to SNMP trap and SYSLOG servers; and
c. operations: send events].

5.1.2.8 FDP_IFF.1(1) Simple security attributes (unauthenticated)

FDP_IFF.1.1 The TSF shall enforce the [UNAUTHENTICATED SFP] based on the following types of subject and information security attributes: [security subject attributes:
a. IP network address and port of source subject;
b. IP network address and port of destination subject;
c. transport layer protocol and their flags and attributes (UDP, TCP);
d. network layer protocol (IP, ICMP);
e. interface on which traffic arrives and departs; and
f. routing protocols (BGPv4, OSPFv2) and their configuration and state.]

Application Note: The TOE only accepts routing information from other routers with trusted IPs configured by the administrators.

FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
a. the identity of the source subject is in the set of source subject identifiers (i.e., addresses);
b. the identity of the destination entity is in the set of destination entity identifiers (i.e., addresses);
c. the information security attributes match the attributes in an information flow policy rule (contained in the information flow policy rule set defined by the Administrator) according to the following algorithm:
• First match algorithm for filtering rules. When multiple policy names are specified, the policies shall be executed in the order they are specified. The first policy that matches is applied;
• Longest-prefix match algorithm for routing rules. The configured rule whose destination prefix matches the destination address with the maximum prefix length is selected;
d. the selected information flow policy rule specifies that the information flow is to be permitted].

FDP_IFF.1.3 The TSF shall enforce the [rule: when the semi-connection statistics information of the TCP SYN flood exceeds the configured threshold, the TOE suppresses these attacks].
FDP_IFF.1.4 The TSF shall explicitly authorize an information flow based on the following rules: [none].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [
a. the TOE shall reject requests for access or services where the source identity of the information received by the TOE is not included in the set of source identifiers for the source subject;
b. the TOE shall reject requests for access or services where the source identity of the information received by the TOE specifies a broadcast identity;
c. the TSF shall reject requests for access or services where the presumed source identity of the information received by the TOE specifies a loopback identifier;
d. the TSF shall drop requests in which the information received by the TOE does not correspond to an entry in the routing table;
e. the TSF shall deny information flows that do not conform to their associated published protocol specification (e.g., RFCs for supported router protocols)].

5.1.2.9 FDP_IFF.1(2) Simple security attributes (export policy)

FDP_IFF.1.1 The TSF shall enforce the [EXPORT SFP] based on the following types of subject and information security attributes: [Source subject security attributes: source network identifier; and Destination subject security attributes:
a. SYSLOG server IP address;
b. UDP port used to send the SYSLOG message;
c. SYSLOG Facility Code;
d. SYSLOG Severity Threshold;
e. IP address of the SNMP trap receiver;
f. UDP port used to send the SNMP trap;
g. SNMPv3 used to format the SNMP notification; and
h. Security name and level for SNMPv3 trap receivers].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
a. the identity of the destination subject is in the set of destination identifiers;
b. the information security attributes match the security attributes defined by the administrator according to the following algorithm (ALL the security attributes must match); and
c. the selected information flow policy rule specifies that the information flow is to be permitted].
FDP_IFF.1.3 The TSF shall enforce the [none].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: [none].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [none].

5.1.2.10 FDP_UIT.1 Data exchange integrity

FDP_UIT.1.1 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to [transmit and receive] routing data to/from trusted routers in a manner protected from [modification, insertion and replay errors].
FDP_UIT.1.2 The TSF shall be able to determine on receipt of user data, whether [selection: modification, deletion, insertion, replay] has occurred. refined away.

Application Note: In order to protect the routing data from modification, insertion and replay errors, only the OSPFv2 mode 2 and BGPv4 routing protocols are allowed, to ensure integrity. There is no need to protect the confidentiality of the routing data.

5.1.2.11 FIA_AFL.1 Authentication failure handling

FIA_AFL.1.1 The TSF shall detect when [an administrator configurable positive integer within [a range of values 3 – 16]] unsuccessful authentication attempts occur related to [any claimed administrator ID attempting to authenticate to the TOE].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met], the TSF shall [at the option of the Administrator prevent the administrators except the administrator from performing activities that require authentication until an action is taken by the Administrator, or until an Administrator defined time period (within a range of values 1 – 1440 minutes) has elapsed].

5.1.2.12 FIA_SOS.1 Verification of secrets

FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet: [
a. a minimum length of (6) characters;
b. complexity requirements of:
i) at least one (1) numeric character must be present in the password;
ii) at least one (1) special character must be present in the password. Special characters include: ~!@#$%^&*()_+|{}:”<>?`-=\[];’,./; and
iii) at least one (1) upper and one (1) lower case character;
c. an administrator defined number of days an administrator password is valid before the administrator must change their password. This parameter shall be used to force the administrator to change the password at the configured interval. The maximum number of days the password is valid shall be definable within a range of values of 15 – 365;
d. either the administrator must change his password at the first login, or the administrator is not forced to change his password at the first login, as configured by the administrator].

5.1.2.13 FIA_UAU.2 User authentication before any action

FIA_UAU.2.1 The TSF shall require each administrator to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that administrator.

5.1.2.14 FIA_UAU.5 Multiple authentication mechanisms

FIA_UAU.5.1 The TSF shall provide [client RADIUS, TACACS+, and local authentication mechanisms] to support user authentication.
FIA_UAU.5.2 The TSF shall authenticate any user's claimed identity according to the [authentication mechanism specified by the authorised user].

5.1.2.15 FIA_UID.2 User identification before any action

FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

5.1.2.16 FMT_MOF.1 Management of security functions behaviour

FMT_MOF.1.1 The TSF shall restrict the ability to [determine the behaviour of] the functions [TOE management/administration/security functions of
a. Configuring Administrators;
b. Configuring Login control;
c. Configuring local/RADIUS/TACACS+ authentication;
d. Configuring Password Management Parameters;
e. Configuring ACL;
f. Configuring Event logs;
g. Configuring SNMP/SYSLOG;
h. Configuring NTP;
i. Configuring anti-DoS attack;
j. Configuring CPU Protection Policies;] to [the Administrator].
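As an added illustration of how the FIA_SOS.1 secret check and the FIA_AFL.1 failure counter and lockout above fit together, the following Python model was written for this page; it is not ZXROSng code, the function and class names are hypothetical, and it treats the typographic quote marks printed in the special-character list as acceptable alongside their ASCII forms.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Special characters from FIA_SOS.1 (ASCII forms plus the typographic quotes the ST prints).
SPECIAL_CHARS = set('~!@#$%^&*()_+|{}:"<>?`-=\\[];\',./' + '\u201d\u2019')

MIN_LENGTH_RANGE = (6, 32)        # FIA_SOS.1 minimum length: default 6, range 6-32 (TSS 6.1.2)
FAIL_THRESHOLD_RANGE = (3, 16)    # FIA_AFL.1.1 configurable failure count
LOCKOUT_MINUTES_RANGE = (1, 1440) # FIA_AFL.1.2 configurable lockout period


def verify_secret(password: str, min_length: int = 6) -> List[str]:
    """Return the FIA_SOS.1 rules (a, b.i, b.ii, b.iii) the candidate violates.

    An empty list means the secret is acceptable. Rules c and d (password age,
    change at first login) concern account state rather than the secret itself
    and are not modelled here.
    """
    if not MIN_LENGTH_RANGE[0] <= min_length <= MIN_LENGTH_RANGE[1]:
        raise ValueError("minimum length must be within 6-32")
    failures = []
    if len(password) < min_length:
        failures.append("a. minimum length of %d characters" % min_length)
    if not any(c.isdigit() for c in password):
        failures.append("b.i numeric character")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("b.ii special character")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("b.iii upper and lower case character")
    return failures


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None   # minutes; None when the account is not locked


@dataclass
class LoginControl:
    """FIA_AFL.1: count failed attempts per claimed administrator ID and lock the account."""
    max_failures: int = 3
    lockout_minutes: int = 30
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not FAIL_THRESHOLD_RANGE[0] <= self.max_failures <= FAIL_THRESHOLD_RANGE[1]:
            raise ValueError("failure threshold must be within 3-16")
        if not LOCKOUT_MINUTES_RANGE[0] <= self.lockout_minutes <= LOCKOUT_MINUTES_RANGE[1]:
            raise ValueError("lockout period must be within 1-1440 minutes")

    def attempt(self, admin_id: str, credential_ok: bool, now: float) -> str:
        """Process one authentication attempt at time `now` (in minutes).

        Returns "ok", "denied" (wrong credential, not yet locked) or "locked".
        A correct credential is refused while the lockout period is running.
        """
        st = self.accounts.setdefault(admin_id, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None   # lockout period has elapsed (FIA_AFL.1.2)
            st.failures = 0
        if credential_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_minutes
            return "locked"
        return "denied"

    def unlock(self, admin_id: str) -> None:
        """The administrator action that clears a lock before the period elapses."""
        self.accounts[admin_id] = AccountState()
```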
5.1.2.17 FMT_MSA.1 Management of security attributes

FMT_MSA.1.1 The TSF shall enforce the [unauthenticated SFP and EXPORT SFP] to restrict the ability to [change default, query, modify, delete] the security attributes [defined in FDP_IFF.1.1(1) and FDP_IFF.1.1(2)] to [Administrator].

5.1.2.18 FMT_MSA.3 Static attribute initialization

FMT_MSA.3.1 The TSF shall enforce the [unauthenticated SFP and EXPORT SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [administrators] to specify alternative initial values to override the default values when an object or information is created.

5.1.2.19 FMT_MTD.1(1) Management of TSF data

FMT_MTD.1.1 The TSF shall restrict the ability to [modify, delete, [create, backup and restore]] the [configuration item and filtering rules] to [administrators].

5.1.2.20 FMT_MTD.1(2) Management of TSF data

FMT_MTD.1.1 The TSF shall restrict the ability to [modify] the [date/time] to [administrators].

5.1.2.21 FMT_MTD.1(3) Management of TSF data

FMT_MTD.1.1 The TSF shall restrict the ability to [empty] the [audit logs] to [administrators].

5.1.2.22 FMT_MTD.1(4) Management of TSF data

FMT_MTD.1.1 The TSF shall restrict the ability to [modify, delete [and create]] the [user account attributes] to [administrators].

Application Note: For all FMT_MTD.1: Each administrator has his own privilege level. These SFRs are used to restrict the management scope of different administrators.

5.1.2.23 FMT_SMF.1 Specification of management functions

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [
a. start-up and shutdown;
b. create, modify, delete, and view configuration data;
c. empty, and review the audit log;
d. create, delete, modify, and view filtering rules;
e. perform configuration backup and restore;
f. user account management;
g. modify date/time;
h. trusted router management; and
i. security management functions listed in FMT_MOF.1 Management of security functions behavior].

5.1.2.24 FMT_SMR.1 Security roles

FMT_SMR.1.1 The TSF shall maintain the roles [administrator].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

Application Note: Although there is only one administrator role, each administrator account has its own privilege level and corresponding management scope. The management scope of each privilege level is configurable. All commands are assigned a required privilege level. The administrator can execute commands whose required privilege level is lower than or equal to his own privilege level.

5.1.2.25 FTA_SSL.3 TSF-initiated termination

FTA_SSL.3.1 The TSF shall terminate an interactive session after an [administrator defined period of inactivity within a range of 1 to 1000 minutes].

5.1.2.26 FTA_TSE.1 TOE session establishment

FTA_TSE.1.1 The TSF shall be able to deny session establishment based on [maximum number of concurrent remote sessions on the node, value 15].

5.1.2.27 FTP_ITC.1(1) Inter-TSF trusted channel (SSH)

FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product SSH client that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [the SSH client] to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall require the use of the trusted channel for [
a. user authentication,
b. configuration management].
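The following Python model, added here and not part of the ST or of ZXROSng, puts the session controls of FTA_SSL.3 and FTA_TSE.1 into working form: the idle-time (1 to 1000 minutes, default 30), the optional absolute-time limit that section 6.1.4 describes (1 to 10000 minutes), the node-wide limit of 15 remote sessions, and an optional ACL on remote source addresses. Class and method names, and the sample addresses in the comments, are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_REMOTE_SESSIONS = 15           # FTA_TSE.1: concurrent remote sessions on the node
IDLE_TIME_RANGE = (1, 1000)        # FTA_SSL.3: idle-time in minutes, default 30
ABSOLUTE_TIME_RANGE = (1, 10000)   # TSS 6.1.4: mandatory termination absolute-time


@dataclass
class Session:
    session_id: int
    admin_id: str
    remote: bool
    started: float          # minutes since an arbitrary epoch
    last_activity: float


@dataclass
class SessionControl:
    """Hypothetical model of the TOE's login-control parameters (not ZXROSng code)."""
    idle_time: int = 30
    absolute_time: Optional[int] = None
    allowed_sources: Optional[Set[str]] = None   # ACL on remote source addresses; None = no ACL
    sessions: Dict[int, Session] = field(default_factory=dict)
    terminated: List[Tuple[int, str]] = field(default_factory=list)
    _next_id: int = 1

    def __post_init__(self) -> None:
        lo, hi = IDLE_TIME_RANGE
        if not lo <= self.idle_time <= hi:
            raise ValueError("idle-time must be within 1-1000 minutes")
        if self.absolute_time is not None:
            lo, hi = ABSOLUTE_TIME_RANGE
            if not lo <= self.absolute_time <= hi:
                raise ValueError("absolute-time must be within 1-10000 minutes")

    def reap(self, now: float) -> List[Tuple[int, str]]:
        """FTA_SSL.3: drop sessions idle for idle-time or older than absolute-time."""
        dropped = []
        for sid, s in list(self.sessions.items()):
            if self.absolute_time is not None and now - s.started >= self.absolute_time:
                dropped.append((sid, "absolute-time"))
            elif now - s.last_activity >= self.idle_time:
                dropped.append((sid, "idle-time"))
        for sid, _reason in dropped:
            del self.sessions[sid]
        self.terminated.extend(dropped)
        return dropped

    def establish(self, admin_id: str, source: Optional[str], remote: bool,
                  now: float) -> Optional[int]:
        """FTA_TSE.1: return a new session id, or None when establishment is denied."""
        self.reap(now)   # stale sessions must not count against the limit
        if remote:
            if self.allowed_sources is not None and source not in self.allowed_sources:
                return None   # refused by the ACL on source addresses
            if sum(1 for s in self.sessions.values() if s.remote) >= MAX_REMOTE_SESSIONS:
                return None   # 15 remote sessions already active
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = Session(sid, admin_id, remote, now, now)
        return sid

    def activity(self, sid: int, now: float) -> bool:
        """Record administrator activity; False if the session was already terminated."""
        self.reap(now)
        s = self.sessions.get(sid)
        if s is None:
            return False
        s.last_activity = now
        return True
```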
5.1.2.28 FTP_ITC.1(2) Inter-TSF trusted channel (RADIUS/TACACS+)

FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product RADIUS/TACACS+ server that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [the TSF] to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall require the use of the trusted channel for [user authentication].

5.1.2.29 FTP_ITC.1(3) Inter-TSF trusted channel (NTP)

FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product NTP server that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [the TSF] to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall require the use of the trusted channel for [time synchronization].
5.2 SECURITY ASSURANCE REQUIREMENTS

5.2.1 Security Assurance Requirements

The assurance requirements consist of EAL 2 + ALC_FLR.2 and are summarized in the following table:

Assurance Class / Assurance Components (Identifier  Name)
ADV: Development
  ADV_ARC.1  Security architecture description
  ADV_FSP.2  Security-enforcing functional specification
  ADV_TDS.1  Basic design
AGD: Guidance documents
  AGD_OPE.1  Operational user guidance
  AGD_PRE.1  Preparative procedures
ALC: Life-cycle support
  ALC_CMC.2  Use of a CM system
  ALC_CMS.2  Parts of the TOE CM coverage
  ALC_DEL.1  Delivery procedures
  ALC_FLR.2  Flaw reporting procedures
ATE: Tests
  ATE_COV.1  Evidence of coverage
  ATE_FUN.1  Functional testing
  ATE_IND.2  Independent testing - sample
AVA: Vulnerability Assessment
  AVA_VAN.2  Vulnerability analysis

Table 12 – Security Assurance Requirements (EAL 2 +)

6 TOE SUMMARY SPECIFICATION

6.1 TOE SECURITY FUNCTIONS

6.1.1 Security Auditing

The TOE provides an audit feature for actions related to operator authentication attempts and administrator actions.

• FAU_GEN.1 Audit data generation
The ZXROSng records the start-up and shutdown of the audit function, security events and the activity of the administrator.
Alarm logging: The security event source is all events that affect attempts to breach system security, such as failed login attempts. Security events are generated by the security application.
Command logging: all activities performed by the administrator are recorded in the Command log.
The TOE is configured to record all auditable events. Logs are configured in the following contexts:
a. Log file: Log files contain log event message streams.
b. SNMP trap groups: SNMP trap groups contain an IP address and community names which identify the targets to which traps are sent following specified events.
c. SYSLOG: Information is sent to a SYSLOG host that is capable of receiving selected SYSLOG messages from a network element.
A log level is associated with the Alarm log to control which events will be logged in the event log based on severity; the log level shall be configured to at least 6 (basic log level).

• FAU_GEN.2 User identity association
The ZXROSng is able to associate each auditable event with the identity of the administrator that caused the event. The Command log record is associated with an administrator. Other types of logs are associated with unauthenticated user/application.

• FAU_SAR.1 Audit review
The administrator reads all the information in the log destinations (i.e., memory, or a file on the local file system) via CLI commands. The administrator executes the following log commands:
a. Configuration Commands;
b. Log File Commands;
c. Alarm level filter Commands;
d. SYSLOG Configuration Commands;
e. SNMP Trap Groups;
f. Show Commands.

• FAU_STG.1, FAU_STG.4 Protected audit trail storage and Prevention of audit data loss
The TOE protects stored audit records from unauthorized deletion and modification. The TSF overwrites the oldest stored audit records in flash when the maximum allowed number of log files is reached.

6.1.2 Identification & Authentication

Authentication services can be handled either internally (fixed passwords) or through an external authentication service, such as a RADIUS or TACACS+ server. An operator’s authentication parameters must be valid before access is granted to administrative functions.

• FIA_AFL.1 Authentication failure handling (console)
The following is defined by the administrator:
(1) The number of unsuccessful login attempts allowed for the specified time.
(2) The lockout period in minutes during which the administrator is not allowed to log in.
When the above situation is satisfied, that administrator is locked out from any further login within a specified period of time. However, within the lock period, an administrator is allowed to unlock the locked account. Parameters are modifiable from the provided default values:
a. The ZXROSng detects when unsuccessful authentication attempts meet an administrator configurable positive integer (within a range of values 3 – 16).
b. When the defined number of unsuccessful authentication attempts has been met, the ZXROSng will at the option of the Administrator prevent activities that require authentication until an action is taken by the Administrator, or until an Administrator defined time period (within a range of values 1 – 1440 minutes) has elapsed.

• FIA_SOS.1 Verification of secrets
The verification of secrets applies to all authentication methods: local console, RADIUS and TACACS+. The password needs to satisfy the following requirements:
a. a minimum length (characters) of 6 by default, configurable within a range of 6-32;
b. at least one upper and one lower case character;
c. at least one numeric character must be present in the password;
d. at least one special character must be present in the password. Special characters include: ~!@#$%^&*()_+|{}:”<>?`-=\[];’,./.

• FIA_UAU.2 User authentication before any action
The ZXROSng is configured to use RADIUS, TACACS+, and local/remote authentication to validate administrators requesting access to the network. Password authentication is processed between RADIUS and local, or between TACACS+ and local, where the respective passwords are specifically configured. The order of TACACS+ and local can be configured. The allowed authentication models are listed below:
a. Local only
b. RADIUS only
c. TACACS+ only
d. RADIUS first; if RADIUS does not respond, then local authentication
e. TACACS+ first; if TACACS+ does not respond, then local authentication
f. Local first; if local authentication fails, then TACACS+ authentication
Authentication validates an administrator name and password combination when an administrator attempts to log in. When an administrator attempts to log in, the TOE sends an access request to a RADIUS, TACACS+, or local database.

• FIA_UID.2 User identification before any action
The ZXROSng validates an administrator name and password combination when an administrator attempts to log in.

• FIA_UAU.5 Multiple authentication mechanisms
The ZXROSng software supports three kinds of user authentication methods: Local Authentication, Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). The authentication mechanism can be configured. An administrator can be authenticated by any of the above authentication mechanisms, as specified by the authentication configuration.

6.1.3 Security Management

The TOE provides administrators with the capabilities to configure, monitor and manage the TOE to fulfill the Security Objectives. Security Management principles relate to Security Audit and Information Flow Control. Administrators configure the TOE via the remote/local CLI.

• FMT_MTD.1 Management of TSF Data
Management of TSF Data (Configuration Item and Filtering Rule): The TOE restricts the ability to administer the router configuration item and filtering rule. The CLI provides a text-based interface from which the router configuration can be managed and maintained. From this interface, all TOE functions such as the BGP and OSPF protocols can be managed. The TOE automatically routes traffic based on available routing information, much of which is automatically collected from the TOE environment. This CLI interface also provides the administrator with the ability to configure an external authentication server, such as a RADIUS or TACACS+ server.
When this is assigned, a user can be authenticated to the external server instead of directly to the TOE. If the authentication-order includes RADIUS or TACACS+, then these will be consulted in the configured order for all users.
Management of TSF Data (Date/time): The TOE will allow only an administrator to modify the date/time setting on the appliance.
Management of TSF Data (Audit logs): The TOE can be configured by an administrator to clear the audit logs and to specify the log level.
Management of TSF Data (User Account): The TOE restricts the ability to administer user data to administrators only. The CLI provides administrators with a text-based interface from which all user data can be managed. From this interface new accounts can be created, and existing accounts can be modified or deleted.

• FMT_MOF.1 Management of security functions behavior
The administrator will perform the following:
a. Configure administrator profiles used to deny or permit access to CLI command tree permissions, or to specific CLI commands.
b. Configure authentication failure handling: a configurable integer of unsuccessful authentication attempts within a configurable range of time, and a configurable lockout period, related to an administrator’s authentication.
c. Configure the authentication-order for local, RADIUS and TACACS+ authentication; enable RADIUS or TACACS+ (TOE client-side).
d. Configure password complexity [numeric] [special-character] [capital] [lowercase]; and configure the password minimum-length value.
e. Configure ACLs that control from where (e.g., from a specific network address or the local management interface) administrators and authorized IT entities access the TOE.
f. Configure audit logs.
g. Configure SNMP/SYSLOG.
h. Configure NTP.
i. Configure anti-DoS attack.
j. Configure CPU protection policies.

• FMT_MSA.1 Management of security attributes
Simple security attributes (unauthenticated policy): The administrator specifies information flow policy rules (i.e., routing protocols and ingress/egress traffic filtering and peer filtering) that contain information security attribute values, and associates with each rule an action that permits or disallows the information flow. When a packet arrives at the source interface, the information security attribute values of the packet are compared to each information flow policy rule and, when a match is found, the action specified by that rule is taken. Subject and information security attributes used are:
a. IP network address and port of source subject;
b. IP network address and port of destination subject;
c. transport layer protocol and their flags and attributes (UDP, TCP);
d. network layer protocol (IP, ICMP); and
e. interface on which traffic arrives and departs.
Simple security attributes (export policy): The event log is configured to send events to one SYSLOG destination. SYSLOG destinations have the following properties:
a. SYSLOG server IP address.
b. The UDP port used to send the SYSLOG message.
c. The SYSLOG Facility Code (0 - 23): default 16 (local 0).
d. The SYSLOG Severity Threshold (1 - 8): events exceeding the configured level will be sent.
The Administrator uses CLI syntax to configure the TOE to send SNMP traps. Subject and information security attributes used are:
a. IP address of the SNMP trap receiver;
b. UDP port used to send the SNMP trap;
c. SNMPv3 used to format the SNMP notification; and
d. Security name and level for SNMPv3 trap receivers.

• FMT_MSA.3 Static attribute initialization
By default, there is no routing/filter rule configured on the router for the UNAUTHENTICATED SFP, and there is no log server set up for the EXPORT SFP.
• FMT_SMF.1 Specification of management functions
The Administrator performs the following security management functions:
a. start-up and shutdown;
b. create, modify, delete, and view configuration data;
c. empty, and review the audit log;
d. create, delete, modify, and view filtering rules;
e. perform configuration backup and restore;
f. user account management;
g. modify date/time;
h. trusted router management; and
i. security management functions listed in FMT_MOF.1 Management of security functions behavior.

• FMT_SMR.1 Security roles
The ZXROSng allows all authorized administrators with the needed authority to configure and control the associated features. Only authenticated administrators are permitted to use or manage the TOE resources. Only authenticated administrators execute certain CLI commands. Authorization features allow administrators to configure administrator profiles, which are used to limit what CLI commands can be executed by a specific authenticated administrator. Once an administrator has been authenticated, the ZXROSng is configured to perform authorization. Each command has a corresponding privilege level (0-15) which can be modified by the administrator. These levels are associated with users. An authenticated user must belong to a certain privilege level. An authenticated administrator shall only execute commands allowed by his privilege level and cannot execute commands of a higher level.

6.1.4 TOE Access

Mechanisms place controls on administrators’ sessions. Local and remote administrators’ sessions are dropped after an Administrator-defined time period of inactivity. Dropping the connection of a local or remote session (after the specified time period) reduces the risk of someone accessing the local or remote machine where the session was established, and thus gaining unauthorized access to the session.
• FTA_SSL.3 TSF-initiated termination
The ZXROSng allows configuring login control parameters for console and remote administration sessions. The ZXROSng has the ability to terminate stale connections. The ZXROSng terminates an interactive session after an administrator defined period of inactivity, with a default value of 30 minutes and within a range of 1 to 1000 minutes. The ZXROSng can also be configured with a mandatory termination absolute-time of from 1 to 10000 minutes. The idle-time parameter configures the idle timeout for console or remote sessions before the session is terminated by the system. The idle-time and absolute-time reduce the chance for unauthorized administrators to access the TOE through an unattended open session. By default, an idle console or remote session times out after thirty (30) minutes of inactivity. This timer is set for all sessions.

• FTA_TSE.1 TOE session establishment
The ZXROSng will deny session establishment once 15 active sessions are reached. An administrator can configure ACLs to refuse the establishment of a connection, to ensure that only connections from trusted addresses or ports are accepted. The ZXROSng has a direct connection via the physical RS232 console interface and a remote console connection to perform security management functions.

6.1.5 User data protection

The TOE provides an Information Flow Control mechanism that supports control of the flow of traffic generated by the network devices. The Information Flow Control Policies are configured on each network device to allow traffic to flow only between the authorized sources and authorized destinations. The TOE also provides export of logs to SYSLOG and SNMP servers.

• FDP_IFC.1(1) Subset information flow control (unauthenticated policy)
The TOE enforces an UNAUTHENTICATED SFP on the network packets sent and/or received through the TOE between IT entities.
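As an added worked model of the UNAUTHENTICATED SFP decision path specified in FDP_IFF.1(1) (section 5.1.2.8): first-match evaluation of the filtering rules on the ingress interface, longest-prefix route selection, and the explicit denials of FDP_IFF.1.5 for broadcast and loopback sources and for destinations with no routing-table entry. This is illustrative Python written for this page, not ZXROSng code; the interface names, prefixes and rules are constructed sample configuration, and a packet that matches no permitting rule is denied because FDP_IFF.1.2 permits a flow only when a matching rule does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    in_if: str                 # interface on which the packet arrives
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class AclRule:
    """One filtering rule; an attribute left at None matches any value."""
    action: str                        # "permit" or "deny"
    src: Optional[str] = None          # CIDR prefix of the source subject
    dst: Optional[str] = None          # CIDR prefix of the destination subject
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass(frozen=True)
class Route:
    prefix: str
    out_if: str


def acl_first_match(rules: List[AclRule], pkt: Packet) -> Optional[AclRule]:
    """Rules are evaluated top-down; the first matching rule is the one applied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def longest_prefix_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Select the route whose prefix contains dst with the greatest prefix length."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def decide(pkt: Packet, acls: Dict[str, List[AclRule]], routes: List[Route]) -> Tuple[str, str]:
    """Apply the UNAUTHENTICATED SFP to one packet.

    Returns (verdict, detail): the egress interface on "permit", or the
    FDP_IFF.1.5 condition that caused a "deny".
    """
    src = ipaddress.ip_address(pkt.src)
    if src == ipaddress.ip_address("255.255.255.255"):   # FDP_IFF.1.5 b
        return "deny", "broadcast source"
    if src.is_loopback:                                   # FDP_IFF.1.5 c
        return "deny", "loopback source"
    # FDP_IFF.1.2 c/d: first match on the ACL attached to the ingress interface
    rule = acl_first_match(acls.get(pkt.in_if, []), pkt)
    if rule is None or rule.action != "permit":
        return "deny", "no permitting filter rule"
    route = longest_prefix_route(routes, pkt.dst)         # FDP_IFF.1.5 d
    if route is None:
        return "deny", "no route"
    return "permit", route.out_if


# Constructed sample configuration (not from the ST): one ingress ACL and a small routing table.
ACLS: Dict[str, List[AclRule]] = {
    "ge-0/1": [
        AclRule("deny", src="203.0.113.0/24"),                       # blocked peer network
        AclRule("permit", dst="192.0.2.0/24", proto="tcp", dport=443),
        AclRule("permit", proto="icmp"),
    ],
}
ROUTES: List[Route] = [
    Route("192.0.2.0/24", "ge-0/2"),
    Route("192.0.2.128/25", "ge-0/3"),    # more specific: wins for 192.0.2.128-255
    Route("198.51.100.0/24", "ge-0/4"),
]

if __name__ == "__main__":
    for p in (Packet("10.1.1.5", "192.0.2.200", "tcp", "ge-0/1", 40000, 443),
              Packet("203.0.113.9", "192.0.2.20", "tcp", "ge-0/1", 40000, 443),
              Packet("127.0.0.1", "192.0.2.20", "tcp", "ge-0/1", 40000, 443)):
        print(p.src, "->", p.dst, decide(p, ACLS, ROUTES))
```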
- FDP_IFC.1(2) Subset information flow control (export policy)

The TOE enforces an EXPORT SFP whereby information events are sent from the TOE to SNMP trap and SYSLOG destinations. The TOE will only send audit and management data to properly configured destinations.

- FDP_IFF.1(1) Simple security attributes (unauthenticated policy)

The TOE supports routing of the traffic that is permitted by the information flow policies. All traffic passing through the router is processed by the ACL attached to the interface/protocol. The ACL is processed top-down, with processing continuing until the first match is made. All traffic that successfully passes the ACLs is processed by the routing tables. The routing table is processed using a longest-prefix matching algorithm and may be updated statically by an administrator or dynamically through routing protocols. The TOE suppresses TCP SYN flood attacks when the count of half-open (semi-)connections exceeds the configured threshold (Anti-DoS).

Subject and information security attributes used are:
a. IP network address and port of source subject;
b. IP network address and port of destination subject;
c. transport layer protocol and their flags and attributes (UDP, TCP);
d. network layer protocol (IP, ICMP);
e. interface on which traffic arrives and departs; and
f. routing protocols and their configuration and state.

- FDP_IFF.1(2) Simple security attributes (export policy)

The TOE also enforces an EXPORT SFP whereby information events are sent from the TOE to SNMP trap and SYSLOG destinations. Subject and information security attributes used are:
a. Source subject security attributes: source network identifier; and
b. Destination subject security attributes:
   i) IP address of SYSLOG server;
   ii) UDP port used to send the SYSLOG message;
   iii) SYSLOG Facility Code;
   iv) SYSLOG Severity Threshold;
   v) Set of destination network identifiers;
   vi) IP address of the SNMP trap receiver;
   vii) UDP port used to send the SNMP trap;
   viii) SNMPv3 used to format the SNMP notification; and
   ix) Security name and level for SNMPv3 trap receivers.

For SNMP traps sent through a port of the TOE, the source IP address of the trap is the IP address of that TOE port. The SYSLOG protocol is used to convey event notification messages; its parameters are defined in RFC 3164, The SYSLOG Protocol, which describes the format of a SYSLOG message.

- FDP_UIT.1 Data exchange integrity

In order to exchange routing information in a secure manner, the TOE provides an MD5 checksum to ensure data integrity for the permitted routing protocols, OSPFv2 mode 2 and BGPv4.

6.1.6 Trusted Channel

The TOE provides a secure channel for the RADIUS/TACACS+ server, the NTP server and the remote terminal to connect to the TOE.

- FTP_ITC.1

The TSF provides a communication channel between itself and a remote administration client. Secure remote administration is provided by SSH. Communication between the TOE and the RADIUS/TACACS+/NTP servers is protected by the trusted channel.

7 RATIONALE

7.1 RATIONALE FOR SECURITY OBJECTIVES

7.1.1 Rationale for Security Objectives for the TOE

This section provides a mapping of TOE security objectives to the threats/OSP that the TOE is intended to counter. Since the Security Objectives for the TOE were derived directly from the threats/OSP, there is a one-to-one mapping between them.
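As an added illustration of the FDP_UIT.1 integrity mechanism described in Section 6.1.5 above, the following Python example shows how a keyed MD5 digest protects a routing message against modification, insertion and replay, in the style of OSPFv2 cryptographic authentication (RFC 2328, Appendix D: shared key appended to the message before hashing, 16-byte digest carried after the message, cryptographic sequence number checked against the last one accepted). This is example code written for this edit, not ZXROSng code; the framing is simplified and not a wire-accurate OSPF packet, and the key, key id and payload are constructed.

```python
"""Keyed-MD5 integrity check for routing protocol messages, modelled on OSPFv2
cryptographic authentication (RFC 2328, Appendix D): the shared key is appended
to the message before hashing, the 16-byte digest follows the message on the
wire, and a cryptographic sequence number rejects replays.  Added, illustrative
code (hypothetical); the framing is simplified, not a wire-accurate OSPF packet."""
import hashlib
import hmac
import struct

KEY_LEN = 16  # OSPFv2 keys are 16 bytes; shorter keys are zero-padded
# reserved(2) | key id(1) | auth data length(1) | cryptographic sequence number(4)
AUTH_HDR = struct.Struct("!HBBI")


def _pad_key(key: bytes) -> bytes:
    if not 1 <= len(key) <= KEY_LEN:
        raise ValueError("key must be 1..16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def protect(payload: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """Frame payload as auth header | payload | MD5(header | payload | key).
    The key is input to the digest but never sent, which is what turns a plain
    checksum into an integrity check against a third party."""
    message = AUTH_HDR.pack(0, key_id, KEY_LEN, seq) + payload
    digest = hashlib.md5(message + _pad_key(key)).digest()
    return message + digest


def verify(wire: bytes, keys: dict, last_seq: int):
    """Check a received message against the configured keys (key id -> key)
    and the last accepted sequence number from this neighbour.  Returns
    (accepted, reason, payload, seq); the caller stores seq as the new
    last_seq only when accepted is True."""
    if len(wire) < AUTH_HDR.size + KEY_LEN:
        return False, "truncated", b"", last_seq
    message, received_digest = wire[:-KEY_LEN], wire[-KEY_LEN:]
    _, key_id, auth_len, seq = AUTH_HDR.unpack_from(message)
    if auth_len != KEY_LEN or key_id not in keys:
        return False, "unknown key id or bad auth length", b"", last_seq
    expected = hashlib.md5(message + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, received_digest):   # constant-time compare
        return False, "digest mismatch (modified or wrong key)", b"", last_seq
    if seq < last_seq:   # RFC 2328 D.4.3: sequence number must not go backwards
        return False, "replayed sequence number", b"", last_seq
    return True, "ok", message[AUTH_HDR.size:], seq
```

Two caveats a practitioner would want: an unkeyed MD5 checksum would detect corruption only, since anyone able to modify the packet could recompute it, so the shared key is the security-relevant part; and keyed MD5 is what OSPFv2 type 2 and BGP (TCP MD5, RFC 2385) specify, while the later HMAC-SHA mechanisms (RFC 5709 for OSPFv2, TCP-AO in RFC 5925 for BGP) are the stronger choice where peers support them.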
It is also clear, since the Security Objectives for the TOE are simply a restatement of the applicable threat/OSP, that each objective is suitable to meet its corresponding threat/OSP.

Threat/OSP          Security Objective for the TOE
T.AUDIT_REVIEW      O.AUDIT_REVIEW
T.NO_PRIVILEGE      O.MANAGE
T.MEDIATE           O.MEDIATE
T.NO_AUTH_SESSION   O.TOE_ACCESS
T.NO_AUTH_ACCESS    O.IDAUTH
P.ROUTE             O.ROUTE

Table 13 – Mapping of Security Objectives to Threats/OSP

7.1.2 Rationale for Security Objectives for the Environment

This section provides a mapping of environment security objectives to the assumptions that must be met. Since the Security Objectives for the Operational Environment were derived directly from the Assumptions, there is a one-to-one mapping between them. It is also clear, since the Security Objectives for the Operational Environment are simply a restatement of the applicable assumption, that each objective is suitable to meet its corresponding assumption.

Assumption/OSP      Security Objective for the Operational Environment
A.NO_EVIL&TRAIN     OE.NO_EVIL&TRAIN
A.CONNECTIVITY      OE.CONNECTIVITY
A.PHYSICAL          OE.PHYSICAL
A.TIMES             OE.TIMES
P.USERS             OE.USERS

Table 14 – Mapping of Assumptions to Security Objectives for the Operational Environment

7.2 SECURITY REQUIREMENTS RATIONALE

7.2.1 Rationale for TOE security functional requirements

The following table provides the correspondence mapping between security objectives for the TOE and the requirements that satisfy them.
SFR             Security Objective(s) for the TOE
FAU_GEN.1       O.AUDIT_REVIEW
FAU_GEN.2       O.AUDIT_REVIEW
FAU_SAR.1       O.AUDIT_REVIEW
FAU_STG.1       O.AUDIT_REVIEW
FAU_STG.4       O.AUDIT_REVIEW
FDP_IFC.1(1)    O.MEDIATE
FDP_IFF.1(1)    O.MEDIATE
FDP_IFC.1(2)    O.AUDIT_REVIEW
FDP_IFF.1(2)    O.AUDIT_REVIEW
FDP_UIT.1       O.ROUTE
FIA_AFL.1       O.IDAUTH
FIA_SOS.1       O.IDAUTH
FIA_UAU.2       O.IDAUTH
FIA_UAU.5       O.IDAUTH
FIA_UID.2       O.IDAUTH
FMT_MOF.1       O.MANAGE
FMT_MSA.1       O.MANAGE, O.MEDIATE
FMT_MSA.3       O.MANAGE, O.MEDIATE
FMT_MTD.1(1)    O.MANAGE
FMT_MTD.1(2)    O.MANAGE
FMT_MTD.1(3)    O.MANAGE
FMT_MTD.1(4)    O.MANAGE
FMT_SMF.1       O.MANAGE
FMT_SMR.1       O.MANAGE
FTA_SSL.3       O.TOE_ACCESS
FTA_TSE.1       O.TOE_ACCESS
FTP_ITC.1(1)    O.MANAGE, O.TOE_ACCESS
FTP_ITC.1(2)    O.IDAUTH
FTP_ITC.1(3)    O.AUDIT_REVIEW

Table 15 – Mapping of Security Functional Requirements to TOE Security Objectives

The following table presents a mapping of the rationale of TOE Security Requirements to Objectives.

O.AUDIT_REVIEW

The TOE will provide the privileged administrators and authentication administrators the capability to review audit data and will restrict audit review to administrators who have been granted explicit read-access. The TOE will generate audit records that include the time the event occurred and the identity of the administrator performing the event. This objective is met by:
- FAU_GEN.1 and FAU_GEN.2 outline what events must be audited and, where possible, associate a user identity with each.
- FAU_SAR.1 requires that the audit trail can be read.
- FAU_STG.1 requires that unauthorised deletion or modification of audit records does not occur, and thus helps to maintain accountability for actions.
- FAU_STG.4 requires that audit data loss be prevented when the audit trail is full.
- FTP_ITC.1(3) requires that the timestamp is protected by trusted channels.
- FDP_IFC.1(2) and FDP_IFF.1(2) require that the TOE send audit events to an external SYSLOG server and an external SNMP server.

O.MANAGE

The TOE must provide services that allow effective management of its functions and data and restrict access to the TOE Management functions to the privileged administrators and authentication administrators.
This objective is met by:
- FMT_MOF.1 allows the authorized users (roles) to manage the behavior of functions in the TSF that use rules or have specified conditions that may be manageable.
- FMT_MSA.1 and FMT_MSA.3 assist in effective security attribute management.
- FMT_MTD.1 restricts the administrator's ability to modify the TSF data.
- FMT_SMF.1 lists the security management functions that must be controlled.
- FMT_SMR.1 defines the roles on which access decisions are based.
- FTP_ITC.1(1) requires that a trusted channel between the TSF and the remote client be provided for remote administration.

O.IDAUTH

The TOE must uniquely identify and authenticate the claimed identity of all administrative users before granting management access. This objective is met by:
- FIA_AFL.1 requires that the TSF be able to terminate the session establishment process after a specified number of unsuccessful user authentication attempts. It also requires that, after termination of the session establishment process, the TSF be able to disable the user account or the point of entry (e.g. workstation) from which the attempts were made until an administrator-defined condition occurs.
- FIA_SOS.1 specifies metrics for authentication to restrict access.
- FIA_UAU.2 ensures that users are authenticated to the TOE to restrict access.
- FIA_UAU.5 was selected to ensure that appropriate authentication mechanisms can be selected to restrict access.
- FIA_UID.2 ensures that users are identified to the TOE to restrict access.
- FTP_ITC.1(2) requires that a trusted channel between the TSF and the RADIUS/TACACS+ server be provided for user authentication.
O.MEDIATE

The TOE shall control the flow of information among its network connections according to routing rules and the BGPv4/OSPFv2 routing protocols. This objective is met by:
- FDP_IFC.1(1) identifies the entities involved in the unauthenticated Information Flow Control SFP (i.e. TOE sending packets).
- FDP_IFF.1(1) identifies the conditions under which information is permitted to flow between entities (the unauthenticated Information Flow Control SFP).
- FMT_MSA.1 restricts the ability to modify, delete, or query the parameters for the unauthenticated SFP to an administrator.
- FMT_MSA.3 ensures that there is a default-deny policy for the unauthenticated SFP.

O.TOE_ACCESS

The TOE will provide mechanisms that control an administrator's logical access to the TOE and explicitly deny access to specific administrators when appropriate. This objective is met by:
- FTA_SSL.3 requires that the TOE terminate an interactive session after an administrator-defined interval of administrator inactivity.
- FTA_TSE.1 provides requirements for denying a user's access to the TOE based on attributes.
- FTP_ITC.1(1) requires that a trusted channel between the TSF and the remote client be provided for remote administration.

O.ROUTE

The TOE shall be able to accept routing data from trusted routers according to BGPv4/OSPFv2. This objective is met by:
- FDP_UIT.1 transmits and receives routing data to/from trusted routers in a manner protected from modification, insertion and replay errors.

Table 16 – Mapping of the rationale of TOE Security Requirements to Objectives

7.2.2 Rationale for Security Assurance Requirements

The ST requires EAL 2 augmented with ALC_FLR.2 assurance. EAL 2 augmented with ALC_FLR.2 was chosen because it is based upon good commercial development practices with thorough functional testing. EAL 2 provides developers and users a moderate level of independently assured security in a conventional commercial TOE.
ALC_FLR.2 demonstrates a sound regime for addressing identified security flaws.

7.2.3 Functional Requirement Dependencies Rationale

The following table presents a mapping of the TOE Security Requirements dependencies.

SFR             Dependency                                 SATISFIED
FAU_GEN.1       FPT_STM.1                                  Satisfied in the operational environment by OE.TIMES.
FAU_GEN.2       FAU_GEN.1, FIA_UID.1                       Y (FIA_UID.1 is satisfied by FIA_UID.2, which is hierarchical to it)
FAU_SAR.1       FAU_GEN.1                                  Y
FAU_STG.1       FAU_GEN.1                                  Y
FAU_STG.4       FAU_STG.1                                  Y
FDP_IFC.1(1)    FDP_IFF.1(1)                               Y
FDP_IFC.1(2)    FDP_IFF.1(2)                               Y
FDP_IFF.1(1)    FDP_IFC.1(1), FMT_MSA.3                    Y
FDP_IFF.1(2)    FDP_IFC.1(2), FMT_MSA.3                    Y
FDP_UIT.1       FDP_ACC.1/FDP_IFC.1, FTP_ITC.1/FTP_TRP.1   Y (see notes 1 to 3 below)
FIA_AFL.1       FIA_UAU.1                                  Y (FIA_UAU.1 is satisfied by FIA_UAU.2, which is hierarchical to it)
FIA_SOS.1       No dependencies                            Y
FIA_UAU.2       FIA_UID.1                                  Y
FIA_UAU.5       No dependencies                            Y
FIA_UID.2       No dependencies                            Y
FMT_MOF.1       FMT_SMR.1, FMT_SMF.1                       Y
FMT_MSA.1       FDP_IFC.1, FMT_SMR.1, FMT_SMF.1            Y
FMT_MSA.3       FMT_MSA.1, FMT_SMR.1                       Y
FMT_MTD.1(1)    FMT_SMR.1, FMT_SMF.1                       Y
FMT_MTD.1(2)    FMT_SMR.1, FMT_SMF.1                       Y
FMT_MTD.1(3)    FMT_SMR.1, FMT_SMF.1                       Y
FMT_MTD.1(4)    FMT_SMR.1, FMT_SMF.1                       Y
FMT_SMF.1       No dependencies                            Y
FMT_SMR.1       FIA_UID.1                                  Y
FTA_SSL.3       No dependencies                            Y
FTA_TSE.1       No dependencies                            Y
FTP_ITC.1(1)    No dependencies                            Y
FTP_ITC.1(2)    No dependencies                            Y
FTP_ITC.1(3)    No dependencies                            Y

Notes on the FDP_UIT.1 dependencies:
1. The dependency on FDP_ACC.1/FDP_IFC.1 is unnecessary since the reference to the policy was refined away. Defining a whole policy to restate FDP_UIT.1 was considered unnecessary.
2. The dependency on FTP_ITC.1 is unnecessary since this SFR specifies confidentiality of the channel data and this is not required.
3. The dependency on FTP_TRP.1 is unnecessary, since a trusted router is not a user but a trusted IT product. There is no applicable dependency.

Table 17 – Security Functional Requirement Dependencies

There are no unsatisfied dependencies.
8 Appendix

8.1 LIC Interfaces

Main control boards:

Main control board    Ports supported
SMDE / SMDE(BS61)     Service interfaces:
                      - 2x 10 Gbps Optical Ethernet
                      - 4x 1 Gbps Optical Ethernet
                      - 2x 1 Gbps Electrical Ethernet
                      - 1x E1 16-pin
                      Management & Auxiliary interfaces:
                      - 1x Fast Ethernet LCT (Local craft terminal interface)
                      - 1x Fast Ethernet Qx
                      - 1x Fast Ethernet external alarm
                      - 1x Fast Ethernet BITS Interface
                      - 2x Fast Ethernet GPS Interface
SME / SME(BS61)       Management & Auxiliary interfaces:
                      - 1x Fast Ethernet LCT (Local craft terminal interface)
                      - 1x Fast Ethernet Qx
                      - 1x Fast Ethernet BITS Interface
                      - 2x Fast Ethernet GPS Interface
SMF                   Management & Auxiliary interfaces:
                      - 1x Fast Ethernet LCT (Local craft terminal interface)
                      - 1x Fast Ethernet GPS Interface

LIC cards:

LIC card      Ports supported
OIXG1         1x 10 Gbps Ethernet optical interface
OIXG2         2x 10 Gbps Ethernet optical interface
OIX6G         1x 1 Gbps Ethernet optical interface; 6x 1 Gbps Electrical Ethernet
OIGE8         8x 1 Gbps Ethernet optical interface
EIGE8         8x 1 Gbps Electrical Ethernet
OEIGE8        4x 1 Gbps Electrical Ethernet and 4x 1 Gbps Ethernet optical interface
OEIGE         4x 1 Gbps Electrical Ethernet or 4x 1 Gbps Ethernet optical interface
OEIFE8        4x 100 Mbps Electrical Ethernet and 4x 100 Mbps Ethernet optical interface
E1E16-75      4x 1 Gbps Electrical Ethernet; 4x 1 Gbps Ethernet optical interface; 1x SCSI 50-pin angle solder socket (female) used for E1 electrical signals
E1E16-120     1x SCSI 50-pin angle solder socket (female) used for E1 electrical signals
OIS4          4x 10 Gbps Ethernet optical interface

8.2 Document Terminology

The following terms are listed here to aid the reader of the ST:

ACL (Access Control List): a filter policy applied on ingress or egress to a service device on an interface to control traffic access.
ATM (Asynchronous Transfer Mode): a standardized digital data transmission technology. ATM is a cell-based switching technique that uses asynchronous time division multiplexing.
BGP (Border Gateway Protocol): the core routing protocol of the Internet. It maintains a table of IP networks or 'prefixes' that designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional IGP metrics, but makes routing decisions based on path, network policies and/or rulesets.
CLI (Command Line Interface): a text-based administrator interface for configuring an IT node.
LAN (Local Area Network): a system designed to interconnect computing devices over a restricted geographical area (usually a couple of kilometres).
MAC (Media Access Control): a media-specific access control protocol within the IEEE 802 specifications. The protocol covers medium sharing, packet formatting, addressing, and error detection.
MPLS (Multi-Protocol Label Switching): MPLS technology implements the delivery of highly scalable, differentiated, end-to-end IP and VPN services. The technology allows core network routers to operate at higher speeds without examining each packet in detail, and allows differentiated services.
OSPF (Open Shortest Path First): a link-state routing algorithm used to calculate routes based on the number of routers, transmission speed, delays and route cost.
RADIUS (Remote Authentication Dial-In User Service): a client/server security protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize access to the requested system or service.
RFC (Request for Comments): an Internet Engineering Task Force (IETF) memorandum on Internet systems and standards.
QoS (Quality of Service): a set of performance parameters that characterize the traffic over a given connection.
TCP (Transmission Control Protocol): TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
TACACS+ (Terminal Access Controller Access Control System Plus): an authentication protocol that allows a remote access server to forward an administrator's logon password to an authentication server to determine whether access is allowed to a given system.
UDP (User Datagram Protocol): a transport layer protocol that does not guarantee delivery of data.
VPN (Virtual Private Network): a way to provide secure and dedicated communications between a group of private servers over the public Internet.

Table 18 – Document Terminology