Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 1 Huawei S Series Ethernet Switches V200R003 Security Target Version: 1.0 Last Update: 2013-07-17 Author: Huawei Technologies Co., Ltd. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 2 Revision record Date Revision Version Change Description Author 2013-04-08 0.1 Initial Draft Ye Yanfei, Lv Rui 2013-04-10 0.2 Update 1.4.1.2 Ye Yanfei 2013-04-15 0.3 Processed Lab Comments Jason Chen 0.4/0.5 Obsolete, and not issued 2013-04-24 0.6 Integrated L3 differences between models. Jason Chen 2013-05-15 0.7 Update according to EORs Jason Chen 2013-05-23 0.8 Update to add more TOEs and complete software/ guidance list Jason Chen 2013-07-17 1.0 Final version. Changed references to correct versions. Finalized layout Jason Chen, Yao Junning Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 3 Table of Contents TABLE OF CONTENTS .................................................................................................................. 3 LIST OF TABLES ............................................................................................................................ 5 LIST OF FIGURES .......................................................................................................................... 6 1 INTRODUCTION .................................................................................................................. 7 1.1 Security Target Identification............................................................................7 1.2 TOE Identification ............................................................................................7 1.3 Target of Evaluation (TOE) Overview ............................................................12 1.4 TOE Description ............................................................................................12 1.4.1 Architectural overview .............................................................................12 1.4.2 Scope of Evaluation ..................................................................................16 1.4.3 Summary of Security Features.................................................................27 1.4.4 TSF and Non-TSF data.............................................................................30 2 CC CONFORMANCE CLAIM............................................................................................. 32 3 TOE SECURITY PROBLEM DEFINITION......................................................................... 33 3.1 Threats ..........................................................................................................33 3.1.1 Threats....................................................................................................33 3.1.2 Threats Components...............................................................................33 3.2 Assumptions..................................................................................................34 3.2.1 Environment of use of the TOE ...............................................................34 4 SECURITY OBJECTIVES.................................................................................................. 36 4.1 Objectives for the TOE...................................................................................36 4.2 Objectives for the Operational Environment...................................................36 4.3 Security Objectives Rationale ........................................................................37 4.3.1 Coverage ................................................................................................37 4.3.2 Sufficiency...............................................................................................37 5 EXTENDED COMPONENTS DEFINITION........................................................................ 40 6 SECURITY REQUIREMENTS ........................................................................................... 41 6.1 Conventions ......................................................................................................41 6.2 TOE Security Functional Requirements.............................................................41 6.2.1 Security Audit (FAU) ...................................................................................41 6.2.2 Cryptographic Support (FCS)......................................................................42 6.2.3 User Data Protection (FDP) ........................................................................44 6.2.4 Identification and Authentication (FIA) ........................................................47 Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 4 6.2.5 Security Management (FMT) ......................................................................48 6.2.6 Protection of the TSF (FPT)........................................................................49 6.2.7 Resource utilization (FRU)..........................................................................49 6.2.8 TOE access (FTA) ......................................................................................50 6.2.9 Trusted Path/Channels (FTP) .....................................................................50 6.3 Security Functional Requirements Rationale .................................................51 6.3.1 Sufficiency and coverage ..........................................................................51 6.3.3 Security Requirements Dependency Rationale .........................................52 6.4 Security Assurance Requirements.................................................................54 6.5 Security Assurance Requirements Rationale .................................................54 7 TOE SUMMARY SPECIFICATION .................................................................................... 55 7.1 TOE Security Functional Specification...........................................................55 7.1.1 Authentication .........................................................................................55 7.1.2 Access Control........................................................................................55 7.1.3 L2 Traffic Forwarding ..............................................................................56 7.1.4 L3 Traffic Forwarding ..............................................................................56 7.1.5 Auditing...................................................................................................57 7.1.6 Communication Security..........................................................................58 7.1.7 ACL.........................................................................................................58 7.1.8 Security Management ...............................................................................59 7.1.9 Cryptographic functions...........................................................................60 7.1.10 Time......................................................................................................60 7.1.11 SNMP Trap .............................................................................................61 7.1.12 STP.........................................................................................................61 8 ABBREVIATIONS, TERMINOLOGY AND REFERENCES ............................................... 62 8.1 Abbreviations.................................................................................................62 8.2 Terminology...................................................................................................62 8.3 References ....................................................................................................63 Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 5 List of Tables Table 1: Naming rules of Box Switch..................................................................................9 Table 2: Naming rules of Chassis Switch...........................................................................9 Table 3: The device list of Huawei S Series Ethernet Switches.......................................12 Table 4: Model Specifications...........................................................................................23 Table 5: Chassis Switch Interfaces Specifications...........................................................24 Table 6: Box Switch Interfaces Specifications..................................................................25 Table 7 List of software and guidance..............................................................................25 Table 8: Access Levels .....................................................................................................28 Table 9: Mapping Objectives to Threats...........................................................................37 Table 10: Mapping Objectives for the Environment to Threats, Assumptions .................37 Table 11: Sufficiency analysis for threats .........................................................................39 Table 12: Sufficiency analysis for assumptions................................................................39 Table 13: SFR sufficiency analysis...................................................................................52 Table 14: Dependencies between TOE Security Functional Requirements....................54 Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 6 List of Figures Figure 1: Naming rules of Box Switch................................................................................8 Figure 2: Naming rules of Chassis Switch .........................................................................9 Figure 3: TOE Physical architecture of Box Switch .........................................................13 Figure 4: TOE Physical architecture of Chassis Switch...................................................14 Figure 5: TOE Software architecture................................................................................15 Figure 6: TOE logical scope .............................................................................................26 Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 7 1 Introduction This Security Target is for the evaluation of Huawei S Series Ethernet Switches V200R003. 1.1 Security Target Identification Name: Huawei S Series Ethernet Switches V200R003 Security Target Version: 1.0 Publication Date: 2013-07-17 Author: Huawei Technologies Co., Ltd. 1.2 TOE Identification Name: Huawei S Series Ethernet Switches Version: V200R003 At the core of Huawei S Series Ethernet Switches is Versatile Routing Platform (VRP). Product software version V200R003 runs on VRP software Version 5 Release 13, the software version of data plane is V200R003. Huawei S Series Ethernet Switches are classified into Box Switches and Chassis Switches based on their physical forms. The forward capacity of Chassis Switches is larger than Box Switches and Chassis Switches can use different LPU (Line Processing Unit) to provide different ports with various types, but there is no difference in security functionality. Huawei S Series Ethernet Switches can be classified into Layer 2 Switches and Layer 3 Switches based on their function. Layer 2 Switches support Ethernet forwarding. Layer 3 Switches support both Ethernet forwarding and IP forwarding. Huawei S Series Ethernet Switches can be classified into Provider Switches (SX300 Series) and Enterprise Switches (SX700 Series). The difference between Provider Switches and Enterprise Switches is that they are sold in difference markets, the models are functionally identical. There are some minor security differences between the various series: not all series support all functionality:  The S23xx-EI/S53xx-LI and S27XX-EI/S57XX-LI do not support L3 forwarding  The S53xx-SI and S57xx-SI only support static routing and no OSPF/BGP Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 8 The naming rules examples of Huawei S Series Box Switches are as follows: Figure 1: Naming rules of Box Switch Identifier Description A Product brand. B Switch C Product series.  “23” indicates the S2300 series.  "53" indicates the S5300 series.  "63" indicates the S6300 series.  “27” indicates the S2700 series  "57" indicates the S5700 series.  "67" indicates the S6700 series. D Maximum number of interfaces. E Uplink interface type:  C: A device supports interface cards. There can be two or four uplink interfaces on an interface subcard.  P: A device has optical interfaces.  TP: A device has combo interfaces supporting optical and electrical interfaces. F Supports Power over Ethernet (PoE). If this letter is not displayed, PoE is not supported. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 9 G Software version type:  EI: enhanced version, supporting enhanced features  SI: standard version, supporting basic features  HI: advanced version, supporting high-performance Operation, Administration, and Maintenance (OAM) and built-in real-time clock (RTC)  LI: simplified version H Downlink interface type. The value 24S indicates that 24 downlink interfaces are optical interfaces. If this letter is not displayed, all downlink interfaces are electrical interfaces. I Powering mode:  AC: alternating current power  DC: direct current power If this letter is not displayed,the power is AC . J The device has monitoring interfaces. If this letter is not displayed,the monitoring interface is not supported. Table 1: Naming rules of Box Switch The naming rules examples of Huawei S Series Chassis Switches are as follows: Figure 2: Naming rules of Chassis Switch Identifier Description A Product brand. B Switch C Product series.  "77" indicates the S7700 series.  "93" indicates the S9300 series  "97" indicates the S9700 series D The capability of LPU numbers. Table 2: Naming rules of Chassis Switch The TOE scope has been limited in terms of evaluated configurations by choosing the most relevant configurations of each series as can be found in the table below. For each series, the minimum number of models has been selected in order to cover all the functionality that shall be tested as required by CC. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 10 The following table shows the evaluated devices. Device Series Device Name S2700 S2750-20TP-PWR-EI-AC S2750-28TP-EI-AC S2750-28TP-PWR-EI-AC S2751-28TP-PWR-EI-AC S5700 S5710-108C-PWR-HI S5700-28C-HI S5700-28C-HI-24S S5710-28C-EI S5710-52C-EI S5710-28C-PWR-EI-AC S5710-52C-PWR-EI-AC S5710-52C-PWR-EI S5700-28C-EI S5700-28C-EI-24S S5700-52C-EI S5700-28C-PWR-EI S5700-52C-PWR-EI S5700-24TP-SI-AC S5700-24TP-SI-DC S5700-48TP-SI-AC S5700-48TP-SI-DC S5700-24TP-PWR-SI S5700-48TP-PWR-SI S5700-28C-SI S5700-52C-SI S5700-28C-PWR-SI S5700-52C-PWR-SI S5700-26X-SI-12S-AC S5700-10P-LI-AC S5700-10P-PWR-LI-AC S5700-28P-LI-AC S5700-28P-LI-DC S5700-52P-LI-AC S5700-52P-LI-DC S5700-28P-PWR-LI-AC S5700-52P-PWR-LI-AC S5700-28X-LI-AC S5700-28X-LI-DC S5700-52X-LI-AC S5700-52X-LI-DC S5700-28X-PWR-LI-AC Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 11 S5700-52X-PWR-LI-AC S5700S-28P-LI-AC S5700S-52P-LI-AC S5700-28X-LI-24S-DC S5700-28X-LI-24S-AC S6700 S6700-48-EI S6700-24-EI, S7700 S7703, S7706, S7706-POE S7712 S7712-POE S9700 S9703 S9703FCC S9706 S9706FCC S9712 S9712FCC S2300 S2350-28TP-PWR-EI-AC S2350-20TP-PWR-EI-AC S2350-28TP-EI-AC S5300 S5300-10P-LI-AC S5300-28P-LI-AC S5300-28P-LI-DC S5300-52P-LI-AC S5300-52P-LI-DC S5324TP-SI-DC, S5324TP-SI-AC, S5324TP-PWR-SI, S5348TP-SI-DC S5348TP-SI-AC, S5348TP-PWR-SI, S5328C-SI, S5328C-PWR-SI, S5352C-SI, S5352C-PWR-SI, S5328C-EI, S5328C-PWR-EI, S5328C-EI-24S, S5310-28C-EI S5352C-EI, S5352C-PWR-EI, Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 12 S5310-52C-EI S5328C-HI, S5328C-HI-24S S6300 S6348-EI, S6324-EI, S9300 S9303 S9306 S9312 S9303E S9306E S9312E Table 3: The device list of Huawei S Series Ethernet Switches Sponsor: Huawei Developer: Huawei Certification ID: Keywords: Huawei, VRP, Versatile Routing Platform, Ethernet Switches 1.3 Target of Evaluation (TOE) Overview Huawei S Series Ethernet Switches V200R003, the TOE, provides high-end networking capacities for telecom and enterprise core networks. It consists of both hardware and software. At the core of each switch is the Versatile Routing Platform (VRP), the software for managing and running the router’s networking functionality. VRP provides extensive security features. These features include different interfaces with according access levels for administrators; enforcing authentications prior to establishment of administrative sessions with the TOE; auditing of security-relevant management activities; as well as the correct enforcement of routing decisions to ensure that network traffic gets forwarded to the correct interfaces. The Forwarding Engine is the actual hardware providing network traffic processing capacity. The TOE requires some non-TOE hardware/software, this may be found in section 1.4.2.2. 1.4 TOE Description 1.4.1 Architectural overview This section will introduce the Huawei S Series Ethernet Switches V200R003 from a physical architectural view and a software architectural view. Huawei S Series Ethernet Switches can be classified into Box Switches and Chassis Switches. They have different physical and software architecture. Box Switches adopt Centralized processing, Control plane and data forwarding plane are in the one board; Chassis Switches adopt distributed processing, control plane is in the SRU/MCU, data Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 13 forwarding plane is in the LPU. In the software architectural, VRP uses VP(Virtual Path) to connect control plane and data forwarding plane, to avoid the difference between Box Switches and Chassis Switches. Box Switches include: S2300, S5300, S6300, S2700, S5700, S6700 Chassis Switches include: S7700, S9300, S9700 1.4.1.1 Physical Architecture 1.4.1.1.1 Physical Architecture of Box Switch Figure 3: TOE Physical architecture of Box Switch Figure 3 shows the physical architecture of Box Switch of the TOE with the AC /DC -input power supply modules (*1) . The physical architecture includes the following systems:  Power system  Fan system  CPU(Control Process Unit)  Forwarding Engine All systems are in the integrated cabinet. The power system works in 1+1 backup mode (*2) . The functional host system processes data. In addition, it monitors and manages the entire system, including the power system. *1: Device lists which support both AC and DC power: S5700-28C-HI,S5700-28C-HI-24S,S5710-28C-EI,S5710-52C-EI,S5700-28C-EI,S5700 -28C-EI-24S,S5700-52C-EI,S5700-28C-SI,S5700-52C-SI,S5328C-SI,S5352C-SI,S53 28C-EI,S5328C-EI-24S,S5310-28C-EI,S5352C-EI,S5310-52C-EI,S5328C-HI,S5328C- HI-24S, S5710-108C-PWR-HI *2: Device lists which support 1+1 backup power (others only support one power): S5700-28C-HI,S5700-28C-HI-24S,S5710-28C-EI,S5710-52C-EI,S5710-28C-PWR-EI- AC,S5710-52C-PWR-EI-AC,S5710-52C-PWR-EI,S5700-28C-EI,S5700-28C-EI-24S,S 5700-52C-EI,S5700-28C-PWR-EI,S5700-52C-PWR-EI,S5700-24TP-PWR-SI,S5700-4 8TP-PWR-SI,S5700-28C-SI,S5700-52C-SI,S5700-28C-PWR-SI,S5700-52C-PWR-SI, Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 14 S6700-48-EI,S6700-24-EI,,S5324TP-PWR-SI,S5348TP-PWR-SI,S5328C-SI,S5328C- PWR-SI,S5352C-SI,S5352C-PWR-SI,S5328C-EI,S5328C-PWR-EI,S5328C-EI-24S,S 5310-28C-EI,S5352C-EI,S5352C-PWR-EI,S5310-52C-EI,S5328C-HI,S5328C-HI-24S, S6348-EI,S6324-EI, S5710-108C-PWR-HI 1.4.1.1.2 Physical Architecture of Chassis Switch Figure 4: TOE Physical architecture of Chassis Switch Figure 2 shows the physical architecture of the TOE with the AC/DC-input power supply modules. The physical architecture includes the following systems:  Power system  Fan system  MCU/SRU  Switch fabric  LPU  Forwarding Engine All the systems are in the integrated cabinet. The power system works in 1+1 backup mode. The functional host system (MCU/SRU) is the target of this evaluation and following introductions will focus on the functional host system only. The functional host system is composed of the system backplane, SRUs/MCUs, and LPUs. SRU/MCU are the boards hosting the VRP which provides control and management functionalities. MCU also embeds a clock module as a source of system time. LPU is the board containing the forwarding engine and responsible for network traffic processing. Generally SRU/MCU are called MCU for simplicity in case of brief introduction. The functional host system processes data. In addition, it monitors and manages the entire system, including the power distribution system, heat dissipation system. 1.4.1.2 Software Architecture Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 15 Figure 5: TOE Software architecture In terms of the software, the TOE’s software architecture consists of three logical planes to support centralized forwarding and control and distributed forwarding mechanism.  Data plane  Control and management plane  Monitoring plane Note that the monitoring plane is to monitor the system environment by detecting the voltage, controlling power-on and power-off of the system, and monitoring the temperature and controlling the fan. The monitoring plane is not considered security-related thus will not be further covered. The control and management plane is the core of the entire system. It controls and manages the system. The control and management unit processes protocols and signals, configures and maintains the system status, and reports and controls the system status. The data plane is responsible for high speed processing and non-blocking switching of Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 16 data packets. It encapsulates or decapsulates packets, forwards IPv4/IPv6 packets, performs Quality of Service (QoS) and scheduling, completes inner high-speed switching, and collects statistics. Figure 5 shows a brief illustration of the software architecture of the TOE. The VRP is the control and management platform that runs on the SRU/MCU. The VRP supports IPv4/IPv6, and routing protocols such as Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), calculates routes, generates forwarding tables, and delivers routing information to the LPU(s). The VRP includes Service Control Plane (SCP), System Manage Plane (SMP), General Control Plane (GCP) and other TSF, non-TSF sub-systems. There is one difference between the software architecture of Box Switch and the Chassis Switch: in Box Switches the LPU and VP are done in SW, but in Chassis Switches, this is done in HW. Note that for the S23xx-EI/S53xx-LI and S27xx-EI/S57xx-LI (who do not support L3 forwarding) and the S53xx-SI and S57xx-SI (who only support static routing), the software architecture is identical, but the commands required to support non-existing functionality will simply return error messages. 1.4.2 Scope of Evaluation This section will define the scope of the Huawei S Series Ethernet Switches V200R003 to be evaluated. 1.4.2.1 Physical scope The physical boundary of the TOE is the actual switch system itself -- in particular, the functional host system. The power distribution system and heat dissipation system are part of the TOE but not to be evaluated because they are security irrelevant. The TOE provides several models. These models differ in their modularity and throughput by supplying more slots in hosting chassis, but they offer exchangeable forwarding unit modules, switch fabrics, and use the same version of software. The following models will be covered during this evaluation: Model Types Typical System Configuration and Physical Parameters S2300 Item Typical Configuration Remark Processing unit Main frequency: 1GHZ - SDRAM 256MB - Flash 200MB - CF card - - Switching capacity S2350-20TP-PWR-EI-AC:11.2Gbit/s S2350-28TP-EI-AC: 12.8 Gbit/s S2350-28TP-PWR-EI-AC:12.8 Gbit/s (bidirectional) - Forwarding capacity S2350-20TP-PWR-EI-AC: 8.33Mpps - Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 17 S2350-28TP-EI-AC: 9.52Mpps S2350-28TP-PWR-EI-AC: 9.52Mpps S5300 Item Typical Configuration Remark Processing unit Main frequency: 5300EI: 533MHZ 5300SI: 800MHZ 5300HI: 1GHZ 5300LI: 1GHZ 5310EI: 1GHZ - SDRAM 5300EI: 256MB 5300SI: 256MB 5300HI: 512MB 5300LI: 256MB 5310EI: 512MB - Flash 5300EI: 32MB 5300SI: 32MB 5300HI: 64MB 5300LI: 200MB 5310EI: 200MB - CF card - - Switching capacity 5324TP-SI: 48Gbit/s 5348TP-SI: 96Gbit/s 5328C-EI/SI: 128Gbit/s 5352C-EI/SI: 176Gbit/s 5300-28P-LI: 56Gbps 5300-52P-LI: 104Gbps 5300-28X-LI: 128Gbps 5300-10P-LI: 26Gbps (bidirectional) - Forwarding capacity 5324TP-SI: 35.7Mpps 5348TP-SI: 71.4Mpps 5328C-EI/SI: 95.2Mpps 5352C-EI/SI: 130.9Mpps 5300-28P-LI: 41.66Mpps 5300-52P-LI: 77.4Mpps 5300-28X-LI: 95.2Mpps 5300-10P-LI: 15Mpps - S6300 Item Typical Configuration Remark Processing unit Main frequency: 1 GHz - Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 18 SDRAM 512 MB - Flash 64 MB - CF card - - Switching capacity 6324: 480Gbit/s 6348: 960Gbit/s (bidirectional) - Forwarding capacity 6324: 357Mpps 6348: 714Mpps - S2700 Item Typical Configuration Remark Processing unit Main frequency: 1GHZ - SDRAM 256MB - Flash 200MB - CF card - - Switching capacity S2750-20TP-PWR-EI-AC:11.2Gbit/s S2750-28TP-EI-AC: 12.8 Gbit/s S2750-28TP-PWR-EI-AC:12.8 Gbit/s S2751-28TP-PWR-EI-AC:12.8 Gbit/s (bidirectional) - Forwarding capacity S2750-20TP-PWR-EI-AC: 8.33Mpps S2750-28TP-EI-AC: 9.52Mpps S2750-28TP-PWR-EI-AC: 9.52Mpps S2751-28TP-PWR-EI-AC: 9.52Mpps - S5700 Item Typical Configuration Remark Processing unit Main frequency: 5700EI: 533MHZ 5700SI: 800MHZ 5700HI: 1GHZ 5700LI: 1GHZ 5710EI: 1GHZ 5710HI: 1GHz - SDRAM 5700EI: 256MB 5700SI: 256MB 5700HI: 512MB 5700LI: 256MB 5710EI: 512MB - Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 19 5710HI: 512MB Flash 5700EI: 32MB 5700SI: 32MB 5700HI: 64MB 5700LI: 200MB 5710EI: 200MB - CF card - - Switching capacity 5724TP-SI: 48Gbit/s 5748TP-SI: 96Gbit/s 5728C-EI/SI: 128Gbit/s 5752C-EI/SI: 176Gbit/s 5700-28P-LI: 56Gbps 5700-52P-LI: 104Gbps 5700-28X-LI: 128Gbps 5700-52X-LI: 256Gbps 5700-10P-LI: 26Gbps 5710-108C-HI: 672Gbs (bidirectional) - Forwarding capacity 5724TP-SI: 35.7Mpps 5748TP-SI: 71.4Mpps 5728C-EI/SI: 95.2Mpps 5752C-EI/SI: 130.9Mpps 5700-28P-LI: 41.66Mpps 5700-52P-LI: 77.4Mpps 5700-28X-LI: 95.2Mpps 5700-52X-LI: 132Mpps 5700-10P-LI: 15Mpps S5710-108C-HI: 504Mpps - S6700 Item Typical Configuration Remark Processing unit Main frequency: 1 GHz - SDRAM 512 MB - Flash 64 MB - CF card - - Switching capacity 6724: 480Gbit/s 6748: 960Gbit/s (bidirectional) - Forwarding capacity 6724: 357Mpps 6748: 714Mpps - S9303 S7703 Item Typical Configuration Remark Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 20 Processing unit Main frequency: 500 MHz - SDRAM 512 MB NVRAM 512 KB - CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU. Switching capacity 1440 Gbit/s - Forwarding capacity 540 Mpps - Max MCU slots 2 MCUs work in 1:1 redundancy. Max LPU slots 3 - Maximum interface rate per LPU 40*10 Gbit/s - S9306 S7706 Item Typical Configuration Remark Processing unit Main frequency: 700 MHz - SDRAM 1 GB NVRAM 512 KB - CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU. Switching capacity 2T Gbit/s - Forwarding capacity 1320 Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Max LPU slots 6 - Maximum interface rate per LPU 40*10 Gbit/s - Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 21 S9312 S7712 Item Typical Configuration Remark Processing unit Main frequency: 700 MHz - SDRAM 1 GB NVRAM 512 KB - CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU. Switching capacity 2T Gbit/s - Forwarding capacity 1320 Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Max LPU slots 12 - Maximum interface rate per LPU 40*10 Gbit/s - S9303E S9703 Item Typical Configuration Remark Processing unit Main frequency: 500 MHz - SDRAM 512 MB NVRAM 512 KB - CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU. Switching capacity 1440 Gbit/s - Forwarding capacity 540 Mpps - Max MCU slots 2 MCUs work in 1:1 redundancy. Max LPU slots 3 - Maximum 40*10 Gbit/s - Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 22 interface rate per LPU S9306E S9706 Item Typical Configuration Remark Processing unit Main frequency: 1.2G MHz - SDRAM 2GB NVRAM 512 KB - CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU. Switching capacity 3.84T Gbit/s - Forwarding capacity 2880 Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Max LPU slots 6 - Maximum interface rate per LPU 40*10 Gbit/s - S9312E S9712 Item Typical Configuration Remark Processing unit Main frequency: 700 MHz - SDRAM 2 GB NVRAM 512 KB - CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU. Switching capacity 3.84T Gbit/s - Forwarding capacity 2880 Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 23 Max LPU slots 12 - Maximum interface rate per LPU 40*10 Gbit/s - Table 4: Model Specifications Table 3/4 details all physical interfaces available in TOE along with respective usage: Boards Supported Interfaces and Usage MCU/SRU The following list shows a collection of interfaces which might be used during this evaluation for all models. The description about indicators on panel can be found in the guidance.  CF card interface, connector type TYPE II compatible with TYPE I, is used to hold a CF card to store data files as a massive storage device. The CF card is inserted and sealed within the TOE and is to be accessed only by authorized personnel. User configuration profiles, paf and licensing files, log data, system software and patches if exist are stored in the CF card.  ETH interface, connector type RJ45, operation mode 10M/100M Base-TX auto-sensing, supporting half-duplex and full-duplex, compliant to IEEE 802.3-2002, used for connections initiated by users and/or administrators from a local maintenance terminal via SSH to perform management and maintenance operations. Management and maintenance on NMS workstation is not within the scope of this evaluation thus NMS related accounts should be disabled during the evaluation.  Console interface, connector type RJ45, operation mode Duplex Universal Asynchronous Receiver/Transmitter (UART) with electrical attribute RS-232, baud rate 9600 bit/s which can be changed as required, used for users and/or administrators to connect to console for the on-site configuration of the system. The following interfaces if available according to hardware specification, will be disabled during this evaluation.  BITS0 and BITS1 interface, connector type RJ45, used for External synchronous clock/time interface LPU Interfaces supported by LPU are listed as below. More details about these interfaces can be found in the guidance.  ETH interface, connector type RJ45, operation mode 10M/100M/1000M Base-TX auto-sensing, supporting half-duplex and full-duplex, used for receiving and transmitting network traffic.  FE interface, connector type LC/PC optical connector, compliant to SFP optical module 100M-FX, supporting full-duplex, used for receiving and transmitting network traffic.  GE interface, connector type LC/PC optical connector, compliant to SFP optical module 1000Base-X-SFP, supporting full-duplex, used for receiving and transmitting network traffic.  10GE interface, connector type LC/PC optical connector, compliant Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 24 to XFP optical module 10GBase LAN -XFP, supporting full-duplex, used for receiving and transmitting network traffic The following interfaces are supported by the TOE, but not to be evaluated in this evaluation.  POS interface, connector type LC/PC optical connector, compliant to SFP optical module OC-3c/STM-1c POS-SFP, supporting full-duplex, used for receiving and transmitting network traffic.  POS interface, connector type LC/PC optical connector, compliant to SFP optical module OC-12c/STM-4c POS-SFP, supporting full-duplex, used for receiving and transmitting network traffic.  POS interface, connector type LC/PC optical connector, compliant to SFP optical module OC-48c/STM-16c POS-SFP, supporting full-duplex, used for receiving and transmitting network traffic. The network traffic being received and transmitted by these interfaces, can be further described as non-TSF data (information flow to be forwarded to other network interfaces and information flow destined to TOE but not security-related) and TSF data (destined to TOE for control and management purpose and for security-related functionalities). The definition for non-TSF data and TSF data will be further explained in Chapter 1.4.4. Table 5: Chassis Switch Interfaces Specifications Supported Interfaces and Usage The following list shows a collection of interfaces which might be used during this evaluation for all models. The description about indicators on panel can be found in the guidance.  ETH interface, connector type RJ45, operation mode 10M/100M Base-TX auto-sensing, supporting half-duplex and full-duplex, compliant to IEEE 802.3-2002, used for connections initiated by users and/or administrators from a local maintenance terminal via SSH to perform management and maintenance operations. Management and maintenance on NMS workstation is not within the scope of this evaluation thus NMS related accounts should be disabled during the evaluation.  Console interface, connector type RJ45, operation mode Duplex Universal Asynchronous Receiver/Transmitter (UART) with electrical attribute RS-232, baud rate 9600 bit/s which can be changed as required, used for users and/or administrators to connect to console for the on-site configuration of the system.  MEH interface, connector type RJ45, operation mode 10M/100M Base-TX auto-sensing, supporting half-duplex and full-duplex, compliant to IEEE 802.3-2002, used for connections initiated by users and/or administrators from a local maintenance terminal via SSH to perform management and maintenance operations. Management and maintenance on NMS workstation is not within the scope of this evaluation thus NMS related accounts should be disabled during the evaluation.  FE interface, connector type LC/PC optical connector, compliant to SFP optical module 100M-FX, supporting full-duplex, used for receiving and transmitting network traffic. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 25  GE interface, connector type LC/PC optical connector, compliant to SFP optical module 1000Base-X-SFP, supporting full-duplex, used for receiving and transmitting network traffic.  10GE interface, connector type LC/PC optical connector, compliant to XFP optical module 10GBase LAN -XFP, supporting full-duplex, used for receiving and transmitting network traffic The network traffic being received and transmitted by these interfaces, can be further described as non-TSF data (information flow to be forwarded to other network interfaces and information flow destined to TOE but not security-related) and TSF data (destined to TOE for control and management purpose and for security-related functionalities). The definition for non-TSF data and TSF data will be further explained in Chapter 1.4.4. Table 6: Box Switch Interfaces Specifications The software and the guidance is listed in Table 7 Type Name Version Software Product software V200R003 VRP Version 5 Release 13 VxWorks 5.5.1 Guidance S2350&S5300&S6300 Series Ethernet Switches V200R003 Product Documentation V1.0 S5700&S6700 V200R003 Product Documentation V1.0 S7700&S9700 Smart&Core Routing Switch V200R003 Product Documentation V1.0 S9300&S9300E Terabit Routing Switch V200R003 Product Documentation V1.0 S9300&S9300E V200R003 Product Documentation V1.0 CC Huawei S Series Ethernet Switches V200R003 - AGD_OPE V1.0 CC Huawei S Series Ethernet Switches V200R003 - AGD_PRE V1.0 Table 7 List of software and guidance 1.4.2.2 Logical scope The logical boundary is represented by the elements that are displayed with a white background within the rectangle with dashed border. These elements are part of the Versatile Routing Platform (VRP), a software platform from view of software architecture, and the forwarding engine that processes the incoming and outgoing network traffic. Figure 5 shows the TOE’s logical scope with supporting network devices of the environment. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 26 Figure 6: TOE logical scope TOE can be classified into Layer 2 forwarding and Layer 3 forwarding based on traffic forwarding. All Switches support Layer 2 forwarding, S23XX-EI/S53XX-LI/S27XX-EI/ S57XX-LI Series Switches don’t support Layer 3 forwarding;S53XX-SI/S57XX-SI Series Switches only supports Layer 3 forwarding by static routes, don’t support routing protocol like OSPF/BGP. When working as Layer 2 forwarding devices, the forwarding engine of TOE will forward the traffic according to MAC address. The MAC table entry will be automatically created by forwarding engine when Layer 2 forwarding. When working as Layer 3 forwarding devices,The TOE controls the flow of IP traffic (datagrams) between network interfaces by matching information contained in the headers of connection-oriented or connectionless IP packets against routing table in forwarding engine. The routing table in forwarding engine is delivered from VRP’s routing unit whereas the routing table in VRP’s routing module can be statically configured or imported through Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 27 dynamic routing protocol such as BGP, Open Shortest Path First (OSPF). Note that BGP/OSPF functionality configuration must be performed via s secure channel enforcing SSH prior to routing table importing. System control and security managements are performed either through interfaces via a secure channel enforcing SSH. Based on physical scope and logical scope described so far, a list of configuration is to be added:  For management via the console, authentication is always enabled. Authentication mode is password. Length of password is no less than 8 characters  For management via the ETH interface in MCU/SRU, authentication is always enabled. Authentication mode is password. Length of password is no less than 8 characters  Service of TELNET and FTP are disabled in this evaluation.  Authentication of users via RSA when using SSH connections is supported. SSH server compatibility with version number less than 1.99 is considered a weakness, therefore to be disabled. The environment for TOE comprises the following components:  An optional Radius server providing authentication and authorization decisions to the TOE.  Other switches and routers used to connect the TOE for L2/L3 network forward, L3 switch providing routing information to the TOE via dynamic protocols, such as BGP, OSPF.  Local PCs used by administrators to connect to the TOE for access of the command line interface either through TOE’s console interface or TOE’s ETH interface via a secure channel enforcing SSH.  Remote PCs used by administrators to connect to the TOE for access to the command line interface through interfaces on LPU within the TOE via a secure channel enforcing SSH.  Physical networks, such as Ethernet subnets, interconnecting various networking devices. 1.4.3 Summary of Security Features 1.4.3.1 Authentication The TOE can authenticate administrative users by user name and password. VRP provides a local authentication scheme for this, or can optionally enforce authentication decisions obtained from a Radius server in the IT environment. Authentication is always enforced for virtual terminal sessions via SSH, and SFTP (Secured FTP) sessions. 1.4.3.2 Access Control The TOE controls access by levels. Four hierarchical access control levels are offered that can be assigned to individual user accounts: User level Level name Purpose Commands for access 0 Visit Network diagnosis and ping, tracert, Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 28 User level Level name Purpose Commands for access establishment of remote connections. language-mode, super, quit, display 1 Monitoring System maintenance and fault diagnosis. Level 0 and display, debugging, reset, refresh, terminal, send 2 Configurat ion Service configuration. Level 0, 1 and all configuration commands. 3 Managem ent System management (file system, user management, internal parameters …). All commands. Table 8: Access Levels The TOE can either decide the authorization level of a user based on its local database, or make use of Radius servers to obtain the decision whether a specific user is granted a specific level. If no authentication for the console is configured, it operates at level 3. 1.4.3.3 L2 Traffic Forwarding The TOE handles layer 2 forwarding policy at their core. The forwarding engine controls the flow of network packets by making (and enforcing) a decision with regard to the network interface that a packet gets forwarded to. These decisions are made based on a MAC table. The MAC table is either maintained by administrators (static MAC) or gets updated dynamically by MAC learning function when a unknown MAC address packet has been received. 1.4.3.4 L3 Traffic Forwarding The TOE handles forwarding policy at their core. The forwarding engine controls the flow of network packets by making (and enforcing) a decision with regard to the network interface that a packet gets forwarded to. These decisions are made based on a routing table. The routing table is either maintained by administrators (static routing) or gets updated dynamically by the TOE when exchanging routing information with peer routers, through OSP v2/v3 or BGPv4/4+. Notes: S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI Series Switches don’t support Layer 3 forwarding; S53XX-SI/S57XX-SI Series Switches only supports Layer 3 forwarding by static routes, they don’t support routing protocol like OSPF/BGP. 1.4.3.5 Auditing The TOE generates audit records for security-relevant management actions and stores the audit records in memory or CF card in the TOE.  By default all correctly input and executed commands along with a timestamp when they are executed are logged.  Attempts to access regardless success or failure are logged, along with user id, source IP address, timestamp etc.  For security management purpose, the administrators can select which events are Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 29 being audited by enabling auditing for individual modules (enabling audit record generation for related to functional areas), and by selecting a severity level. Based on the hard-coded association of audit records with modules and severity levels, this allows control over the types of audit events being recorded.  Output logs to various channels such as monitor, log buffer, trap buffer, file, etc.  Review functionality is provided via the command line interface, which allows administrators to inspect the audit log. 1.4.3.6 Communication Security The TOE provides communication security by implementing SSH protocol. Two versions of SSH: SSH1 (SSH1.5) and SSH2 (SSH2.0) are implemented. But SSH2 is recommended as it provides more secure and effectiveness in terms of functionality and performance, To protect the TOE from eavesdrop and to ensure data transmission security and confidentiality, SSH provides:  authentication by password and by RSA;  3DES/AES encryption algorithms;  Secure cryptographic key exchange. Besides default TCP port 22, manually specifying a listening port is also implemented since it can effectively reduce attack. SFTP is provided to substitute FTP which has known security issues. 1.4.3.7 ACL TOE offers a feature Access Control List (ACL) for filtering incoming and outgoing information flow to and from interfaces. The administrator can create, delete, and modify rules for ACL configuration to filter, prioritize, rate-limit the information flow destined to TOE or other network devices through interfaces by matching information contained in the headers of connection-oriented or connectionless packets against ACL rules specified. Source MAC address, Destination MAC address, Ethernet protocol type, Source IP address, destination IP address, IP protocol number, source port number if TCP/UDP protocol, destination port number if TCP/UDP protocol, TCP flag if TCP protocol, type and code if ICMP protocol, fragment flag etc., can be used for ACL rule configuration. 1.4.3.8 Security functionality management Security functionality management includes not only authentication, access level, but also managing security related data consisting of configuration profile and runtime parameters. According to security functionality management, customized security is provided. More functionalities include:  Setup to enable SSH  Setup to enable BGP, OSPF, ARP  Setup to enable audit, as well as suppression of repeated log records  Setup to change default rate limit plan 1.4.3.9 Cryptographic functions Cryptographic functions are required by security features as dependencies, where: 1) AES128 is used as default encryption algorithm for SSH; Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 30 2) 3DES and AES256 are used as optional encryption algorithm for SSH; 3) RSA is used in user authentication when user tries to authenticate and gain access to the TOE; 4) MD5 is used as option of HMAC algorithm for SSH packet verification; 5) MD5 is used as verification algorithm for packets of BGP and OSPF protocols from peer network devices; 1.4.3.10 SNMP Trap The Simple Network Management Protocol (SNMP) is a network management protocol widely used in the TCP/IP network. SNMP is a method of managing network elements through a network console workstation which runs network management software. A trap is a type of message used to report an alert or important event about a managed device to the NM Station. The TOE uses SNMP traps to notify a fault occurs or the system does not operate properly. 1.4.3.112 STP STP (Spanning-Tree Protocol) is a protocol used in the local area network (LAN) to eliminate loops. The S-switch devices enabled with STP communicate and find the loops in the network, and they block certain interfaces to eliminate loops. Due to the rapid increase of LAN, STP has become one of the most important LAN protocols. In the Layer 2 switching network, loops on the network cause packets to be continuously duplicated and propagated in the loops, leading to the broadcast storm, which exhausts all the available bandwidth resources and renders the network unavailable. In an STP region, a loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. 1.4.4 TSF and Non-TSF data All data from and to the interfaces available on the TOE is categorized into TSF data and non-TSF data. The following is an enumeration of the subjects and objects participating in the policy. TSF data:  User account data, including the following security attributes: o User identities. o Locally managed passwords. o Locally managed access levels.  Audit configuration data.  Audit records.  Configuration data of security feature and functions  Routing and other network forwarding-related tables, including the following security attributes: o Network layer routing tables. o Link layer address resolution tables. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 31 o Link layer MAC address table. o BGP, OSPF databases.  Network traffic destined to the TOE processed by security feature and functions. Non-TSF data:  Network traffic to be forwarded to other network interfaces.  Network traffic destined to the TOE processed by non-security feature and functions. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 32 2 CC Conformance Claim This ST is CC Part 2 conformant and CC Part 3 conformant. The CC version of [CC] is 3.1R4. No conformance to a Protection Profile is claimed. No conformance rationale to a Protection Profile is claimed. The TOE claims EAL3+ augmented with ALC_CMC.4 (instead of ALC_CMC.3). Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 33 3 TOE Security problem definition 3.1 Threats The assumed security threats are listed below. The information assets to be protected are the information stored, processed or generated by the TOE. Configuration data for the TOE, TSF data (such as user account information and passwords, audit records, etc.) and other information that the TOE facilitates access to (such as system software, patches and network traffic routed by the TOE) are all considered part of information assets. 3.1.1 Threats T.UnwantedL2NetworkTraffic Unwanted L2 network traffic sent to the TOE will cause the MAC table gets updated dynamically by MAC learning function . This may due the MAC table overload. In the TOE Layer 2 switching network, loops on the network cause packets to be continuously duplicated and propagated in the loops, leading to the broadcast storm, which exhausts all the available bandwidth resources and renders the network unavailable. T.UnwantedL3NetworkTraffic Unwanted L3 network traffic sent to the TOE will not only cause the TOE’s processing capacity for incoming network traffic is consumed thus fails to process traffic expected to be processed, but an internal traffic jam might happen when those traffic are sent to the Control Plane. This may further cause the TOE to fail to respond to system control and security management operations. Routing information exchanged between the TOE and peer routes may also be affected due the traffic overload. T.UnauthenticatedAccess A user who is not an administrator gains access to the TOE. T.UnauthorizedAccess A user authorized to perform certain actions and access certain information gains access to commands or information he is not authorized for. T.Eavesdrop An eavesdropper (remote attacker) is able to intercept, and potentially modify or re-use information assets that are exchanged between TOE and LMT/RMT. 3.1.2 Threats Components  T.UnwantedL2NetworkTraffic o Threat agent: User who is not an administrator o Asset: TOE availability o Adverse action: Disturbance on TOE operation  T.UnwantedL3NetworkTraffic o Threat agent: User who is not an administrator Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 34 o Asset: TOE availability. o Adverse action: Disturbance on TOE operation.  T.UnauthenticatedAccess o Threat agent: User who is not an administrator. o Asset: TOE integrity and availability, user data confidentiality. o Adverse action: access to the TOE.  T.UnauthorizedAccess o Threat agent: An unauthorized personnel: attacker or administrator without certain privileges. o Asset: TOE integrity and availability, user data confidentiality. o Adverse action: perform unauthorized actions and unauthorized access to TOE information and user data.  T.Eavesdrop o Threat agent: An eavesdropper (remote attacker) in the management network. o Asset: TOE integrity and availability, user data confidentiality and L3 network traffic. o Adverse action: intercept, and potentially modify or re-use information assets that are exchanged between TOE and LMT/RMT. 3.2 Assumptions 3.2.1 Environment of use of the TOE 3.2.1.1 Physical A.PhysicalProtection It is assumed that the TOE (including any console attached, access of CF card) is protected against unauthorized physical access. 3.2.1.2 Network Elements A.NetworkElements The environment is supposed to provide supporting mechanism to the TOE:  A Radius server for external authentication/authorization decisions;  Peer router(s) for the exchange of dynamic routing information;  A remote entities (PCs) used for administration of the TOE.  An SNMP Server used for collecting SNMP traps 3.2.1.3 Network Segregation A.NetworkSegregation It is assumed that the ETH interface in the TOE will be accessed only through an independent local network. This network is separate from the application (or, public) networks where the interfaces in the TOE are accessible. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 35 3.2.1.4 Authorized Administrators A.NoEvil The authorized administrators are not careless, willfully negligent or hostile, and will follow and abide by the instructions provided by the TOE documentation. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 36 4 Security Objectives 4.1 Objectives for the TOE The following objectives must be met by the TOE:  O.Forwarding (all series except S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) The TOE shall forward network traffic (i.e., individual packets) only to the network interface that corresponds with a configured route for the destination IP address of the packet, or corresponds with a MAC address for the destination MAC address of the packet. When TOE works as Layer 2 forwarding device, users should be isolated between VLANs. And TOE can find the loops in the network, and block certain interfaces to eliminate loops.  O.Forwarding (S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) The TOE shall forward network traffic (i.e., individual packets) only to the network interface that corresponds with a MAC address for the destination MAC address of the packet. Users should be isolated between VLANs. And TOE can find the loops in the network, and block certain interfaces to eliminate loops.  O.Communication The TOE must implement logical protection measures for network communication between the TOE and LMT/RMT from the operational environment.  O.Authorization The TOE shall implement different authorization levels that can be assigned to administrators in order to restrict the functionality that is available to individual administrators.  O.Authentication The TOE must authenticate users of its user access.  O.Audit The TOE shall provide functionality to generate audit records for security-relevant administrator actions.  O.Resource The TOE shall provide functionalities and management for assigning a priority (used as configured bandwidth), enforcing maximum quotas for bandwidth and MAC address table entries, to prevent internal collapse due to traffic overload.  O.Filter The TOE shall provide ACL or packet filter to drop unwanted L2 or L3 network traffic. 4.2 Objectives for the Operational Environment  OE.NetworkElements The operational environment shall provide securely and correctly working network devices as resources that the TOE needs to cooperate with. Behaviors of such network devices provided by operational environment shall be also secure and correct. For example, other routers for the exchange of routing information, PCs used for TOE administration, SNMP Servers and Radius servers for obtaining authentication and authorization decisions.  OE.Physical The TOE (i.e., the complete system including attached peripherals, such as a console, and CF card inserted in the Switch) shall be protected against unauthorized physical access.  OE.NetworkSegregation The operational environment shall provide segregation by deploying the management interface in TOE into an independent local -network. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 37  OE.Person Personnel working as authorized administrators shall be carefully selected for trustworthyness and trained for proper operation of the TOE. 4.3 Security Objectives Rationale 4.3.1 Coverage The following table provides a mapping of TOE objectives to threats and policies, showing that each objective is at least covered by one threat or policy. Objective Threat O.Forwarding T.UnwantedL2NetworkTraffic T. UnwantedL3NetworkTraffic O.Communication T.Eavesdrop O.Authentication T.UnauthenticatedAccess O.Authorization T.UnauthorizedAccess O.Audit T.UnauthenticatedAccess T.UnauthorizedAccess O.Resource T.UnwantedL2NetworkTraffic T.UnwantedL3NetworkTraffic O.Filter T.UnwantedL2NetworkTraffic T.UnwantedL3NetworkTraffic Table 9: Mapping Objectives to Threats The following table provides a mapping of the objectives for the operational environment to assumptions, threats and policies, showing that each objective is at least covered by one assumption, threat or policy. Environmental Objective Threat / Assumption OE.NetworkElements A.NetworkElements OE.Physical A.PhysicalProtection OE.NetworkSegregation A.NetworkSegregation OE.Person A.NoEvil Table 10: Mapping Objectives for the Environment to Threats, Assumptions 4.3.2 Sufficiency The following rationale provides justification that the security objectives are suitable to counter each individual threat and that each security objective tracing back to a threat, when achieved, actually contributes to the removal of that threat: Threat Rationale for security objectives to remove threats Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 38 T.UnwantedL2NetworkTraffic The L2 layer traffic should be isolated between VLANs. STP implementation assures an optimum forwarding path, preventing network from infinite loops, which can cause serious problems in the forwarding system and network efficiency. (O.Forwarding) MAC address limit configuration can avoid the overload of MAC table entry caused by fake MAC address attack.(O.Resource) ACL or Packet filter can deny unwanted L2 network traffic enter or pass TOE. (O.Filter) T.UnwantedL3NetworkTraffic (for all series except S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) The threat that unwanted network traffic sent to TOE causing the TOE a management failure and internal traffic jam is countered by specifying static routes to filter those traffic (O.Forwarding). ACL can also be configured to limit the bandwidth of that traffic (O.Resource). ACL or Packet filter can deny unwanted L3 network traffic enter or pass TOE. (O.Filter) T.UnwantedL3NetworkTraffic (for S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) The threat that unwanted network traffic sent to TOE causing the TOE a management failure and internal traffic jam is countered by specifying static routes to filter those traffic (O.Forwarding). ACL can also be configured to limit the bandwidth of that traffic (O.Resource). ACL or Packet Filter can deny unwanted L3 network traffic to enter the TOE T.UnauthenticatedAccess The threat of unauthenticated access to the TOE is countered by requiring the TOE to implement an authentication mechanism for its users (O.Authentication). In addition, login attempts are logged allowing detection of attempts and possibly tracing of culprits (O.Audit) T.UnauthorizedAccess The threat of unauthorized access is countered by requiring the TOE to implement an access control mechanism (O.Authorization). In addition, actions are logged allowing detection of attempts and possibly tracing of culprits (O.Audit) Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 39 T.Eavesdrop The threat of eavesdropping is countered by requiring communications security via SSH (protocol v.2) protocol for network communication between LMT/RMT and the TOE .To avoid middle attacks, public server key is pre-loaded to client (O.Communication). Table 11: Sufficiency analysis for threats The following rationale provides justification that the security objectives for the environment are suitable to cover each individual assumption, that each security objective for the environment that traces back to an assumption about the environment of use of the TOE, when achieved, actually contributes to the environment achieving consistency with the assumption, and that if all security objectives for the environment that trace back to an assumption are achieved, the intended usage is supported: Assumption Rationale for security objectives A.NetworkElements The assumption that the external network devices such as Radius server as an external authentication/authorization source, peer router for routing information exchange, and LMT/RMT for TOE control and management are addressed in OE.NetworkElements. A.PhysicalProtection The assumption that the TOE will be protected against unauthorized physical access is expressed by a corresponding requirement in OE.Physical. A.NetworkSegregation The assumption that the TOE is not accessible via the application networks hosted by the networking device is addressed by requiring just this in OE.NetworkSegregation. A.NoEvil The assumption that the personnel are not careless, willfully negligent, or hostile is addressed in OE.Person. Table 12: Sufficiency analysis for assumptions Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 40 5 Extended Components Definition No extended components have been defined for this ST. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 41 6 Security Requirements 6.1 Conventions The following conventions are used for the completion of operations:  Strikethrough indicates text removed as a refinement  (underlined text in parentheses) indicates additional text provided as a refinement.  Bold text indicates the completion of an assignment.  Italicised and bold text indicates the completion of a selection.  Iteration/N indicates an element of the iteration, where N is the iteration number/character. 6.2 TOE Security Functional Requirements 6.2.1 Security Audit (FAU) 6.2.1.1 FAU_GEN.1 Audit data generation FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the not specified level of audit; and c) The following auditable events: i. user activity 1. login, logout 2. operation requests ii. user management 1. add, delete, modify 2. password change 3. operation authority change 4. online user query 5. session termination iii. command group management 1. add, delete, modify iv. authentication policy modification v. system management 1. reset to factory settings vi. log management Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 42 1. log policy modification FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, interface (if applicable), workstation IP (if applicable), User ID (if applicable), and CLI command name (if applicable). 6.2.1.2 FAU_GEN.2 User identity association FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event. 6.2.1.3 FAU_SAR.1 Audit review FAU_SAR.1.1 The TSF shall provide users authorized per FDP_ACF.1 with the capability to read all information from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. 6.2.1.4 FAU_SAR.3 Selectable audit review FAU_SAR.3.1 The TSF shall provide the ability to apply selection of audit data based on filename. 6.2.1.5 FAU_STG.1 Protected audit trail storage FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion. FAU_STG.1.2 The TSF shall be able to prevent unauthorised modifications to the stored audit records in the audit trail. 6.2.1.6a FAU_STG.3 Action in case of possible audit data loss FAU_STG.3.1 The TSF shall delete the oldest files if the audit trail exceeds the size of the storage device. 6.2.2 Cryptographic Support (FCS) 6.2.2.1 FCS_COP.1/AES Cryptographic operation FCS_COP.1.1 The TSF shall perform symmetric de- and encryption in accordance Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 43 with a specified cryptographic algorithm AES CBC Mode and cryptographic key sizes 128bits, 256bits that meet the following: FIPS 197 6.2.2.2 FCS_COP.1/3DES Cryptographic operation FCS_COP.1.1 The TSF shall perform symmetric de- and encryption in accordance with a specified cryptographic algorithm 3DES Outer CBC Mode and cryptographic key sizes 168bits that meet the following: FIPS PUB46-3 6.2.2.3 FCS_COP.1/RSA Cryptographic operation FCS_COP.1.1 The TSF shall perform asymmetric authentication in accordance with a specified cryptographic algorithm RSASSA-PKCS-v1_5 with SHA1 and cryptographic key sizes configured (512bits-2048bits) that meet the following: RSA Cryptography Standard (PKCS#1) 6.2.2.4 FCS_COP.1/MD5 Cryptographic operation FCS_COP.1.1 The TSF shall perform authentication in accordance with a specified cryptographic algorithm MD5 and cryptographic key sizes none that meet the following: RFC 1321 6.2.2.5 FCS_COP.1/HMAC-MD5 Cryptographic operation FCS_COP.1.1 The TSF shall perform authentication in accordance with a specified cryptographic algorithm HMAC-MD5 and cryptographic key sizes 16 bytes that meet the following: RFC 2104 6.2.2.6 FCS_COP.1/DHKeyExchange Cryptographic operation FCS_COP.1.1 The TSF shall perform Diffie-Hellman key agreement in accordance with a specified cryptographic algorithm diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 and cryptographic key sizes diffie-hellman-group1-sha1: 1024 bits Oakley Group 2, diffie-hellman-group-exchange-sha1: 1024bits to 8192bits that meet the following: RFC 4253/RFC4419 6.2.2.7 FCS_CKM.1/AES Cryptographic key generation FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm SSH key derivation and specified cryptographic key sizes 128bits, 256bits that meet the following: RFC 4253 6.2.2.8 FCS_CKM.1/3DES Cryptographic key generation Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 44 FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm SSH key derivation and specified cryptographic key sizes 168bits that meet the following: RFC 4253 6.2.2.9 FCS_CKM.1/RSA Cryptographic key generation FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm keygen method RSA and specified cryptographic key sizes configured (512bits-2048bits) that meet the following: RSA Cryptography Standard (PKCS#1) 6.2.2.10 FCS_CKM.1/DHKey Cryptographic key generation FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm keygen method DH Group Generation and specified cryptographic key sizes 1024bits to 8192 bits that meet the following: RFC4419 6.2.2.11 FCS_CKM.1/HMAC Cryptographic key generation FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm SSH key derivation and specified cryptographic key sizes 16 bytes that meet the following: RFC 4253 6.2.2.12 FCS_CKM.4/RSA Cryptographic key destruction FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting with 0 that meets the following: none 6.2.2.13 FCS_CKM.4/3DES-AES-HMAC Cryptographic key destruction FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method releasing memory so that it is eventually overwritten that meets the following: none 6.2.3 User Data Protection (FDP) 6.2.3.1 FDP_ACC.1 Subset access control FDP_ACC.1.1 The TSF shall enforce the VRP access control policy on users as subjects, and commands issued by the subjects targeting the objects. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 45 6.2.3.2 FDP_ACF.1 Security attribute based access control FDP_ACF.1.1 The TSF shall enforce the VRP access control policy to objects based on the following: a) users and their following security attributes: O. user level b) commands and their following security attributes: O. Command Groups FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: a) the user has been granted authorization for the commands targeted by the request, and b) the user is associated with a Command Group that contains the requested command FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: a) the user has been granted authorization for the commands targeted by the request, and b) the user is associated with a Command Group that contains the requested command FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: a) the user has not been granted authorization for the commands targeted by the request, or b) the user is not associated with a Command Group that contains the requested command 6.2.3.3a FDP_DAU.1 Basic Data Authentication (for all series except S23XX-EI/S53XX-LIS27XX-EI/S57XX-LI) FDP_DAU.1.1 The TSF shall provide a capability to generate evidence that can be used as a guarantee of the validity of the authentication information of BGP, OSPF, SSH, SNMP .FDP_DAU.1.2 The TSF shall provide BGP, OSPF, SSH,SNMP with the ability to verify evidence of the validity of the indicated information. 6.2.3.3b FDP_DAU.1 Basic Data Authentication (for S23XX-EI/S53XX-LI/ S27XX-EI/S57XX-LI) FDP_DAU.1.1 The TSF shall provide a capability to generate evidence that can be used as a guarantee of the validity of the authentication information of SSH, SNMP .FDP_DAU.1.2 The TSF shall provide SSH,SNMP with the ability to verify evidence of Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 46 the validity of the indicated information. 6.2.3.4 FDP_IFC.1 Subset information flow control FDP_IFC.1.1 The TSF shall enforce the VRP information control policy(based on ACL) on the subject as network traffic, the ACL-defined information, the ACL-defined operations. 6.2.3.5a FDP_IFF.1 Simple security attributes (for all series except S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) FDP_IFF.1.1 The TSF shall enforce the VRP information control policy(based on ACL) based on the following types of subject and information security attributes: the subject as network packets or frames, the information as source IP address, source destination IP address, transport protocol, source tcp or udp port number, destination tcp or port number, ICMP types or flags, source MAC address, destination MAC address, Ethernet protocol, VLAN-ID. FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: the VRP information control policy, and the policy’s action is permit. FDP_IFF.1.3 The TSF shall enforce the bandwidth control, traffic statistic. FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: the VRP information control policy, and the policy’s action is permit. FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: the VRP information control policy, and the policy’s action is deny. 6.2.3.5b FDP_IFF.1 Simple security attributes (for S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) FDP_IFF.1.1 The TSF shall enforce the VRP information control policy(based on ACL) based on the following types of subject and information security attributes: the subject as frames, the information as source MAC address, destination MAC address, Ethernet protocol, VLAN-ID. FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 47 and controlled information via a controlled operation if the following rules hold: the VRP information control policy, and the policy’s action is permit. FDP_IFF.1.3 The TSF shall enforce the bandwidth control, traffic statistic. FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: the VRP information control policy, and the policy’s action is permit. FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: the VRP information control policy, and the policy’s action is deny. 6.2.4 Identification and Authentication (FIA) 6.2.4.1 FIA_AFL.1 Authentication failure handling (this does not apply to RADIUS authentication) FIA_AFL.1.1 The TSF shall detect when 3 unsuccessful authentication attempts occur since the last successful authentication of the indicated user identity FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met, the TSF shall terminate the session of the authentication user. 6.2.4.2 FIA_ATD.1 User attribute definition FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: a) user ID b) user level c) password 6.2.4.3 FIA_SOS.1 Verification of secrets FIA_SOS.1.1/a (for all series except S23XX-EI/S53xx-LI/SI and S27XX-EI/S57xx-LI/SI) The TSF shall provide a mechanism to verify that secrets meet for text string used as seeds for MD5 authentication for OSPF, they are case sensitive and contain no whitespace, no question mark. A cipher text mode should be used and the length of text string should be 16 to 392 characters. FIA_SOS.1.1/b (for all series except S23XX-EI/S53xx-LI/SI and S27XX-EI/S57xx-LI/SI) The TSF shall provide a mechanism to verify that secrets meet for password used as Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 48 seeds for MD5 authentication for BGP, they are case sensitive and contain no whitespace, no question mark. A cipher password mode should be used and the length of password should be 16 to 392 characters. FIA_SOS.1.1/c The TSF shall provide a mechanism to verify that secrets meet for password used as seeds for user authentication for SSH and they are case sensitive. A cipher password mode should be used and the length of password should be at least 8 characters long. Application Note: All passwords must contain at least two normal characters, two capitals, 2 numbers and 2 special characters. 6.2.4.4 FIA_UAU.2 User authentication before any action FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. 6.2.4.5 FIA_UID.2 User identification before any action FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user. 6.2.5 Security Management (FMT) 6.2.5.1 FMT_MOF.1 Management of security functions behavior FMT_MOF.1.1 The TSF shall restrict the ability to determine the behavior of all the functions defined in FMT_SMF.1 to the administrator-defined roles. 6.2.5.2 FMT_MSA.1 Management of security attributes FMT_MSA.1.1/1 The TSF shall enforce the VRP access control policy to restrict the ability to query, modify the security attributes identified in FDP_ACF.1 and FIA_ATD.1 to the administrator-defined roles. FMT_MSA.1.1/2 The TSF shall enforce the VRP information control policy (based on ACL) to restrict the ability to query, modify, delete the security attributes identified in FDP_IFF.1 to the roles which can match the VRP information control policy(based on ACL) and the policy action is permit. 6.2.5.3 FMT_MSA.3 Static attribute initialization FMT_MSA.3.1/1 The TSF shall enforce the VRP access control policy to provide Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 49 restrictive default values for security attributes (Command Group associations) that are used to enforce the SFP. FMT_MSA.3.1/2 The TSF shall enforce the VRP information control policy (based on ACL) to provide restrictive default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2 The TSF shall allow administrator-defined roles to specify alternative initial values to override the default values when an object or information is created. 6.2.5.4 FMT_SMF.1 Specification of Management Functions FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: a) authentication, authorization, encryption 1 policy b) ACL policy c) user management d) definition of Managed Object Groups and Command Groups e) definition of IP addresses and address ranges that will be accepted as source addresses in client session establishment requests f) routing and forwarding, such as BGP (not for S23XX-EI/S53xx-LI/SI and S27XX-EI/S57xx-LI/SI), OSPF (not for S23XX-EI/S53xx-LI/SI and S27XX-EI/S57xx-LI/SI), ARP g) L2 forwarding, such as MAC, VLAN 6.2.5.5 FMT_SMR.1 Security roles FMT_SMR.1.1 The TSF shall maintain the roles: administrator-defined roles. FMT_SMR.1.2 The TSF shall be able to associate users with roles. 6.2.6 Protection of the TSF (FPT) 6.2.6.1 FPT_STM.1 Reliable time stamps FPT_STM.1.1 The TSF shall be able to provide reliable time stamps. 6.2.6.2 FPT_FLS.1 Fail secure FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of failures occur: packets to enter in an infinite switching loop . 6.2.7 Resource utilization (FRU) 1 The encryption policy dictates which cryptographic algorithm / key length is used in which situation Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 50 6.2.7.1 FRU_PRS.1 Limited priority of service FRU_PRS.1.1 The TSF shall assign a priority (used as configured bandwidth) to each subject in the TSF. FRU_PRS.1.2 The TSF shall ensure that each access to controlled resources (bandwidth) shall be mediated on the basis of the subjects assigned priority. 6.2.7.2 FRU_RSA.1 Maximum quotas FRU_RSA.1.1 The TSF shall enforce maximum quotas of the controlled resource: bandwidth, MAC address table entries that subjects can use simultaneously 6.2.7.3 FRU_FLT.1 Degraded fault tolerance FRU_FLT.1.1 The TSF shall ensure the operation of Spanning Tree Protocol (STP) to cut off the loops when the following failures occur: packets to enter in an infinite loop. 6.2.8 TOE access (FTA) 6.2.8.1 FTA_SSL.3 TSF-initiated termination FTA_SSL.3.1 The TSF shall terminate an interactive session after a time interval of user inactivity which can be configured 6.2.8.2 FTA_TSE.1 TOE session establishment FTA_TSE.1.1 The TSF shall be able to deny session establishment based on a) authentication failure b) Source IP address. 6.2.9 Trusted Path/Channels (FTP) 6.2.9.1 FTP_TRP.1 Trusted path FTP_TRP.1.1 The TSF shall provide a communication path between itself and remote users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification, disclosure. FTP_TRP.1.2 The TSF shall permit remote users to initiate communication via the trusted path. FTP_TRP.1.3 The TSF shall require the use of the trusted path for remote management Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 51 6.3 Security Functional Requirements Rationale 6.3.1 Sufficiency and coverage The following rationale provides justification for each security objective for the TOE, showing that the security functional requirements are suitable to meet and achieve the security objectives: From this table, it can also be seen that each security functional requirement addresses at least one security objective. Security objectives Rationale O.Forwarding (all series except S23XX-EI/S53XX-LI and S27XX-EI/S57XX-LI) The goal of secure traffic forwarding is achieved by following: Prior to forwarding related service configuration, authentication (FIA_UID.2, FIA_UAU.2, FDP_DAU.1), authorization (FDP_ACC.1) and access control policy (FDP_ACF.1) are implemented and applicable. A trusted path (FTP_TRP.1) for forwarding related service configuration should be established for users, which also require Cryptographic Support (FCS_COP.1). Cryptographic Support (FCS_COP.1) are also required where routing information exchange takes place. In order to prevent packets to enter in an infinite loop, provoking slow performance to network (FRU_FLT.1, FPT_FLS.1) STP is implemented. O.Forwarding (S23XX-EI/S53XX-LI and S27XX-EI/S57XX-LI) The goal of secure traffic forwarding is achieved by following: Prior to forwarding related service configuration, authentication (FIA_UID.2, FIA_UAU.2, FDP_DAU.1), authorization (FDP_ACC.1) and access control policy (FDP_ACF.1) are implemented and applicable. A trusted path (FTP_TRP.1) for forwarding related service configuration should be established for users, which also require Cryptographic Support (FCS_COP.1). In order to prevent packets to enter in an infinite loop, provoking slow performance to network (FRU_FLT.1, FPT_FLS.1) STP is implemented. O.Audit The generation of audit records is implemented by FAU_GEN.1. Audit records are supposed to include timestamp (FPT_STM.1) and user identities (FAU_GEN.2) where applicable, which are supplied by the authentication mechanism (FIA_UID.2). Audit records are in a string format, regular expressions are provisioned to read and search these records (FAU_SAR.1, FAU_SAR.3). The protection of the stored audit records is implemented in FAU_STG.1. Functionality to delete the oldest audit file is provided if the size of the log files becomes larger than the capacity of the store device (FAU_STG.3). Management functionality for the audit mechanism is spelled out in FMT_SMF.1. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 52 O.Communication Communications security is implemented by a trusted path for remote users in FTP_TRP.1. FCS_COP.1 addresses the 3DES/AES encryption of SSH channels. FCS_CKM.1 addresses keys generation of 3DES/AES/RSA. FCS_CKM.4/RSA addresses key destruction of RSA. FCS_CKM.4 3DES/AES keys are session keys only, these are created and stored in a trunk of internal memory dynamically allocated within the TOE upon session establishment and are destroyed upon session termination. The allocated memory is freed as well. Management functionality to enable these mechanisms is provided in FMT_SMF.1. O.Authentication User authentication is implemented by FIA_UAU.2, FDP_DAU.1 and supported by individual user identifies in FIA_UID.2. The necessary user attributes (passwords) are spelled out in FIA_ATD.1. The authentication mechanism supports authentication failure handling (FIA_AFL.1), restrictions as to the validity of accounts for logon (FTA_TSE.1), automatic logout after inacitivty (FTA_SSL.3) and a password policy (FIA_SOS.1). A trusted path is provided (FTP_TRP.1) supported by cryptography (FCS_COP.1). Management functionality is provided in FMT_SMF.1. O.Authorization The requirement for access control is spelled out in FDP_ACC.1, and the access control policies are modeled in FDP_ACF.1. Unique user IDs are necessary for access control provisioning (FIA_UID.2), and user-related attributes are spelled out in FIA_ATD.1. Access control is based on the definition of roles as subject and functions as object(FMT_SMR.1, FMT_MOF.1), The termination of an interactive session is provided in FTA_SSL.3. management functionality for the definition of access control policies is provided (FMT_MSA.1, FMT_MSA.3, FMT_SMF.1). O.Resource The requirement for assigning a priority (used as configured bandwidth) is spelled out in FRU_PRS.1, enforcing the maximum quotas for bandwidth and limited the MAC address table entries is spelled out in FRU_RSA.1 O.Filter The requirement of ACL or packet filter is spelled out in FDP_IFF.1 and FDP_IFC.1. management functionality for the definition of ACL is provided (FMT_MSA.1, FMT_MSA.3, FMT_SMF.1). Table 13: SFR sufficiency analysis 6.3.3 Security Requirements Dependency Rationale Dependencies within the EAL3 package selected for the security assurance requirements have been considered by the authors of CC Part 3 and are not analyzed here again. The security functional requirements in this Security Target do not introduce Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 53 dependencies on any security assurance requirement; neither do the security assurance requirements in this Security Target introduce dependencies on any security functional requirement. The following table demonstrates the dependencies of SFRs modeled in CC Part 2 and how the SFRs for the TOE resolve those dependencies: Security Functional Requirement Dependencies Resolution FAU_GEN.1 FPT_STM.1 FPT_STM.1 FAU_GEN.2 FAU_GEN.1 FIA_UID.1 FAU_GEN.1 FIA_UID.2 FAU_SAR.1 FAU_GEN.1 FAU_GEN.1 FAU_SAR.3 FAU_SAR.1 FAU_SAR.1 FAU_STG.1 FAU_GEN.1 FAU_GEN.1 FAU_STG.3 FAU_STG.1 FAU_STG.1 FCS_COP.1 FCS_CKM.1 FCS_CKM.4 FCS_CKM.1 FCS_CKM.4 Except for MD-5 and DH-group1-SHA1. MD-5 uses no key and DH-group1-SHA1 uses fixed key value so the dependencies are unnecessary there. FCS_CKM.1 FCS_COP.1 FCS_CKM.4 FCS_COP.1 FCS_CKM.4 FCS_CKM.4 FCS_CKM.1 FCS_CKM.1 FDP_ACC.1 FDP_ACF.1 FDP_ACF.1 FDP_ACF.1 FDP_ACC.1 FMT_MSA.3 FDP_ACC.1 FMT_MSA.3 FDP_DAU.1 None FDP_IFC.1 FDP_IFF.1 FDP_IFF.1 FDP_IFF.1 FDP_IFC.1 FMT_MSA.3 FDP_IFC.1 FMT_MSA.3 FIA_AFL.1 FIA_UAU.1 FIA_UAU.2 FIA_ATD.1 None FIA_SOS.1 None FIA_UAU.2 FIA_UID.1 FIA_UID.2 FIA_UID.2 None FMT_MOF.1 FMT_SMF.1 FMT_SMR.1 FMT_SMF.1 FMT_SMR.1 FMT_MSA.1 [FDP_ACC.1 or FDP_IFC.1] FMT_SMR.1 FMT_SMF.1 FDP_ACC.1 FMT_SMR.1 FMT_SMF.1 FMT_MSA.3 FMT_MSA.1 FMT_SMR.1 FMT_MSA.1 FMT_SMR.1 FMT_SMF.1 None FMT_SMR.1 FIA_UID.1 FIA_UID.2 Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 54 FRU_PRS.1 None FRU_RSA.1 None FTA_SSL.3 None FTA_TSE.1 None FTP_TRP.1 None FTP_STM.1 None FRU_FLT.1 FPT_FLS.1 FPT_FLS.1 FPT_FLS.1 None Table 14: Dependencies between TOE Security Functional Requirements 6.4 Security Assurance Requirements The security assurance requirements for the TOE are the Evaluation Assurance Level 3 components augmented ALC_CMC.4 (instead of ALC_CMC.3), as specified in [CC] Part 3. No operations are applied to the assurance components. 6.5 Security Assurance Requirements Rationale The evaluation assurance level 3 augmented with ALC_CMC.4 (instead of ALC_CMC.3), has been chosen commensurate with the threat environment that is experienced by typical consumers of the TOE. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 55 7 TOE Summary Specification 7.1 TOE Security Functional Specification 7.1.1 Authentication The TOE can identify administrators by a unique ID and enforces their authentication before granting them access to any TSF management interfaces. Detailed functions include: 1) Support authentication via local password. This function is achieved by comparing user information input with pre-defined user information stored in memory. 2) Support authentication via remote RADIUS authentication server. This function is achieved by performing pass/fail action based on result from remote authentication server. 3) Support authenticate user login using SSH, by password authentication, RSA authentication, or combination of both. This function is achieved by performing authentication for SSH user based on method mentioned in 1). 4) Support logout when no operation is performed on the user session within a given interval. This function is achieved by performing count-down through timing related to clock function. 5) Support max attempts due to authentication failure within certain period of time. This function is achieved by providing counts on authentication failure. 6) Support limiting access by IP address. This function is achieved by comparing IP address of requesting session with configured value stored in memory. 7) Support for user individual attributes in order to achieve all the enumerated features: user ID, user level, and password. (FIA_AFL.1, FIA_ATD.1, FIA_UAU.2, FIA_UID.2, FTA_TSE.1, FTA_SSL.3, FCS_CKM.1,FCS_CKM.4) 7.1.2 Access Control The TOE enforces an access control by supporting following functionalities: 1) Support 16 access levels. This function is achieved by storing number as level in memory. 2) Support assigning access level to commands. This function is achieved by associating access level number with commands registered. 3) Support assigning access level to user ID. This function is achieved by associating access level number with user ID. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 56 4) Support limiting executing commands of which the access level is less or equal to the level of user. This function is achieved by performing an evaluation that level of commands is less or equal to level of user. This limitation of access also prevents users from accessing or deleting log files if they have insufficient rights. (FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMR.1, FMT_MOF.1, FAU_STG.1) 7.1.3 L2 Traffic Forwarding The TOE forwards network traffic, enforcing decisions about the correct forwarding interface and assembling the outgoing network packets using correct MAC addresses: 1) Support traffic isolation with VLANs 2) Support MAC address learning automatically 3) Support Layer 2 traffic forwarding based on MAC table entry 4) Support to configure MAC address statically 5) Support to configure black hole MAC address statically 6) Support to limit the learning number of MAC address 7) Support to convert the MAC address learnt dynamically to static MAC address 8) Support MAC address flapping protection 9) In order to configure all the enumerated settings the user must be an authenticated user with administrator-defined role. (FRU_PRS.1, FRU_RSA.1,FMT_MSA.3) 7.1.4 L3 Traffic Forwarding The TOE forwards network traffic, enforcing decisions about the correct forwarding interface and assembling the outgoing network packets using correct MAC addresses: 1) Support ARP/BGP/OSPF protocol. This function is achieved by providing implementation of ARP/BGP/OSPF protocol. 2) Support routing information generation via OSPF protocol. This function is provided by implementation of OSPF protocol. 3) Support routing information generation via BGP protocol. This function is provided by implementation of BGP protocol. 4) Support routing information generation via manual configuration. This function is achieved by storing static routes in memory. 5) Support importing BGP/static routing information for OSPF. This function is provided by implementation of OSPF protocol. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 57 6) Support importing OSPF/static routing information for BGP. This function is provided by implementation of BGP protocol. 7) BGP support cryptographic algorithm MD5. This function is achieved by performing verification for incoming BGP packets using MD5 algorithm. 8) OSPF support cryptographic algorithm MD5. This function is achieved by performing verification for incoming OSPF packets using MD5 algorithm. 9) Support disconnection session with neighbor network devices. This function is achieved by locating and cleaning session information. 10) OSPF support routing information aggregation. This function is achieved by manipulating routes stored in memory. 11) OSPF support routing information filtering. This function is achieved by manipulating routes stored in memory. 12) Support ARP strict learning. This function is achieved by regulating ARP feature to accept entry generated by own ARP requests. 13) Support IPv4 traffic forwarding via physical interface. This function is achieved by making routing decision based on routes generated by BGP/OSPF/static configuration. 14) Support sending network traffic to VRP for central process where destination IP address is one of the interfaces’ IP addresses of the TOE. This is achieved by checking whether the traffic’s destination IP address is within the configured interfaces’ IP addresses in the TOE. If it is, the traffic will be sent to VRP in MCU for central process. (FIA_UAU.2, FTP_TRP.1, FCS_COP.1, FIA_SOS.1, FDP_DAU.1) Notes: S23XX-EI/S53XX-LI/S23XX-EI/S57XX-LI Series Switches don’t support Layer 3 forwarding;S53XX-SI/S57XX-SI Series Switches only supports Layer 3 forwarding by static routes, don’t support routing protocol like OSPF/BGP. 7.1.5 Auditing The TOE can provide auditing ability by receiving all types of logs and processing them according to user’s configuration: 1) Support classification based on severity level. This function is achieved where logging messages are encoded with severity level and output to log buffer. 2) Support enabling, disabling log output. This function is achieved by interpreting enable/disable commands and storing results in memory. Log output is performed based on this result. 3) Support redirecting logs to various output channels: monitor, log buffer, trap buffer, log file. This function is achieved by interpreting commands and storing results in memory or in log files in CF card. Log channel for output is selected prior to execution of redirecting. 4) Support log output screening, based on filename. This function is performed by providing filtering on output. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 58 5) Support querying log buffer. This function is achieved by performing querying operation with conditions input. 6) Support cleaning log buffer. This function is achieved by cleaning log buffer in memory. 7) Support to automatically remove oldest log files if audit files exceed the size of store device. (FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.3, FAU_STG.3, FMT_SMF.1) 7.1.6 Communication Security The TOE provides communication security by implementing SSH protocol. Two versions of SSH: SSHv1 (SSH1.5) and SSHv2 (SSH2.0) are implemented. But SSH2 is recommended for most cases by providing more secure and effectiveness in terms of functionality and performance. SFTP is provided implementing secure . 1) Support SSHv1 and SSHv2. This function is achieved by providing implementation of SSHv1 and SSHv2. 2) Support diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1 as key exchange algorithm of SSH. This function is achieved by providing implementation of diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1 algorithm. 3) Support 3DES, AES encryption algorithm. This function is achieved by providing implementation of 3DES, AES algorithm. 4) Support HMAC-MD5 verification algorithm. This function is achieved by providing implementation of HMAC-MD5 algorithm. 5) Support using different encryption algorithm for client-to-server encryption and server-to-client encryption. This function is achieved by interpreting related commands and storing the result in memory. 6) Support Secure-FTP. This function is achieved by providing implementation of Secure-FTP. 7) Support for RSA key destruction, overwriting it with 0 (FCS_COP.1, FCS_CKM.1, FCS_CKM.4, FMT_SMF.1, FDP_DAU.1) 7.1.7 ACL The TOE supports Access Control List (ACL) to filter traffic destined to TOE to prevent internal traffic overload and service interruption. And the TOE also use ACL to deny unwanted network traffic to pass through itself. The TOE also uses the ACL to identify flows and perform flow control to prevent the CPU and related services from being attacked. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 59 1) Support enabling ACLs by associating ACLs to blacklist. This function is achieved by interpreting ACL configurations then storing interpreted value in memory. 2) Support screening, filtering traffic destined to CPU. This function is achieved by downloading blacklist ACL configurations into hardware. 3) Support rate limiting traffic based on screened traffic. This function is achieved by downloading configuration of rate into hardware. ( FRU_PRS.1, FRU_RSA.1, FDP_IFC.1, FDP_IFF.1) 7.1.8 Security Management The TOE offers management functionality for its security functions, where appropriate. This is partially already addressed in more detail in the previous sections of the TSS, but includes: • User management, including user name, passwords, etc. • Access control management, including the association of users and corresponding privileged functionalities. • Enabling/disabling of SSH for the communication between LMT clients and the TOE. • Defining IP addresses and address ranges for clients that are allowed to connect to the TOE. All of these management options are typically available via the LMT GUI. Detailed function specification include following: 1) Support Local configuration through console port. Parameters include console port baud rate, data bit, parity, etc; 2) Support configuration for authentication and authorization on user logging in via console port; 3) Support configuration for authentication mode and authorization mode on user logging in via console port; 4) Support remotely managing the TOE using SSH. 5) Support enabling, disabling S-FTP; 6) Support configuration on service port for SSH; 7) Support configuration on RSA key for SSH; 8) Support configuration on authentication type, encryption algorithm for SSH; 9) Support authenticate user logged in using SSH, by password authentication, RSA authentication, or combination of both; 10) Support configuration on logout when no operation is performed on the user session within a given interval; 11) Support configuration on max attempts due to authentication failure within certain period of time; Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 60 12) Support configuration on limiting access by IP address; 13) Support configuration on commands’ access level; 14) Support management on OSPF by enabling, disabling OSPF; 15) Support configuration on area, IP address range, authentication type of OSPF; 16) Support management on BGP by enabling, disabling BGP; 17) Support configuration on peer address, authentication type of BGP; 18) Support management on ARP by specifying static ARP entry, aging time and frequency of dynamical ARP entry. This function is achieved by interpreting commands input and storing value in memory. 19) Support management on log by enabling, disabling log output; 20) Support configuration on log output channel, output host; 21) Support configuration ACLs based on IP protocol number, source and/or destination IP address, source and/or destination port number if TCP/UDP; 22) Support enabling, disabling SNMP Agent and Trap message sending function; 23) Support enabling, disabling the switch to Send an Alarm Message of a Specified Feature to the NM Station ; 24) Support setting the Source Interface, Queue Length and Lifetime of Trap message; 25) Support enabling, disabling STP function . Above functions are achieved by providing interpreting input commands and storing result of interpreting in memory. Some results like routes generated, ACLs will be downloaded into hardware to assist forwarding and other TSF functions. (FMT_SMF.1, FTP_TRP.1) 7.1.9 Cryptographic functions Cryptographic functions are required by security features as dependencies. The following cryptographic algorithms are supported: 1) Support AES128/AES256/3DES/RSA algorithms. This is achieved by providing implementations of AES128/AES256/3DES/RSA algorithms. 2) Support MD5/HMAC-MD5 algorithms. This is achieved by providing implementations of MD5/HMAC-MD5 algorithms. 3) Support for RSA key destruction overwriting it with 0 (FCS_COP.1, FCS_CKM.4) 7.1.10 Time The TOE supports its own clock, to support logging and timed log-outs. Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 61 (FPT_STM.1, FTA_SSL.3) 7.1.11 SNMP Trap The TOE uses SNMP traps to notify a fault occurs or the system does not operate properly. 1) Support management on trap by enabling, disabling trap output; 2) Support configuration on trap output interface, output host; 3) Support configuration on trap based on fault categories, fault functionality, or modules where the faults occur. 4) Support SNMPv3 which provides: a) Encrypted communication using AES algorithm. b) Packet authentication using MD5 algorithms (FPT_STM.1, FDP_DAU.1) 7.1.12 STP The TOE supports Spanning Tree Protocol (STP) to cut off the potential loops on the network and provide Link redundancy. 1) Support blocking a certain interface to prevent replication and circular propagation of packets on the network. 2) Support sending configuration BPDUs and Hello packets to detect link faults with a certain time. 3) Support delay for interface status transition to prevent transient loops. 4) Support configuration on max aging time to specifies the aging time of BPDUs, (FRU_FLT.1, FPT_FLS.1) Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 62 8 Abbreviations, Terminology and References 8.1 Abbreviations ACL Access Control List CC Common Criteria CLI Command Line Interface GUI Graphical User Interface LMT Local Maintenance Terminal LPU Line Process Unit MCU Main Control Unit NTP Network Time Protocol PP Protection Profile RMT Remote Maintenance Terminal SFR Security Functional Requirement SFU Switching Fabric Unit SNMP Simple Network Management Protocol SPU Service Process Unit SRU Switch Router Unit ST Security Target STP Spanning-Tree Protocol TOE Target of Evaluation TSF TOE Security Functions VP Virtual Path VRP Versatile Routing Platform 8.2 Terminology This section contains definitions of technical terms that are used with a meaning specific to this document. Terms defined in the [CC] are not reiterated here, unless stated otherwise. Administrator: An administrator is a user of the TOE who may have been assigned specific administrative privileges within the TOE. This Huawei S Series Ethernet Switches V200R003 Security Target Huawei Technologies Co., Ltd. Page 63 ST may use the term administrator occasionally in an informal context, and not in order to refer to a specific role definition – from the TOE’s point of view, an administrator is simply a user who is authorized to perform certain administrative actions on the TOE and the objects managed by the TOE. User: A user is a human or a product/application using the TOE. 8.3 References [CC] Common Criteria for Information Technology Security Evaluation. Part 1-3. September 2012. Version 3.1 Revision 4. [CEM] Common Methodology for Information Technology Security Evaluation. September 2012. Version 3.1 Revision 4.