Huawei S Series Ethernet Switches V200R008 Security Target
Huawei Technologies Co., Ltd. Page 1
Huawei S Series Ethernet Switches
V200R008
Security Target
Version: 2.2
Last Update: 2016-10-21
Author: Huawei Technologies Co., Ltd.
Revision record
Date | Revision Version | Change Description | Author
2016-01-28 | 0.1 | Initial Draft | Liu Canhong
2016-03-14 | 1.0 | Final version. Changed references to correct versions. Finalized layout | Liu Canhong
2016-04-18 | 1.1 | ST physical scope update and L3 function description update | Liu Canhong
2016-05-09 | 1.2 | Update linux distribution; Update E600 description in table 4; Fix typographical error; Update FCS_COP.1/AES; Update table 4 | Liu Canhong
2016-05-10 | 1.3 | Change FIPS SP 800-67 and FIPS SP 800-38A to NIST SP 800-67 and NIST SP 800-38A; Reinstate FCS_CKM.1/3DES | Liu Canhong
2016-05-12 | 1.4 | Update 6.2.2.8 | Liu Canhong
2016/5/26 | 1.5 | Typo in table 4; Correct version in table 7 | Liu Canhong
2016/7/8 | 1.6 | Update guidance in table 7; Add S-telnet description in 7.1.6 | Liu Canhong
2016/9/2 | 1.7 | Change description "The TOE names S-Telnet as SSH" into "The TOE names SSH as S-Telnet"; Change version to V200R008C00SPC500 | Liu Canhong
2016/9/7 | 1.8 | Update cryptographic suites | Liu Canhong
2016/9/19 | 1.9 | Update cryptographic suites for OSPF/BGP in section 1.4.3.9 and replace the HMAC-MD5 to HMAC-SHA | Liu Canhong
2016/10/07 | 2.0 | Update cryptographic | Liu Canhong
2016/10/13 | 2.1 | Update typo | Liu Canhong
2016/10/21 | 2.2 | Update AGD version | Liu Canhong
Table of Contents
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
1 INTRODUCTION
  1.1 Security Target Identification
  1.2 TOE Identification
  1.3 Target of Evaluation (TOE) Overview
  1.4 TOE Description
    1.4.1 Architectural overview
    1.4.2 Scope of Evaluation
    1.4.3 Summary of Security Features
    1.4.4 TSF and Non-TSF data
2 CC CONFORMANCE CLAIM
3 TOE SECURITY PROBLEM DEFINITION
  3.1 Threats
    3.1.1 Threats
    3.1.2 Threats Components
  3.2 Assumptions
    3.2.1 Environment of use of the TOE
4 SECURITY OBJECTIVES
  4.1 Objectives for the TOE
  4.2 Objectives for the Operational Environment
  4.3 Security Objectives Rationale
    4.3.1 Coverage
    4.3.2 Sufficiency
5 EXTENDED COMPONENTS DEFINITION
6 SECURITY REQUIREMENTS
  6.1 Conventions
  6.2 TOE Security Functional Requirements
    6.2.1 Security Audit (FAU)
    6.2.2 Cryptographic Support (FCS)
    6.2.3 User Data Protection (FDP)
    6.2.4 Identification and Authentication (FIA)
    6.2.5 Security Management (FMT)
    6.2.6 Protection of the TSF (FPT)
    6.2.7 Resource utilization (FRU)
    6.2.8 TOE access (FTA)
    6.2.9 Trusted Path/Channels (FTP)
  6.3 Security Functional Requirements Rationale
    6.3.1 Sufficiency and coverage
    6.3.3 Security Requirements Dependency Rationale
  6.4 Security Assurance Requirements
  6.5 Security Assurance Requirements Rationale
7 TOE SUMMARY SPECIFICATION
  7.1 TOE Security Functional Specification
    7.1.1 Authentication
    7.1.2 Access Control
    7.1.3 L2 Traffic Forwarding
    7.1.4 L3 Traffic Forwarding
    7.1.5 Auditing
    7.1.6 Communication Security
    7.1.7 ACL
    7.1.8 Security Management
    7.1.9 Cryptographic functions
    7.1.10 Time
    7.1.11 SNMP Trap
    7.1.12 STP
8 ABBREVIATIONS, TERMINOLOGY AND REFERENCES
  8.1 Abbreviations
  8.2 Terminology
  8.3 References
List of Tables
Table 1: Naming rules of Box Switch
Table 2: Naming rules of Chassis Switch
Table 3: The device list of Huawei S Series Ethernet Switches
Table 4: Model Specifications
Table 5: Chassis Switch Interfaces Specifications
Table 6: Box Switch Interfaces Specifications
Table 7: List of software and guidance
Table 8: Access Levels
Table 9: Mapping Objectives to Threats
Table 10: Mapping Objectives for the Environment to Threats, Assumptions
Table 11: Sufficiency analysis for threats
Table 12: Sufficiency analysis for assumptions
Table 13: SFR sufficiency analysis
Table 14: Dependencies between TOE Security Functional Requirements
List of Figures
Figure 1: Naming rules of Box Switch
Figure 2: Naming rules of Chassis Switch
Figure 3: TOE Physical architecture of Box Switch
Figure 4: TOE Physical architecture of Chassis Switch
Figure 5: TOE Software architecture
Figure 6: TOE logical scope
1 Introduction
This Security Target is for the evaluation of Huawei S Series Ethernet Switches V200R008.
1.1 Security Target Identification
Name: Huawei S Series Ethernet Switches V200R008 Security Target
Version: 2.2
Publication Date: 2016-10-21
Author: Huawei Technologies Co., Ltd.
1.2 TOE Identification
Name: Huawei S Series Ethernet Switches
Version: V200R008C00SPC500
At the core of Huawei S Series Ethernet Switches is the Versatile Routing Platform (VRP). Product software version V200R008C00SPC500 runs on VRP software Version 5 Release 16; the software version of the data plane is V200R008C00SPC500.
Huawei S Series Ethernet Switches are classified into Box Switches and Chassis Switches based on their physical forms. The forwarding capacity of Chassis Switches is larger than that of Box Switches, and Chassis Switches can use different LPUs (Line Processing Units) to provide ports of various types, but there is no difference in security functionality.
Huawei S Series Ethernet Switches can be classified into Layer 2 Switches and Layer 3 Switches based on their function. Layer 2 Switches support Ethernet forwarding. Layer 3 Switches support both Ethernet forwarding and IP forwarding.
Huawei S Series Ethernet Switches can be classified into Provider Switches (SX3XX Series), Enterprise Switches (SX7XX Series) and Education Switches (E6XX Series). The difference among Provider Switches, Enterprise Switches and Education Switches is that they are sold in different markets; the models are functionally identical.
There are some minor security differences between the various series, because not all series support all functionality:
• The S23xx-EI/S53xx-LI and S27XX-EI/S57XX-LI do not support L3 forwarding
• The S53xx-SI, S57xx-SI and E6XX only support static routing and no OSPF/BGP
The naming rules examples of Huawei S Series Box Switches are as follows:
Figure 1: Naming rules of Box Switch
Identifier: Description
A: Product series.
  • "S23" indicates the S2300 series.
  • "S27" indicates the S2700 series.
  • "S5700/S5710" indicates the S5700 series.
  • "S53/S5300/S5310" indicates the S5300 series.
  • "S67" indicates the S6700 series.
  • "S63" indicates the S6300 series.
  • "E6" indicates the E600 series.
  • "S5720" indicates the S5720 series.
  • "S5320" indicates the S5320 series.
  • "S6720" indicates the S6720 series.
  • "S6320" indicates the S6320 series.
B: Maximum number of interfaces.
C: Uplink port type:
  • C: The product supports extended cards and its uplink ports are provided by an extended card or are fixed 10GE ports for S5xxx series or fixed 40GE ports for S6x20 series.
  • PC: The product supports extended cards and its uplink ports are provided by an extended card or are fixed GE ports.
  • X: The product has fixed 10GE uplink ports.
  • P: The uplink ports of the product are fixed GE optical ports.
  • TP: The uplink ports of the product include combo ports consisting of electrical and optical ports.
D: Supports Power over Ethernet (PoE). If this letter is not displayed, PoE is not supported.
E: Device type:
  • SI: standard version, supporting basic features
  • EI: enhanced version, supporting enhanced features
  • HI: advanced version, supporting high-performance Operation, Administration, and Maintenance (OAM) and built-in real-time clock (RTC)
  • LI: lightweight version
F: Downlink interface type. The value 24S indicates that 24 downlink interfaces are optical interfaces. If this letter is not displayed, all downlink interfaces are electrical interfaces.
G: Powering mode:
  • AC: alternating current power
  • DC: direct current power
  • BAT: battery LAN switch
  Some product models that support pluggable power modules are sold with AC or DC power modules (standard configuration), and their product names contain "-AC" or "-DC". However, the silkscreen or nameplate on the chassis does not contain "-AC" or "-DC".
Table 1: Naming rules of Box Switch
The naming rules examples of Huawei S Series Chassis Switches are as follows:
Figure 2: Naming rules of Chassis Switch
Identifier: Description
A: Product series.
  • "127" indicates the S12700 series.
  • "77" indicates the S7700 series.
  • "93" indicates the S9300 series.
  • "97" indicates the S9700 series.
D: The capability of LPU numbers.
Table 2: Naming rules of Chassis Switch
The TOE scope has been limited in terms of evaluated configurations by choosing
the most relevant configurations of each series as can be found in the table below.
For each series, the minimum number of models has been selected in order to
cover all the functionality that shall be tested as required by CC.
The following table shows the evaluated devices.
Device Series | Device Name
S2700 | S2750-20TP-PWR-EI-AC, S2750-28TP-EI-AC, S2750-28TP-PWR-EI-AC, S2751-28TP-PWR-EI-AC
S5700 | S5701-28X-LI-AC, S5701-28X-LI-24S-AC, S5700-28P-LI-BAT, S5700-28P-LI-4AH, S5700-28P-LI-24S-BAT, S5700-28P-LI-24S-4AH, S5700-52X-LI-48CS-AC, S5700-28TP-LI-AC, S5700-28TP-PWR-LI-AC, S5701-28TP-PWR-LI-AC, S5700S-28X-LI-AC, S5700S-52X-LI-AC, S5700S-28P-PWR-LI-AC, S5700-10P-LI-AC, S5700-10P-PWR-LI-AC, S5700-28P-LI-AC, S5700-28P-LI-DC, S5700-52P-LI-AC, S5700-52P-LI-DC, S5700-28P-PWR-LI-AC, S5700-52P-PWR-LI-AC, S5700-28X-LI-AC, S5700-28X-LI-DC, S5700-52X-LI-AC, S5700-52X-LI-DC, S5700-28X-PWR-LI-AC, S5700-52X-PWR-LI-AC, S5700S-28P-LI-AC, S5700S-52P-LI-AC, S5700-28X-LI-24S-DC, S5700-28X-LI-24S-AC, S5710-28X-LI-AC, S5710-52X-LI-AC
S5720 | S5720-36C-EI-28S-AC, S5720-56C-EI-48S-AC, S5720-36C-EI-AC, S5720-36PC-EI-AC, S5720-56C-EI-AC, S5720-56PC-EI-AC, S5720-36C-PWR-EI-AC, S5720-56C-PWR-EI-AC, S5720-56C-PWR-EI-AC1, S5720-32X-EI-24S-AC, S5720-50X-EI-46S-AC, S5720-32X-EI-AC, S5720-32P-EI-AC, S5720-52X-EI-AC, S5720-52P-EI-AC, S5720-50X-EI-AC, S5720S-28P-SI-AC, S5720S-28X-SI-AC, S5720S-52P-SI-AC, S5720S-52X-SI-AC, S5720-28P-SI-AC, S5720-28X-SI-AC, S5720-52P-SI-AC, S5720-52X-SI-AC, S5720-28X-PWR-SI-AC, S5720-52X-PWR-SI-AC, S5720-52X-PWR-SI-ACF, S5720-56C-HI-AC, S5720-56C-PWR-HI-AC, S5720-32C-HI-24S-AC
S6720 | S6720-30C-EI-24S-AC, S6720-54C-EI-48S-AC
S7700 | S7703, S7706, S7706-POE, S7712, S7712-POE
S9700 | S9703, S9703FCC, S9706, S9706FCC, S9712, S9712FCC
S12700 | S12704, S12708, S12712
S2300 | S2350-28TP-PWR-EI-AC, S2350-20TP-PWR-EI-AC, S2350-28TP-EI-AC, S2350-28TP-EI-DC
S5300 | S5300-10P-LI-AC, S5300-28X-LI-24S-AC, S5300-28X-LI-24S-DC, S5300-28X-LI-AC, S5300-28X-LI-DC, S5300-52X-LI-AC, S5300-52X-LI-DC, S5300-28P-LI-BAT, S5300-28P-LI-4AH, S5300-28P-LI-24S-BAT, S5300-28P-LI-24S-4AH, S5300-52X-LI-48CS-AC, S5300-52X-LI-48CS-DC, S5300-28P-LI-AC, S5300-28P-LI-DC, S5300-52P-LI-AC, S5300-52P-LI-DC
S5320 | S5320-36C-EI-28S-AC, S5320-36C-EI-28S-DC, S5320-56C-EI-48S-AC, S5320-56C-EI-48S-DC, S5320-36C-EI-AC, S5320-36C-EI-DC, S5320-36PC-EI-AC, S5320-36PC-EI-DC, S5320-56C-EI-AC, S5320-56C-EI-DC, S5320-56PC-EI-AC, S5320-56PC-EI-DC, S5320-36C-PWR-EI-AC, S5320-36C-PWR-EI-DC, S5320-56C-PWR-EI-AC, S5320-32X-EI-24S-AC, S5320-32X-EI-24S-DC, S5320-50X-EI-46S-AC, S5320-50X-EI-46S-DC, S5320-32X-EI-AC, S5320-32X-EI-DC, S5320-32P-EI-AC, S5320-32P-EI-DC, S5320-52X-EI-AC, S5320-52X-EI-DC, S5320-52P-EI-AC, S5320-52P-EI-DC, S5320-50X-EI-AC, S5320-50X-EI-DC, S5321-28P-SI-AC, S5321-28X-SI-AC, S5321-28X-SI-DC, S5321-52P-SI-AC, S5321-52X-SI-AC, S5321-52X-SI-DC, S5320-28P-SI-AC, S5320-28X-SI-AC, S5320-52P-SI-AC, S5320-52X-SI-AC, S5320-28X-PWR-SI-AC, S5320-52X-PWR-SI-AC
S6320 | S6320-30C-EI-24S-AC, S6320-30C-EI-24S-DC, S6320-54C-EI-48S-AC, S6320-54C-EI-48S-DC
S9300 | S9303, S9306, S9312, S9303E, S9306E, S9312E
E600 | E628, E628-X, E652, E652-X
Table 3: The device list of Huawei S Series Ethernet Switches
Sponsor: Huawei
Developer: Huawei
Certification ID: SERTIT-088
Keywords: Huawei, VRP, Versatile Routing Platform, Ethernet Switches
1.3 Target of Evaluation (TOE) Overview
Huawei S Series Ethernet Switches V200R008C00SPC500, the TOE, provides high-end networking capacities for telecom and enterprise core networks. It consists of both hardware and software.
At the core of each switch is the Versatile Routing Platform (VRP), the software for managing and running the router's networking functionality. VRP provides extensive security features. These features include different interfaces with corresponding access levels for administrators; enforcing authentication prior to establishment of administrative sessions with the TOE; auditing of security-relevant management activities; as well as the correct enforcement of routing decisions to ensure that network traffic gets forwarded to the correct interfaces.
The Forwarding Engine is the actual hardware providing network traffic processing capacity.
The TOE requires some non-TOE hardware/software; this may be found in section 1.4.2.2.
1.4 TOE Description
1.4.1 Architectural overview
This section will introduce the Huawei S Series Ethernet Switches V200R008C00SPC500 from a physical architectural view and a software architectural view.
Huawei S Series Ethernet Switches can be classified into Box Switches and Chassis Switches. They have different physical and software architectures. Box Switches adopt centralized processing: the control plane and the data forwarding plane are on one board. Chassis Switches adopt distributed processing: the control plane is in the SRU/MCU and the data forwarding plane is in the LPU. In the software architecture, VRP uses VP (Virtual Path) to connect the control plane and the data forwarding plane, to avoid the difference between Box Switches and Chassis Switches.
Box Switches include: E600, S5320, S5720, S6320, S6720, S5300, S5700, S2300, S2700
Chassis Switches include: S12700, S7700, S9700, S9300
1.4.1.1 Physical Architecture
1.4.1.1.1 Physical Architecture of Box Switch
Figure 3: TOE Physical architecture of Box Switch
Figure 3 shows the physical architecture of Box Switch of the TOE with the AC/DC-input power supply modules (*1). The physical architecture includes the following systems:
• Power system
• Fan system
• CPU (Control Process Unit)
• Forwarding Engine
All systems are in the integrated cabinet. The power system works in 1+1 backup mode (*2).
The functional host system processes data. In addition, it monitors and manages the entire system, including the power system.
*1: Device lists which support both AC and DC power:
S5700-28P-LI-BAT, S5700-28P-LI-24S-BAT, S5720-36C-EI-28S-AC, S5720-56C-EI-48S-AC, S5720-36C-EI-AC, S5720-36PC-EI-AC, S5720-56C-EI-AC, S5720-56PC-EI-AC, S5720-36C-PWR-EI-AC, S5720-56C-PWR-EI-AC, S5720-28P-SI-AC, S5720-28X-SI-AC, S5720-52P-SI-AC, S5720-52X-SI-AC, S5720-28X-PWR-SI-AC, S5720-52X-PWR-SI-AC, S5720-56C-HI-AC, S5720-32C-HI-24S-AC, S6720-30C-EI-24S-AC, S6720-54C-EI-48S-AC, S5300-28P-LI-BAT, S5300-28P-LI-24S-BAT, S5320-36C-EI-28S-AC, S5320-36C-EI-28S-DC, S5320-56C-EI-48S-AC, S5320-56C-EI-48S-DC, S5320-36C-EI-AC, S5320-36C-EI-DC, S5320-36PC-EI-AC, S5320-36PC-EI-DC, S5320-56C-EI-AC, S5320-56C-EI-DC, S5320-56PC-EI-AC, S5320-56PC-EI-DC, S5320-36C-PWR-EI-AC, S5320-36C-PWR-EI-DC, S5320-56C-PWR-EI-AC, S5320-28P-SI-AC, S5320-28X-SI-AC, S5320-52P-SI-AC, S5320-52X-SI-AC, S5320-28X-PWR-SI-AC, S5320-52X-PWR-SI-AC, S6320-30C-EI-24S-AC, S6320-30C-EI-24S-DC, S6320-54C-EI-48S-AC, S6320-54C-EI-48S-DC
*2: Device lists which support 1+1 backup power (others only support one power):
S5700-28P-LI-BAT, S5700-28P-LI-24S-BAT, S5720-36C-EI-28S-AC, S5720-56C-EI-48S-AC, S5720-36C-EI-AC, S5720-36PC-EI-AC, S5720-56C-EI-AC, S5720-56PC-EI-AC, S5720-36C-PWR-EI-AC, S5720-56C-PWR-EI-AC, S5720-56C-PWR-EI-AC1, S5720-28P-SI-AC, S5720-28X-SI-AC, S5720-52P-SI-AC, S5720-52X-SI-AC, S5720-28X-PWR-SI-AC, S5720-52X-PWR-SI-AC, S5720-52X-PWR-SI-ACF, S5720-56C-HI-AC, S5720-56C-PWR-HI-AC, S5720-32C-HI-24S-AC, S6720-30C-EI-24S-AC, S6720-54C-EI-48S-AC, S5300-28P-LI-BAT, S5300-28P-LI-24S-BAT, S5320-36C-EI-28S-AC, S5320-36C-EI-28S-DC, S5320-56C-EI-48S-AC, S5320-56C-EI-48S-DC, S5320-36C-EI-AC, S5320-36C-EI-DC, S5320-36PC-EI-AC, S5320-36PC-EI-DC, S5320-56C-EI-AC, S5320-56C-EI-DC, S5320-56PC-EI-AC, S5320-56PC-EI-DC, S5320-36C-PWR-EI-AC, S5320-36C-PWR-EI-DC, S5320-56C-PWR-EI-AC, S5320-28P-SI-AC, S5320-28X-SI-AC, S5320-52P-SI-AC, S5320-52X-SI-AC, S5320-28X-PWR-SI-AC, S5320-52X-PWR-SI-AC, S6320-30C-EI-24S-AC, S6320-30C-EI-24S-DC, S6320-54C-EI-48S-AC, S6320-54C-EI-48S-DC
1.4.1.1.2 Physical Architecture of Chassis Switch
Figure 4: TOE Physical architecture of Chassis Switch
Figure 2 shows the physical architecture of the TOE with the AC/DC-input power supply modules. The physical architecture includes the following systems:
• Power system
• Fan system
• MCU/SRU/MPU
• Switch fabric (SFU only separated on S12700 series)
• LPU
• Forwarding Engine
All the systems are in the integrated cabinet. The power system works in 1+1 backup mode. The functional host system (MCU/SRU/MPU) is the target of this evaluation and the following introduction will focus on the functional host system only.
The functional host system is composed of the system backplane, SRUs/MCUs/MPUs, SFUs, and LPUs. SRU/MCU/MPU are the boards hosting the VRP, which provides control and management functionalities. MCU also embeds a clock module as a source of system time. LPU is the board containing the forwarding engine and is responsible for network traffic processing. For brevity, SRU/MCU/MPU are generally referred to as MCU.
The functional host system processes data. In addition, it monitors and manages the entire system, including the power distribution system and heat dissipation system.
1.4.1.2 Software Architecture
Figure 5: TOE Software architecture
In terms of the software, the TOE's software architecture consists of three logical planes to support centralized forwarding and control and a distributed forwarding mechanism.
• Data plane
• Control and management plane
• Monitoring plane
Note that the monitoring plane monitors the system environment by detecting the voltage, controlling power-on and power-off of the system, monitoring the temperature and controlling the fan. The monitoring plane is not considered security-related and thus will not be covered further.
The control and management plane is the core of the entire system. It controls and manages the system. The control and management unit processes protocols and signals, configures and maintains the system status, and reports and controls the system status.
The data plane is responsible for high speed processing and non-blocking switching of data packets. It encapsulates or decapsulates packets, forwards IPv4/IPv6 packets, performs Quality of Service (QoS) and scheduling, completes inner high-speed switching, and collects statistics.
Figure 5 shows a brief illustration of the software architecture of the TOE.
The VRP is the control and management platform that runs on the SRU/MCU. The VRP supports IPv4/IPv6 and routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), calculates routes, generates forwarding tables, and delivers routing information to the LPU(s). The VRP includes the Service Control Plane (SCP), System Manage Plane (SMP), General Control Plane (GCP) and other TSF and non-TSF sub-systems.
The OS is a commercially supplied embedded real-time operating system that provides a driving system for the CPU and the basis for the VRP system scheduling mechanism.
There is one difference between the software architecture of the Box Switch and the Chassis Switch: in Box Switches the LPU and VP are implemented in software, but in Chassis Switches they are implemented in hardware.
Note that for the S23xx-EI/S53xx-LI and S27xx-EI/S57xx-LI (which do not support L3 forwarding) and the S53xx-SI, E6xx and S57xx-SI (which only support static routing), the software architecture is identical, but the commands required to support non-existing functionality will simply return error messages.
1.4.2 Scope of Evaluation
This section will define the scope of the Huawei S Series Ethernet Switches V200R008 to be evaluated.
1.4.2.1 Physical scope
The physical boundary of the TOE is the actual switch system itself, in particular the functional host system. The power distribution system and heat dissipation system are part of the TOE but are not evaluated because they are not security relevant.
The TOE provides several models. These models differ in their modularity and throughput by supplying more slots in the hosting chassis, but they offer exchangeable forwarding unit modules and switch fabrics, and use the same version of software. The following models will be covered during this evaluation:
Model Types | Typical System Configuration and Physical Parameters
S5300
Item | Typical Configuration | Remark
Processing unit | Main frequency: 5300LI: 1GHZ | -
SDRAM | 5300LI: 256MB | -
Flash | 5300LI: 200MB | -
CF card | - | -
Switching capacity | 5300-28P-LI: 56Gbps; 5300-52P-LI: 104Gbps; 5300-28X-LI: 128Gbps; 5300-10P-LI: 26Gbps (bidirectional) | -
Forwarding capacity | 5300-28P-LI: 41.66Mpps; 5300-52P-LI: 77.4Mpps; 5300-28X-LI: 95.2Mpps; 5300-10P-LI: 15Mpps | -
S5320
Item | Typical Configuration | Remark
Processing unit | Main frequency: S5320SI: 800MHz; S5320EI: 1GHz | -
SDRAM | S5320SI: 512MB; S5320EI: 2GB | -
Flash | S5320SI: 240MB; S5320EI: 340MB | -
CF card | - | -
Switching capacity | S5320-28P-SI: 168Gbps; S5320-28X-SI: 168Gbps; S5320-52P-SI: 336Gbps; S5320-52X-SI: 336Gbps; S5320-32P-EI: 220Gbps; S5320-32X-EI: 220Gbps; S5320-36C-EI: 220Gbps; S5320-50X-EI: 260Gbps; S5320-52P-EI: 260Gbps; S5320-52X-EI: 260Gbps; S5320-56C-EI: 260Gbps (bidirectional) | -
Forwarding capacity | S5320-28P-SI: 41.7Mpps; S5320-28X-SI: 95.2Mpps; S5320-52P-SI: 77.4Mpps; S5320-52X-SI: 131Mpps; S5320-32P-EI: 47.6Mpps; S5320-36PC-EI: 77.4Mpps; S5320-32X-EI: 101.2Mpps; S5320-36C-EI: 131Mpps; S5320-50X-EI: 128Mpps; S5320-52P-EI: 77.4Mpps; S5320-52X-EI: 131Mpps; S5320-56C-EI: 160.7Mpps; S5320-56PC-EI: 107.1Mpps | -
S2300
Item | Typical Configuration | Remark
Processing unit | Main frequency: 800MHz | -
SDRAM | 256 MB | -
Flash | 200 MB | -
CF card | - | -
Switching capacity | S2350-20TP: 11.2Gbit/s; S2350-28TP: 12.8Gbit/s (bidirectional) | -
Forwarding capacity | S2350-20TP: 8.33Mpps; S2350-28TP: 9.53Mpps | -
S6320
Item | Typical Configuration | Remark
Processing unit | Main frequency: S6320EI: 1.2GHz | -
SDRAM | S6320EI: 2GB | -
Flash | S6320EI: 240MB | -
CF card | - | -
Switching capacity | S6320EI: 1.44Tbps (bidirectional) | -
Forwarding capacity | S6320-30C-EI: 714.2Mpps; S6320-54C-EI: 1071.4Mpps | -
S5700
Item | Typical Configuration | Remark
Processing unit | Main frequency: 5700LI: 1GHZ | -
SDRAM | 5700LI: 256MB | -
Flash | 5700LI: 200MB | -
CF card | - | -
Switching capacity | 5700-28P-LI: 56Gbps; 5700-52P-LI: 104Gbps; 5700-28X-LI: 128Gbps; 5700-52X-LI: 256Gbps; 5700-10P-LI: 26Gbps (bidirectional) | -
Forwarding capacity | 5700-28P-LI: 41.66Mpps; 5700-52P-LI: 77.4Mpps; 5700-28X-LI: 95.2Mpps; 5700-52X-LI: 132Mpps; 5700-10P-LI: 15Mpps; S5710-108C-HI: 504Mpps | -
S5720
Item | Typical Configuration | Remark
Processing unit | Main frequency: S5720SI: 800MHz; S5720EI: 1GHz; S5720HI: 1.2GHz | -
SDRAM | S5720SI: 512MB; S5720EI: 2GB; S5720HI: 4GB | -
Flash | S5720SI: 240MB; S5720EI: 340MB; S5720HI: 400MB | -
CF card | - | -
Switching capacity | S5720SI: 168Gbps; S5720-52P-SI: 336Gbps; S5720-52X-SI: 336Gbps; S5720-32P-EI: 220Gbps; S5720-32X-EI: 220Gbps; S5720-36C-EI: 220Gbps; S5720-50X-EI: 260Gbps; S5720-52X-EI: 260Gbps; S5720-56C-EI: 260Gbps; S5720HI: 265Gbps (bidirectional) | -
Forwarding capacity | S5720-28P-SI: 41.7Mpps; S5720-28X-SI: 95.2Mpps; S5720-52P-SI: 77.4Mpps; S5720-52X-SI: 131Mpps; S5720-32P-EI: 47.6Mpps; S5720-36PC-EI: 77.4Mpps; S5720-52P-EI: 77.4Mpps; S5720-32X-EI: 101.2Mpps; S5720-56PC-EI: 107.1Mpps; S5720-50X-EI: 128Mpps; S5720-36C-EI: 131Mpps; S5720-52X-EI: 131Mpps; S5720-56C-EI: 160.7Mpps; S5720-32C-HI: 166.7Mpps; S5720-56C-HI: 190.5Mpps | -
S2700
Item | Typical Configuration | Remark
Processing unit | Main frequency: 800MHz | -
SDRAM | 256 MB | -
Flash | 240 MB | -
CF card | - | -
Switching capacity | S2750-20TP: 11.2Gbps; S2750-28TP: 12.8Gbps (bidirectional) | -
Forwarding capacity | S2750-20TP: 8.33Mpps; S2750-28TP: 9.52Mpps | -
S6720
Item | Typical Configuration | Remark
Processing unit | Main frequency: S6720HI: 1.2GHz | -
SDRAM | S6720HI: 2GB | -
Flash | S6720HI: 240MB | -
CF card | - | -
Switching capacity | S6720HI: 1.44Tbps (bidirectional) | -
Forwarding capacity | S6720-30C-EI: 714.2Mpps; S6720-54C-EI: 1071.4Mpps | -
S9303 / S7703
Item | Typical Configuration | Remark
Processing unit | Main frequency: 500 MHz | -
SDRAM | 512 MB |
CF card | 512 MB | CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU.
Switching capacity | 1.92 Tbps | -
Forwarding capacity | 1440Mpps | -
Max MCU slots | 2 | MCUs work in 1:1 redundancy.
Max LPU slots | 3 | -
Maximum interface rate per LPU | 48*100Mbps; 48*1Gbps; 40*10Gbps; 2*40Gbps; 2*100Gbps/s | -
S9306 / S7706
Item | Typical Configuration | Remark
Processing unit | Main frequency: 1.5 GHz | -
SDRAM | 4 GB |
CF card | - |
Switching capacity | 3.84 Tbps | -
Forwarding capacity | 2880Mpps | -
Max SRU slots | 2 | SRUs work in 1:1 redundancy.
Max LPU slots | 6 | -
Maximum interface rate per LPU | 48*100Mbps; 48*1Gbps; 40*10Gbps; 2*40Gbps; 2*100Gbps/s | -
S9312 / S7712
Item | Typical Configuration | Remark
Processing unit | Main frequency: 1.5 GHz | -
SDRAM | 4 GB |
CF card | - |
Switching capacity | 3.84 Tbps | -
Forwarding capacity | 2880Mpps | -
Max SRU slots | 2 | SRUs work in 1:1 redundancy.
Max LPU slots | 12 | -
Maximum interface rate per LPU | 48*100Mbps; 48*1Gbps; 40*10Gbps; 2*40Gbps; 2*100Gbps/s | -
S9303E / S9703
Item | Typical Configuration | Remark
Processing unit | Main frequency: 500 MHz | -
SDRAM | 512 MB |
CF card | 512 MB | CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU.
Switching capacity | 2.88 Tbps | -
Forwarding capacity | 2160Mpps | -
Max SRU slots | 2 | MCUs work in 1:1 redundancy.
Max LPU slots | 3 | -
Maximum interface rate per LPU | 48*100Mbps; 48*1Gbps; 48*10Gbps; 8*40Gbps; 2*100Gbps/s | -
S9306E / S9706
Item | Typical Configuration | Remark
Processing unit | Main frequency: 1.2G MHz | -
SDRAM | 2GB |
CF card | 512 MB | CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU.
Switching capacity | 6.72 Tbps | -
Forwarding capacity | 2880Mpps | -
Max SRU slots | 2 | SRUs work in 1:1 redundancy.
Max LPU slots | 6 | -
Maximum interface rate per LPU | 48*100Mbps; 48*1Gbps; 48*10Gbps; 8*40Gbps; 2*100Gbps/s | -
S9312E / S9712
Item | Typical Configuration | Remark
Processing unit | Main frequency: 1.2G MHz | -
SDRAM | 2GB |
CF card | 512 MB | CF cards with different capacities can be configured. Can be used as a mass storage device for storing data files. There are two CF cards on the SRU.
Switching capacity | 8.64 Tbps | -
Forwarding capacity | 3840Mpps | -
Max SRU slots | 2 | SRUs work in 1:1 redundancy.
Max LPU slots | 12 | -
Maximum interface rate per LPU | 48*100Mbps; 48*1Gbps; 48*10Gbps; 8*40Gbps; 2*100Gbps/s | -
S12700
Item | Typical Configuration | Remark
Processing unit | Main frequency: 1.5G MHz | -
SDRAM | 4GB |
CF card | - | -
Switching capacity | S12704: 4.88 Tbps; S12708: 12.32 Tbps; S12712: 17.44 Tbps | -
Forwarding capacity | S12704: 3120 Mpps; S12708: 6240 Mpps; S12712: 9120 Mpps | -
Max SRU slots | 2 | SRUs work in 1:1 redundancy.
Max LPU slots | S12704: 4; S12708: 8; S12712: 12 | -
Maximum interface rate per LPU | 48*100Mbps; 48*1Gbps; 48*10Gbps; 8*40Gbps; 2*100Gbps/s | -
E600
Item | Typical Configuration | Remark
Processing unit | Main frequency: 800 MHz | -
SDRAM | E600: 512MB | -
Flash | E600: 240MB | -
CF card | - | -
Switching capacity | E628: 168Gbps; E628-X: 168Gbps; E652: 336Gbps; E652-X: 336Gbps (bidirectional) | -
Forwarding capacity | E628: 41.664Mpps; E628-X: 95.232Mpps; E652: 77.376Mpps; E652-X: 130.944Mpps | -
Table 4: Model Specifications
Table 3/4 details all physical interfaces available in TOE along with respective
usage:
Boards | Supported Interfaces and Usage
MCU/SRU:
The following list shows a collection of interfaces which might be
used during this evaluation for all models. The description of the
indicators on the panel can be found in the guidance.
• CF card interface, connector type TYPE II compatible with TYPE
I, is used to hold a CF card to store data files as a mass
storage device. The CF card is inserted and sealed within the
TOE and is to be accessed only by authorized personnel. User
configuration profiles, paf and licensing files, log data, system
software and patches, if they exist, are stored on the CF card.
• ETH interface, connector type RJ45, operation mode 10M/100M
Base-TX auto-sensing, supporting half-duplex and full-duplex,
compliant to IEEE 802.3-2002, used for connections initiated by
users and/or administrators from a local maintenance terminal
via SSH to perform management and maintenance operations.
Management and maintenance on an NMS workstation is not within
the scope of this evaluation, thus NMS related accounts should
be disabled during the evaluation.
• Console interface, connector type RJ45, operation mode Duplex
Universal Asynchronous Receiver/Transmitter (UART) with
electrical attribute RS-232, baud rate 9600 bit/s which can be
changed as required, used for users and/or administrators to
connect to the console for the on-site configuration of the system.
The following interfaces will be disabled during this evaluation if
available according to the hardware specification.
• BITS0 and BITS1 interface, connector type RJ45, used for
External synchronous clock/time interface
LPU:
Interfaces supported by the LPU are listed below. More details about
these interfaces can be found in the guidance.
• ETH interface, connector type RJ45, operation mode
10M/100M/1000M Base-TX auto-sensing, supporting
half-duplex and full-duplex, used for receiving and transmitting
network traffic.
• FE interface, connector type LC/PC optical connector, compliant
to SFP optical module 100M-FX, supporting full-duplex, used for
receiving and transmitting network traffic.
• GE interface, connector type LC/PC optical connector, compliant
to SFP optical module 1000Base-X-SFP, supporting full-duplex,
used for receiving and transmitting network traffic.
• 10GE interface, connector type LC/PC optical connector,
compliant to XFP optical module 10GBase LAN-XFP, supporting
full-duplex, used for receiving and transmitting network traffic.
• 40GE interface, connector type LC/MPO optical connector,
compliant to QSFP+ optical module 40GBase LAN-QSFP,
supporting full-duplex, used for receiving and transmitting
network traffic.
• 100GE interface, connector type LC/MPO optical connector,
compliant to CFP optical module 100GBase LAN-CFP,
supporting full-duplex, used for receiving and transmitting
network traffic.
The following interfaces are supported by the TOE, but are not
evaluated in this evaluation.
• POS interface, connector type LC/PC optical connector,
compliant to SFP optical module OC-3c/STM-1c POS-SFP,
supporting full-duplex, used for receiving and transmitting
network traffic.
• POS interface, connector type LC/PC optical connector,
compliant to SFP optical module OC-12c/STM-4c POS-SFP,
supporting full-duplex, used for receiving and transmitting
network traffic.
• POS interface, connector type LC/PC optical connector,
compliant to SFP optical module OC-48c/STM-16c POS-SFP,
supporting full-duplex, used for receiving and transmitting
network traffic.
The network traffic being received and transmitted by these
interfaces can be further described as non-TSF data (information
flow to be forwarded to other network interfaces and information flow
destined to the TOE but not security-related) and TSF data (destined
to the TOE for control and management purposes and for
security-related functionalities). The definition of non-TSF data and
TSF data will be further explained in Chapter 1.4.4.
Table 5: Chassis Switch Interfaces Specifications
Supported Interfaces and Usage
The following list shows a collection of interfaces which might be used
during this evaluation for all models. The description of the indicators
on the panel can be found in the guidance.
• ETH interface, connector type RJ45, operation mode 10M/100M
Base-TX auto-sensing, supporting half-duplex and full-duplex,
compliant to IEEE 802.3-2002, used for connections initiated by
users and/or administrators from a local maintenance terminal via
SSH to perform management and maintenance operations.
Management and maintenance on an NMS workstation is not within
the scope of this evaluation, thus NMS related accounts should be
disabled during the evaluation.
• Console interface, connector type RJ45, operation mode Duplex
Universal Asynchronous Receiver/Transmitter (UART) with
electrical attribute RS-232, baud rate 9600 bit/s which can be
changed as required, used for users and/or administrators to
connect to the console for the on-site configuration of the system.
• MEH interface, connector type RJ45, operation mode 10M/100M
Base-TX auto-sensing, supporting half-duplex and full-duplex,
compliant to IEEE 802.3-2002, used for connections initiated by
users and/or administrators from a local maintenance terminal via
SSH to perform management and maintenance operations.
Management and maintenance on an NMS workstation is not within
the scope of this evaluation, thus NMS related accounts should be
disabled during the evaluation.
• FE interface, connector type LC/PC optical connector, compliant to
SFP optical module 100M-FX, supporting full-duplex, used for
receiving and transmitting network traffic.
• GE interface, connector type LC/PC optical connector, compliant to
SFP optical module 1000Base-X-SFP, supporting full-duplex, used
for receiving and transmitting network traffic.
• 10GE interface, connector type LC/PC optical connector, compliant
to XFP optical module 10GBase LAN-XFP, supporting full-duplex,
used for receiving and transmitting network traffic.
• 40GE interface, connector type LC/MPO optical connector, compliant
to QSFP+ optical module 40GBase LAN-QSFP, supporting
full-duplex, used for receiving and transmitting network traffic.
The network traffic being received and transmitted by these interfaces
can be further described as non-TSF data (information flow to be
forwarded to other network interfaces and information flow destined to
the TOE but not security-related) and TSF data (destined to the TOE for
control and management purposes and for security-related
functionalities). The definition of non-TSF data and TSF data will be
further explained in Chapter 1.4.4.
Table 6: Box Switch Interfaces Specifications
The software and the guidance are listed in Table 7.
Type | Name | Version
Software | Product software | V200R008C00SPC500
Software | VRP | Version 5 Release 16
Software | VxWorks (S2700\S5700\S7700\S9700\S2300\S5300\S9300) | 5.5
Software | Windriver (Linux kernel 2.6.34) (S5720\S6720\S5320\S6320\E600\S12700) | 4.3
Guidance | S2350&S5300&S6320 Series Ethernet Switches V200R008(C00&C10) Product Documentation | 03
Guidance | S9300&S9300E Series Switches V200R008(C00&C10) Product Documentation | 04
Guidance | S2750EI&S5700&S6720 Series Ethernet Switches V200R008C00 Product Documentation | 02
Guidance | S7700&S9700 Series Switches V200R008C00 Product Documentation | 02
Guidance | S12700 Series Agile Switches V200R008C00 Product Documentation | 02
Guidance | E600 Education Network Series Switches V200R008C00 Product Documentation | 02
Guidance | CC Huawei S Series Ethernet Switches V200R008 - AGD_OPE | V0.5
Guidance | CC Huawei S Series Ethernet Switches V200R008 - AGD_PRE | V0.6
Table 7: List of software and guidance
1.4.2.2 Logical scope
The logical boundary is represented by the elements that are displayed with a white
background within the rectangle with dashed border.
These elements are part of the Versatile Routing Platform (VRP), a software
platform from view of software architecture, and the forwarding engine that
processes the incoming and outgoing network traffic.
Figure 5 shows the TOE’s logical scope with supporting network devices of the
environment.
Figure 6: TOE logical scope
The TOE can be classified into Layer 2 forwarding and Layer 3 forwarding
based on traffic forwarding. All switches support Layer 2 forwarding.
S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI Series Switches don’t support
Layer 3 forwarding; S53XX-SI/S57XX-SI/E6XX Series Switches support
Layer 3 forwarding only by static routes and don’t support routing
protocols like OSPF/BGP.
When working as a Layer 2 forwarding device, the forwarding engine of
the TOE forwards traffic according to MAC address. MAC table entries are
created automatically by the forwarding engine during Layer 2 forwarding.
When working as a Layer 3 forwarding device, the TOE controls the flow of
IP traffic (datagrams) between network interfaces by matching information
contained in the headers of connection-oriented or connectionless IP
packets against the routing table in the forwarding engine.
The routing table in the forwarding engine is delivered from VRP’s routing
unit, whereas the routing table in VRP’s routing module can be statically
configured or imported through dynamic routing protocols such as BGP and
Open Shortest Path First (OSPF).
Note that BGP/OSPF functionality configuration must be performed via a
secure channel enforcing SSH prior to routing table importing.
System control and security managements are performed either through interfaces
via a secure channel enforcing SSH.
Based on the physical scope and logical scope described so far, a list of
configuration is to be added:
• For management via the console, authentication is always enabled.
Authentication mode is password. Length of password is no less than 8
characters.
• For management via the ETH interface in MCU/SRU/MPU, authentication is
always enabled. Authentication mode is password. Length of password is no
less than 8 characters.
• The TELNET and FTP services are disabled in this evaluation.
• Authentication of users via RSA when using SSH connections is supported.
SSH server compatibility with version numbers less than 1.99 is considered
a weakness and is therefore to be disabled.
The environment for the TOE comprises the following components:
• An optional Radius server providing authentication and authorization
decisions to the TOE.
• Other switches and routers used to connect the TOE for L2/L3 network
forwarding, and L3 switches providing routing information to the TOE via
dynamic protocols, such as BGP and OSPF.
• Local PCs used by administrators to connect to the TOE for access to the
command line interface either through the TOE’s console interface or the
TOE’s ETH interface via a secure channel enforcing SSH.
• Remote PCs used by administrators to connect to the TOE for access to the
command line interface through interfaces on the LPU within the TOE via a
secure channel enforcing SSH.
• Physical networks, such as Ethernet subnets, interconnecting various
networking devices.
1.4.3 Summary of Security Features
1.4.3.1 Authentication
The TOE can authenticate administrative users by user name and password.
VRP provides a local authentication scheme for this, or can optionally enforce
authentication decisions obtained from a Radius server in the IT environment.
Authentication is always enforced for virtual terminal sessions via SSH, and SFTP
(Secured FTP) sessions.
1.4.3.2 Access Control
The TOE controls access by levels. Four hierarchical access control levels are
offered that can be assigned to individual user accounts:
User level | Level name | Purpose | Commands for access
0 | Visit | Network diagnosis and establishment of remote connections. | ping, tracert, language-mode, quit, display
1 | Monitoring | System maintenance and fault diagnosis. | Level 0 and display, debugging, reset, refresh, terminal, send
2 | Configuration | Service configuration. | Level 0, 1 and all configuration commands.
3 | Management | System management (file system, user management, internal parameters …). | All commands.
Table 8: Access Levels
The TOE can either decide the authorization level of a user based on its local
database, or make use of Radius servers to obtain the decision whether a specific
user is granted a specific level.
If no authentication for the console is configured, it operates at level 3.
1.4.3.3 L2 Traffic Forwarding
The TOE handles layer 2 forwarding policy at its core. The forwarding engine
controls the flow of network packets by making (and enforcing) a decision with
regard to the network interface that a packet gets forwarded to.
These decisions are made based on a MAC table. The MAC table is either
maintained by administrators (static MAC) or gets updated dynamically by the
MAC learning function when a packet with an unknown MAC address has been
received.
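An added illustration (not code from this Security Target or from VRP) of the forwarding decision described above, and of why the MAC-entry quota that this ST names under O.Resource matters: a toy MAC table with static entries, dynamic learning and an optional per-port learning limit. The table capacity, port names, MAC addresses and the refuse-when-full behaviour are assumptions constructed for the example.

```python
FLOOD = "FLOOD"  # unknown destination: frame is copied to every other port in the VLAN

# Constructed sample stations (locally administered MAC addresses).
HOST_A = "02:00:00:00:aa:01"
HOST_B = "02:00:00:00:bb:02"
SERVER = "02:00:00:00:cc:03"


class MacTable:
    """Toy L2 table: static entries, MAC learning, optional per-port limit."""

    def __init__(self, capacity, per_port_limit=None):
        self.capacity = capacity              # total entries the table can hold
        self.per_port_limit = per_port_limit  # max learned entries per ingress port
        self.static = {}                      # (vlan, mac) -> port, set by an administrator
        self.dynamic = {}                     # (vlan, mac) -> port, filled by MAC learning
        self.rejected = 0                     # learn attempts refused (quota hit or table full)

    def add_static(self, vlan, mac, port):
        self.dynamic.pop((vlan, mac), None)
        self.static[(vlan, mac)] = port

    def _learn(self, vlan, mac, port):
        key = (vlan, mac)
        if key in self.static:
            return                            # learning never overrides a static entry
        if key in self.dynamic:
            self.dynamic[key] = port          # known address: refresh or station move
            return
        on_port = sum(1 for p in self.dynamic.values() if p == port)
        if self.per_port_limit is not None and on_port >= self.per_port_limit:
            self.rejected += 1                # per-port quota reached
            return
        if len(self.static) + len(self.dynamic) >= self.capacity:
            self.rejected += 1                # table exhausted (assumed: no eviction)
            return
        self.dynamic[key] = port

    def lookup(self, vlan, dst):
        """Egress port for dst, or FLOOD when the address is not in the table."""
        key = (vlan, dst)
        if key in self.static:
            return self.static[key]
        return self.dynamic.get(key, FLOOD)

    def forward(self, vlan, src, dst, in_port):
        """Learn the source address, then make the forwarding decision."""
        self._learn(vlan, src, in_port)
        return self.lookup(vlan, dst)


def simulate(per_port_limit):
    """Unwanted L2 traffic with 20 distinct source MACs, then a normal A<->B exchange."""
    table = MacTable(capacity=8, per_port_limit=per_port_limit)
    table.add_static(10, SERVER, "port4")
    for i in range(20):                       # constructed frames, all arriving on port3
        table.forward(10, f"02:00:00:ff:00:{i:02x}", SERVER, "port3")
    table.forward(10, HOST_A, HOST_B, "port1")
    reply_egress = table.forward(10, HOST_B, HOST_A, "port2")
    return {
        "reply_egress": reply_egress,         # where B's reply to A is sent
        "learned": len(table.dynamic),
        "rejected": table.rejected,
        "server_egress": table.lookup(10, SERVER),
    }


if __name__ == "__main__":
    print("no limit   :", simulate(None))
    print("limit 2/port:", simulate(2))
```

Without a limit the table fills with the unwanted addresses, the legitimate hosts are never learned and their traffic is flooded to every port; with the per-port quota the same input leaves room for both hosts, while the static entry is unaffected in either case.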
1.4.3.4 L3 Traffic Forwarding
The TOE handles forwarding policy at its core. The forwarding engine controls
the flow of network packets by making (and enforcing) a decision with regard to the
network interface that a packet gets forwarded to.
These decisions are made based on a routing table. The routing table is either
maintained by administrators (static routing) or gets updated dynamically by the
TOE when exchanging routing information with peer routers, through OSPFv2/v3 or
BGPv4/4+.
S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI Series Switches don’t support Layer 3
forwarding; S53XX-SI/S57XX-SI/E6XX Series Switches support Layer 3
forwarding only by static routes and don’t support routing protocols like
OSPF/BGP.
1.4.3.5 Auditing
The TOE generates audit records for security-relevant management actions and
stores the audit records in memory or on the CF card in the TOE.
• By default, all correctly input and executed commands are logged, along
with a timestamp of when they are executed.
• Access attempts, whether successful or failed, are logged, along with
user id, source IP address, timestamp etc.
• For security management purposes, the administrators can select which
events are being audited by enabling auditing for individual modules
(enabling audit record generation for the related functional areas), and by
selecting a severity level. Based on the hard-coded association of audit
records with modules and severity levels, this allows control over the types
of audit events being recorded.
• Logs are output to various channels such as monitor, log buffer, trap
buffer, file, etc.
• Review functionality is provided via the command line interface, which
allows administrators to inspect the audit log.
1.4.3.6 Communication Security
The TOE provides communication security by implementing the SSH protocol.
Two versions of SSH are implemented: SSH1 (SSH1.5) and SSH2 (SSH2.0). SSH2
is recommended, as it is more secure and more effective in terms of
functionality and performance.
To protect the TOE from eavesdropping and to ensure data transmission
security and confidentiality, SSH provides:
• authentication by password or by RSA;
• AES encryption algorithms;
• secure cryptographic key exchange.
Besides the default TCP port 22, manually specifying a listening port is also
implemented since it can effectively reduce attacks.
SFTP is provided to substitute FTP, which has known security issues.
1.4.3.7 ACL
The TOE offers an Access Control List (ACL) feature for filtering incoming
and outgoing information flow to and from interfaces.
The administrator can create, delete, and modify ACL rules to filter,
prioritize, and rate-limit the information flow destined to the TOE or other
network devices through interfaces by matching information contained in the
headers of connection-oriented or connectionless packets against the ACL rules
specified. Source MAC address, destination MAC address, Ethernet protocol
type, source IP address, destination IP address, IP protocol number, source
port number (TCP/UDP), destination port number (TCP/UDP), TCP flag (TCP),
type and code (ICMP), fragment flag, etc. can be used for ACL rule
configuration.
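An added sketch (not code from this Security Target or from VRP) of header matching against ACL rules, using the field kinds listed above to protect a management address. The first-match rule order, the default-permit fallthrough, the field names and all addresses (documentation ranges) are assumptions constructed for the example; it also shows why a rule on the fragment flag is needed next to port-based rules.

```python
import ipaddress
from dataclasses import dataclass, field

MGMT = "198.51.100.1/32"     # constructed management address of the switch
ADMIN_NET = "192.0.2.0/24"   # constructed administrator subnet
TCP, ICMP = 6, 1             # IP protocol numbers


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    match: dict = field(default_factory=dict)  # header field -> required value


def field_matches(name, want, pkt):
    have = pkt.get(name)
    if have is None:
        # The rule constrains a header the packet does not carry, for example
        # a destination port on ICMP or on a non-initial IP fragment.
        return False
    if name in ("src_ip", "dst_ip"):
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    return have == want


def evaluate(rules, pkt, default="permit"):
    """Return (action, rule_number) of the first rule whose fields all match."""
    for number, rule in enumerate(rules):
        if all(field_matches(k, v, pkt) for k, v in rule.match.items()):
            return rule.action, number
    return default, None


ACL = [
    Rule("permit", {"ip_proto": TCP, "src_ip": ADMIN_NET, "dst_ip": MGMT, "dst_port": 22}),
    Rule("deny",   {"ip_proto": TCP, "dst_ip": MGMT, "dst_port": 22}),   # SSH from elsewhere
    Rule("deny",   {"ip_proto": TCP, "dst_ip": MGMT, "dst_port": 23}),   # Telnet
    Rule("deny",   {"ip_proto": TCP, "dst_ip": MGMT, "dst_port": 21}),   # FTP
    Rule("deny",   {"dst_ip": MGMT, "fragment": True}),                  # fragments to the TOE
    Rule("deny",   {"src_mac": "02:00:00:00:00:99"}),                    # L2 match
]

# Constructed sample packets (header fields only).
ADMIN_SSH = {"ip_proto": TCP, "src_ip": "192.0.2.10", "dst_ip": "198.51.100.1",
             "src_port": 50000, "dst_port": 22}
OTHER_SSH = dict(ADMIN_SSH, src_ip="203.0.113.7")
ADMIN_TELNET = dict(ADMIN_SSH, dst_port=23)
LATE_FRAGMENT = {"ip_proto": TCP, "src_ip": "203.0.113.7", "dst_ip": "198.51.100.1",
                 "fragment": True}             # non-initial fragment: no TCP header, no ports
ICMP_ECHO = {"ip_proto": ICMP, "src_ip": "192.0.2.10", "dst_ip": "198.51.100.1",
             "icmp_type": 8, "icmp_code": 0}
BLOCKED_MAC = {"src_mac": "02:00:00:00:00:99", "dst_mac": "02:00:00:00:00:01",
               "eth_type": 0x0800}

if __name__ == "__main__":
    for name, pkt in [("admin ssh", ADMIN_SSH), ("other ssh", OTHER_SSH),
                      ("admin telnet", ADMIN_TELNET), ("late fragment", LATE_FRAGMENT),
                      ("icmp echo", ICMP_ECHO), ("blocked mac", BLOCKED_MAC)]:
        print(f"{name:14s} -> {evaluate(ACL, pkt)}")
    # Without the fragment rule the same fragment falls through every port rule.
    print("late fragment, port rules only ->", evaluate(ACL[:4], LATE_FRAGMENT))
```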
1.4.3.8 Security functionality management
Security functionality management includes not only authentication, access level,
but also managing security related data consisting of configuration profile and
runtime parameters. According to security functionality management, customized
security is provided.
More functionalities include:
• Setup to enable SSH
• Setup to enable BGP, OSPF, ARP
• Setup to enable audit, as well as suppression of repeated log records
• Setup to change default rate limit plan
1.4.3.9 Cryptographic functions
Cryptographic functions are required by security features as dependencies, where:
1) AES256 is used as encryption algorithm for SSH;
2) RSA is used in user authentication when user tries to authenticate and gain
access to the TOE;
3) MD5 is used as verification algorithm for packets of BGP and OSPF protocols
from peer network devices;
1.4.3.10 SNMP Trap
The Simple Network Management Protocol (SNMP) is a network management
protocol widely used in the TCP/IP network. SNMP is a method of managing
network elements through a network console workstation which runs network
management software.
A trap is a type of message used to report an alert or important event about a
managed device to the NM Station.
The TOE uses SNMP traps to notify that a fault has occurred or that the
system is not operating properly.
1.4.3.112STP
STP (Spanning-Tree Protocol) is a protocol used in the local area network (LAN) to
eliminate loops. The S-switch devices enabled with STP communicate and find the
loops in the network, and they block certain interfaces to eliminate loops. Due to the
rapid increase of LAN, STP has become one of the most important LAN protocols.
In the Layer 2 switching network, loops on the network cause packets to be
continuously duplicated and propagated in the loops, leading to the broadcast
storm, which exhausts all the available bandwidth resources and renders the
network unavailable.
In an STP region, a loop-free tree is generated. Thus, broadcast storms are
prevented and redundancy is implemented.
1.4.4 TSF and Non-TSF data
All data from and to the interfaces available on the TOE is categorized into TSF
data and non-TSF data. The following is an enumeration of the subjects and
objects participating in the policy.
TSF data:
• User account data, including the following security attributes:
o User identities.
o Locally managed passwords.
o Locally managed access levels.
• Audit configuration data.
• Audit records.
• Configuration data of security feature and functions
• Routing and other network forwarding-related tables, including the following
security attributes:
o Network layer routing tables.
o Link layer address resolution tables.
o Link layer MAC address table.
o BGP, OSPF databases.
• Network traffic destined to the TOE processed by security feature and
functions.
Non-TSF data:
• Network traffic to be forwarded to other network interfaces.
• Network traffic destined to the TOE processed by non-security feature and
functions.
2 CC Conformance Claim
This ST is CC Part 2 conformant and CC Part 3 conformant. The CC version of [CC]
is 3.1R4.
No conformance to a Protection Profile is claimed.
No conformance rationale to a Protection Profile is claimed.
The TOE claims EAL3+ augmented with ALC_FLR.2.
3 TOE Security problem definition
3.1 Threats
The assumed security threats are listed below.
The information assets to be protected are the information stored, processed or
generated by the TOE. Configuration data for the TOE, TSF data (such as user
account information and passwords, audit records, etc.) and other information that
the TOE facilitates access to (such as system software, patches and network traffic
routed by the TOE) are all considered part of information assets.
3.1.1 Threats
T.UnwantedL2NetworkTraffic Unwanted L2 network traffic sent to the TOE will
cause the MAC table to be updated dynamically by
the MAC learning function. This may cause MAC
table overload.
In the TOE Layer 2 switching network, loops on the
network cause packets to be continuously
duplicated and propagated in the loops, leading to
a broadcast storm, which exhausts all the
available bandwidth resources and renders the
network unavailable.
T.UnwantedL3NetworkTraffic Unwanted L3 network traffic sent to the TOE will
not only consume the TOE’s processing capacity for
incoming network traffic, so that it fails to
process traffic expected to be processed, but an
internal traffic jam might also happen when that
traffic is sent to the Control Plane.
This may further cause the TOE to fail to respond to
system control and security management
operations.
Routing information exchanged between the TOE
and peer routers may also be affected due to the
traffic overload.
T.UnauthenticatedAccess A user who is not an administrator gains access to
the TOE.
T.UnauthorizedAccess A user authorized to perform certain actions and
access certain information gains access to
commands or information he is not authorized for.
T.Eavesdrop An eavesdropper (remote attacker) is able to
intercept, and potentially modify or re-use
information assets that are exchanged between
TOE and LMT/RMT.
3.1.2 Threats Components
• T.UnwantedL2NetworkTraffic
o Threat agent: User who is not an administrator
o Asset: TOE availability
o Adverse action: Disturbance on TOE operation
• T.UnwantedL3NetworkTraffic
o Threat agent: User who is not an administrator
o Asset: TOE availability.
o Adverse action: Disturbance on TOE operation.
• T.UnauthenticatedAccess
o Threat agent: User who is not an administrator.
o Asset: TOE integrity and availability, user data confidentiality.
o Adverse action: access to the TOE.
• T.UnauthorizedAccess
o Threat agent: An unauthorized personnel: attacker or administrator without
certain privileges.
o Asset: TOE integrity and availability, user data confidentiality.
o Adverse action: perform unauthorized actions and unauthorized access to TOE
information and user data.
• T.Eavesdrop
o Threat agent: An eavesdropper (remote attacker) in the management network.
o Asset: TOE integrity and availability, user data confidentiality and L3 network
traffic.
o Adverse action: intercept, and potentially modify or re-use information assets
that are exchanged between TOE and LMT/RMT.
3.2 Assumptions
3.2.1 Environment of use of the TOE
3.2.1.1 Physical
A.PhysicalProtection It is assumed that the TOE (including any console
attached, access of CF card) is protected against
unauthorized physical access.
3.2.1.2 Network Elements
A.NetworkElements The environment is supposed to provide supporting
mechanisms to the TOE:
• A Radius server for external
authentication/authorization decisions;
• Peer router(s) for the exchange of dynamic
routing information;
• Remote entities (PCs) used for administration
of the TOE.
• An SNMP Server used for collecting SNMP
traps
3.2.1.3 Network Segregation
A.NetworkSegregation It is assumed that the ETH interface in the TOE will
be accessed only through an independent local
network. This network is separate from the
application (or, public) networks where the
interfaces in the TOE are accessible.
3.2.1.4 Authorized Administrators
A.NoEvil The authorized administrators are not careless,
willfully negligent or hostile, and will follow and abide
by the instructions provided by the TOE
documentation.
4 Security Objectives
4.1 Objectives for the TOE
The following objectives must be met by the TOE:
• O.Forwarding (all series except S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI):
The TOE shall forward network traffic (i.e., individual packets) only to the
network interface that corresponds with a configured route for the destination
IP address of the packet, or corresponds with a MAC address for the
destination MAC address of the packet. When the TOE works as a Layer 2
forwarding device, users should be isolated between VLANs. The TOE can also
find the loops in the network and block certain interfaces to eliminate loops.
• O.Forwarding (S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI): The TOE shall
forward network traffic (i.e., individual packets) only to the network interface
that corresponds with a MAC address for the destination MAC address of the
packet. Users should be isolated between VLANs. The TOE can also find the
loops in the network and block certain interfaces to eliminate loops.
• O.Communication: The TOE must implement logical protection measures for
network communication between the TOE and LMT/RMT from the operational
environment.
• O.Authorization: The TOE shall implement different authorization levels that
can be assigned to administrators in order to restrict the functionality that is
available to individual administrators.
• O.Authentication: The TOE must authenticate users of its user access.
• O.Audit: The TOE shall provide functionality to generate audit records
for security-relevant administrator actions.
• O.Resource: The TOE shall provide functionalities and management for
assigning a priority (used as configured bandwidth) and enforcing maximum
quotas for bandwidth and MAC address table entries, to prevent internal
collapse due to traffic overload.
• O.Filter: The TOE shall provide ACL or packet filter to drop unwanted L2
or L3 network traffic.
4.2 Objectives for the Operational Environment
• OE.NetworkElements: The operational environment shall provide securely
and correctly working network devices as resources that the TOE needs to
cooperate with. Behaviors of such network devices provided by the operational
environment shall also be secure and correct. Examples are other routers for
the exchange of routing information, PCs used for TOE administration, SNMP
Servers, and Radius servers for obtaining authentication and authorization
decisions.
• OE.Physical: The TOE (i.e., the complete system including
attached peripherals, such as a console, and the CF card inserted in the Switch)
shall be protected against unauthorized physical access.
• OE.NetworkSegregation: The operational environment shall provide
segregation by deploying the management interface in the TOE into an
independent local network.
• OE.Person: Personnel working as authorized administrators
shall be carefully selected for trustworthiness and trained for proper operation
of the TOE.
4.3 Security Objectives Rationale
4.3.1 Coverage
The following table provides a mapping of TOE objectives to threats and policies,
showing that each objective is at least covered by one threat or policy.
Objective | Threat
O.Forwarding | T.UnwantedL2NetworkTraffic; T.UnwantedL3NetworkTraffic
O.Communication | T.Eavesdrop
O.Authentication | T.UnauthenticatedAccess
O.Authorization | T.UnauthorizedAccess
O.Audit | T.UnauthenticatedAccess; T.UnauthorizedAccess
O.Resource | T.UnwantedL2NetworkTraffic; T.UnwantedL3NetworkTraffic
O.Filter | T.UnwantedL2NetworkTraffic; T.UnwantedL3NetworkTraffic
Table 9: Mapping Objectives to Threats
The following table provides a mapping of the objectives for the operational
environment to assumptions, threats and policies, showing that each objective is at
least covered by one assumption, threat or policy.
Environmental Objective Threat / Assumption
OE.NetworkElements A.NetworkElements
OE.Physical A.PhysicalProtection
OE.NetworkSegregation A.NetworkSegregation
OE.Person A.NoEvil
Table 10: Mapping Objectives for the Environment to Threats, Assumptions
4.3.2 Sufficiency
The following rationale provides justification that the security objectives are suitable
to counter each individual threat and that each security objective tracing back to a
threat, when achieved, actually contributes to the removal of that threat:
Threat    Rationale for security objectives to remove threats

T.UnwantedL2NetworkTraffic
    The L2 layer traffic should be isolated between VLANs. The STP
    implementation assures an optimum forwarding path, preventing the
    network from infinite loops, which can cause serious problems in the
    forwarding system and network efficiency. (O.Forwarding)
    MAC address limit configuration can avoid the overload of MAC table
    entries caused by a fake MAC address attack. (O.Resource)
    An ACL or packet filter can deny unwanted L2 network traffic from
    entering or passing through the TOE. (O.Filter)
T.UnwantedL3NetworkTraffic (for all series except S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI)
    The threat of unwanted network traffic sent to the TOE causing a
    management failure and internal traffic jam is countered by
    specifying static routes to filter that traffic (O.Forwarding).
    An ACL can also be configured to limit the bandwidth of that traffic
    (O.Resource).
    An ACL or packet filter can deny unwanted L3 network traffic from
    entering or passing through the TOE. (O.Filter)
T.UnauthenticatedAccess
    The threat of unauthenticated access to the TOE is countered by
    requiring the TOE to implement an authentication mechanism for its
    users (O.Authentication).
    In addition, login attempts are logged, allowing detection of
    attempts and possibly tracing of culprits (O.Audit).
T.UnauthorizedAccess
    The threat of unauthorized access is countered by requiring the TOE
    to implement an access control mechanism (O.Authorization).
    In addition, actions are logged, allowing detection of attempts and
    possibly tracing of culprits (O.Audit).
T.Eavesdrop
    The threat of eavesdropping is countered by requiring communications
    security via the SSH protocol (v.2) for network communication
    between LMT/RMT and the TOE. To avoid man-in-the-middle attacks, the
    server's public key is pre-loaded on the client (O.Communication).
Table 11: Sufficiency analysis for threats
The following rationale provides justification that the security objectives for the
environment are suitable to cover each individual assumption, that each security
objective for the environment that traces back to an assumption about the
environment of use of the TOE, when achieved, actually contributes to the
environment achieving consistency with the assumption, and that if all security
objectives for the environment that trace back to an assumption are achieved, the
intended usage is supported:
Assumption    Rationale for security objectives

A.NetworkElements
    The assumption about the external network devices, such as a RADIUS
    server as an external authentication/authorization source, a peer
    router for routing information exchange, and LMT/RMT for TOE control
    and management, is addressed in OE.NetworkElements.
A.PhysicalProtection
    The assumption that the TOE will be protected against unauthorized
    physical access is expressed by a corresponding requirement in
    OE.Physical.
A.NetworkSegregation
    The assumption that the TOE is not accessible via the application
    networks hosted by the networking device is addressed by requiring
    just this in OE.NetworkSegregation.
A.NoEvil
    The assumption that the personnel are not careless, willfully
    negligent, or hostile is addressed in OE.Person.
Table 12: Sufficiency analysis for assumptions
5 Extended Components Definition
No extended components have been defined for this ST.
6 Security Requirements
6.1 Conventions
• Strikethrough indicates text removed as a refinement
• (underlined text in parentheses) indicates
6.2 TOE Security Functional Requirements
6.2.1 Security Audit (FAU)
6.2.1.1 FAU_GEN.1 Audit data generation
a) Start-up and shutdown of the audit functions;
b) All auditable events for the not specified level of audit; and
c) The following auditable events:
i. user activity
1. login, logout
2. operation requests
ii. user management
1. add, delete, modify
2. password change
3. operation authority change
4. online user query
5. session termination
iii. command group management
1. add, delete, modify
iv. authentication policy modification
v. system management
1. reset to factory settings
vi. log management
1. log policy modification
a) Date and time of the event, type of event, subject identity (if applicable), and
the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the
functional components included in the PP/ST, interface (if applicable),
workstation IP (if applicable), User ID (if applicable), and CLI command
name (if applicable).
6.2.1.2 FAU_GEN.2 User identity association
6.2.1.3 FAU_SAR.1 Audit review
6.2.1.4 FAU_SAR.3 Selectable audit review
6.2.1.5 FAU_STG.1 Protected audit trail storage
6.2.1.6a FAU_STG.3 Action in case of possible audit data loss
6.2.2 Cryptographic Support (FCS)
6.2.2.1 FCS_COP.1/AES Cryptographic operation
6.2.2.2 FCS_COP.1/RSA Cryptographic operation
6.2.2.3 FCS_COP.1/DHKeyExchange Cryptographic operation
6.2.2.4 FCS_COP.1/HMAC-SHA256 Cryptographic operation
6.2.2.6 FCS_COP.1/MD5 Cryptographic operation
6.2.2.7 FCS_CKM.1/AES Cryptographic key generation
6.2.2.8 FCS_CKM.1/RSA Cryptographic key generation
6.2.2.9 FCS_CKM.1/DHKey Cryptographic key generation
6.2.2.10 FCS_CKM.4/RSA Cryptographic key destruction
6.2.2.11 FCS_CKM.4/AES-DHKey Cryptographic key destruction
6.2.3 User Data Protection (FDP)
6.2.3.1 FDP_ACC.1 Subset access control
6.2.3.2 FDP_ACF.1 Security attribute based access control
a) users and their following security attributes:
O.
b) commands and their following security attributes:
O.
a) the user has been granted authorization for the commands targeted by the
request, and
b) the user is associated with a Command Group that contains the requested
command
FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects
based on the following additional rules:
a) the user has been granted authorization for the commands targeted by the
request, and
b) the user is associated with a Command Group that contains the requested
command
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on
the following additional rules:
a) the user has not been granted authorization for the commands targeted
by the request, or
b) the user is not associated with a Command Group that contains the
requested command
6.2.3.3a FDP_DAU.1 Basic Data Authentication (for all series except
S23XX-EI, S53XX-LI/SI, S27XX-EI, S57XX-LI/SI, E6XX)
6.2.3.3b FDP_DAU.1 Basic Data Authentication (for S23XX-EI/S53XX-LI/
S23XX-EI, S53XX-LI/SI, S27XX-EI, S57XX-LI/SI, E6XX)
6.2.3.4 FDP_IFC.1 Subset information flow control
6.2.3.5a FDP_IFF.1 Simple security attributes (for all series except
S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI)
6.2.3.5b FDP_IFF.1 Simple security attributes
(for S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI)
6.2.4 Identification and Authentication (FIA)
6.2.4.1 FIA_AFL.1 Authentication failure handling (this does not apply to
RADIUS authentication)
6.2.4.2 FIA_ATD.1 User attribute definition
a) user ID
b) user level
c) password
6.2.4.3 FIA_SOS.1 Verification of secrets
6.2.4.4 FIA_UAU.2 User authentication before any action
6.2.4.5 FIA_UID.2 User identification before any action
6.2.5 Security Management (FMT)
6.2.5.1 FMT_MOF.1 Management of security functions behavior
6.2.5.2 FMT_MSA.1 Management of security attributes
6.2.5.3 FMT_MSA.3 Static attribute initialization
6.2.5.4 FMT_SMF.1 Specification of Management Functions
a) authentication, authorization, encryption policy¹
b) ACL policy
c) user management
d) definition of Managed Object Groups and Command Groups
e) definition of IP addresses and address ranges that will be accepted as
source addresses in client session establishment requests
f) routing and forwarding, such as BGP (not for
, OSPF(not
for , ARP
g) L2 forwarding, such as MAC, VLAN
¹ The encryption policy dictates which cryptographic algorithm / key length is used in which situation
6.2.5.5 FMT_SMR.1 Security roles
6.2.6 Protection of the TSF (FPT)
6.2.6.1 FPT_STM.1 Reliable time stamps
6.2.6.2 FPT_FLS.1 Fail secure
6.2.7 Resource utilization (FRU)
6.2.7.1 FRU_PRS.1 Limited priority of service
6.2.7.2 FRU_RSA.1 Maximum quotas
6.2.7.3 FRU_FLT.1 Degraded fault tolerance
6.2.8 TOE access (FTA)
6.2.8.1 FTA_SSL.3 TSF-initiated termination
6.2.8.2 FTA_TSE.1 TOE session establishment
a) authentication failure
b) Source IP address.
6.2.9 Trusted Path/Channels (FTP)
6.2.9.1 FTP_TRP.1 Trusted path
6.3 Security Functional Requirements Rationale
6.3.1 Sufficiency and coverage
The following rationale provides justification for each security objective for the TOE,
showing that the security functional requirements are suitable to meet and achieve
the security objectives. From this table, it can also be seen that each security
functional requirement addresses at least one security objective.
Security objectives    Rationale

O.Forwarding
    The goal of secure traffic forwarding is achieved by the following:
    Prior to forwarding-related service configuration, authentication
    (FIA_UID.2, FIA_UAU.2, FDP_DAU.1), authorization (FDP_ACC.1) and
    access control policy (FDP_ACF.1) are implemented and applicable.
    A trusted path (FTP_TRP.1) for forwarding-related service
    configuration should be established for users, which also requires
    cryptographic support (FCS_COP.1). Cryptographic support (FCS_COP.1)
    is also required where routing information exchange takes place.
    In order to prevent packets from entering an infinite loop, which
    would slow down the network (FRU_FLT.1, FPT_FLS.1), STP is
    implemented.
O.Audit
    The generation of audit records is implemented by FAU_GEN.1. Audit
    records are supposed to include a timestamp (FPT_STM.1) and user
    identities (FAU_GEN.2) where applicable, which are supplied by the
    authentication mechanism (FIA_UID.2). Audit records are in a string
    format; regular expressions are provisioned to read and search these
    records (FAU_SAR.1, FAU_SAR.3). The protection of the stored audit
    records is implemented in FAU_STG.1. Functionality to delete the
    oldest audit file is provided if the size of the log files becomes
    larger than the capacity of the storage device (FAU_STG.3).
    Management functionality for the audit mechanism is spelled out in
    FMT_SMF.1.
O.Communication
    Communications security is implemented by a trusted path for remote
    users in FTP_TRP.1. FCS_COP.1 addresses the AES encryption of SSH
    channels. FCS_CKM.1 addresses key generation for AES/RSA.
    FCS_CKM.4/RSA addresses key destruction for RSA.
    FCS_CKM.4: AES keys are session keys only; these are created and
    stored in a chunk of internal memory dynamically allocated within
    the TOE upon session establishment and are destroyed upon session
    termination. The allocated memory is freed as well. Management
    functionality to enable these mechanisms is provided in FMT_SMF.1.
O.Authentication
    User authentication is implemented by FIA_UAU.2 and FDP_DAU.1 and
    supported by individual user identities in FIA_UID.2. The necessary
    user attributes (passwords) are spelled out in FIA_ATD.1. The
    authentication mechanism supports authentication failure handling
    (FIA_AFL.1), restrictions as to the validity of accounts for logon
    (FTA_TSE.1), automatic logout after inactivity (FTA_SSL.3) and a
    password policy (FIA_SOS.1). A trusted path is provided (FTP_TRP.1),
    supported by cryptography (FCS_COP.1). Management functionality is
    provided in FMT_SMF.1.
O.Authorization
    The requirement for access control is spelled out in FDP_ACC.1, and
    the access control policies are modeled in FDP_ACF.1. Unique user
    IDs are necessary for access control provisioning (FIA_UID.2), and
    user-related attributes are spelled out in FIA_ATD.1. Access control
    is based on the definition of roles as subject and functions as
    object (FMT_SMR.1, FMT_MOF.1). The termination of an interactive
    session is provided in FTA_SSL.3. Management functionality for the
    definition of access control policies is provided (FMT_MSA.1,
    FMT_MSA.3, FMT_SMF.1).
O.Resource
    The requirement for assigning a priority (used as configured
    bandwidth) is spelled out in FRU_PRS.1; enforcing the maximum quotas
    for bandwidth and limiting the MAC address table entries is spelled
    out in FRU_RSA.1.
O.Filter
    The requirement of ACL or packet filter is spelled out in FDP_IFF.1
    and FDP_IFC.1. Management functionality for the definition of ACL is
    provided (FMT_MSA.1, FMT_MSA.3, FMT_SMF.1).
Table 13: SFR sufficiency analysis
6.3.3 Security Requirements Dependency Rationale
Dependencies within the EAL3 package selected for the security assurance
requirements have been considered by the authors of CC Part 3 and are not
analyzed here again.
The security functional requirements in this Security Target do not introduce
dependencies on any security assurance requirement; neither do the security
assurance requirements in this Security Target introduce dependencies on any
security functional requirement.
The following table demonstrates the dependencies of SFRs modeled in CC Part 2
and how the SFRs for the TOE resolve those dependencies:
Security Functional Requirement  Dependencies                                    Resolution
FAU_GEN.1                        FPT_STM.1                                       FPT_STM.1
FAU_GEN.2                        FAU_GEN.1, FIA_UID.1                            FAU_GEN.1, FIA_UID.2
FAU_SAR.1                        FAU_GEN.1                                       FAU_GEN.1
FAU_SAR.3                        FAU_SAR.1                                       FAU_SAR.1
FAU_STG.1                        FAU_GEN.1                                       FAU_GEN.1
FAU_STG.3                        FAU_STG.1                                       FAU_STG.1
FCS_COP.1                        FCS_CKM.1, FCS_CKM.4                            FCS_CKM.1, FCS_CKM.4. Except for MD-5, HMAC-SHA256 use no key, so the dependencies are unnecessary there.
FCS_CKM.1                        FCS_COP.1, FCS_CKM.4                            FCS_COP.1, FCS_CKM.4
FCS_CKM.4                        FCS_CKM.1                                       FCS_CKM.1
FDP_ACC.1                        FDP_ACF.1                                       FDP_ACF.1
FDP_ACF.1                        FDP_ACC.1, FMT_MSA.3                            FDP_ACC.1, FMT_MSA.3
FDP_DAU.1                        None
FDP_IFC.1                        FDP_IFF.1                                       FDP_IFF.1
FDP_IFF.1                        FDP_IFC.1, FMT_MSA.3                            FDP_IFC.1, FMT_MSA.3
FIA_AFL.1                        FIA_UAU.1                                       FIA_UAU.2
FIA_ATD.1                        None
FIA_SOS.1                        None
FIA_UAU.2                        FIA_UID.1                                       FIA_UID.2
FIA_UID.2                        None
FMT_MOF.1                        FMT_SMF.1, FMT_SMR.1                            FMT_SMF.1, FMT_SMR.1
FMT_MSA.1                        [FDP_ACC.1 or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1  FDP_ACC.1, FMT_SMR.1, FMT_SMF.1
FMT_MSA.3                        FMT_MSA.1, FMT_SMR.1                            FMT_MSA.1, FMT_SMR.1
FMT_SMF.1                        None
FMT_SMR.1                        FIA_UID.1                                       FIA_UID.2
FRU_PRS.1                        None
FRU_RSA.1                        None
FTA_SSL.3                        None
FTA_TSE.1                        None
FTP_TRP.1                        None
FPT_STM.1                        None
FRU_FLT.1                        FPT_FLS.1                                       FPT_FLS.1
FPT_FLS.1                        None
Table 14: Dependencies between TOE Security Functional Requirements
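The dependency analysis in Table 14 can be checked mechanically. The following is an added example, not part of the Security Target: it transcribes the table's rows and verifies that every dependency is resolved by the same component or by one hierarchical to it (FIA_UID.2 to FIA_UID.1 and FIA_UAU.2 to FIA_UAU.1, per CC Part 2), and that every resolving SFR has a row of its own. The function and variable names are assumptions.

```python
# Rows of Table 14 as SFR -> (dependencies, resolution). A nested list is an
# "or" group, as in "[FDP_ACC.1 or FDP_IFC.1]". FPT_STM.1 is spelled as in 6.2.6.1.
TABLE_14 = {
    "FAU_GEN.1": (["FPT_STM.1"], ["FPT_STM.1"]),
    "FAU_GEN.2": (["FAU_GEN.1", "FIA_UID.1"], ["FAU_GEN.1", "FIA_UID.2"]),
    "FAU_SAR.1": (["FAU_GEN.1"], ["FAU_GEN.1"]),
    "FAU_SAR.3": (["FAU_SAR.1"], ["FAU_SAR.1"]),
    "FAU_STG.1": (["FAU_GEN.1"], ["FAU_GEN.1"]),
    "FAU_STG.3": (["FAU_STG.1"], ["FAU_STG.1"]),
    "FCS_COP.1": (["FCS_CKM.1", "FCS_CKM.4"], ["FCS_CKM.1", "FCS_CKM.4"]),
    "FCS_CKM.1": (["FCS_COP.1", "FCS_CKM.4"], ["FCS_COP.1", "FCS_CKM.4"]),
    "FCS_CKM.4": (["FCS_CKM.1"], ["FCS_CKM.1"]),
    "FDP_ACC.1": (["FDP_ACF.1"], ["FDP_ACF.1"]),
    "FDP_ACF.1": (["FDP_ACC.1", "FMT_MSA.3"], ["FDP_ACC.1", "FMT_MSA.3"]),
    "FDP_IFC.1": (["FDP_IFF.1"], ["FDP_IFF.1"]),
    "FDP_IFF.1": (["FDP_IFC.1", "FMT_MSA.3"], ["FDP_IFC.1", "FMT_MSA.3"]),
    "FIA_AFL.1": (["FIA_UAU.1"], ["FIA_UAU.2"]),
    "FIA_UAU.2": (["FIA_UID.1"], ["FIA_UID.2"]),
    "FMT_MOF.1": (["FMT_SMF.1", "FMT_SMR.1"], ["FMT_SMF.1", "FMT_SMR.1"]),
    "FMT_MSA.1": ([["FDP_ACC.1", "FDP_IFC.1"], "FMT_SMR.1", "FMT_SMF.1"],
                  ["FDP_ACC.1", "FMT_SMR.1", "FMT_SMF.1"]),
    "FMT_MSA.3": (["FMT_MSA.1", "FMT_SMR.1"], ["FMT_MSA.1", "FMT_SMR.1"]),
    "FMT_SMR.1": (["FIA_UID.1"], ["FIA_UID.2"]),
    "FRU_FLT.1": (["FPT_FLS.1"], ["FPT_FLS.1"]),
}
# Rows whose dependency column reads "None".
for _sfr in ("FDP_DAU.1 FIA_ATD.1 FIA_SOS.1 FIA_UID.2 FMT_SMF.1 FRU_PRS.1 "
             "FRU_RSA.1 FTA_SSL.3 FTA_TSE.1 FTP_TRP.1 FPT_STM.1 FPT_FLS.1").split():
    TABLE_14[_sfr] = ([], [])

# CC Part 2 hierarchy: the key may resolve a dependency on the value.
HIERARCHICAL_TO = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}


def resolves(component, dependency):
    """True if `component` is the dependency itself or hierarchical to it."""
    return component == dependency or HIERARCHICAL_TO.get(component) == dependency


def check_dependencies(table):
    """Return (sfr, problem, detail) tuples; an empty list means no findings."""
    findings = []
    for sfr, (dependencies, resolution) in table.items():
        used = set()
        for dep in dependencies:
            alternatives = dep if isinstance(dep, list) else [dep]
            hits = [r for r in resolution
                    if any(resolves(r, a) for a in alternatives)]
            if not hits:
                findings.append((sfr, "dependency not resolved",
                                 " or ".join(alternatives)))
            used.update(hits)
        for r in resolution:
            if r not in used:
                findings.append((sfr, "resolution matches no dependency", r))
            if r not in table:
                findings.append((sfr, "resolving SFR has no row of its own", r))
    return findings


if __name__ == "__main__":
    for finding in check_dependencies(TABLE_14):
        print(*finding, sep=": ")
```

A misspelled row identifier shows up as a resolving SFR without a row, which makes the check useful as a consistency pass over the table as well as over the dependency logic.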
6.4 Security Assurance Requirements
The security assurance requirements for the TOE are the Evaluation Assurance
Level 3 components augmented with ALC_FLR.2, as specified in [CC] Part 3. No
operations are applied to the assurance components.
6.5 Security Assurance Requirements Rationale
The evaluation assurance level 3 augmented with ALC_FLR.2, has been chosen
commensurate with the threat environment that is experienced by typical
consumers of the TOE.
7 TOE Summary Specification
7.1 TOE Security Functional Specification
7.1.1 Authentication
The TOE can identify administrators by a unique ID and enforces their
authentication before granting them access to any TSF management
interfaces. Detailed functions include:
1) Support authentication via local password. This function is achieved by
comparing user information input with pre-defined user information stored in
memory.
2) Support authentication via remote RADIUS authentication server. This function
is achieved by performing pass/fail action based on result from remote
authentication server.
3) Support authenticating user login using SSH, by password authentication, RSA
authentication, or a combination of both. This function is achieved by performing
authentication for SSH user based on method mentioned in 1).
4) Support logout when no operation is performed on the user session within a
given interval. This function is achieved by performing count-down through
timing related to clock function.
5) Support a maximum number of attempts due to authentication failure within a
certain period of time. This function is achieved by providing counts on
authentication failure.
6) Support limiting access by IP address. This function is achieved by comparing
IP address of requesting session with configured value stored in memory.
7) Support for user individual attributes in order to achieve all the enumerated
features: user ID, user level, and password.
(FIA_AFL.1, FIA_ATD.1, FIA_UAU.2, FIA_UID.2, FTA_TSE.1, FTA_SSL.3,
FCS_CKM.1, FCS_CKM.4)
7.1.2 Access Control
The TOE enforces an access control by supporting following functionalities:
1) Support 16 access levels. This function is achieved by storing number as level
in memory.
2) Support assigning access level to commands. This function is achieved by
associating access level number with commands registered.
3) Support assigning access level to user ID. This function is achieved by
associating access level number with user ID.
4) Support limiting execution to commands whose access level is less than or
equal to the level of the user. This function is achieved by evaluating whether
the level of the command is less than or equal to the level of the user. This
limitation of access also prevents users from accessing or deleting log files if
they have insufficient rights.
(FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMR.1, FMT_MOF.1,
FAU_STG.1)
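The login checks of section 7.1.1 (source address, failure counting within a period, idle logout) and the level comparison of section 7.1.2 can be modelled together. The following is an added example, not the TOE's implementation: the class and method names, the 0-15 level numbering, counting failures per user ID, the limits and the command names are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque

LEVELS = range(16)  # 16 access levels; numbering them 0-15 is an assumption


class ManagementPlane:
    """Toy model of the login and command checks in sections 7.1.1 and 7.1.2."""

    def __init__(self, allowed_sources, max_failures, window_s, idle_s):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sources]
        self.max_failures = max_failures    # failures tolerated per period
        self.window_s = window_s            # length of the counting period
        self.idle_s = idle_s                # inactivity limit before logout
        self.user_level = {}                # user ID -> access level
        self.command_level = {}             # command -> access level
        self.failures = defaultdict(deque)  # user ID -> failure timestamps
        self.last_seen = {}                 # user ID -> time of last activity

    def add_user(self, user, level):
        if level not in LEVELS:
            raise ValueError("access level out of range")
        self.user_level[user] = level

    def register_command(self, command, level):
        if level not in LEVELS:
            raise ValueError("access level out of range")
        self.command_level[command] = level

    def _recent_failures(self, user, now):
        """Drop failures older than the period and count the rest."""
        queue = self.failures[user]
        while queue and now - queue[0] >= self.window_s:
            queue.popleft()
        return len(queue)

    def login(self, user, source_ip, credential_ok, now):
        """credential_ok is the pass/fail result of the local or RADIUS check."""
        address = ipaddress.ip_address(source_ip)
        if not any(address in network for network in self.allowed):
            return "denied: source address"
        if self._recent_failures(user, now) >= self.max_failures:
            return "denied: too many failures"
        if user not in self.user_level or not credential_ok:
            self.failures[user].append(now)
            return "denied: authentication"
        self.failures[user].clear()
        self.last_seen[user] = now
        return "accepted"

    def run(self, user, command, now):
        last = self.last_seen.get(user)
        if last is None:
            return "denied: not logged in"
        if now - last >= self.idle_s:
            del self.last_seen[user]        # timed logout of the idle session
            return "denied: session timed out"
        self.last_seen[user] = now
        required = self.command_level.get(command)
        # Permit only if the command's level is <= the user's level.
        if required is None or required > self.user_level[user]:
            return "denied: access level"
        return "permitted"


def demo():
    """Constructed walk-through; addresses, limits and command names are made up."""
    mp = ManagementPlane(["192.0.2.0/24"], max_failures=3, window_s=300, idle_s=600)
    mp.add_user("operator", 1)
    mp.register_command("show-status", 1)
    mp.register_command("delete-log-file", 15)
    out = [mp.login("operator", "198.51.100.7", True, now=0)]
    out += [mp.login("operator", "192.0.2.10", False, now=t) for t in (0, 10, 20)]
    out.append(mp.login("operator", "192.0.2.10", True, now=30))
    out.append(mp.login("operator", "192.0.2.10", True, now=320))
    out.append(mp.run("operator", "show-status", now=330))
    out.append(mp.run("operator", "delete-log-file", now=340))
    out.append(mp.run("operator", "show-status", now=940))
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```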
7.1.3 L2 Traffic Forwarding
The TOE forwards network traffic, enforcing decisions about the correct forwarding
interface and assembling the outgoing network packets using correct MAC
addresses:
1) Support traffic isolation with VLANs
2) Support MAC address learning automatically
3) Support Layer 2 traffic forwarding based on MAC table entry
4) Support to configure MAC address statically
5) Support to configure black hole MAC address statically
6) Support to limit the learning number of MAC address
7) Support to convert the MAC address learnt dynamically to static MAC address
8) Support MAC address flapping protection
9) In order to configure all the enumerated settings the user must be an
authenticated user with administrator-defined role.
(FRU_PRS.1, FRU_RSA.1, FMT_MSA.3)
7.1.4 L3 Traffic Forwarding
The TOE forwards network traffic, enforcing decisions about the correct forwarding
interface and assembling the outgoing network packets using correct MAC
addresses:
1) Support ARP/BGP/OSPF protocol. This function is achieved by providing
implementation of ARP/BGP/OSPF protocol.
2) Support routing information generation via OSPF protocol. This function is
provided by implementation of OSPF protocol.
3) Support routing information generation via BGP protocol. This function is
provided by implementation of BGP protocol.
4) Support routing information generation via manual configuration. This function
is achieved by storing static routes in memory.
5) Support importing BGP/static routing information for OSPF. This function is
provided by implementation of OSPF protocol.
6) Support importing OSPF/static routing information for BGP. This function is
provided by implementation of BGP protocol.
7) BGP supports the cryptographic algorithm MD5. This function is achieved by
performing verification for incoming BGP packets using MD5 algorithm.
8) OSPF supports the cryptographic algorithm MD5. This function is achieved by
performing verification for incoming OSPF packets using MD5 algorithm.
9) Support disconnecting sessions with neighbor network devices. This function is
achieved by locating and cleaning session information.
10) OSPF supports routing information aggregation. This function is achieved by
manipulating routes stored in memory.
11) OSPF supports routing information filtering. This function is achieved by
manipulating routes stored in memory.
12) Support ARP strict learning. This function is achieved by regulating ARP
feature to accept entry generated by own ARP requests.
13) Support IPv4 traffic forwarding via physical interface. This function is achieved
by making routing decision based on routes generated by BGP/OSPF/static
configuration.
14) Support sending network traffic to VRP for central process where destination IP
address is one of the interfaces’ IP addresses of the TOE. This is achieved by
checking whether the traffic’s destination IP address is within the configured
interfaces’ IP addresses in the TOE. If it is, the traffic will be sent to VRP in
MCU for central process.
(FIA_UAU.2, FTP_TRP.1, FCS_COP.1, FIA_SOS.1, FDP_DAU.1)
Notes: S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI Series Switches don't support
Layer 3 forwarding; S53XX-SI/S57XX-SI Series Switches only support Layer 3
forwarding by static routes and don't support routing protocols like OSPF/BGP; E6xx
Series Switches only support Layer 3 forwarding by static routes and RIP and don't
support routing protocols like OSPF/BGP.
7.1.5 Auditing
The TOE can provide auditing ability by receiving all types of logs and processing
them according to user’s configuration:
1) Support classification based on severity level. This function is achieved where
logging messages are encoded with severity level and output to log buffer.
2) Support enabling, disabling log output. This function is achieved by interpreting
enable/disable commands and storing results in memory. Log output is
performed based on this result.
3) Support redirecting logs to various output channels: monitor, log buffer, trap
buffer, log file. This function is achieved by interpreting commands and storing
results in memory or in log files in CF card. Log channel for output is
selected prior to execution of redirecting.
4) Support log output screening, based on filename. This function is performed by
providing filtering on output.
5) Support querying log buffer. This function is achieved by performing querying
operation with conditions input.
6) Support cleaning log buffer. This function is achieved by cleaning log buffer in
memory.
7) Support to automatically remove oldest log files if audit files exceed the size of
the storage device.
(FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.3, FAU_STG.3, FMT_SMF.1)
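Two of the audit functions above, review of string-format records by regular expression (FAU_SAR.1, FAU_SAR.3) and removal of the oldest log file when the store is full (FAU_STG.3), are sketched below. This is an added example, not the TOE's code: the key="value" record layout, the sizes, the names and the sample records are constructed, and only the field list follows FAU_GEN.1.

```python
import re

# Fields FAU_GEN.1 asks each record to carry; the key="value" layout is constructed.
FIELDS = ("time", "event", "user", "source_ip", "interface", "command", "outcome")


def format_record(**values):
    """Render one audit record as a single string; absent fields become "-"."""
    return " ".join('%s="%s"' % (name, values.get(name, "-")) for name in FIELDS)


class AuditStore:
    """Log files on a store of limited size; the oldest file is removed first."""

    def __init__(self, capacity_bytes, file_bytes):
        self.capacity_bytes = capacity_bytes  # size of the storage device
        self.file_bytes = file_bytes          # size at which a new file is started
        self.files = []                       # oldest file first, each a list of records

    @staticmethod
    def _size(records):
        return sum(len(r) + 1 for r in records)  # +1 for the line terminator

    def total_bytes(self):
        return sum(self._size(f) for f in self.files)

    def append(self, record):
        """Store a record and return how many old files had to be removed."""
        needed = len(record) + 1
        if not self.files or self._size(self.files[-1]) + needed > self.file_bytes:
            self.files.append([])
        self.files[-1].append(record)
        removed = 0
        # Never remove the file currently being written.
        while self.total_bytes() > self.capacity_bytes and len(self.files) > 1:
            self.files.pop(0)
            removed += 1
        return removed

    def review(self, pattern):
        """Selectable review: records matching a regular expression, oldest first."""
        rx = re.compile(pattern)
        return [r for f in self.files for r in f if rx.search(r)]


def demo():
    """Constructed records: ten logins, every third one failing."""
    store = AuditStore(capacity_bytes=700, file_bytes=300)
    removed = 0
    for i in range(10):
        removed += store.append(format_record(
            time="2016-10-21T09:%02d:00" % i, event="login", user="admin",
            source_ip="192.0.2.10", interface="vty0",
            outcome="failure" if i % 3 == 0 else "success"))
    return store, removed


if __name__ == "__main__":
    store, removed = demo()
    print("files removed:", removed)
    for line in store.review(r'outcome="failure"'):
        print(line)
```

The run shows the cost of this storage policy: the earliest failed logins are no longer reviewable once their file has been removed.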
7.1.6 Communication Security
The TOE provides communication security by implementing the SSH protocol. Two
versions of SSH, SSHv1 (SSH1.5) and SSHv2 (SSH2.0), are implemented, but
SSH2 is recommended for most cases because it is more secure and more effective
in terms of functionality and performance. SFTP is provided implementing secure .
1) Support SSHv1 and SSHv2. This function is achieved by providing
implementation of SSHv1 and SSHv2.
2) Support dh_group_exchange_sha1 as key exchange algorithm of SSH. This
function is achieved by providing implementation of dh_group_exchange_sha1
algorithm.
3) Support AES encryption algorithm. This function is achieved by providing
implementation of AES algorithm.
4) Support HMAC-SHA verification algorithm. This function is achieved by
providing implementation of HMAC-SHA algorithm.
5) Support using different encryption algorithm for client-to-server encryption and
server-to-client encryption. This function is achieved by interpreting related
commands and storing the result in memory.
6) Support Secure-FTP. This function is achieved by providing implementation of
Secure-FTP.
7) Support for RSA key destruction, overwriting it with 0.
8) The TOE names SSH as S-Telnet.
(FCS_COP.1, FCS_CKM.1, FCS_CKM.4, FMT_SMF.1, FDP_DAU.1)
7.1.7 ACL
The TOE supports Access Control Lists (ACLs) to filter traffic destined to the TOE to
prevent internal traffic overload and service interruption. The TOE also uses ACLs
to deny unwanted network traffic from passing through it.
The TOE also uses the ACL to identify flows and perform flow control to prevent the
CPU and related services from being attacked.
1) Support enabling ACLs by associating ACLs to blacklist. This function is
achieved by interpreting ACL configurations then storing interpreted value in
memory.
2) Support screening and filtering traffic destined to the CPU. This function is
achieved by downloading blacklist ACL configurations into hardware.
3) Support rate limiting traffic based on screened traffic. This function is achieved
by downloading configuration of rate into hardware.
(FRU_PRS.1, FRU_RSA.1, FDP_IFC.1, FDP_IFF.1)
7.1.8 Security Management
The TOE offers management functionality for its security functions, where
appropriate. This is partially already addressed in more detail in the previous
sections of the TSS, but includes:
• User management, including user name, passwords, etc.
• Access control management, including the association of users and
corresponding privileged functionalities.
• Enabling/disabling of SSH for the communication between LMT clients
and the TOE.
• Defining IP addresses and address ranges for clients that are allowed to
connect to the TOE.
All of these management options are typically available via the LMT GUI.
The detailed function specification includes the following:
1) Support Local configuration through console port. Parameters include console
port baudrate, data bit, parity, etc;
2) Support configuration for authentication and authorization on user logging in
via console port;
3) Support configuration for authentication mode and authorization mode on user
logging in via console port;
4) Support remotely managing the TOE using SSH.
5) Support enabling, disabling S-FTP;
6) Support configuration on service port for SSH;
7) Support configuration on RSA key for SSH;
8) Support configuration on authentication type, encryption algorithm for SSH;
9) Support authenticating users logged in using SSH, by password authentication,
RSA authentication, or a combination of both;
10) Support configuration on logout when no operation is performed on the user
session within a given interval;
11) Support configuration on max attempts due to authentication failure within
certain period of time;
12) Support configuration on limiting access by IP address;
13) Support configuration on commands’ access level;
14) Support management on OSPF by enabling, disabling OSPF;
15) Support configuration on area, IP address range, authentication type of OSPF;
16) Support management on BGP by enabling, disabling BGP;
17) Support configuration on peer address, authentication type of BGP;
18) Support management on ARP by specifying static ARP entry, aging time and
frequency of dynamical ARP entry. This function is achieved by interpreting
commands input and storing value in memory.
19) Support management on log by enabling, disabling log output;
20) Support configuration on log output channel, output host;
21) Support configuration ACLs based on IP protocol number, source and/or
destination IP address, source and/or destination port number if TCP/UDP;
22) Support enabling, disabling SNMP Agent and Trap message sending function;
23) Support enabling, disabling the switch to Send an Alarm Message of a
Specified Feature to the NM Station;
24) Support setting the Source Interface, Queue Length and Lifetime of Trap
message;
25) Support enabling, disabling STP function.
The above functions are achieved by interpreting input commands and storing the
result of the interpretation in memory. Some results, such as generated routes and
ACLs, will be downloaded into hardware to assist forwarding and other TSF functions.
(FMT_SMF.1, FTP_TRP.1)
7.1.9 Cryptographic functions
Cryptographic functions are required by security features as dependencies. The
following cryptographic algorithms are supported:
1) Support AES256/RSA algorithms. This is achieved by providing
implementations of AES256/RSA algorithms.
2) Support HMAC-SHA algorithms. This is achieved by providing implementations
of HMAC-SHA algorithms.
3) Support for RSA key destruction overwriting it with 0
(FCS_COP.1, FCS_CKM.4)
7.1.10 Time
The TOE supports its own clock, to support logging and timed log-outs.
(FPT_STM.1, FTA_SSL.3)
7.1.11 SNMP Trap
The TOE uses SNMP traps to notify when a fault occurs or the system does not
operate properly.
1) Support management on trap by enabling, disabling trap output;
2) Support configuration on trap output interface, output host;
3) Support configuration on trap based on fault categories, fault functionality, or
modules where the faults occur.
4) Support SNMPv3 which provides:
a) Encrypted communication using AES algorithm.
b) Packet authentication using MD5 algorithms
(FPT_STM.1, FDP_DAU.1)
7.1.12 STP
The TOE supports Spanning Tree Protocol (STP) to cut off the potential loops on the
network and provide link redundancy.
1) Support blocking a certain interface to prevent replication and circular
propagation of packets on the network.
2) Support sending configuration BPDUs and Hello packets to detect link faults
with a certain time.
3) Support delay for interface status transition to prevent transient loops.
4) Support configuration of the max aging time, which specifies the aging time of BPDUs.
(FRU_FLT.1, FPT_FLS.1)
8 Abbreviations, Terminology and References
8.1 Abbreviations
ACL Access Control List
CC Common Criteria
CLI Command Line Interface
GUI Graphical User Interface
LMT Local Maintenance Terminal
LPU Line Process Unit
MCU Main Control Unit
NTP Network Time Protocol
PP Protection Profile
RMT Remote Maintenance Terminal
SFR Security Functional Requirement
SFU Switching Fabric Unit
SNMP Simple Network Management Protocol
SPU Service Process Unit
SRU Switch Router Unit
ST Security Target
STP Spanning-Tree Protocol
TOE Target of Evaluation
TSF TOE Security Functions
VP Virtual Path
VRP Versatile Routing Platform
8.2 Terminology
This section contains definitions of technical terms that are used with a meaning
specific to this document. Terms defined in the [CC] are not reiterated here, unless
stated otherwise.
Administrator: An administrator is a user of the TOE who may have been assigned
specific administrative privileges within the TOE. This ST may
use the term administrator occasionally in an informal context,
and not in order to refer to a specific role definition – from the
TOE’s point of view, an administrator is simply a user who is
authorized to perform certain administrative actions on the TOE
and the objects managed by the TOE.
User: A user is a human or a product/application using the TOE.
8.3 References
[CC] Common Criteria for Information Technology Security Evaluation. Part 1-3.
September 2012. Version 3.1 Revision 4.
[CEM] Common Methodology for Information Technology Security Evaluation.
September 2012. Version 3.1 Revision 4.