Nokia SR OS Security Target

SECURITY TARGET FOR NOKIA 7-SERIES SERVICE ROUTER OPERATING SYSTEM (SR OS) FAMILY

Evaluated Assurance Level: 3+
Document No. 2184-001-D102
Version: 1.1, 16 May 2022

Prepared for:
Nokia
777 East Middlefield Road
Mountain View, CA USA, 94043

Prepared by:
EWA-Canada, An Intertek Company
1223 Michael Street North, Suite 200
Ottawa, Ontario, Canada K1J 7T2
and
Saffire Systems
PO Box 40295
Indianapolis, IN 46240

Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page i of v

AMENDMENT RECORD SHEET

Rev. | Issue Date | Description | Author | Reviewer
1.1 | 16 May 2022 | Added Supplemental CC Guidance document to Section 1.7 | Michelle Ruppel |
1.0 | 21 March 2022 | Filled in build number | Michelle Ruppel |
0.10 | 09 January 2022 | Changed from SR OS v20 to v21. Clarified the need for a local trusted network. | Michelle Ruppel |
0.9 | 19 October 2021 | Update ST author on Title page | Michelle Ruppel |
0.8 | 07 September 2021 | Updated product guidance. | Michelle Ruppel |
0.7 | 23 October 2020 | Addressed ORs from the Lab. | Michelle Ruppel | James Cumming
0.6 | 15 September 2020 | Version submitted for evaluation. | Michelle Ruppel |
0.5 | 15 September 2020 | Addressed all review comments. | Michelle Ruppel |
0.4 | 11 September 2020 | Review comments | James Cumming |
0.3 | 22 August 2020 | Addressed review comments | Michelle Ruppel | James Cumming
0.2 | 11 July 2020 | Changed SAM to NSP, SROS to SR OS and added 7250 guidance documents. | Michelle Ruppel | James Cumming
0.1 | 12 June 2020 | Initial draft | Michelle Ruppel | James Cumming

TABLE OF CONTENTS

1 INTRODUCTION ..... 6
1.1 DOCUMENT ORGANIZATION ..... 6
1.2 SECURITY TARGET REFERENCE ..... 6
1.3 TARGET OF EVALUATION REFERENCE ..... 6
1.4 TERMINOLOGY AND ACRONYMS ..... 7
1.4.1 Terminology ..... 7
1.4.2 Acronyms ..... 12
1.5 TOE OVERVIEW ..... 14
1.5.1 TOE Type ..... 14
1.5.2 Usage ..... 15
1.5.3 Security Features ..... 15
1.5.4 TOE Operational Environment ..... 15
1.5.5 Hardware and Software Supplied by the IT Environment ..... 16
1.6 TOE DESCRIPTION ..... 17
1.6.1 General ..... 17
1.6.2 Management Plane Subsystem ..... 18
1.6.3 Control Plane Subsystem ..... 19
1.6.4 Data Plane Subsystem ..... 20
1.6.5 Platform Plane Subsystem ..... 20
1.6.6 Out-of-Band Management Interfaces ..... 20
1.6.7 In-Band Management Interface ..... 20
1.6.8 Physical Scope ..... 21
1.6.9 Logical Scope ..... 21
1.6.10 Evaluated Configuration ..... 22
1.6.11 Non-evaluated Functions/Features ..... 23
1.7 TOE GUIDANCE DOCUMENTATION ..... 24
1.7.1 7250 IXR (SR OS v21.10.R1) Guidance Documentation ..... 24
1.7.2 7750 SR (SR OS v21.10.R1) Guidance Documentation ..... 25
1.7.3 7705 SAR (SAR OS v21.10.R1) Guidance Documentation ..... 26
1.7.4 7210 SAS (SAS OS v21.9.R1) Guidance Documentation ..... 26
2 CONFORMANCE CLAIMS ..... 28
2.1 COMMON CRITERIA CONFORMANCE CLAIM ..... 28
2.2 PROTECTION PROFILE CONFORMANCE CLAIM ..... 28
2.3 EVALUATION ASSURANCE LEVEL (EAL) ..... 28
3 SECURITY PROBLEM DEFINITION ..... 29
3.1 THREATS ..... 29
3.2 ORGANIZATIONAL SECURITY POLICIES ..... 30
3.3 OPERATIONAL ENVIRONMENT ASSUMPTIONS ..... 30
3.3.1 Personnel Assumptions ..... 30
3.3.2 Physical Environment Assumptions ..... 31
3.3.3 Operational Assumptions ..... 31
4 SECURITY OBJECTIVES ..... 33
4.1 SECURITY OBJECTIVES FOR THE TOE ..... 33
4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT ..... 34
4.2.1 IT Security Objectives for the Operational Environment ..... 34
4.2.2 Non-IT Security Objectives for the Operational Environment ..... 35
4.3 SECURITY OBJECTIVES RATIONALE ..... 35
4.3.1 Security Objectives Rationale Related to Threats ..... 35
4.3.2 Environment Security Objectives Rationale Related to Assumptions and OSPs ..... 37
4.3.3 Security Objectives Summary Mapping ..... 38
5 EXTENDED COMPONENTS DEFINITION ..... 40
6 SECURITY REQUIREMENTS ..... 41
6.1 SECURITY REQUIREMENTS PRESENTATION CONVENTIONS ..... 41
6.2 TOE SECURITY FUNCTIONAL REQUIREMENTS ..... 41
6.2.1 Security Audit (FAU) ..... 42
6.2.2 User Data Protection (FDP) ..... 43
6.2.3 Identification and Authentication (FIA) ..... 48
6.2.4 Security Management (FMT) ..... 49
6.2.5 Protection of the TSF (FPT) ..... 51
6.2.6 TOE Access (FTA) ..... 51
6.3 TOE SECURITY ASSURANCE REQUIREMENTS ..... 53
6.4 CC COMPONENT HIERARCHIES AND DEPENDENCIES ..... 53
6.5 SECURITY REQUIREMENTS RATIONALE ..... 55
6.5.1 Security Functional Requirements Rationale ..... 55
6.5.2 Security Assurance Requirements Rationale ..... 57
7 TOE SUMMARY SPECIFICATION ..... 58
7.1 TOE SECURITY FUNCTIONS ..... 58
7.1.1 Overview ..... 58
7.1.2 F.Audit ..... 58
7.1.3 F.I&A ..... 62
7.1.4 F.Security_Management ..... 64
7.1.5 F.TOE_Access ..... 68
7.1.6 F.User_Data_Protection ..... 69
7.2 TOE SECURITY FUNCTIONS RATIONALE ..... 72
8 OTHER REFERENCES ..... 74

LIST OF FIGURES

Figure 1: TOE Boundary ..... 21

LIST OF TABLES

Table 1: Security Target Reference ..... 6
Table 2: Platforms Supported by SR OS ..... 7
Table 3: Threats ..... 29
Table 4: Organizational Security Policies ..... 30
Table 5: Personnel Assumptions ..... 31
Table 6: Physical Environment Assumptions ..... 31
Table 7: Operational Assumptions ..... 31
Table 8: TOE Security Objectives ..... 33
Table 9: IT Security Objectives for the Operational Environment ..... 34
Table 10: Non-IT Security Objectives for the Operational Environment ..... 35
Table 11: Mapping Of Security Objectives to Threats ..... 36
Table 12: Mapping Of Environment Security Objectives to Assumptions and OSPs ..... 38
Table 13: Summary of Security Functional Requirements ..... 41
Table 14: Security Functions ..... 50
Table 15: EAL 3+ Assurance Requirements ..... 53
Table 16: Functional Requirements Dependencies ..... 53
Table 17: Security Functional Requirements to TOE Security Objectives ..... 55
Table 18: Security Functions to SFR Mapping ..... 72

1 INTRODUCTION

This Security Target (ST) defines the scope of the evaluation in terms of the assumptions made, the intended environment for the Nokia 7-Series Service Router Operating System (SR OS) Family, hereafter referred to generically as SR OS, the Information Technology (IT) security functional and assurance requirements to be met, and the level of confidence (evaluation assurance level) to which it is asserted that the SR OS satisfies its IT security requirements. This document forms the baseline for the Common Criteria (CC) evaluation.

1.1 DOCUMENT ORGANIZATION

This document is structured as follows:

- Section 1 - Introduction provides the ST reference, the TOE reference, the TOE overview and the TOE description.
- Section 2 - Conformance Claims describes how this ST conforms to the Common Criteria and Packages. This ST does not conform to a Protection Profile.
- Section 3 - Security Problem Definition describes the expected environment in which the TOE is to be used. This section defines the set of threats that are relevant to the secure operation of the TOE, organizational security policies with which the TOE must comply, and secure usage assumptions applicable to this analysis.
- Section 4 - Security Objectives defines the set of security objectives to be satisfied by the TOE and by the TOE operating environment in response to the problem defined by the security problem definition.
- Section 5 - Extended Components Definition defines the extended components which are then detailed in Section 6.
- Section 6 - Security Requirements specifies the security functional and assurance requirements that must be satisfied by the TOE and the Information Technology (IT) environment.
- Section 7 - TOE Summary Specification describes the security functions and assurance measures that are included in the TOE to enable it to meet the IT security functional and assurance requirements.
- Section 8 - Other References identifies reference documents beyond the TOE guidance documentation listed in Section 1.6.11 that are either referred to directly in this Security Target or aid in better understanding the TOE and the application of its technology.

1.2 SECURITY TARGET REFERENCE

This Security Target is uniquely identified as depicted in Table 1.

Table 1: Security Target Reference

Title: Security Target for Nokia 7-Series Service Router Operating System (SR OS) Family
Version Number: Version 1.1
Publication Date: 16 May 2022
Author: Electronic Warfare Associates – Canada Ltd. (EWA-Canada) and Saffire Systems

1.3 TARGET OF EVALUATION REFERENCE

The Target of Evaluation (TOE) for this Security Target (ST) is the Nokia 7-Series Service Router Operating System (SR OS) Family consisting of the following:

a. Nokia 7x50 Service Router Operating System (SR OS), v21.10.R1. The specific build number is 21.10.R1.
b. Nokia Service Aggregation Router Operating System (SAR OS), v21.10.R1. The specific build number is 21.10.R1.
c. Nokia Service Access Switch Operating System, v21.9.R1. The specific build number is 21.9.R1.
The SR OS runs on the router and switch platforms and models listed in Table 2. The hardware for the models listed in Table 2 is excluded from the TOE boundary.

Table 2: Platforms Supported by SR OS

Platform | Model(s) | Operating System | Collective Reference Terms
7750 Service Router (SR) | SR-7, SR-12, SR-12e, SR-1s, SR-2s, SR-a4, SR-a8 | SR OS v21.10.R1 | 7x50 or IXR/SR
7250 Interconnect Routers (IXR) | IXR-e, IXR-R6, IXR-R4, IXR-10, IXR-6, IXR-s | SR OS v21.10.R1 | 7x50 or IXR/SR
7705 Service Aggregation Router (SAR) | SAR-18, SAR-8, SAR-X, SAR-Ax, SAR-H, SAR-Hc, SAR-Hm, SAR-Hmc | SAR OS v21.10.R1 | 7705 or SAR
7210 Service Access Switch (SAS) | SAS-R12, SAS-R6, SAS-MXP, SAS-D, SAS-Dxp, SAS-S, SAS-Sx, SAS-K30, SAS-K12, SAS-K5 | SAS OS v21.9.R1 | 7210 or SAS

1.4 TERMINOLOGY AND ACRONYMS

The following terms and acronyms as used within this Security Target have the meanings defined herein.

1.4.1 Terminology

The following terminology is used in this ST:

7210: A collective term used in this document to refer to Nokia 7210 SAS service access switches. Refer to Table 2 for additional information.
7705: A collective term used in this document to refer to Nokia 7705 SAR service aggregation routers. Refer to Table 2 for additional information.
7x50: A collective term used in this document to refer to Nokia 7750 SR service routers and 7250 IXR Ethernet services switches. Refer to Table 2 for additional information.
Access Control List: An Access Control List (ACL) is a filter policy applied on ingress or egress to a service SAP on an interface to control the traffic access.
Nokia 7-Series Service Router Operating System (SR OS) Family: The Nokia 7-Series Service Router Operating System (SR OS) Family is the Target of Evaluation (TOE). The SR OS consists of the following software configuration items (CIs): a. Nokia 7x50 Service Router Operating System (SR OS), v21.10.R1; b. Nokia Service Aggregation Router Operating System (SAR OS), v21.10.R1; and c. Nokia Service Access Switch Operating System (SAS OS), v21.9.R1. These software CIs operate on the routers and switches listed in Table 2.
Asynchronous Transfer Mode: Asynchronous Transfer Mode (ATM) is a standardized digital data transmission technology. ATM is a cell-based switching technique that uses asynchronous time division multiplexing.
Border Gateway Protocol: The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It maintains a table of IP networks or 'prefixes' which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional IGP metrics, but makes routing decisions based on path, network policies and/or rule sets.
Central Processing Unit: All traffic destined to the CPM or CSM is processed by its Central Processing Unit (CPU).
Command Line Interface: The Command Line Interface (CLI) is a terminal-based administrator interface used to configure a 7x50 IXR/SR, 7705 SAR, or 7210 SAS node.
Control and Switching Module: The Control and Switching Module (CSM) is a module within the SAR devices. The CSM is functionally the same as the CPM on the IXR/SR/SAS-series devices.
Control Processor Module: The Control Processor Module (CPM) is a module within the IXR/SR and SAS-series devices. The CPM is functionally the same as the CSM on the SAR-series devices.
Coordinated Universal Time: Coordinated Universal Time (UTC) is the definitive reference time scale. Time zones around the world may be expressed as positive or negative offsets from UTC. UTC is derived from International Atomic Time (TAI).
CPM Filter: SR routers and switches use separate CPM modules that have traffic management and queuing hardware on the CPM modules dedicated to protecting the control plane. CPM filters can be created on this hardware.
These filters can be used to drop or accept packets, as well as allocate dedicated hardware shaping queues for traffic directed to the control processors. On the SR-1, SR-1s and SR-2s the CPM filters are applied on a linecard separate from the CPM. On the SAR-series of routers and switches, CPM filter functionality is performed in software and is known as a CSM filter. CPM filters are not supported on the SAS-series.
CSM Filter: SAR-series routers with separate CSM modules (SAR-8 and SAR-18 models) have traffic management and queuing hardware on the CSM modules dedicated to protecting the Control Plane. CSM filters are created on this hardware and instantiated by the operating system without user interference. These filters can be used to drop or accept packets, as well as allocate dedicated hardware shaping queues for traffic directed to the control processors. On 7705 SAR-8 and SAR-18 nodes, the CSM is a redundant module. On the remaining 7705 nodes, the CSM is non-redundant.
Customer Premise Equipment: Customer Premise Equipment (CPE) is equipment that is installed in customer premises by a service provider to connect to a specific service.
Documented Special Use Addresses: Documented Special Use Addresses (DUSA) use IPv4 addresses
Frame Relay: Frame Relay (FR) is a data transmission technique that combines high-speed and low-delay circuit switching with the port sharing and dynamic bandwidth allocation capabilities of X.25 packet switching. Like X.25, frame relay divides transmission bandwidth into numerous virtual circuits and implements bursts of data. But unlike X.25, frame relay does not require a lot of processing at each node, delegating error correction and flow control to the attached devices.
In-band: In-band (IB) refers to interfaces using a physical I/O port on the router.
Intermediate System to Intermediate System: Intermediate System to Intermediate System (IS-IS) is a protocol used by network devices (routers) to determine the best way to forward datagrams through a packet-switched network, a process called routing.
Internet Engineering Task Force: The Internet Engineering Task Force (IETF) develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the TCP/IP and Internet protocol suite. It is an open standards organization.
Internet Protocol: The Internet Protocol (IP) is a network layer protocol underlying the Internet, which provides an unreliable, connectionless, packet delivery service. IP allows large, geographically-diverse networks of computers to communicate with each other quickly and economically over a variety of physical links.
IXR: Interconnect Routers (IXR) is a collective term used in this document to refer to the six 7250 IXR router models listed in Table 2.
IXR/SR: IXR/SR is a collective term used in this document to refer to the 7x50 series of SR routers listed in Table 2.
Label Distribution Protocol: The Label Distribution Protocol (LDP) is a new protocol that defines a set of procedures and messages by which one LSR (Label Switch Router) informs another of the label bindings it has made.
Label Switch Router: A Label Switch Router (LSR) is a node capable of forwarding datagrams based on a label.
Link Aggregation Group: Link Aggregation Group (LAG) is based on the [IEEE 802.3ad] standard; LAGs are configured to increase the bandwidth available between two network devices. All physical links in a given LAG combine to form one logical interface.
Local Area Network: A Local Area Network (LAN) is a system designed to interconnect computing devices over a restricted geographical area (usually not more than a couple of kilometres).
Management Access Filter: A Management Access Filter (MAF) controls all traffic in and out of the CPM. A MAF can be used to restrict management of the IXR/SR-Series device by other nodes outside either specific (sub)networks or through designated ports. For SAR and SAS-series devices, MAFs also control all traffic in and out of the CSM/CPM. They can be used to restrict management of the SAR or SAS by other nodes outside specific (sub)networks or through designated ports.
Management Information Base: A Management Information Base (MIB) is a type of database used for managing the devices in a communications network.
Media Access Control: Media Access Control (MAC) is a media-specific access control protocol within IEEE 802 specifications. The protocol is for medium sharing, packet formatting, addressing, and error detection.
Multicast Source Discovery Protocol: Multicast Source Discovery Protocol (MSDP) is a computer network protocol in the Protocol Independent Multicast (PIM) family of multicast routing protocols.
Multi-Protocol Label Switching: Multi-Protocol Label Switching (MPLS) technology implements the delivery of highly scalable, differentiated, end-to-end IP and VPN services. The technology allows core network routers to operate at higher speeds without examining each packet in detail, and allows differentiated services.
Network Services Platform: The Network Services Platform (NSP) provides GUI management functions (e.g., provisioning) for the IXR/SR, SAR, and SAS-series platforms. The NSP is defined outside the TOE boundary, with a Console CLI (which provides administrators with backside services) also outside the TOE boundary. All of the routers and switches listed in Table 2 can be managed by NSP Release 20.6 or later. The operational environment requires a RADIUS or TACACS+ server for authentication/authorization services, the NSP for limited remote administration, local Console access for most administration, SNMP/Syslog servers for logging, and a Network Time Protocol (NTP) server for external time synchronization.
Open Shortest Path First: Open Shortest Path First (OSPF) is a link-state routing algorithm that is used to calculate routes based on the number of routers, transmission speed, delays and route cost.
Out-of-band: Out-of-band (OOB) refers to the RS-232 Console port or the management Ethernet port on the SR.
Quality of Service: Quality of Service (QoS) is a set of performance parameters that characterize the traffic over a given connection.
Remote Authentication Dial-In User Service: Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize access to the requested system or service.
Request for Comments: A Request for Comments (RFC) is an Internet Engineering Task Force (IETF) memorandum on Internet systems and standards.
RS-232: RS-232 is a serial communications protocol currently defined by [TIA-232-F].
SAR: SAR is a collective term used in this document to refer to the 7705 SAR-series routers using the SAR OS v21.10.R1 operating system.
SAS: SAS is a collective term used in this document to refer to the 7210 SAS-series switches using the SAS OS v21.9.R1 operating system.
Service Access Point: A Service Access Point (SAP) identifies the customer interface point for a service on an IXR/SR, SAR, or SAS.
Service Access Switch: Service Access Switch (SAS) is a collective term used in this document to refer to the ten 7210 SAS switch models listed in Table 2.
Service Aggregation Router: Service Aggregation Router (SAR) is a collective term used in this document to refer to the eight 7705 SAR router models listed in Table 2.
Service Router: Service Router (SR) is a collective term used in this document to refer to the seven 7750 SR router models listed in Table 2.
Synchronous Digital Hierarchy: Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH) are standardized multiplexing protocols that transfer multiple digital bit streams over optical fiber using lasers or light-emitting diodes (LEDs).
Synchronous Optical Networking: Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH) are standardized multiplexing protocols that transfer multiple digital bit streams over optical fiber using lasers or light-emitting diodes (LEDs).
Terminal Access Controller Access Control System Plus: Terminal Access Controller Access Control System Plus (TACACS+) is an authentication protocol that allows a remote access server to forward an administrator's logon password to an authentication server to determine whether access is allowed to a given system.
Time to Live: Time to Live (TTL) is a limit on the period of time or number of iterations or transmissions in computer and computer network technology that a unit of data (e.g., a packet) experiences before it should be discarded.
Transmission Control Protocol: The Transmission Control Protocol (TCP) enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
User Datagram Protocol: The User Datagram Protocol (UDP) is a transport layer protocol which does not guarantee delivery of data.
Virtual Private Network: A Virtual Private Network (VPN) is a way to provide secure and dedicated communications between a group of private servers over the public Internet.
VPN Routing and Forwarding: VPN Routing and Forwarding (VRF) is a technology used in computer networks that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other.

1.4.2 Acronyms

The following acronyms are used in this ST:

ACL: Access Control List
ADV: Assurance Development (Common Criteria)
AGD: Assurance Guidance Documents (Common Criteria)
ALC: Assurance Life Cycle (Common Criteria)
ANSI: American National Standards Institute
AS: Autonomous System(s)
ASE: Assurance Security Target Evaluation (Common Criteria)
ATE: Assurance Tests (Common Criteria)
ATM: Asynchronous Transfer Mode
AVA: Assurance Vulnerability Assessment (Common Criteria)
BGP: Border Gateway Protocol
CC: Common Criteria for Information Technology Security Evaluation (Common Criteria)
CEM: Common Evaluation Methodology (Common Criteria)
cf: Compact Flash
CLI: Command Line Interface
CPE: Customer Premise Equipment
CPM: Control Processor Module
CPU: Central Processing Unit
CSM: Control and Switching Module
D/DoS: Distributed Denial of Service
DoS: Denial of Service
DUSA: Documented Special Use Addresses
EAL: Evaluation Assurance Level (Common Criteria)
EAL 3+: Evaluation Assurance Level 3, Augmented (Common Criteria)
eBGP: External Border Gateway Protocol
FC: Forwarding Class
FR: Frame Relay
FTP: File Transfer Protocol
GUI: Graphical User Interface
I&A: Identification and Authentication
I/O: Input / Output
IB: In-band
iBGP: Internal Border Gateway Protocol
ID: Identification (or Identity)
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronic Engineers
IETF: Internet Engineering Task Force
IP: Internet Protocol
IPv4: Internet Protocol version 4
IPv6: Internet Protocol version 6
IS-IS: Intermediate System to Intermediate System
ISO: International Organization for Standardization
ISP: Internet Services Provider
IT: Information Technology
IXR: Interconnect Routers
IXR/SR: Interconnect Routers / System Service Router. Refer to the 7x50 family listed in Table 2.
LACP: Link Aggregation Control Protocol (Ethernet LAG Control)
LAG: Link Aggregation Group
LAN: Local Area Network
LDP: Label Distribution Protocol
LED: Light Emitting Diode
LMI: Local Management Interface (e.g., ATM, Ethernet and Frame Relay)
LSR: Label Switch Router
MAC: Media Access Control
MAF: Management Access Filter
MIB: Management Information Base
MPLS: Multi-Protocol Label Switching
MSDP: Multicast Source Discovery Protocol
NSP: Network Services Platform
NTP: Network Time Protocol
OAM: Operation, Administration, and Maintenance
OBJ: Security Objectives (Common Criteria)
OE: Operational Environment
OOB: Out-of-band
OSP: Organizational Security Policies (Common Criteria)
OSPF: Open Shortest Path First
PDH: Plesiochronous Digital Hierarchy
PIM: Protocol Independent Multicast
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
RFC: Request for Comments
RS-232: Serial protocol
RSVP-TE: Resource Reservation Protocol - Traffic Engineering
SAP: Service Access Point
SAR: Security Assurance Requirement
SAR: Service Aggregation Router. See the family of 7705 SAR routers listed in Table 2.
SAS: Service Access Switch. See the family of 7210 SAS switches listed in Table 2.
Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page 14 of 75 SCP Secure Copy SDH Synchronous Digital Hierarchy SDP Service Distribution Point SFP Security Function Policy (Common Criteria) SFR Security Functional Requirement SNMP Simple Network Management Protocol SONET Synchronous Optical Networking SR Service Router Refer to the 7750 SR family of routers listed in Table 2 SR OS Service Router Operating System Refer to the definition of “Nokia 7-Series Service Router Operating System (SR OS) Family” on page 8 for more information. SSH Secure Shell (protocol) ST Security Target (Common Criteria) TACACS+ Terminal Access Controller Access Control System Plus TAI International Atomic Time tar File format used for archiving data (derived from “tape archive”) TCP Transmission Control Protocol TCP/IP Transport Control Protocol over Internet Protocol TOE Target of Evaluation (Common Criteria) TSF TOE Security Functionality (Common Criteria) TSFI TOE Security Functionality Interface (Common Criteria) TSS TOE Summary Specification (Common Criteria) TTL Time to Live UDP User Datagram Protocol UTC Coordinated Universal Time VPN Virtual Private Network VPRN Virtual Private Routed Network VRF VPN Routing and Forwarding W3C World Wide Web Consortium XML Extensible Mark-up Language XRS Extensible Routing System 1.5 TOE OVERVIEW 1.5.1 TOE Type The TOE is an Interconnect Router (IXR) / Service Router (SR) / Service Aggregation Router (SAR) / Service Access Switch (SAS). Nokia 7750 Service Routers (SRs) are deployed in a multi-service edge routing environment (typically service providers, cable operators, and enterprise customers), and the 7250 Interconnect Routers (IXRs) are deployed in open and automated data center environments (mobile, cloud, 5G, and Internet of Things deployments). 
7705 Service Aggregation Routers (SARs) and 7210 Service Access Switches (SASs) are typically deployed in mobile backhaul networks, fixed backhaul networks, and strategic industries’ networks (including power infrastructure companies, train operations, emergency services, government, etc.).

1.5.2 Usage

The SR OS is designed to provide the functionality for infrastructure class telecom equipment including the Nokia 7250 Interconnect Router (IXR), 7750 Service Routers (SRs), 7705 Service Aggregation Routers (SARs), and 7210 Service Access Switches (SASs). The TOE leverages the SR OS to deliver Internet Protocol (IP) and Multi-Protocol Label Switching (MPLS) routing features. The 7250 IXR, 7750 SR, 7705 SAR, and 7210 SAS devices offer security features to address the security requirements in both the network infrastructure and service layers.

Service delivery access methods include: Asynchronous Transfer Mode (ATM), Synchronous Digital Hierarchy (SDH), Plesiochronous Digital Hierarchy (PDH), Ethernet, Synchronous Optical Networking (SONET), Optical Transport Hierarchy (OTH), and serial and analog interfaces. Forwarding technology employed in the product includes Layer 2/Layer 3 encapsulation and Internet Protocol (IP), MPLS and Media Access Control (MAC) forwarding lookup.

The 7750 SR offers service providers and enterprises differentiated services over a single network infrastructure. The 7750 SR is designed to deliver high performance, scalability, and flexibility to support a full array of IP services and functions. The 7250 IXR offers modular, high-scale interconnectivity in data centers and across WANs. The 7705 SAR and 7210 SAS nodes provide service providers with the means to aggregate service delivery in fixed and mobile backhaul networks.

The SR OS family offers the ability to configure an SSH¹ server to establish secure connections to/from the SR OS.
It also supports network access control of client devices on an Ethernet network using the IEEE 802.1x standard. The SR OS family also offers the ability to manage the devices using Simple Network Management Protocol (SNMP).

1.5.3 Security Features

The major security features of the SR OS are audit, Identification & Authentication (I&A), security management, access to the product, and information flow control (i.e., network packets sent through the TOE are subject to router information flow control rules set up by the administrator). The SR OS also provides protection against Denial of Service (DoS) attacks.

1.5.4 TOE Operational Environment

1.5.4.1 General

The IXR/SR, SAR and SAS all have the ability to monitor, route, and manipulate network traffic to facilitate its delivery to the proper destination on a network or between networks. The IXR/SR is typically placed at the edge of a given network or network segment. In the case of residential aggregation, there are broadband service access nodes and aggregator devices between the IXR/SR and the actual customer. There is typically a residential gateway in between the IXR/SR and the actual customer, which is a managed device from the service provider. For business services there is either another level of aggregation switches or Customer Premise Equipment (CPE) between the IXR/SR, SAR, or SAS and the customer network.

The SR can also be deployed in core network architectures, where the interconnection between different operator core networks is maintained. The interconnection between the different core routers relies on a different set of operational protocols and aspects, compared to an SR deployment in an aggregation or residential network.

The SAR and SAS are primarily used in mobile backhaul networks as well as fixed backhaul and strategic industries (power infrastructure companies, train operations, emergency services, government, etc.).
While it can be used for residential services (via the SAR-18 platform), the scale of the IXR/SR is more suited to this situation.

¹ SSH secure communications is a capability of the SR OS; however, the underlying crypto protocols and associated cryptographic functionality are defined outside the TOE, are part of the TOE’s operational environment, and are not evaluated.

For the IXR/SR, SAR or SAS to function, they must have physical access to at least two distinct networks or network segments to pass data between. These are devices that forward data packets along networks. The IXR/SR, SAR or SAS is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP’s network. Between IXR/SRs/SARs/SASs, network control information is exchanged via channels to allow dynamic connection establishment and packet routing. Network control information consists of specific requests and instructions that include destination address, routing controls, and signalling information. To ensure proper operation of the network itself, the network elements can also communicate Operations, Management and Alarm (OAM) information via designated control channels to provide automatic monitoring of the data bearers, and take consecutive actions in the event of deviation from a pre-defined operational steady-state condition.

1.5.4.2 Physical Installation, Deployed Configuration and Interfaces

All TOE interfaces shown in Figure 1, with the exception of the network traffic/data interface, are attached to the internal trusted network. The network traffic/data interface is attached to internal and external networks. The Console Access via RS-232 interface is a direct local connection which provides the CLI. The physical boundary is the operating system (i.e., SR OS v21.10.R1, SAR OS v21.10.R1, or SAS OS v21.9.R1) located on a solid state memory card.
These operating systems run on the various hardware platforms listed in Table 2.

The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. The operational environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE. Fully authorized administrators with access to data have low motivation to attempt to compromise the data because of other assumptions and organization security policies defined herein.

The deployment configuration of the TOE in its intended environment is to be at least as restrictive as the baseline evaluated configuration defined herein and is to be configured in accordance with the operational user/preparative guidance documentation. All administrators are assumed to be “vetted” to help ensure their trustworthiness, and administrator connectivity to the TOE is restricted. Non-administrative entities may have their packets routed by the TOE, but that is the extent of their authorization to the TOE’s resources.

Using the concept of separation of duties, each administrator can have a defined function with respect to the operation of the IXR/SR, SAS, or SAR. Each administrator can only be provided enough access to perform their duties on the network and no more. The deployed configuration of the TOE uses access control, quality of service mechanisms, filters and Access Control Lists (ACLs) to protect against Distributed and other DoS (D/DoS) attacks.

The operational environment is responsible for providing the TOE with the necessary trusted communication interfaces. Remote management traffic (to/from the TOE) will be protected using SNMP, SSH or SCP (secure copy), and remote telnet and FTP will be disabled.

1.5.5 Hardware and Software Supplied by the IT Environment

This section identifies any non-TOE hardware, software, and firmware that is required by the TOE to operate correctly as specified herein.
The TOE is a software TOE consisting of the Nokia 7-Series Service Router Operating System (SR OS) Family, which is an integral component of the Nokia service router product platforms and modules identified in Table 2.

The hardware for the models listed in Table 2 is excluded from the TOE boundary. For the various models there are only performance differences (number of I/O modules, throughput, redundancy, capacity) and no security related differences. Security features, their behaviours, and the way they are configured are the same in the 7x50 IXR/SR, 7705 SAR, and 7210 SAS routers and switches.

There is also the Network Services Platform (NSP) Release 20.6 or later, which provides GUI management functions (e.g., provisioning) for 7x50 IXR/SR, 7705 SAR, and 7210 SAS devices. The NSP is defined outside the TOE boundary. Additionally, the local Console used to interface with the Command Line Interface (CLI) (which provides administrators with backside services) is defined to be outside the TOE boundary.

In the deployed configuration of the TOE in its intended environment, the primary means of administering the TOE during normal operations will be via the CLI accessed using the local Console or SSH. The operational environment requires a local Console and the following local systems attached to the internal trusted network:

- a RADIUS or TACACS+ server for authentication / authorization services;
- the NSP for remote administration;
- SNMP/Syslog servers for logging; and
- a Network Time Protocol (NTP) server for external time synchronization.

Minimum hardware and operating system requirements for the external IT entities connected to the TOE are:

- RADIUS/TACACS+ server: Any combined hardware and operating system platform that supports RFC 2865 (Authentication & Authorization) and RFC 2866 (Accounting) for RADIUS. Any combined hardware and operating system platform that supports RFC 1492 for TACACS+;
- NSP: Any combined hardware and operating system platform that supports NSP;
- SCP/remote CLI: Any combined hardware and operating system platform that supports the operation of the Secure Shell protocol;
- SNMP/Syslog server: Any combined hardware and operating system platform that supports RFC 3411 - RFC 3418 for Simple Network Management Protocol version 3. Any combined hardware and operating system platform that supports RFC 5424, The Syslog Protocol;
- Local Console: Any combined hardware and operating system platform that supports terminal emulation to the ANSI X3.64 standard; and
- NTP server: Any combined hardware and operating system platform that supports RFC 1305 for Network Time Protocol.

1.6 TOE DESCRIPTION

1.6.1 General

The three TOE/product subsystems that directly implement the SR OS security features for the infrastructure/service layer are:

a. Management Plane subsystem;
b. Control Plane subsystem;
c. Data Plane subsystem; and
d. Platform Plane subsystem.

The SR OS software uses a base real-time operating system (OS). The primary copy of the SR OS software is located on a solid state memory card installed in the hardware platforms. The removable media is shipped with each model and contains a copy of the applicable SR OS image (i.e., SR OS v21.10.R1, SAR OS v21.10.R1, or SAS OS v21.9.R1).

1.6.2 Management Plane Subsystem

In the infrastructure layer, the security features for the management plane address security needs associated with network management activities for the SR network elements. The Management Plane subsystem includes the Command Line Interface (CLI) (accessed either via the Console or SSH), SNMP, or SSH. The Network Services Platform (NSP), which is outside the TOE boundary, provides GUI management functions using SNMP or SSH.
The Management Plane provides configuration control and the collection of statistics and state information for reporting. Security capabilities are implemented in this plane. It provides other planes with configuration information and receives statistics and state information from other planes.

1.6.2.1 Management Access Filter

The Management Access Filter (MAF) restricts access to the SR to a small list of servers or support workstations. MAFs are used to restrict traffic on Out-of-band (OOB) Ethernet ports. The MAFs are enforced in software and control all traffic going into the Control Processor Module (CPM), including all routing protocols. MAFs apply to packets from all ports and they are used to restrict management of the SR OS platforms by other nodes outside either specific (sub)networks or through designated ports. MAFs allow the administrator to configure the following:

a. Destination UDP/TCP port number;
b. IP protocol ID;
c. Source port; and
d. Source IP address.

The MAF entries are explicitly created on each router. When the first match is found, its actions are executed. Entries are sequenced from most to least explicit.

1.6.2.2 Login Control Parameters

Login control parameters (for the CLI) can be configured for Console and SSH sessions. These parameters include exponential-back off, idle-timeout, inbound-max-sessions and login-banner. The exponential-back off parameter enables exponential back-off of the login prompt to deter dictionary attacks using the CLI. The idle-timeout parameter configures the maximum amount of idle time that may occur for Console and SSH sessions before the session is terminated by the system. This parameter prevents unauthorized access through an unattended open session. The inbound-max-sessions parameter configures the maximum number of concurrent inbound SSH sessions allowed. The login-banner parameter configures the display of a login banner for CLI login attempts.
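As an added illustration (not SR OS code and not taken from the Security Target), the following Python model shows how three of the login control parameters above interact: with exponential back-off enabled, the login prompt delay doubles after each consecutive failed attempt from a source and is cleared by a successful login; inbound SSH sessions are refused once inbound-max-sessions is reached (the local Console is not counted); and sessions idle longer than idle-timeout are terminated. The numeric defaults (base delay, delay cap, timeout, session limit) are assumptions chosen for the example, not values from the ST.

```python
"""Model of login control parameters (constructed example, not SR OS code).

Covers exponential back-off of the login prompt, inbound-max-sessions for SSH
and idle-timeout for open sessions. All numeric defaults are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    session_id: int
    user: str
    transport: str          # "console" or "ssh"
    last_activity: float    # seconds; a real system would use a monotonic clock


@dataclass
class LoginControl:
    idle_timeout: float = 1800.0      # assumed: seconds before an idle session is dropped
    inbound_max_sessions: int = 5     # assumed: cap on concurrent inbound SSH sessions
    exponential_backoff: bool = True
    base_delay: float = 1.0           # assumed: delay after the first failure, seconds
    max_delay: float = 60.0           # assumed: upper bound on the prompt delay
    failures: Dict[str, int] = field(default_factory=dict)
    sessions: List[Session] = field(default_factory=list)
    _next_id: int = 1

    def prompt_delay(self, source: str) -> float:
        """Seconds the login prompt is held back for this source.

        With exponential back-off enabled the delay doubles with every
        consecutive failure (1, 2, 4, 8, ... capped at max_delay), which is
        what slows a dictionary attack over the CLI; disabled, it is always 0.
        """
        n = self.failures.get(source, 0)
        if not self.exponential_backoff or n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record_failure(self, source: str) -> None:
        self.failures[source] = self.failures.get(source, 0) + 1

    def open_session(self, user: str, transport: str, source: str,
                     now: float) -> Optional[Session]:
        """Open a session after successful authentication; None if refused.

        Only inbound SSH sessions count against inbound-max-sessions: the
        Console is a direct local connection and is not capped here.
        """
        if transport == "ssh":
            active_ssh = sum(1 for s in self.sessions if s.transport == "ssh")
            if active_ssh >= self.inbound_max_sessions:
                return None
        self.failures.pop(source, None)          # a successful login resets back-off
        s = Session(self._next_id, user, transport, now)
        self._next_id += 1
        self.sessions.append(s)
        return s

    def touch(self, session_id: int, now: float) -> None:
        """Record activity on a session (any command keeps it alive)."""
        for s in self.sessions:
            if s.session_id == session_id:
                s.last_activity = now

    def reap_idle(self, now: float) -> List[int]:
        """Terminate sessions idle longer than idle-timeout; return their ids."""
        expired = [s.session_id for s in self.sessions
                   if now - s.last_activity > self.idle_timeout]
        self.sessions = [s for s in self.sessions if s.session_id not in expired]
        return expired
```

The model keeps the failure counter per source rather than per username so that a dictionary attack that cycles usernames still accumulates delay; that choice is the example's, and the ST does not say how SR OS keys the back-off.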
1.6.2.3 Profiles

Administrator profiles are configured to permit or deny access to a hierarchical branch or specific commands. Depending on the authorization requirements, passwords are configured locally or on a RADIUS server. Profiles also specify which protocols the administrator is allowed to use to access the system.

1.6.2.4 Authentication / Authorization

Access permission to the system is controlled:

a. remotely using either:
   (1) TACACS+; or
   (2) RADIUS; or
b. local to the network element.

A profile, which is based on administrator name and password configurations, is applied for the administrator authorization processes. RADIUS and TACACS+ are supported on all TOE interfaces including the console port. This ST addresses TOE (client-side) support of RADIUS and TACACS+ where external authentication services are available via either RADIUS, TACACS+, or both.

1.6.2.5 Local Console Access

Local authentication² uses administrator names and passwords to authenticate login attempts.

1.6.2.6 Secure Copy Protocol (SCP)

The administrator copies and manages software images, configuration files and log files via SCP³. In the evaluated configuration, all of these functions are performed through in-band interfaces and the OOB management Ethernet port.

1.6.3 Control Plane Subsystem

The Control Plane handles the dynamic protocols for the exchange of (reachability, topological, and resource state) information, allowing for an accurate forwarding operation. It provides other planes with pertinent information and services information and receives configuration and state information from others. The Control Plane consists of all software modules that interact with or control how traffic is forwarded through an individual node or the entire network. This includes routing and services protocols as well as OAM functionality.
A Management Access Filter (MAF) can be used to restrict traffic destined for the CPM/CSM, including all routing and OAM protocols. The MAF also provides protection against DoS attacks for traffic destined “to” the TOE. The control plane functions are mainly located in the CPM/CSM of an IXR/SR, SAS or SAR. The Switch Fabric (SF) / Control Processor Module (CPM) (or the Control and Switching Module (CSM) on SAR-series devices) controls the switching and routing functions of the TOE. The TOE provides protection against DoS attacks via access control (including MAF) and quality of service mechanisms. On the IXR/SR and SAR-series routers and switches, filters can be installed for ingress management traffic destined either for the CPM/CSM Ethernet port or any other logical port (LAG, port, or channel) on the device to be subject to the filter action. On the SAS-series, specific filters are installed to identify and direct control traffic to the CPU.

² To establish a console connection, an ASCII terminal or a PC running terminal emulation software is used, set to the parameters: baud rate 115,200, data bits 8, parity none, stop bits 1, flow control none.

³ Secure Copy Protocol (SCP) is a capability of the SR OS versions in the TOE; however, the underlying crypto protocol and associated cryptographic functionality is defined outside the TOE, is part of the TOE’s operational environment, and is not evaluated.

1.6.4 Data Plane Subsystem

The Data Plane handles the forwarding of customer data. It also provides other planes with statistics and state information and receives configuration information for services and forwarding information for the handling of data. Using the Quality of Service (QoS) and Access Control List (ACL) filter capabilities of the SR OS, DoS activity can be mitigated.
ACLs are used to protect against DoS attacks on traffic passing through the routers, and the MAF is used to protect against traffic “to” the TOE. The Data Plane subsystem applies Access Control List (ACL) filter policies on ingress or egress to an interface or service. The Data Plane subsystem provides two types of traffic filters:

a. ip-filters; and
b. mac-filters.

Addresses can be restricted to known MAC/IP addresses; an ACL can be created and maintained to restrict access to the device based on MAC/IP addresses. An ACL or Filter Policy is a filter template. Filter Policies can be applied on ingress or egress to a service access point on an interface, thus allowing the specification of customer-specific access control. The ACL can be used to prevent an unknown party (identified by IP match or MAC match criteria) from accessing the switch’s infrastructure and service layer, and provides security protection for both layers.

Typically, traffic associated with a customer service or standard routing flow is completely handled by the data plane and cannot reach the control or network management planes. In some cases, certain data entering via the data plane may be redirected to the control plane for exception processing, such as:

a. protocol related packets;
b. OAM packets; and
c. error indicating packets.

1.6.5 Platform Plane Subsystem

The platform subsystem manages the overall hardware system (chassis management) and provides the basic tools for other subsystems to obtain information and communicate with other subsystems, as well as the interaction with outside elements.

1.6.6 Out-of-Band Management Interfaces

Out-of-band interfaces use terminal emulation software and connect to the RS-232 Console port on the TOE, or connect through a remote session based on SSH using the management Ethernet port on the TOE. Any out-of-band traffic received on the Management Ethernet port cannot be forwarded out of any in-band ports and vice versa.
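As an added example covering both the MAF entries of section 1.6.2.1 and the ip-filter/mac-filter policies above (a constructed model, not SR OS code), the Python below implements the first-match semantics the ST describes: entries are evaluated in sequence order, the first matching entry decides, a default action applies when nothing matches, and a check reports entries that can never fire because an earlier entry matches everything, which is the ordering mistake the “most to least explicit” rule guards against. The match criteria are the ones the ST lists for a MAF (source IP, IP protocol ID, source port, destination UDP/TCP port) plus destination IP and the MAC pair a mac-filter needs; the addresses, ports and sequence numbers in the samples are made up.

```python
"""First-match filter model for MAF and ACL filter policies (constructed example,
not SR OS code). Sample entries, addresses and ports are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet header; MAC fields are only consulted by mac-filter entries."""
    src_ip: str
    dst_ip: str
    protocol: int                    # IP protocol number: 6 TCP, 17 UDP, 89 OSPF
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None


@dataclass(frozen=True)
class Entry:
    """One filter entry; a criterion left as None is a wildcard for that field."""
    seq: int
    action: str                      # "permit" or "deny"
    src_ip: Optional[str] = None     # prefix in CIDR notation
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        for prefix, addr in ((self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip)):
            if prefix is not None and ip_address(addr) not in ip_network(prefix, strict=False):
                return False
        for want, have in ((self.protocol, p.protocol), (self.src_port, p.src_port),
                           (self.dst_port, p.dst_port)):
            if want is not None and want != have:
                return False
        for want, have in ((self.src_mac, p.src_mac), (self.dst_mac, p.dst_mac)):
            if want is not None and (have is None or want.lower() != have.lower()):
                return False
        return True

    def is_catch_all(self) -> bool:
        return all(v is None for v in (self.src_ip, self.dst_ip, self.protocol, self.src_port,
                                        self.dst_port, self.src_mac, self.dst_mac))


@dataclass
class FilterPolicy:
    """Ordered filter: the lowest-sequence matching entry decides, else default_action."""
    name: str
    entries: List[Entry]
    default_action: str = "deny"     # deny-by-default is the conservative choice for a MAF

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, sequence number of the deciding entry or None for the default)."""
        for e in sorted(self.entries, key=lambda e: e.seq):
            if e.matches(p):
                return e.action, e.seq
        return self.default_action, None

    def shadowed_entries(self) -> List[int]:
        """Sequence numbers that can never fire because an earlier entry is a catch-all."""
        ordered = sorted(self.entries, key=lambda e: e.seq)
        for i, e in enumerate(ordered):
            if e.is_catch_all():
                return [later.seq for later in ordered[i + 1:]]
        return []


def build_sample_maf() -> FilterPolicy:
    """Constructed MAF for traffic to the CPM: SSH/SCP from the admin LAN, SNMPv3 from
    the management station, OSPF from core peers, everything else dropped by default."""
    return FilterPolicy("cpm-maf", [
        Entry(10, "permit", src_ip="10.10.0.0/24", protocol=6, dst_port=22),
        Entry(20, "permit", src_ip="10.10.0.5/32", protocol=17, dst_port=161),
        Entry(30, "permit", src_ip="192.0.2.0/24", protocol=89),
        Entry(40, "deny", protocol=6, dst_port=23),   # Telnet is disabled in the evaluated configuration
    ])


def build_sample_mac_filter() -> FilterPolicy:
    """Constructed mac-filter for a service access point: only the customer's known
    CPE MAC may send into the service."""
    return FilterPolicy("sap-ingress-mac", [Entry(10, "permit", src_mac="00:11:22:33:44:55")])
```

Because the deciding sequence number is returned alongside the action, the same function doubles as a policy audit aid: a permit that is expected to come from a narrow entry but is reported under a broader one shows that the entries are not ordered from most to least explicit.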
1.6.7 In-Band Management Interface

The In-band Management Interface involves management sessions to one of the SR OS IP interfaces using a physical I/O (access or network) port on the device.

1.6.8 Physical Scope

Figure 1 shows the TOE in its deployment configuration.

Note to Figure 1: The physical boundary is the SR OS operating system (i.e., SR OS v21.10.R1, SAR OS v21.10.R1, or SAS OS v21.9.1R1) located on a solid state memory card. The SR OS runs on various hardware platforms, but the hardware platforms are excluded. The TOE’s operational environment requires the following systems be on an internal trusted network: a RADIUS or TACACS+ server for authentication/authorization services, the NSP for limited remote administration, local Console access for most administration, SNMP/Syslog servers for logging, and a Network Time Protocol (NTP) server for external time synchronization.

[Figure 1: TOE Boundary. Diagram showing the TOE (SR OS v21.10.R1, SAR OS v21.10.R1, or SAS OS v21.9.R1) running on a 7x50 IXR/SR, 7705 SAR, or 7210 SAS (IT Environment), with connections to: a RADIUS or TACACS+ Server (Authentication); NSP, remote CLI, SSH & SCP sessions; SNMP and Syslog; an NTP Server; the Local CLI (Console); and network traffic / data. The legend distinguishes TOE from IT Environment.]

1.6.9 Logical Scope

The logical boundaries of the TOE are defined by the functions that are carried out by the TOE at the TOE external interfaces. The TOE addresses the security relevant features described in the following subsections.

1.6.9.1 Audit

Event logging controls the generation, dissemination and recording of system events for monitoring status and troubleshooting faults within the system. Audit also keeps track of the activity of an administrator who has accessed the network.
The type of audit information recorded includes a history of the commands executed, the amount of time spent in the session, the services accessed, and the data transfer size during the session.

1.6.9.2 Identification & Authentication (I&A)

SR OS identifies and authenticates individual users by validating an administrator’s username and password. Administrators are identified and authenticated via local authentication, RADIUS, or TACACS+. All authentication methods are available on each management interface. SR OS also provides authentication failure handling on the Console and the ability for the administrator to define password complexity requirements.

1.6.9.3 Security Management

SR OS implements authorization features which allow the administrator to access and execute commands at various command levels based on the profiles assigned to the administrator. The Administrator configures system security and access functions and logging features using CLI syntax and command usage to configure parameters.

1.6.9.4 TOE Access

Mechanisms place controls on Administrators’ sessions. An administrator-configurable message is displayed before establishing a user session. Local and remote Administrator sessions are dropped after an Administrator-defined time period of inactivity. Dropping the connection of a local or remote session (after the specified time period) reduces the risk of someone accessing the local or remote machine where the session was established and thus gaining unauthorized access to the session.

1.6.9.5 User data protection (Information flow control)

The SR OS enforces an UNAUTHENTICATED SFP whereby the network packets sent through the TOE are subject to router [information flow control] rules set up by the administrator. The Quality of Service (QoS) and Access Control List (ACL) filter capabilities of the SR OS can mitigate DoS activity.

The SR OS enforces an AUTHENTICATED SFP whereby information is passed via application proxy (Console, NSP, SNMP).
Users must first be granted access by the administrator and then authenticated in order to access the router by Console, NSP, or SNMP. Management Access Filters (MAF) can be used to prevent Denial of Service (DoS) attacks.

The SR OS enforces an EXPORT SFP whereby information events are sent from the TOE to SNMP trap, Syslog, and RADIUS/TACACS+ destinations.

1.6.10 Evaluated Configuration

The evaluated configuration for the TOE must include the following enabled/disabled/configured items (all other services, protocols and settings are excluded from the evaluated configuration):

a. Enable SR OS (CLIENT-side) for:
   (1) RADIUS or TACACS+ server authentication/authorization services;
   (2) local Console access for most administration;
   (3) SNMP/Syslog servers for logging; and
   (4) a Network Time Protocol (NTP) server for external time synchronization;
b. Enable routing protocols from this set:
   (1) OSPFv2;
   (2) IS-IS;
   (3) BGP-4; and
   (4) MPLS (LDP, RSVP-TE);
c. Ensure Telnet and FTP remain disabled;
d. Use SNMPv3 only;
e. Configure MAF filters on the IXR/SR, SAR, and SAS devices to restrict access to management ports on the device;
f. Configure MAF filters on IXR/SR and SAR devices for protection of the CSM/CPM by restricting traffic;
g. Configure Border Gateway Protocol (BGP) and Label Distribution Protocol (LDP) Time to Live (TTL) Security on the IXR/SR;
   Application Note: BGP is not included in the scope for SAR or SAS for this Evaluation. These devices can support BGP as part of a VPRN (label distribution) and as an exterior protocol for VPRN (eBGP), but the 7705 SAR and the 7210 SAS do not provide typical border gateway functions such as RR, iBGP, and eBGP for traditional ISP type boundaries.
h. Enforce/enable/configure a strong password policy;
i. Disable sending events to a console destination. The console device is not to be used as an event log destination. A log created with the console type destination displays events on the physical console device. Events are displayed on the console screen whether or not an administrator is logged into the console; and
j. Use SSHv2 only (SSHv1 is not allowed).

1.6.11 Non-evaluated Functions/Features

This section identifies the features of the SR OS product family that are outside the evaluated configuration. The following features of the SR OS product family are outside the evaluated configuration. Their use is allowed in the evaluated configuration, but the features have not been tested.

1. The 7750 SR offers service providers and enterprises differentiated services, from Internet access to multipoint Virtual Private Network (VPN), over a single network infrastructure. VPN is a capability of the SR OS; however, it is defined outside the TOE and was not evaluated.

2. High availability is an important feature in service provider routing systems. Downtime can be very costly, and, in addition to lost revenue, customer information and business-critical communications can be lost. High availability is the combination of continuous uptime over long periods (Mean Time Between Failures (MTBF)) and the speed at which failover or recovery occurs (Mean Time To Repair (MTTR)). Network and service availability are critical aspects when offering advanced IP services, which dictates that the IP routers used to construct the foundations of these networks be resilient to component and software outages. The high availability feature is not in the scope of the evaluated configuration.

3. SSH/SCP secure communications is a capability of the SR OS; however, the underlying cryptographic protocols and associated cryptographic functionality are defined outside the TOE, are part of the TOE’s operational environment, and are not evaluated.

4. Border Gateway Protocol (BGP) is not in the scope of the evaluated configuration.

The following features of the SR OS product family are excluded from the evaluated configuration.

1. The use of Telnet and FTP.
2. The use of the Netconf server.
3. The use of SNMPv1 and SNMPv2.
4. The use of gRPC.
5. The use of SSHv1.
6. SR OS is able to function as an NTP server; however, that capability is excluded from the evaluated configuration. (The use of NTP/SNTP server mode and multicast/broadcast mode are excluded.)
7. Use of the Model-Driven Command Line Interface (MD-CLI). While there are no known issues with the MD-CLI, this administrative interface was not tested during the evaluation.

1.7 TOE GUIDANCE DOCUMENTATION

The guidance documentation that accompanies the TOE for each platform is listed in the following subsections. In addition to these documents, the following document applies to all of the platforms in the TOE:

Nokia 7-Series Service Router Operating System (SR OS) Family Supplemental Common Criteria Guidance, v1.0, 21 March 2022

1.7.1 7250 IXR (SR OS v21.10.R1) Guidance Documentation

[3HE 17342 AAAD TQZZA 01] Nokia 7250 Interconnect Router: Basic System Configuration Guide, Release 21.10.R1, Part Number 3HE 17342 AAAD TQZZA 01
[3HE 17344 AAAD TQZZA 01] Nokia 7250 Interconnect Router: System Management Guide, Release 21.10.R1, Part Number 3HE 17344 AAAD TQZZA 01
[3HE 17345 AAAD TQZZA 01] Nokia 7250 Interconnect Router: Interface Configuration Guide, Release 21.10.R1, Part Number 3HE 17345 AAAD TQZZA 01
[3HE 17343 AAAD TQZZA 01] Nokia 7250 Interconnect Router: Router Configuration Guide, Release 21.10.R1, Part Number 3HE 17343 AAAD TQZZA 01
[3HE 17339 AAAD TQZZA 01] Nokia 7250 Interconnect Router: Unicast Routing Protocols Guide, Release 21.10.R1, Part Number 3HE 17339 AAAD TQZZA 01
[3HE 17340 AAAD TQZZA 01] Nokia 7250 Interconnect Router: Multicast Routing Protocols Guide, Release 21.10.R1, Part Number 3HE 17340 AAAD TQZZA 01
[3HE 17348 AAAD TQZZA 01] Nokia 7250 Interconnect Router: MPLS Guide, Release 21.10.R1, Part Number 3HE 17348 AAAD TQZZA 01
[3HE 17346 AAAD TQZZA 01] Nokia 7250 Interconnect Router: Quality of Service Guide, Release 21.10.R1, Part Number 3HE 17346 AAAD TQZZA 01
[3HE 17347 AAAD TQZZA 01] Nokia 7250 Interconnect Router: OAM and Diagnostics Guide, Release 21.10.R1, Part Number 3HE 17347 AAAD TQZZA 01
[3HE 17355 AAAD TQZZA 01] Nokia 7250 Interconnect Router: Classic CLI Command Reference Guide, Release 21.10.R1, Part Number 3HE 17355 AAAD TQZZA 01
[3HE 17354 AAAD TQZZA 01] Nokia 7250 Interconnect Router: Clear, Monitor, Show, and Tools CLI Command Reference Guide, Release 21.10.R1, Part Number 3HE 17354 AAAD TQZZA 01
[3HE 17438 AAAB TQZZA 01] Nokia 7250 Interconnect Router: Security Best Practices and Hardening Guide, Part Number 3HE 17438 AAAD TQZZA 01

1.7.2 7750 SR (SR OS v21.10.R1) Guidance Documentation

[3HE 17141 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: Basic System Configuration Guide, Release 21.10.R1, Part Number 3HE 17141 AAAD TQZZA 01
[3HE 17163 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: System Management Guide, Release 21.10.R1, Part Number 3HE 17163 AAAD TQZZA 01
[3HE 17147 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: Interface Configuration Guide, Release 21.10.R1, Part Number 3HE 17147 AAAD TQZZA 01
[3HE 17161 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: Router Configuration Guide, Release 21.10.R1, Part Number 3HE 17161 AAAD TQZZA 01
[3HE 17165 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized
Service Router: Unicast Routing Protocols Guide, Release 21.10.R1, Part Number 3HE 17165 AAAD TQZZA 01 [3HE 17155 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: Multicast Routing Protocols Guide, Release 21.10.R1, Part Number 3HE 17155 AAAD TQZZA 01 [3HE 17154 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: MPLS Guide, Release 21.10.R1, Part Number 3HE 17154 AAAD TQZZA 01 [3HE 17159 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: Quality of Service Guide, Release 21.10.R1, Part Number 3HE 17159 AAAD TQZZA 01 [3HE 17158 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: OAM and Diagnostics Guide, Release 21.10.R1, Part Number 3HE 17158 AAAD TQZZA 01 [3HE 17142 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System, Virtualized Service Router: Classic CLI Command Reference Guide, Release 21.10.R1, Part Number 3HE 17142 AAAD TQZZA 01 [3HE 17143 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System, Virtualized Service Router: Clear, Monitor, Show, and Tools Command Reference Guide, Release 21.10.R1, Part Number 3HE 17143 AAAD TQZZA 01 [3HE 17150 AAAD TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: Log Events Guide, Release 21.10.R1, Part Number 3HE 17150 AAAD TQZZA 01 [3HE 16989 AAAB TQZZA 01] Nokia 7450 Ethernet Service Switch, 7750 Service Router, 7950 Extensible Routing System Virtualized Service Router: Security Best Practices and Hardening Guide, Part Number 3HE 16989 AAAB TQZZA 01 Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page 
26 of 75 1.7.3 7705 SAR (SAR OS v21.10.R1) Guidance Documentation [3HE 17547 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: Basic System Configuration Guide, Part Number 3HE 17547 AAAB TQZZA Edition 01 [3HE 17548 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: Interface Configuration Guide, Part Number 3HE 17548 AAAB TQZZA Edition 01 [3HE 17550 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: MPLS Guide, Part Number 3HE 17550 AAAB TQZZA Edition 01 [3HE 17551 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: OAM and Diagnostics Guide, Part Number 3HE 17551 AAAB TQZZA Edition 01 [3HE 17552 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: Quality of Service Guide, Part Number 3HE 17552 AAAB TQZZA Edition 01 [3HE 17553 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: Router Configuration Guide, Part Number 3HE 17553 AAAB TQZZA Edition 01 [3HE 17554 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: Routing Protocols Guide, Part Number 3HE 17554 AAAB TQZZA Edition 01 [3HE 17556 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: System Management Guide, Part Number 3HE 17556 AAAB TQZZA Edition 01 [3HE 17549 AAAB TQZZA 01] Nokia 7705 Service Aggregation Router | Release 21.10.R1: Log Events Guide, Part Number 3HE 17549 AAAB TQZZA Edition 01 1.7.4 7210 SAS (SAS OS v21.9.R1) Guidance Documentation [3HE 17357 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Basic System Configuration Guide, Part Number 3HE 17357 AAAB TQZZA Edition 01 [3HE 17358 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS M, T, R6, R12, Mxp, Sx, S Basic System Configuration Guide, Part Number 3HE 17358 AAAB TQZZA Edition 01 [3HE 17377 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 
3SFP+ 8C System Management Guide, Part Number 3HE 17377 AAAB TQZZA Edition 01 [3HE 17378 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-M, T, R6, R12, Mxp, Sx, S System Management Guide, Part Number 3HE 17378 AAAB TQZZA Edition 01 [3HE 17369 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Router Configuration Guide, Part Number 3HE 17369 AAAB TQZZA Edition 01 [3HE 17370 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-M, T, R6, R12, Mxp, Sx, S Router Configuration Guide, Part Number 3HE 17370 AAAB TQZZA Edition 01 [3HE 17371 AAAB TQZZA] 7210 SAS-D, Dxp, K 2F1C2T Routing Protocols Guide, Part Number 3HE 17371 AAAB TQZZA Edition: 01 [3HE 17372 AAAB TQZZA] 7210 SAS-K 2F6C4T, K 3SFP+ 8C Routing Protocols Guide, Part Number 3HE 17372 AAAB TQZZA Edition: 01 [3HE 17373 AAAB TQZZA] 7210 SAS-M, T, R6, R12, Mxp, Sx, S Routing Protocols Guide, Part Number 3HE 17373 AAAB TQZZA Edition: 01 Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page 27 of 75 [3HE 17359 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Interface Configuration Guide, Part Number 3HE 17359 AAAB TQZZA Edition 01 [3HE 17360 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-M, T, R6, R12, Mxp, Sx, S Interface Configuration Guide, Part Number 3HE 17360 AAAB TQZZA Edition 01 [3HE 17363 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C OAM and Diagnostics Guide, Part Number 3HE 17363 AAAB TQZZA Edition 01 [3HE 17364 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-M, T, R6, R12, Mxp, Sx, S OAM and Diagnostics Guide, Part Number 3HE 17364 AAAB TQZZA Edition 01 [3HE 17361 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-K 2F6C4T, K 3SFP+ 8C MPLS Guide, Part Number 3HE 17361 AAAB TQZZA 
Edition 01 [3HE 17362 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-M, T, R6, R12, Mxp, Sx, S MPLS Guide, Part Number 3HE 17362 AAAB TQZZA Edition 01 [3HE 17365 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-D, Dxp Quality of Service Guide, Part Number 3HE 17365 AAAB TQZZA Edition 01 [3HE 17366 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Quality of Service Guide, Part Number 3HE 17366 AAAB TQZZA Edition 01 [3HE 17367 AAAB TQZZA] Nokia 7210 Service Access Switch| Release 21.9.R1: 7210 SAS-M, T, R6, R12, Mxp, Sx, S Quality of Service Guide, Part Number 3HE 17367 AAAB TQZZA Edition 01 Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page 28 of 75 2 CONFORMANCE CLAIMS 2.1 COMMON CRITERIA CONFORMANCE CLAIM This ST is conformant with the Common Criteria for Information Technology Security Evaluation (CC), Version 3.1, Revision 5, April 2017: b. Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, CCMB-2017-04-001, Version 3.1, Revision 5, April 2017; c. Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components, CCMB-2017-04-002, Version 3.1, Revision 5, April 2017; and d. Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components, CCMB-2017-04-003, Version 3.1, Revision 5, April 2017. The Target of Evaluation (TOE) for this ST is:  CC Part 2 conformant; and  CC Part 3 conformant. 2.2 PROTECTION PROFILE CONFORMANCE CLAIM The TOE described by this ST does not claim conformance with any Protection Profile (PP). 2.3 EVALUATION ASSURANCE LEVEL (EAL) This Security Target claims conformance to EAL3, augmented with ALC_FLR.1 (Basic Flaw Remediation). 
3 SECURITY PROBLEM DEFINITION

The security problem definition shows the threats, Organizational Security Policies (OSPs) and assumptions that must be countered, enforced and upheld by the TOE and its operational environment.

3.1 THREATS

A threat consists of a threat agent, an asset and an adverse action of that threat agent on that asset. The threats listed in Table 3 are addressed by the TOE.

The threat agents consist of unauthorized persons or external IT entities that are not authorized to use the TOE, as well as authorized administrators of the TOE who make errors in configuring the TOE. The threat agents are divided into two categories:

a. Attackers who are not TOE administrators. They have public knowledge of how the TOE operates and are assumed to possess a low skill level, limited resources to alter TOE configuration settings/parameters and no physical access to the TOE; and
b. TOE administrators. They have extensive knowledge of how the TOE operates and are assumed to possess a high skill level, moderate resources to alter TOE configuration settings/parameters and physical access to the TOE. (TOE administrators are, however, assumed not to be wilfully hostile to the TOE.)

The assumed level of expertise of the attacker for all the threats is unsophisticated. Both threat agents are assumed to have a low level of motivation. The IT assets requiring protection are the user data saved on or transiting through the TOE and the hosts on the protected network. Considering the possible attack scenarios for the deployed configuration of the TOE in its intended environment, the level of attack potential assumed for the attacker is BASIC [4], which is in keeping with the desired EAL 3+ assurance level of this TOE, considering factors of attackers' expertise, resources, opportunity and motivation. Fully authorized administrators with access to data have low motivation to attempt to compromise the data because of other assumptions and organizational security policies defined herein.

[4] Attack Potential is a function of expertise, resources and motivation. Refer to Sections B.3 and B.4 of the "Common Methodology for Information Technology Security Evaluation - Evaluation Methodology", Document ID: CCMB-2017-04-004, for a detailed discussion of Attack Potential and how it is estimated.

Table 3: Threats

T.AUDIT
    Actions performed by administrators (modification of TOE and network infrastructure and service layer system security configuration/parameters) may not be known to the administrators due to actions not being recorded (and time stamped) or the audit records not being reviewed prior to the machine shutting down, or an unauthorized administrator modifies or destroys audit data.

T.TSF_DATA
    A malicious administrator may gain unauthorised access to inappropriately view, tamper, modify, or delete TOE Security Functionality (TSF) data.

T.MEDIATE
    An unauthorized entity may send impermissible information through the TOE which results in the exploitation (e.g., destruction, modification, or removal of information and/or other resources), and/or exhaustion of resources on the network (e.g., bandwidth consumption or packet manipulation).

T.UNATTENDED_SESSION
    A user may gain unauthorized access to an unattended session and view and change the TOE security configuration.

T.UNAUTH_MGT_ACCESS
    An unauthorized user gains management access to the TOE and views or changes the TOE security configuration.

3.2 ORGANIZATIONAL SECURITY POLICIES

Organizational security policies may be defined by the end-user of the TOE. The TOE developer provides procedural security recommendations to the purchaser of the TOE. Table 4 defines the Organizational Security Policies (OSPs) that are to be enforced by the TOE, its operational environment, or a combination of the two.

Table 4: Organizational Security Policies

P.CONSOLE
    In the deployed configuration of the TOE in its intended environment, the primary means of administering the TOE during normal operations will be via CLI accessed over the local Console or SSH.

P.DEPLOYED_CONFIG
    The deployed configuration of the TOE in its intended environment shall be at least as restrictive as the baseline evaluated configuration defined herein and will be configured in accordance with guidance documentation.

P.USERS
    The TOE is administered by one or more Administrators who have been granted rights to administer the TOE. All administrators are "vetted" to help ensure their trustworthiness, and administrator connectivity to the TOE is restricted. Non-administrative entities may have their packets routed by the TOE, but that is the extent of their authorization to the TOE's resources.

3.3 OPERATIONAL ENVIRONMENT ASSUMPTIONS

This section of the security problem definition shows the assumptions that are made on the operational environment in order to be able to provide the claimed security functionality. If the TOE is placed in an operational environment that does not meet these assumptions, the TOE may no longer be able to provide all of its security functionality. Assumptions are made on the physical, personnel and operational environment.

3.3.1 Personnel Assumptions

Table 5 identifies the assumptions made regarding the personnel who will manage and operate the TOE in its intended operating environment.

Table 5: Personnel Assumptions

A.ADMINISTRATOR
    It is assumed that authorized administrators are not careless, wilfully negligent, or hostile and will follow and abide by the instructions provided by the TOE documentation, including the administrator guidance, and will periodically check the audit record; however, they are capable of error. It is further assumed that personnel will be trained in the appropriate use of the TOE to ensure security.

3.3.2 Physical Environment Assumptions

Table 6 identifies the assumptions made regarding the physical environment in which the TOE will operate.

Table 6: Physical Environment Assumptions

A.PHYSICAL
    It is assumed that the operational environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE.

A.LOCATION
    It is assumed that the processing resources of the TOE will be located within controlled access facilities which will prevent unauthorized physical access.

A.CONNECTIVITY
    It is assumed that the trusted remote systems that communicate with the TOE, except for the network traffic/data interface, are attached to the internal (trusted) network. This includes: (1) the RADIUS, TACACS+ server; (2) the NSP server; (3) the system with SCP interface; (4) the SNMP, Syslog servers; and (5) the NTP server. The network traffic/data interface is attached to internal and external networks. Console access is via RS-232, a direct local connection in the same physical location as the TOE.

3.3.3 Operational Assumptions

The specific conditions identified in Table 7 are assumed to exist for how the TOE is operated in its environment.

Table 7: Operational Assumptions

A.GENPURPOSE
    It is assumed that there are no general purpose computing capabilities (e.g., the ability to execute arbitrary code or applications) and storage repository capabilities on the TOE.

A.EXT_AUTHORIZATION
    It is assumed that external authentication services will be available to the TOE via either RADIUS, TACACS+, or both, based on defined Internet Engineering Task Force (IETF) standards.

A.INTEROPERABILITY
    It is assumed that the TOE functions with the external IT entities shown in Figure 1 and with other vendors' routers on the network and meets Request for Comments (RFC) requirements for implemented protocols.

A.TIMESTAMP
    It is assumed that the Operational Environment provides the TOE with the necessary reliable time stamp. External Network Time Protocol (NTP) services will also be available to provide external time synchronization.

A.TRUSTED_COMM [5]
    It is assumed that the Operational Environment will provide trusted communications with the following trusted systems: NSP server, system with SCP interface/remote CLI, SNMP server. It is expected that the operational environment:
    a. provides the TOE with the necessary trusted interfaces. Remote management traffic (to/from the TOE) will be protected using SNMP, SSH or SCP (secure copy). Remote Telnet and FTP will be disabled.
    b. will protect remote administrative sessions from eavesdropping. The Operational Environment will provide a means to ensure that administrators are not communicating with some other entity pretending to be the TOE when supplying identification and authentication data.
    c. will protect communications with remote external IT entities. The Operational Environment will ensure that the communication channel is logically distinct from other communication channels.
[5] SSH/SCP communications are a capability provided by the SR OS; however, the underlying crypto protocols are defined outside the TOE, are part of the TOE's operational environment and are not evaluated.

4 SECURITY OBJECTIVES

Security objectives are a concise and abstract statement of the intended solution to the problem defined by the security problem definition. This section describes the security objectives for the TOE and the TOE's operating environment. The security objectives are divided between TOE Security Objectives (i.e., security objectives addressed directly by the TOE) and Security Objectives for the Operating Environment (i.e., security objectives addressed by the IT domain or by non-technical or procedural means). Mappings of security objectives to assumptions, threats and organizational security policies, along with supporting rationale, are found in Section 4.3.

4.1 SECURITY OBJECTIVES FOR THE TOE

Table 8 defines the TOE security objectives that are to be addressed by the TOE.

Table 8: TOE Security Objectives

O.AUDIT
    The TOE will generate audit records which will include the time that the event occurred and the identity of the administrator performing the event. The TOE will provide the privileged administrators the capability to review audit data and will restrict audit review to administrators who have been granted explicit read-access.

O.MANAGE
    The TOE will provide all the functions and facilities necessary to support the administrators in their management of the security of the TOE, and restrict these functions and facilities from unauthorized use.

O.I&A
    The TOE will uniquely identify and authenticate the claimed identity of all administrators before granting management access, and will control their actions.

O.MEDIATE
    The TOE must mediate the flow of all information between hosts located on disparate internal and external networks governed by the TOE. The TOE must mediate the flow of information between sets of TOE network interfaces or between a network interface and the TOE itself in accordance with its security policy.

O.TOE_ACCESS
    The TOE will provide mechanisms that control an administrator's logical access to the TOE and will explicitly deny access to specific administrators when appropriate.

For a detailed mapping between threats and the TOE security objectives listed in Table 8, see Section 4.3.1, starting on page 35.

4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT

4.2.1 IT Security Objectives for the Operational Environment

The IT security objectives for the environment [6] listed in Table 9 are to be addressed by the Operational Environment via technical means.

Table 9: IT Security Objectives for the Operational Environment

OE.TIME
    The Operational Environment will supply the TOE with a reliable time source.

OE.EXT_AUTHORIZATION
    A RADIUS server, a TACACS+ server, or both must be available for external authentication services.

OE.TRUSTED_COMM
    The Operational Environment:
    a. will provide the TOE with the necessary trusted interfaces.
    b. will support Secure Shell Version 2 (SSH), a protocol that provides a secure connection to the router. A connection is always initiated by the client (the administrator). Authentication takes place by one of the configured authentication methods (local, RADIUS, or TACACS+). SSH allows for a secure connection over an insecure network. The remote CLI/SCP interface uses SSH. The NSP can use SSH.
    c. will support SNMPv3 for communication with NSP and SNMP servers.

OE.GENPURPOSE
    There are no general purpose computing capabilities (e.g., the ability to execute arbitrary code or applications) and storage repository capabilities for the TOE in its operational environment.

OE.INTEROPERABILITY
    The external IT entities shown in Figure 1 will be able to function with the TOE and with other vendors' routers on the network and meet Request for Comments (RFC) requirements for implemented protocols.

OE.CONNECTIVITY
    All TOE external interfaces except for the network traffic/data interface are attached to the internal (trusted) network. This includes: (1) the RADIUS, TACACS+ server interface; (2) the NSP, SCP interface; (3) the SNMP, Syslog interface; and (4) the NTP interface. The network traffic/data interface is attached to internal and external networks. Console access is via RS-232, a direct local connection in the same physical location as the TOE.

OE.DEPLOYED_CONFIG
    The deployed configuration of the TOE in its intended environment shall be at least as restrictive as the baseline evaluated configuration defined herein and will be configured in accordance with guidance documentation.

OE.CONSOLE
    In the deployed configuration of the TOE in its intended environment, the primary means of administering the TOE during normal operations will be via CLI accessed over the local Console and SSH.

[6] Secure Copy Protocol (SCP) and SSH secure communications are capabilities of the SR OS; however, the underlying crypto protocols and associated cryptographic functionality are defined outside the TOE, are part of the TOE's operational environment and are not evaluated. This ST addresses TOE (client-side) support of RADIUS and TACACS+ where external authentication services are available via either RADIUS, TACACS+, or both. RADIUS or TACACS+ authentication servers or NTP servers with which the SR OS communicates are considered external IT entities that are part of the TOE's operational environment. The operational environment for the SR OS requires a RADIUS or TACACS+ server and the NSP for remote administration, and a Network Time Protocol (NTP) server for external time synchronization.

4.2.2 Non-IT Security Objectives for the Operational Environment

The non-IT security objectives listed in Table 10 are to be satisfied without imposing technical requirements on the TOE. Thus, they will be satisfied through application of procedural or administrative measures.

Table 10: Non-IT Security Objectives for the Operational Environment

OE.ADMINISTRATOR
    The authorized administrators are not careless, wilfully negligent, or hostile and will follow and abide by the instructions provided by the TOE documentation, including the administrator guidance (e.g., procedures to review/manage audit records); however, they are capable of error. Personnel will be trained in the appropriate use of the TOE to ensure security.

OE.LOCATION
    The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access.

OE.PHYSICAL
    The operational environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE.

OE.USERS
    All administrators are "vetted" to help ensure their trustworthiness, and administrator connectivity to the TOE is restricted. Non-administrative entities may have their packets routed by the TOE, but that is the extent of their authorization to the TOE's resources.
4.3 SECURITY OBJECTIVES RATIONALE 4.3.1 Security Objectives Rationale Related to Threats Table 11 provides a bi-directional mapping of Security Objectives to Threats. It shows that each of the threats is addressed by at least one of the security objectives, and that each of the TOE security objectives addresses at least one of the threats. Following this table is rationale that discusses how each threat is countered by one or more Security Objectives. Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page 36 of 75 Table 11: Mapping Of Security Objectives to Threats O.AUDIT O.I&A O.MANAGE O.MEDIATE O.TOE_ACCESS OE.ADMINISTRATOR OE.TIME T.AUDIT X X X T.MEDIATE X T.TSF_DATA X X T.UNATTENDED_SESSION X T.UNAUTH_MGT_ACCESS X 4.3.1.1 T.AUDIT Countered Rationale T.AUDIT Actions performed by administrators (modification of TOE and network infrastructure and service layer system security configuration/parameters) may not be known to the administrators due to actions not being recorded (and time stamped) or the audit records not being reviewed prior to the machine shutting down, or an unauthorized administrator modifies or destroys audit data. The O.AUDIT objective requires that the TOE mitigate this threat by generating audit records. O.AUDIT requires the TOE provide the Authorized administrator with the capability to view Audit data. O.AUDIT requires that the TOE protect audit data. O.AUDIT also requires the TOE to restrict audit review to administrators who have been granted explicit read-access. The OE.ADMINISTRATOR objective on the environment assists in covering this threat on the TOE by requiring that the administrator abide by the instructions provided by the TOE documentation, including the administrator guidance to periodically check the audit record. The OE.TIME objective on the environment assists in covering this threat by requiring that the OE provide accurate time to the TOE for use in the audit records. 
These objectives provide complete TOE coverage of the threat. 4.3.1.2 T.MEDIATE Countered Rationale T.MEDIATE An unauthorized entity may send impermissible information through the TOE which results in the exploitation (e.g., destruction, modification, or removal of information and/or other resources), and/or exhaustion of resources on the network (e.g., bandwidth consumption or packet manipulation). The O.MEDIATE security objective requires that the TOE mitigate this threat by ensuring all information that passes through the network is mediated by the TOE. O.MEDIATE requires that the TOE mitigate this threat by mediating the flow of information between sets of TOE network interfaces or between a network interface and the TOE itself in accordance with its security policy. This objective provides complete TOE coverage of the threat. Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page 37 of 75 4.3.1.3 T.TSF_DATA Countered Rationale T.TSF_DATA A malicious administrator may gain unauthorised access to inappropriately view, tamper, modify, or delete TOE Security Functionality (TSF) data. The O.MANAGE objective requires that the TOE mitigate this threat by providing all the functions and facilities necessary to support the administrators in their management of the security of the TOE, and restrict these functions and facilities from unauthorized use. This objective provides complete TOE coverage of the threat. The OE.ADMINISTRATOR objective on the environment assists in covering this threat on the TOE by requiring that the administrator abide by the instructions provided by the TOE documentation, including the administrator guidance to periodically check the audit record, reducing the possibility for error. 4.3.1.4 T.UNATTENDED_SESSION Countered Rationale T.UNATTENDED_SESSION A user may gain unauthorized access to an unattended session and view and change the TOE security configuration. 
The O.TOE_ACCESS objective requires that the TOE mitigate this threat by including mechanisms that place controls on administrator’s sessions. Local and remote administrator’s sessions are dropped after an Administrator-defined time period of inactivity. Dropping the connection of a local and remote session (after the specified time period) reduces the risk of someone accessing the local and remote machines where the session was established, thus gaining unauthorized access to the session. This objective provides complete TOE coverage of the threat. 4.3.1.5 T.UNAUTH_MGT_ACCESS Countered Rationale T.UNAUTH_MGT_ACCESS An unauthorized user gains management access to the TOE and views or changes the TOE security configuration. The O.I&A objective requires that the TOE mitigate this threat by uniquely identifying and authenticating the claimed identity of all administrators before granting management access and to control their actions. O.I&A requires an administrator to enter a unique identifier and authentication before management access is granted. These objectives provide complete TOE coverage of the threat. 4.3.2 Environment Security Objectives Rationale Related to Assumptions and OSPs Table 12 provides a bi-directional mapping of Assumptions and OSPs to Security Objectives for the Operational Environment. Since the Security Objectives for the Operational Environment were derived directly from the Assumptions and OSPs there is a one to one mapping between them. It is also clear since the Security Objectives for the Operational Environment are simply a restatement of the applicable assumption or OSP, that each objective is suitable to meet its corresponding assumption or OSP. 
Table 12: Mapping of Environment Security Objectives to Assumptions and OSPs

Assumption / OSP       Security Objective for the Operational Environment
A.ADMINISTRATOR        OE.ADMINISTRATOR
A.CONNECTIVITY         OE.CONNECTIVITY
A.EXT_AUTHORIZATION    OE.EXT_AUTHORIZATION
A.GENPURPOSE           OE.GENPURPOSE
A.INTEROPERABILITY     OE.INTEROPERABILITY
A.LOCATION             OE.LOCATION
A.PHYSICAL             OE.PHYSICAL
A.TIMESTAMP            OE.TIME
A.TRUSTED_COMM         OE.TRUSTED_COMM
P.CONSOLE              OE.CONSOLE
P.DEPLOYED_CONFIG      OE.DEPLOYED_CONFIG
P.USERS                OE.USERS

4.3.3 Security Objectives Summary Mapping

This section provides a consolidated summary of the two previous sections, demonstrating that each organizational security policy, threat and assumption maps to no less than one security objective.

Columns: O.AUDIT, O.I&A, O.MANAGE, O.MEDIATE, O.TOE_ACCESS; Operational Environment Security Objectives: OE.ADMINISTRATOR, OE.CONNECTIVITY, OE.CONSOLE, OE.DEPLOYED_CONFIG, OE.EXT_AUTHORIZATION, OE.GENPURPOSE, OE.INTEROPERABILITY, OE.LOCATION, OE.PHYSICAL, OE.TIME, OE.TRUSTED_COMM, OE.USERS. Each X marks one objective the row maps to.

Organizational Security Policies
P.CONSOLE              X
P.DEPLOYED_CONFIG      X
P.USERS                X

Threats
T.AUDIT                X X X
T.MEDIATE              X
T.TSF_DATA             X X
T.UNATTENDED_SESSION   X
T.UNAUTH_MGT_ACCESS    X

Assumptions
A.ADMINISTRATOR        X
A.CONNECTIVITY         X
A.EXT_AUTHORIZATION    X
A.GENPURPOSE           X
A.INTEROPERABILITY     X
A.LOCATION             X
A.PHYSICAL             X
A.TIMESTAMP            X
A.TRUSTED_COMM         X

5 EXTENDED COMPONENTS DEFINITION

There are no extended SFRs for the TOE.

6 SECURITY REQUIREMENTS

Section 6 provides security functional and assurance requirements that must be satisfied by a compliant TOE.
These requirements consist of functional components from Part 2 of the CC and an Evaluation Assurance Level (EAL) that contains assurance components from Part 3 of the CC. The security requirements consist of two groups of requirements:

a. the security functional requirements (SFRs): a translation of the security objectives for the TOE into a standardised language; and
b. the security assurance requirements (SARs): a description of how assurance is to be gained that the TOE meets the SFRs.

6.1 SECURITY REQUIREMENTS PRESENTATION CONVENTIONS

The CC permits four types of operations to be performed on functional requirements: selection, assignment, refinement, and iteration. These operations, when performed on requirements that derive from CC Part 2, are identified in this ST in the following manner:

a. Selection: Indicated by surrounding brackets and italicized text, e.g., [selected item]. To improve readability, selections of [none] are generally not shown;
b. Assignment: Indicated by surrounding brackets and regular text, e.g., [assigned item]. To improve readability, assignments of [none] are not shown unless doing so aids in the readability and understandability of the specified requirement;
c. Refinement: Refined components are identified by underlining additional information, or strikeout for deleted text; and
d. Iteration: Indicated by assigning a number in parentheses to the end of the functional component identifier as well as by modifying the functional component title to distinguish between iterations, e.g., ‘FDP_IFC.1(1), Subset Information Flow Control (Peered Policy)’ and ‘FDP_IFC.1(2) Subset Information Flow Control (Authenticated Policy)’.

The markings are relative to the requirement statements in the Common Criteria standard.

6.2 TOE SECURITY FUNCTIONAL REQUIREMENTS

The security functional requirements for this ST consist of the following components from Part 2 of the CC, as summarized in Table 13.
Table 13: Summary of Security Functional Requirements

Security Audit (FAU)
  FAU_GEN.1     Audit Data Generation
  FAU_GEN.2     User Identity Association
  FAU_SAR.1     Audit Review
  FAU_SAR.2     Restricted Audit Review
User Data Protection (FDP)
  FDP_IFC.1(1)  Subset Information Flow Control (Unauthenticated Policy)
  FDP_IFC.1(2)  Subset Information Flow Control (Authenticated Policy)
  FDP_IFC.1(3)  Subset Information Flow Control (Export Policy)
  FDP_IFF.1(1)  Simple Security Attributes (Unauthenticated Policy)
  FDP_IFF.1(2)  Simple Security Attributes (Authenticated Policy)
  FDP_IFF.1(3)  Simple Security Attributes (Export Policy)
Identification and Authentication (FIA)
  FIA_AFL.1(1)  Authentication Failure Handling (CLI)
  FIA_AFL.1(2)  Authentication Failure Handling (Exponential Back Off - CLI)
  FIA_SOS.1     Verification of Secrets
  FIA_UAU.2     User Authentication Before Any Action
  FIA_UAU.5     Multiple Authentication Mechanisms
  FIA_UID.2     User Identification Before Any Action
Security Management (FMT)
  FMT_MOF.1     Management of Security Functions Behaviour
  FMT_MSA.1     Management of Security Attributes
  FMT_MSA.3     Static Attribute Initialization
  FMT_SMF.1     Specification of Management Functions
  FMT_SMR.1     Security Roles
Protection of the TSF (FPT)
  FPT_STM.1     Reliable Time Stamps
TOE Access (FTA)
  FTA_SSL.3     TSF-initiated Termination
  FTA_SSL.4     User Initiated Termination
  FTA_TAB.1     Default TOE access banners
  FTA_TSE.1     TOE Session Establishment

6.2.1 Security Audit (FAU)

6.2.1.1 FAU_GEN.1 Audit Data Generation

Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable Time Stamps

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) start-up and shutdown of the audit functions;
b) all auditable events for the [not specified] level of audit;
c) [Log successful activity of administrators;
d) Log critical network traffic;
e) Logging of successful configuration changes; and
f) Security breach logging.]

Application Note: Log critical network traffic. Applications within the SR OS for which log entries are generated are: IP, routing protocols and services, and CLI and remote access.

Logging of configuration changes. The change activity event source is all events that directly affect the configuration or operation of the TOE as defined in Section 6.2.4.4 (FMT_SMF.1 Specification of Management Functions) and Section 7.1.4.4 (Specification of Management Functions).

Security breach logging. The security event source is all events that affect attempts to breach system security, such as failed login attempts or attempts to access Management Information Base (MIB) tables to which the administrator is not granted access. Security events are generated by the security application.

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, and the outcome (success or failure) (short text description) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the ST, [none].

6.2.1.2 FAU_GEN.2 User Identity Association

Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit Data Generation
              FIA_UID.1 Timing of Identification

FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.
6.2.1.3 FAU_SAR.1 Audit Review

Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit Data Generation

FAU_SAR.1.1 The TSF shall provide [authorized administrators] with the capability to read [all audit data] from the audit records.

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

Application Note: This SFR (FAU_SAR.1) does not apply to the syslog and session audit files.

6.2.1.4 FAU_SAR.2 Restricted Audit Review

Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit Review

FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

Application Note: This SFR (FAU_SAR.2) does not apply to the syslog and session audit files.

6.2.2 User Data Protection (FDP)

6.2.2.1 FDP_IFC.1(1) Subset Information Flow Control (Unauthenticated Policy)

Hierarchical to: No other components.
Dependencies: FDP_IFF.1(1) Simple Security Attributes (Unauthenticated Policy)

FDP_IFC.1.1(1) The TSF shall enforce the [UNAUTHENTICATED SFP] on [
a) subjects: each IT entity that sends and receives information through the TOE to one another;
b) information: network packets sent through the TOE from one subject to another; and
c) operations: route packets].

6.2.2.2 FDP_IFC.1(2) Subset Information Flow Control (Authenticated Policy)

Hierarchical to: No other components.
Dependencies: FDP_IFF.1(2) Simple Security Attributes (Authenticated Policy)

FDP_IFC.1.1(2) The TSF shall enforce the [AUTHENTICATED INFORMATION FLOW SFP] on [
a) source subject representing authenticated user: source network identifier;
b) destination subject: TOE interface to which information is destined;
c) information: network packets; and
d) operations: pass information via application proxy (Console, NSP, file-copy)].
6.2.2.3 FDP_IFC.1(3) Subset Information Flow Control (Export Policy)

Hierarchical to: No other components.
Dependencies: FDP_IFF.1(3) Simple Security Attributes (Export Policy)

FDP_IFC.1.1(3) The TSF shall enforce the [EXPORT SFP] on [
a) subjects: each IT entity that receives information from the TOE;
b) information: events sent from the TOE to SNMP trap, Syslog and RADIUS/TACACS+ destinations; and
c) operations: send events].

6.2.2.4 FDP_IFF.1(1) Simple Security Attributes (Unauthenticated Policy)

Hierarchical to: No other components.
Dependencies: FDP_IFC.1(1) Subset Information Flow Control (Unauthenticated Policy)
              FMT_MSA.3 Static Attribute Initialization

FDP_IFF.1.1(1) The TSF shall enforce the [UNAUTHENTICATED SFP] based on the following types of subject and information security attributes: [
a) security subject attributes:
   i. IP network address, MAC address, and port of source subject;
   ii. IP network address and port of destination subject;
   iii. transport layer protocols and their flags and attributes (UDP, TCP);
   iv. network layer protocol (IP, ICMP);
   v. Documented Special Use (DUSA) IPv4 addresses;
   vi. interface on which traffic arrives and departs; and
   vii. routing protocols and their configuration and state].

FDP_IFF.1.2(1) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
a) the identity of the source subject is in the set of source subject identifiers (i.e., addresses);
b) the identity of the destination entity is in the set of destination entity identifiers (i.e., addresses);

Application Note: The sets of identifiers are associated with the physical router interfaces.
c) the information security attributes match the attributes in an information flow policy rule (contained in the information flow policy rule set defined by the Administrator) according to the following algorithm [First match. When multiple policy names are specified, the policies shall be executed in the order they are specified. The first policy that matches is applied]; and
d) the selected information flow policy rule specifies that the information flow is to be permitted].

FDP_IFF.1.3(1) The TSF shall enforce the [following additional information flow control rules:
a) Each IFF filter policy must consist of at least one filter entry. Each entry shall consist of a collection of filter match criteria. When packets enter the ingress or egress ports, packets shall be compared to the criteria specified within the entry or entries;
b) For packet matching criteria, as few or as many match parameters are specified as required, but all conditions must be met in order for the packet to be considered a match and the specified action performed. The process stops when the first complete match is found and then executes the action defined in the policy entry, either to drop or forward packets that match the criteria; and
c) Using filters and Access Control Lists (ACLs) to protect against Distributed and other DoS (D/DoS) attacks].

FDP_IFF.1.4(1) The TSF shall explicitly authorize an information flow based on the following rules: [none].

FDP_IFF.1.5(1) The TSF shall explicitly deny an information flow based on the following rules: [
a) The TOE shall reject requests for access or services where the source identity of the information received by the TOE is not included in the set of source identifiers for the source subject;

Application Note: The intent of this requirement is to ensure that a user cannot send packets originating on one TOE interface claiming to originate on another TOE interface.
b) The TOE shall reject requests for access or services where the source identity of the information received by the TOE specifies a broadcast identity;

Application Note: A broadcast identity is one that specifies more than one host address on a network. It is understood that the TOE only knows the sub-netting configuration of networks directly connected to the TOE’s interfaces and therefore is only aware of broadcast addresses on those networks.

c) The TSF shall reject requests for access or services where the presumed source identity of the information received by the TOE specifies a loopback identifier;
d) The TSF shall drop requests in which the information received by the TOE does not correspond to an entry in the routing table;
e) The TSF shall deny information flows that do not conform to the layer 3 IP packet header specification;
f) The TSF shall deny information flows based on filter policies (access control lists (ACLs)) selectively blocking traffic matching criteria from ingressing or egressing the TOE. Filter policies shall control the traffic allowed in or out of the TOE based on MAC or IP match criteria. Non-matching packets shall be dropped/denied;
g) When packets arrive at the TOE that are not destined to any of the SR OS network management interfaces, they will be either dropped or forwarded in accordance with the type of service, ACL and policies configured; and
h) The TSF shall block traffic going to a destination address based on an IP prefix received from a customer].

6.2.2.5 FDP_IFF.1(2) Simple Security Attributes (Authenticated Policy)

Hierarchical to: No other components.
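The first-match filter evaluation required by FDP_IFF.1.2(1) c) and FDP_IFF.1.3(1) b), preceded by the explicit-deny rules a) to d) of FDP_IFF.1.5(1) and the default drop of rule f), modelled in Python as an added example (this is not SR OS code and not part of the ST). The interfaces, routing table and filter entries are constructed sample data, and mapping each interface to its connected prefix as its "set of source identifiers" is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample topology: each TOE interface owns one directly connected
# prefix, used here as its set of source identifiers (assumption, FDP_IFF.1.5(1) a)).
INTERFACES = {
    "to-customer": ipaddress.ip_network("192.0.2.0/24"),
    "to-core": ipaddress.ip_network("198.51.100.0/24"),
}
# Constructed routing table (FDP_IFF.1.5(1) d)): destinations with no entry are dropped.
ROUTES = [ipaddress.ip_network(p) for p in
          ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    in_iface: str                   # interface the packet arrived on
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class FilterEntry:
    """One filter entry: every listed criterion must match for the entry to apply."""
    action: str                                  # "forward" or "drop"
    match: dict = field(default_factory=dict)    # e.g. {"proto": "tcp", "dst_port": 443}

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.match.items():
            have = getattr(pkt, key)
            if key in ("src", "dst"):            # address criteria are prefixes
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif have != want:
                return False
        return True


def explicit_deny(pkt: Packet) -> Optional[str]:
    """FDP_IFF.1.5(1) rules a) to d); returns the reason, or None if none applies."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    ingress = INTERFACES[pkt.in_iface]
    if src.is_loopback:                                        # rule c)
        return "loopback source"
    # Rule b): the TOE only knows broadcast addresses of its connected networks.
    if src == ingress.broadcast_address or src == ipaddress.ip_address("255.255.255.255"):
        return "broadcast source"
    if src not in ingress:                                     # rule a), anti-spoofing
        return "source not in ingress interface identifier set"
    if not any(dst in route for route in ROUTES):              # rule d)
        return "no route to destination"
    return None


def apply_policies(pkt: Packet, policies) -> tuple:
    """Policies are tried in configured order; the first complete match decides.
    A packet matching no entry is dropped (FDP_IFF.1.5(1) f))."""
    for name, entries in policies:
        for idx, entry in enumerate(entries, start=1):
            if entry.matches(pkt):
                return entry.action, f"{name}#{idx}"
    return "drop", "no matching entry"


def mediate(pkt: Packet, policies) -> tuple:
    """Full decision: explicit-deny checks first, then the ordered filter policies."""
    reason = explicit_deny(pkt)
    if reason is not None:
        return "drop", reason
    return apply_policies(pkt, policies)


# Constructed sample filter policies, evaluated in this order.
POLICIES = [
    ("customer-in", [
        FilterEntry("drop", {"proto": "tcp", "dst_port": 23}),      # block telnet
        FilterEntry("forward", {"proto": "tcp", "dst_port": 443}),
        FilterEntry("forward", {"proto": "icmp"}),
    ]),
    ("dns-lower-half", [
        FilterEntry("forward", {"src": "192.0.2.0/25", "proto": "udp", "dst_port": 53}),
    ]),
]
```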
Dependencies: FDP_IFC.1(2) Subset Information Flow Control (Authenticated Policy)
              FMT_MSA.3 Static Attribute Initialization

FDP_IFF.1.1(2) The TSF shall enforce the [AUTHENTICATED INFORMATION FLOW SFP] based on the following types of subject and information security attributes: [
a) Source subject security attributes: source port and IP protocol ID and address, username/password and profile, source network identifier, remote or console session idle timeout, maximum number of concurrent inbound remote sessions, administrator permission for remote or console access, local home directory for the administrator for remote or console access;
b) Destination subject security attributes: set of destination subject identifiers (UDP/TCP port number); and
c) Information security attributes: authenticated identity of source subject; identity of destination subject; transport layer protocol; and destination subject service identifier (TCP destination port number)].

Application Note: “Service identifier” specifies a service that is above the network and transport layers in the protocol stack.

FDP_IFF.1.2(2) The TSF shall permit an information flow between a source subject and a destination subject via a controlled operation if the following rules hold: [
a) the username has successfully authenticated to the TOE;
b) the identity of the destination subject is in the set of destination identifiers;
c) the information security attributes match the attributes in an information flow policy rule (contained in the information flow policy rule set defined by the administrator) according to the following algorithm [first match]; and
d) the selected information flow policy rule specifies that the information flow is to be permitted via the authenticated proxy selected by the rule].
FDP_IFF.1.3(2) The TSF shall enforce the [following additional information flow control rules:
a) Any packet that is destined to the TOE has to have the correct IP address assigned by the network administrator to be able to remotely operate the TOE; and
b) Management access filters to control all traffic in and out of the TOE and to restrict management of the TOE by other nodes outside either specific (sub) networks or through designated ports. Management access filters allow the administrator to configure the following:
   i. Destination UDP/TCP port number;
   ii. IP protocol ID;
   iii. Source port; and
   iv. Source IP address].

FDP_IFF.1.4(2) The TSF shall explicitly authorise an information flow based on the following rules: [
a) Profiles shall be used to permit access to a hierarchical CLI branch or specific CLI commands. Commands matching the entry command match criteria will be permitted; and
b) Profiles shall be referenced in an administrator configuration].

FDP_IFF.1.5(2) The TSF shall explicitly deny an information flow based on the following rules: [none].

6.2.2.6 FDP_IFF.1(3) Simple Security Attributes (Export Policy)

Hierarchical to: No other components.
Dependencies: FDP_IFC.1(3) Subset Information Flow Control (Export Policy)
              FMT_MSA.3 Static Attribute Initialization

FDP_IFF.1.1(3) The TSF shall enforce the [EXPORT SFP] based on the following types of subject and information security attributes: [
a) Source subject security attributes: source network identifier; and
b) Destination subject security attributes:
   i. Syslog server IP address;
   ii. UDP port used to send the syslog message;
   iii. Syslog Facility Code;
   iv. Syslog Severity Threshold;
   v. IP address of the SNMP trap receiver;
   vi. UDP port used to send the SNMP trap;
   vii. SNMPv3 used to format the SNMP notification;
   viii. Security name and level for SNMPv3 trap receivers; and
   ix. RADIUS/TACACS+ server IP address].
FDP_IFF.1.2(3) The TSF shall permit an information flow between a source subject and a destination subject via a controlled operation if the following rules hold: [
a) the identity of the destination subject is in the set of destination identifiers;
b) the information security attributes match the security attributes defined by the administrator according to the following algorithm [ALL the security attributes must match]; and
c) the selected information flow policy rule specifies that the information flow is to be permitted].

FDP_IFF.1.3(3) The TSF shall enforce the [none].

FDP_IFF.1.4(3) The TSF shall explicitly authorize an information flow based on the following rules: [none].

FDP_IFF.1.5(3) The TSF shall explicitly deny an information flow based on the following rules: [none].

6.2.3 Identification and Authentication (FIA)

6.2.3.1 FIA_AFL.1(1) Authentication Failure Handling (CLI)

Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of Authentication

FIA_AFL.1.1(1) The TSF shall detect when [an administrator configurable positive integer within [a range of values 1 – 64]], within an administrator configurable period of time within a range of values 0 – 60 minutes, unsuccessful authentication attempts occur related to [any claimed administrator ID attempting to authenticate to the CLI].

FIA_AFL.1.2(1) When the defined number of unsuccessful authentication attempts has been [met], the TSF shall [at the option of the Administrator prevent the administrators except the administrator from performing activities that require authentication until an action is taken by the Administrator, or until an Administrator defined time period (within a range of values 0 – 1440 minutes) has elapsed].

6.2.3.2 FIA_AFL.1(2) Authentication Failure Handling (Exponential Back Off - CLI)

Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of Authentication

FIA_AFL.1.1(2) The TSF shall detect when [[one (1)]], within an administrator configurable period of time within a range of values 0 – 60 minutes, unsuccessful authentication attempts occur related to [any claimed administrator ID attempting to authenticate to the SR OS via the CLI].

FIA_AFL.1.2(2) When the defined number of one (1) unsuccessful authentication attempts has been [met], the TSF shall [exponentially increase the delay between subsequent login attempts].

Application Note: Only applicable when a person tries to log in to a device via console.

6.2.3.3 FIA_SOS.1 Verification of Secrets

Hierarchical to: No other components.
Dependencies: No dependencies.

FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets (passwords) meet [for all users except the “admin” user, the password must meet the following:
a) a minimum length (characters): default 6 and within a range of 6-50;
b) the maximum non-hashed length shall be 20 characters;
c) Complexity requirements: [numeric] [special-character] [mixed-case]:
   i. at least one (1) numeric character must be present in the password;
   ii. at least one (1) special character must be present in the password. Special characters include: ~!@#$%^&*()_+|{}:"<>?`-=\[];'; and
   iii. at least one (1) upper and one (1) lower case character;
d) An administrator defined number of days an administrator password is valid before the administrator must change their password. This parameter shall be used to force the administrator to change the password at the configured interval. The maximum number of days the password is valid shall be definable within a range of values of 1 – 500; and
e) Either the administrator must change his password at the next login, or the administrator is not forced to change his password at the next login, as configured by the administrator].
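The FIA_AFL.1(1) lockout (configurable attempt count, detection window and lockout period), the FIA_AFL.1(2) console back-off and the FIA_SOS.1 password rules above, modelled together in Python as an added example (not SR OS code and not part of the ST). The doubling back-off base, the convention that a lockout period of None lasts until an administrator unlocks the account, and the sample parameter values are assumptions; the ranges and the special-character set are those stated in the SFRs.

```python
from dataclasses import dataclass, field
from typing import Optional

# FIA_SOS.1 c) ii: the special characters listed in the ST.
SPECIAL_CHARS = set("~!@#$%^&*()_+|{}:\"<>?`-=\\[];'")


@dataclass
class PasswordPolicy:
    """FIA_SOS.1 parameters; ranges are those stated in the ST."""
    min_length: int = 6          # 6-50, default 6
    max_unhashed: int = 20       # fixed by the ST
    numeric: bool = True
    special: bool = True
    mixed_case: bool = True
    aging_days: int = 90         # 1-500 (90 is a constructed sample value)

    def __post_init__(self):
        if not 6 <= self.min_length <= 50 or not 1 <= self.aging_days <= 500:
            raise ValueError("parameter outside the range stated in the ST")

    def violations(self, user: str, pw: str) -> list:
        """Return the unmet requirements (an empty list means the secret is acceptable)."""
        if user == "admin":                      # the ST exempts the "admin" user
            return []
        v = []
        if len(pw) < self.min_length:
            v.append("min-length")
        if len(pw) > self.max_unhashed:
            v.append("max-length")
        if self.numeric and not any(c.isdigit() for c in pw):
            v.append("numeric")
        if self.special and not any(c in SPECIAL_CHARS for c in pw):
            v.append("special-character")
        if self.mixed_case and not (any(c.islower() for c in pw)
                                    and any(c.isupper() for c in pw)):
            v.append("mixed-case")
        return v

    def must_change(self, age_days: int, change_at_next_login: bool) -> bool:
        """FIA_SOS.1 d) and e): password aging or the change-at-next-login flag."""
        return change_at_next_login or age_days >= self.aging_days


@dataclass
class LoginControl:
    """FIA_AFL.1(1) lockout and FIA_AFL.1(2) console back-off; times are in minutes."""
    attempts: int = 3                   # 1-64
    window_min: int = 5                 # 0-60 minutes
    lockout_min: Optional[int] = 10     # 0-1440 minutes; None = until unlocked (assumption)
    base_delay_s: float = 1.0           # back-off base; not stated in the ST (assumption)
    _failures: dict = field(default_factory=dict)          # user -> failure times in window
    _locked_until: dict = field(default_factory=dict)      # user -> unlock time
    _console_failures: dict = field(default_factory=dict)  # user -> consecutive failures

    def is_locked(self, user: str, now_min: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now_min < until:
            return True
        del self._locked_until[user]    # lockout period has elapsed
        return False

    def record_failure(self, user: str, now_min: float, console: bool = False) -> bool:
        """Register one failed attempt; return True if the account is now locked."""
        recent = [t for t in self._failures.get(user, []) if now_min - t <= self.window_min]
        recent.append(now_min)
        self._failures[user] = recent
        if console:
            self._console_failures[user] = self._console_failures.get(user, 0) + 1
        if len(recent) >= self.attempts:
            self._locked_until[user] = (float("inf") if self.lockout_min is None
                                        else now_min + self.lockout_min)
            self._failures[user] = []
            return True
        return False

    def console_delay(self, user: str) -> float:
        """Seconds to wait before the next console prompt; doubles after each failure."""
        n = self._console_failures.get(user, 0)
        return 0.0 if n == 0 else self.base_delay_s * 2 ** (n - 1)

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._console_failures.pop(user, None)

    def unlock(self, user: str) -> None:
        """Administrator action that ends a lockout early."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)
```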
6.2.3.4 FIA_UAU.2 User Authentication Before Any Action

Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification

FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

Application Note: No actions are allowed until the user has logged in (I&A).

6.2.3.5 FIA_UAU.5 Multiple Authentication Mechanisms

Hierarchical to: No other components.
Dependencies: No dependencies.

FIA_UAU.5.1 The TSF shall provide [client RADIUS, TACACS+, and local authentication mechanisms] to support user authentication.

FIA_UAU.5.2 The TSF shall authenticate any user's claimed identity according to the [authentication mechanism specified by the authorised user].

6.2.3.6 FIA_UID.2 User Identification Before Any Action

Hierarchical to: FIA_UID.1 Timing of Identification
Dependencies: No dependencies.

FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

Application Note: No actions are allowed until the user has logged in (I&A).

6.2.4 Security Management (FMT)

6.2.4.1 FMT_MOF.1 Management of Security Functions Behaviour

Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security Roles
              FMT_SMF.1 Specification of Management Functions

FMT_MOF.1.1 The TSF shall restrict the ability to [determine the behaviour of] the functions [listed in Table 14] to [the Administrator].
Table 14: Security Functions

Configuring Management Access
Configuring IP MAF Filters
Configuring IPv6 MAF Filters
Configuring Password Management Parameters
Configuring Profiles
Configuring Administrators
Copying and Overwriting Administrators and Profiles
Configuring remote administration
Configuring Login control
Configuring RADIUS/TACACS+
Configuring SNMP/Syslog
Configuring NTP
Configuring Event logs

6.2.4.2 FMT_MSA.1 Management of Security Attributes

Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset Access Control, or FDP_IFC.1 Subset Information Flow Control]
              FMT_SMR.1 Security Roles
              FMT_SMF.1 Specification of Management Functions

FMT_MSA.1.1 The TSF shall enforce the [UNAUTHENTICATED, AUTHENTICATED and EXPORT SFPs] to restrict the ability to [change_default, query, modify, delete] the security attributes [defined in FDP_IFF.1.1(1), FDP_IFF.1.1(2), and FDP_IFF.1.1(3)] to the [Administrator].

6.2.4.3 FMT_MSA.3 Static Attribute Initialization

Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of Security Attributes
              FMT_SMR.1 Security Roles

FMT_MSA.3.1 The TSF shall enforce the [UNAUTHENTICATED, AUTHENTICATED and EXPORT SFPs] to provide [restrictive] default values for security attributes that are used to enforce the SFP.

FMT_MSA.3.2 The TSF shall allow the [Administrators] to specify alternative initial values to override the default values when an object or information is created.

6.2.4.4 FMT_SMF.1 Specification of Management Functions

Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [
a) start-up and shutdown;
b) create, modify, or delete configuration items;
c) create, delete, empty, and review the audit trail;
d) create, delete, modify, and view filtering rules;
e) perform configuration backups;
f) password management; and
g) security management functions listed in 6.2.4.1 FMT_MOF.1 Management of Security Functions Behaviour].

6.2.4.5 FMT_SMR.1 Security Roles

Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification

FMT_SMR.1.1 The TSF shall maintain the roles [administrators].

FMT_SMR.1.2 The TSF shall be able to associate users with roles.

6.2.5 Protection of the TSF (FPT)

6.2.5.1 FPT_STM.1 Reliable Time Stamps

Hierarchical to: No other components.
Dependencies: No dependencies.

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.

6.2.6 TOE Access (FTA)

6.2.6.1 FTA_SSL.3 TSF-initiated Termination

Hierarchical to: No other components.
Dependencies: No dependencies.

FTA_SSL.3.1 The TSF shall terminate an interactive session after an [administrator defined period of inactivity within a range of 1 to 1440 minutes].

6.2.6.2 FTA_SSL.4 User-initiated Termination

Hierarchical to: No other components.
Dependencies: No dependencies.

FTA_SSL.4.1 The TSF shall allow user-initiated termination of the user's own interactive session.

6.2.6.3 FTA_TAB.1 Default TOE access banners

Hierarchical to: No other components.
Dependencies: No dependencies.

FTA_TAB.1.1 Before establishing a user session, the TSF shall display an advisory warning message regarding unauthorised use of the TOE.

6.2.6.4 FTA_TSE.1 TOE Session Establishment

Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_TSE.1.1 The TSF shall be able to deny remote session establishment based on [maximum number of concurrent inbound SSH sessions on the node, values 0 - 15].

6.3 TOE SECURITY ASSURANCE REQUIREMENTS

The security assurance requirements for the TOE consist of the requirements corresponding to the EAL3 level of assurance, as defined in CC Part 3, augmented by the inclusion of Basic Flaw Remediation (ALC_FLR.1). The assurance requirements for this evaluation are summarized in Table 15: EAL 3+ Assurance Requirements.

Table 15: EAL 3+ Assurance Requirements

Development
  ADV_ARC.1  Security architecture description
  ADV_FSP.3  Functional specification with complete summary
  ADV_TDS.2  Architectural design
Guidance Documents
  AGD_OPE.1  Operational user guidance
  AGD_PRE.1  Preparative procedures
Life-cycle support
  ALC_CMC.3  Authorisation controls
  ALC_CMS.3  Implementation representation CM coverage
  ALC_DEL.1  Delivery procedures
  ALC_DVS.1  Identification of security measures
  ALC_FLR.1  Flaw reporting procedures
  ALC_LCD.1  Developer defined life-cycle model
Security Target Evaluation
  ASE_CCL.1  Conformance claims
  ASE_ECD.1  Extended components definition
  ASE_INT.1  ST introduction
  ASE_OBJ.2  Security objectives
  ASE_REQ.2  Derived security requirements
  ASE_SPD.1  Security problem definition
  ASE_TSS.1  TOE summary specification
Tests
  ATE_COV.2  Analysis of coverage
  ATE_DPT.1  Testing: basic design
  ATE_FUN.1  Functional testing
  ATE_IND.2  Independent testing - sample
Vulnerability Assessment
  AVA_VAN.2  Vulnerability analysis

6.4 CC COMPONENT HIERARCHIES AND DEPENDENCIES

Table 16 identifies the Security Functional Requirements and their associated dependencies. It also indicates whether the ST explicitly addresses each dependency.
Notes are provided for those cases where the dependencies are satisfied by components which are hierarchical to the specified dependency.

Table 16: Functional Requirements Dependencies

SFR           Dependencies               Dependency Satisfied?
FAU_GEN.1     FPT_STM.1                  Yes
FAU_GEN.2     FAU_GEN.1                  Yes
              FIA_UID.1                  Yes - Satisfied by FIA_UID.2 which is hierarchical to FIA_UID.1
FAU_SAR.1     FAU_GEN.1                  Yes
FAU_SAR.2     FAU_SAR.1                  Yes
FDP_IFC.1(1)  FDP_IFF.1(1)               Yes
FDP_IFC.1(2)  FDP_IFF.1(2)               Yes
FDP_IFC.1(3)  FDP_IFF.1(3)               Yes
FDP_IFF.1(1)  FDP_IFC.1(1)               Yes
              FMT_MSA.3                  Yes
FDP_IFF.1(2)  FDP_IFC.1(2)               Yes
              FMT_MSA.3                  Yes
FDP_IFF.1(3)  FDP_IFC.1(3)               Yes
              FMT_MSA.3                  Yes
FIA_AFL.1(1)  FIA_UAU.1                  Yes - Satisfied by FIA_UAU.2 which is hierarchical to FIA_UAU.1
FIA_AFL.1(2)  FIA_UAU.1                  Yes - Satisfied by FIA_UAU.2 which is hierarchical to FIA_UAU.1
FIA_SOS.1     None                       N/A
FIA_UAU.2     FIA_UID.1                  Yes - Satisfied by FIA_UID.2 which is hierarchical to FIA_UID.1
FIA_UAU.5     None                       N/A
FIA_UID.2     None                       N/A
FMT_MOF.1     FMT_SMR.1                  Yes
              FMT_SMF.1                  Yes
FMT_MSA.1     [FDP_ACC.1 or FDP_IFC.1]   [No / Yes]
              FMT_SMR.1                  Yes
              FMT_SMF.1                  Yes
FMT_MSA.3     FMT_MSA.1                  Yes
              FMT_SMR.1                  Yes
FMT_SMF.1     None                       N/A
FMT_SMR.1     FIA_UID.1                  Yes - Satisfied by FIA_UID.2 which is hierarchical to FIA_UID.1
FPT_STM.1     None                       N/A
FTA_SSL.3     None                       N/A
FTA_SSL.4     None                       N/A
FTA_TAB.1     None                       N/A
FTA_TSE.1     None                       N/A

6.5 SECURITY REQUIREMENTS RATIONALE

6.5.1 Security Functional Requirements Rationale

Table 17 provides a bi-directional mapping of Security Functional Requirements to TOE Security Objectives. This table demonstrates that each of the applicable objectives for the TOE is addressed by at least one of the functional requirements and that each of the functional requirements addresses at least one of the objectives.
Table 17: Security Functional Requirements to TOE Security Objectives

Columns: O.AUDIT, O.I&A, O.MANAGE, O.MEDIATE, O.TOE_ACCESS. Each X marks one objective the SFR maps to.

FAU_GEN.1     Audit Data Generation                                          X
FAU_GEN.2     User Identity Association                                      X
FAU_SAR.1     Audit Review                                                   X
FAU_SAR.2     Restricted Audit Review                                        X
FDP_IFC.1(1)  Subset Information Flow Control (Unauthenticated Policy)       X
FDP_IFC.1(2)  Subset Information Flow Control (Authenticated Policy)         X
FDP_IFC.1(3)  Subset Information Flow Control (Export Policy)                X
FDP_IFF.1(1)  Simple Security Attributes (Unauthenticated Policy)            X
FDP_IFF.1(2)  Simple Security Attributes (Authenticated Policy)              X
FDP_IFF.1(3)  Simple Security Attributes (Export Policy)                     X
FIA_AFL.1(1)  Authentication Failure Handling (CLI)                          X
FIA_AFL.1(2)  Authentication Failure Handling (Exponential Back Off - CLI)   X
FIA_SOS.1     Verification of Secrets                                        X
FIA_UAU.2     User Authentication Before Any Action                          X
FIA_UAU.5     Multiple Authentication Mechanisms                             X
FIA_UID.2     User Identification Before Any Action                          X
FMT_MOF.1     Management of Security Functions Behaviour                     X
FMT_MSA.1     Management of Security Attributes                              X
FMT_MSA.3     Static Attribute Initialization                                X X
FMT_SMF.1     Specification of Management Functions                          X
FMT_SMR.1     Security Roles                                                 X
FPT_STM.1     Reliable Time Stamps                                           X
FTA_SSL.3     TSF-initiated Termination                                      X
FTA_SSL.4     User-initiated Termination                                     X
FTA_TAB.1     Default TOE access banners                                     X
FTA_TSE.1     TOE Session Establishment                                      X

The following subsections describe how each applicable TOE Security Objective is addressed by the corresponding Security Functional Requirements.

6.5.1.1 Satisfaction of O.AUDIT Rationale

O.AUDIT: The TOE will generate audit records which will include the time that the event occurred and the identity of the administrator performing the event.
The TOE will provide the privileged administrators the capability to review Audit data and will restrict audit review to administrators who have been granted explicit read-access. The TOE will generate audit records which will include the time that the event occurred and the identity of the administrator performing the event. [FAU_GEN.1, FAU_GEN.2, and FPT_STM.1]. The TOE will provide the privileged administrators the capability to review Audit data. [FAU_SAR.1and FAU_SAR.2]. 6.5.1.2 Satisfaction of O.I&A Rationale O.I&A The TOE will uniquely identify and authenticate the claimed identity of all administrative administrators before granting management access and to control their actions. The TOE must uniquely identify and authenticate the claimed identity of all administrative administrators before granting management access. Administrators authorized to access the TOE must be defined using an identification and authentication process [FIA_UID.2, FIA_UAU.2]. Before anything occurs on behalf of the administrator, the administrator’s identity is identified to the TOE [FIA_UID.2]. Multiple consecutive unsuccessful attempts to authenticate result in locking of the account until the authentication administrator re- enables it [FIA_AFL.1(1) and (2)]. The TOE must increase the delay between login attempts exponentially after each failed login attempt. The TOE must also check passwords for aging, minimum length, login attempts, and complexity [FIA_SOS.1]. The TOE must provide RADIUS, TACACS+, and local authentication mechanisms to support administrator authentication. [FIA_UAU.5] 6.5.1.3 Satisfaction of O.MANAGE Rationale O.MANAGE The TOE will provide all the functions and facilities necessary to support the administrators in their management of the security of the TOE, and restrict these functions and facilities from unauthorized use. 
The TOE is required to provide the ability to restrict the use of TOE management/administration/security functions to authorized administrators of the TOE [FMT_MOF.1]. The TOE will capable of performing security management functions. The TOE is capable of performing numerous management functions including start-up, shutdown, and creating/modifying/deleting configuration items [FMT_SMF.1]. The TOE must be able to recognize the administrative role that exists for the TOE [FMT_SMR.1]. The TOE must restrict the ability to manage security attributes associated with the UNAUTHENTICATED SFP to the administrator. [FMT_MSA.1] The TOE must allow the privileged administrator to specify alternate initial values when an object is created. [FMT_MSA.3]. The TOE ensures that all administrator actions resulting in the access to TOE security functions and configuration data are controlled. [FMT_SMF.1, FMT_MOF.1] The TOE ensures that access to TOE security functions and configuration data is based on the assigned administrator role. [FMT_SMR.1] 6.5.1.4 Satisfaction of O.MEDIATE Rationale O.MEDIATE The TOE must mediate the flow of all information between hosts located on disparate internal and external networks governed by the TOE. The TOE must mediate the flow of Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page 57 of 75 information between sets of TOE network interfaces or between a network interface and the TOE itself in accordance with its security policy. The TOE is required to identify the entities involved in the unauthenticated and authenticated information flow control SFPs [FDP_IFC.1(1) and FDP_IFC.1(2)] and to identify the attributes of the administrators sending and receiving the information in the unauthenticated, unauthenticated and export SFPs [FDP_IFF.1(1), FDP_IFF.1(2), and FDP_IFF.1(3)]. The policy is defined by saying under what conditions information is permitted to flow [FDP_IFF.1(1), FDP_IFF.1(2), and FDP_IFF.1(3)]. 
Information that is permitted to flow will then be routed according to the information in the routing table [FDP_IFF.1(1), FDP_IFF.1(2), and FDP_IFF.1(3)]. The TOE ensures that there is a default deny policy for the information flow control security rules [FMT_MSA.3]. The TOE ensures that the export of user data is controlled. [FDP_IFC.1(3)] 6.5.1.5 Satisfaction of O.TOE_ACCESS Rationale O.TOE_ACCESS The TOE will provide mechanisms that control an administrator’s logical access to the TOE and to explicitly deny access to specific administrators when appropriate. The TOE will terminate an interactive Console or SSH sessions after an administrator defined time interval of administrator inactivity. [FTA_SSL.3] The administrator is also able to terminate their own interactive session. [FTA_SSL.4] The TOE will deny session establishment after an administrator defined number of active SSH sessions. [FTA_TSE.1]. This requirement limits the number of inbound NSP sessions. The TOE will display an administrator-configurable message to users prior to session establishment using the CLI. [FTA_TAB.1] 6.5.2 Security Assurance Requirements Rationale Nokia has decided that the TOE will be evaluated at EAL 3, augmented with basic flaw remediation (ALC_FLR.1). This combination is termed EAL 3+. This provides a level of independently assured security that is consistent with the postulated threat environment. Specification of EAL 3+ includes the vulnerability assessment component. Nokia SR OS Security Target Doc No: 2184-001-D102 Version: 1.1 Date: 16 May 2022 Page 58 of 75 7 TOE SUMMARY SPECIFICATION The objective for the TOE summary specification is to provide potential consumers of the TOE with a description of how the TOE satisfies all the SFRs. The TOE summary specification should provide the general technical mechanisms that the TOE uses for this purpose. 
The level of detail of this description should be enough to enable potential consumers to understand the general form and implementation of the TOE. This section also provides a description of the functions that are carried out by the TOE at the TOE external interfaces (TOE Security Functionality Interfaces (TSFI)). This section provides a description of the security functions (and supporting general technical mechanisms) of the TOE that meet the TOE security requirements defined in Section 6. The functions and functional requirements are cross-referenced in Table 18.

7.1 TOE SECURITY FUNCTIONS

7.1.1 Overview

The TOE security functions that were previously introduced are further elaborated in this section. The major functions (e.g., audit) are decomposed to more clearly define their functionality.

7.1.2 F.Audit

7.1.2.1 Audit Data Generation

The SR OS records the start-up and shutdown of the audit functions. It also generates an audit record of the following events:
a. Log successful activity of administrators. The SR OS logs the activity of the administrator in a security log;
b. Log critical network traffic. Applications within the SR OS for which log entries are generated are: IP, routing protocols and services, and CLI and remote access;
c. Logging of successful configuration changes. The change activity event source is all events that directly affect the configuration or operation of the TOE as defined in 7.1.4.4; and
d. Security breach logging. The security event source is all events that affect attempts to breach system security, such as failed login attempts or attempts to access Management Information Base (MIB) tables to which the administrator is not granted access. Security events are generated by the security application.

The SR OS logs the activity of the administrator in a security log. The generating application, a unique event ID within the application, and a short text description are recorded for each applicable event in the audit logs. Event logs are the means of recording system generated events for later analysis. Events are messages generated by applications or processes within the SR OS. The SR OS is configured to record attempts to breach system security. Logs are configured in the following contexts:
a. Log file - Log files contain log event message streams. Log file IDs are used to direct events, alarms/traps and debug information to their respective targets;
b. SNMP trap groups - SNMP trap groups contain an IP address and community names which identify targets to send traps following specified events;
c. Syslog - Information is sent to a Syslog host that is capable of receiving selected Syslog messages from a network element;
d. Event control - Configures a particular event or all events associated with an application to be generated or suppressed;
e. Event filters - An event filter defines whether to forward or drop an event or trap based on match criteria;
f. Event logs - An event log defines the types of events to be delivered to its associated destination; and
g. Event throttling rate - Defines the rate of throttling events.

Event logging controls the generation, dissemination and recording of system events for monitoring status and troubleshooting faults within the system. The following event sources are the main categories of events that feed the log manager:
- Security - The security event source is all events that affect attempts to breach system security;
- Change - The change activity event source is all events that directly affect the configuration or operation of the node;
- Debug - The debug event source is the debugging configuration that has been enabled on the system; and
- Main - The main event source receives events from all other applications within the IXR/SR, SAR, and SAS-series.

A set of log filter rules is associated with the event log to control which events will be logged in the event log, based on combinations of application, severity, event Identification (ID) range, and the subject of the event. An event log within the SR OS associates the event sources with logging destinations:
- Memory - All selected log events will be directed to an in-memory storage area. A memory log is a circular buffer. When the log is full, the oldest entry in the log is replaced with the new entry. When a memory log is created, the specific number of entries it holds is specified; otherwise, it will assume a default size. An event log sends entries to a memory log destination;
- Session - An administrator logged in to the local console device or connected to the CLI via a remote session also creates a log with a destination type of 'session'. Events are displayed to the session device until the administrator logs off. When the administrator logs off, the 'session' type log is deleted. A session destination is a temporary log destination which directs entries to the active session for the duration of the session. When the session is terminated, for example when the administrator logs out, the event log is removed. Event logs configured with a session destination are not stored in the configuration file. Event logs direct log entries to the session destination;
- SNMP traps - Events defined as SNMP traps are sent to the configured SNMP trap destinations and are logged in Notification Log Management Information Base (MIB) tables;
- Syslog - All selected log events are sent to the Syslog address;
- File - All selected log events will be directed to a file on one of the CPM/CSM solid state memory disks. Log files are used by event logs and are stored on the solid state memory devices in the file system. A log file is identified with a single log file ID, but a log file will generally be composed of a number of individual files in the file system. Log files are created in specific subdirectories with standardized names in accordance with the type of information stored in the log file; and
- Console - All selected log events will be sent to the system console.

Only a single log destination is associated with an event log. An event log is associated with multiple event sources, but it only has a single log destination. An event log has the following properties:
- A unique log ID. The log ID is a short, numeric identifier for the event log. A maximum of ten logs are configured at a time;
- One or more log sources. The source stream or streams to be sent to log destinations are specified. The source must be identified before the destination is specified. The events are from the main event stream, events in the security event stream, or events in the administrator activity stream;
- One event log destination. A log only has a single destination. The destination is one of console, session, Syslog, SNMP-trap-group, memory, or a file on the local file system; and
- Optional event filter policy. A set of event filter rules defines whether to forward or drop an event or trap based on match criteria.

The log manager uses event filter policies to allow fine control over which events are forwarded or dropped. Like other policies within the SR OS, filter policies have a default action. The default actions are either Forward or Drop.
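The source, filter policy and destination model described above, as an added example that is not part of this Security Target or of SR OS: a small Python model of the event-log pipeline, with first-match filter entries, a default action, and a memory destination behaving as a circular buffer. The event fields, severity ranking and sample events are constructed assumptions.

```python
"""Model of the SR OS event-log pipeline in 7.1.2.1: event sources feed event logs,
each with an optional filter policy (entries match application, severity, event-ID range
or subject; default action forward or drop) and exactly one destination.  Added example,
not Nokia code; only the memory destination (a circular buffer) is modelled, and the
event fields, severity ranks and sample events are constructed assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOURCES = {"main", "security", "change", "debug"}
# Severities named in 7.1.2.3; the numeric rank (higher = more severe) is assumed.
SEVERITY_RANK = {"cleared": 0, "indeterminate": 1, "warning": 2,
                 "minor": 3, "major": 4, "critical": 5}


@dataclass(frozen=True)
class Event:
    seq: int            # sequence number
    source: str         # one of SOURCES
    application: str    # generating application
    event_id: int       # unique event ID within the application
    severity: str
    subject: str        # affected object
    text: str           # short text description
    timestamp: str = "2022-05-16T10:00:00Z"   # UTC time stamp (constructed)


@dataclass(frozen=True)
class FilterRule:
    action: str                                   # "forward" or "drop"
    application: Optional[str] = None             # criteria left as None match anything
    min_severity: Optional[str] = None            # this severity and higher
    event_id_range: Optional[Tuple[int, int]] = None
    subject: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        return ((self.application is None or ev.application == self.application)
                and (self.min_severity is None
                     or SEVERITY_RANK[ev.severity] >= SEVERITY_RANK[self.min_severity])
                and (self.event_id_range is None
                     or self.event_id_range[0] <= ev.event_id <= self.event_id_range[1])
                and (self.subject is None or ev.subject == self.subject))


@dataclass(frozen=True)
class FilterPolicy:
    rules: List[FilterRule]
    default_action: str = "forward"               # applied when no entry matches

    def decide(self, ev: Event) -> str:
        for rule in self.rules:                   # first matching entry decides
            if rule.matches(ev):
                return rule.action
        return self.default_action


class MemoryLog:
    """Memory destination: circular buffer; the oldest entry is replaced when full."""
    def __init__(self, size: int) -> None:
        self.entries = deque(maxlen=size)

    def write(self, ev: Event) -> None:   # common log-entry elements, one line per event
        self.entries.append(f"{ev.seq} {ev.timestamp} {ev.application} #{ev.event_id} "
                            f"{ev.severity}: {ev.subject} {ev.text}")

    def show(self, ascending: bool = False) -> List[str]:   # newest first by default
        return list(self.entries) if ascending else list(reversed(self.entries))


class EventLog:
    def __init__(self, log_id: int, sources, destination: MemoryLog,
                 policy: Optional[FilterPolicy] = None) -> None:
        self.log_id, self.sources = log_id, set(sources)
        self.destination, self.policy = destination, policy   # exactly one destination

    def offer(self, ev: Event) -> bool:
        """Return True when the event reaches this log's destination."""
        if ev.source not in self.sources:
            return False
        if self.policy is not None and self.policy.decide(ev) == "drop":
            return False
        self.destination.write(ev)
        return True


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: log 1 keeps security events in a 2-entry memory log; log 2
    takes main and change events but forwards IP events only at severity major or higher."""
    sec_mem, ops_mem = MemoryLog(size=2), MemoryLog(size=10)
    policy = FilterPolicy([FilterRule("forward", application="IP", min_severity="major"),
                           FilterRule("drop", application="IP")])
    logs = [EventLog(1, ["security"], sec_mem), EventLog(2, ["main", "change"], ops_mem, policy)]
    events = [
        Event(1, "security", "SECURITY", 2001, "major", "user bob", "Login failed"),
        Event(2, "main", "IP", 2001, "minor", "interface to-core", "ICMP rate exceeded"),  # dropped
        Event(3, "main", "IP", 2008, "critical", "interface to-core", "Interface down"),
        Event(4, "change", "CLI", 1001, "warning", "configure", "Configuration saved"),
        Event(5, "security", "SECURITY", 2001, "major", "user bob", "Login failed"),
        Event(6, "security", "SECURITY", 2002, "major", "user bob", "Account locked"),  # evicts seq 1
    ]
    for ev in events:
        for log in logs:                          # the log manager offers every event to every log
            log.offer(ev)
    return sec_mem.show(), ops_mem.show(ascending=True)
```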
Log entries that are forwarded to a destination are formatted in a way appropriate for the specific destination, whether it be recorded to a file or sent as an SNMP trap, but log event entries have common elements or properties:
- A time stamp in Universal Time Co-ordinated (UTC) or local time; and
- The generating application:
  - A unique event ID within the application;
  - A router name identifying the VRF-ID that generated the event;
  - A subject identifying the affected object; and
  - A short text description.

7.1.2.2 User Identity Association

For audit events resulting from actions of identified administrators, the SR OS is able to associate each auditable event with the identity of the administrator that caused the event.

7.1.2.3 Audit Review

The administrator reads all the information in the log destinations (i.e., SNMP-trap-group, memory, or a file on the local file system) via CLI log detail commands. Log commands are in the following categories:
a. Configuration Commands;
b. Show Commands; and
c. Clear Commands.

The LOG-ID command displays an event log summary with settings and statistics, or the contents of a specific log file, SNMP log, or memory log. If the command is specified with no command line options, a summary of the defined system logs is displayed. The summary includes log settings and statistics. If the log ID of a memory, SNMP, or file event log is specified, the command displays the contents of the log. Additional command line options control what and how the contents are displayed. Contents of logs with console, session or syslog destinations cannot be displayed; the actual events can only be viewed on the receiving syslog or console device (part of the OE).
The administrator limits the number of log entries displayed to the number specified, and displays only events generated by the specified application or of the specified and higher severity (cleared, indeterminate, critical, major, minor, warning). The administrator displays the log entry numbers from a particular entry sequence number to another sequence number. If the to-sequence number is not provided, the log content to the end of the log is displayed. Logs are normally shown from the newest entry to the oldest, in descending sequence number order on the screen. When using the ascending parameter, the log is shown from the oldest to the newest entry.

The log files are stored in system memory on solid state memory (cf1: or cf2:) in a compressed (tar) XML format and are retrieved using file-copy. The SR OS creates two directories on the solid state memory to store the files. When a log file is created, only the solid state memory device for the log file is specified. Log files are created in specific subdirectories with standardized names depending on the type of information stored in the log file. Event log files are always created in the \log directory on the specified solid state memory device. The \act-collect directory is where active logs are written. When a log is rolled over, the active file is closed and archived in the \act directory before a new active log file is created in \act-collect. Logging policies are used to ensure that events of different levels are sent to different logging destinations.

The SR OS provides authorized administrators with the capability to read audit data from the audit records in a manner suitable for the administrator to interpret the information, by means of the CLI SHOW LOG command, which displays the following information:
a. applications;
b. event-control;
c. file-id;
d. filter-id;
e. log-collector;
f. log-id;
g. snmp-trap-group; and
h. syslog [syslog-id].

The administrator executes the following log commands:
a. Configuration Commands;
b. Generic Commands;
c. Event Control;
d. Log File Commands;
e. Log Filter Commands;
f. Log Filter Entry;
g. Log Filter Entry Match Commands;
h. Syslog Configuration Commands;
i. SNMP Trap Groups;
j. Logging Destination Commands;
k. Show Commands; and
l. Clear Commands.

The administrator views log collector statistics for the main, security, change and debug log collectors. The administrator displays event file log information. A summary output of all event log files is displayed along with detailed information on the event file log. The administrator reinitializes/rolls over the specified memory/file. Memory logs are reinitialized and cleared of contents. File logs are manually rolled over by the log clear command.

7.1.2.4 Restricted Audit Review

Administrator capabilities are all controlled via the configuration of the administrator profile. This profile allows an administrator's permissions to allow or disallow access to any command in the system's management, down to the granularity of an individual command. The SR OS prohibits all administrators read access to the audit records, except those administrators that have been granted explicit read-access. This is accomplished by means of administrator profiles that are used to deny or permit access to a CLI hierarchical branch or specific commands, including the log clear command.

7.1.2.5 Reliable Time Stamps

The SR OS synchronizes its local time with an NTP server in the operational environment. The SR OS includes the date and time (using either UTC or local time as configured by the Administrator) within each audit record that it generates.

7.1.3 F.I&A

7.1.3.1 Authentication Failure Handling (CLI)

The following is defined by the administrator:
a. The number of unsuccessful login attempts allowed for the specified time.
b. The period of time, in minutes, within which the specified number of unsuccessful attempts must be made before the administrator is locked out.
c. The lockout period in minutes during which the administrator is not allowed to log in.

When the administrator exceeds the attempt count within the specified time, that administrator is locked out from any further login attempts for the configured time period. Parameters are modifiable from the provided default values:
- The SR OS detects when an administrator-configurable positive integer (default: 3, within a range of 1 - 64) of unsuccessful authentication attempts occurs within an administrator-configurable period of time (default 5 minutes, within a range of 0 - 60) related to any claimed administrator ID attempting to authenticate to the SR OS via the console; and
- When the defined number of unsuccessful authentication attempts has been met, the SR OS will, at the option of the Administrator, prevent activities that require authentication until an action is taken by the Administrator, or until an Administrator-defined time period (default: 10 minutes, within a range of 0 - 1440 minutes) has elapsed.

7.1.3.2 Authentication Failure Handling (Exponential Back Off - CLI)

The exponential-backoff parameter enables the exponential back-off of the login prompt. This function is used to deter dictionary attacks, in which a malicious user tries to gain access to the SR OS by using a script to try any conceivable password. SR OS increases the delay between login attempts exponentially to mitigate such attacks. It is applied to the console login.
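The lockout and back-off behaviour described in 7.1.3.1 and 7.1.3.2, as an added example that is not part of this Security Target or of SR OS: a Python model of console login-failure handling using the document's defaults and ranges. The doubling back-off schedule, the treatment of a lockout period of 0 as "until an administrator acts", the treatment of a 0-minute window as unlimited, and the sample credential and timeline are assumptions.

```python
"""Model of SR OS console login-failure handling (7.1.3.1, 7.1.3.2).  Added example, not
Nokia code: N failures within T minutes lock the claimed ID for L minutes, and each
consecutive failure delays the next prompt exponentially.  The doubling schedule, the
meaning of the 0 values, and the sample user and timeline are assumptions."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LoginControl:
    """Administrator-configurable parameters with the defaults and ranges from 7.1.3.1."""
    attempts: int = 3            # unsuccessful attempts allowed, 1 - 64
    time_minutes: int = 5        # period in which they are counted, 0 - 60 (0: unlimited, assumed)
    lockout_minutes: int = 10    # lockout period, 0 - 1440 (0: until an administrator acts, assumed)
    exponential_backoff: bool = True
    base_delay_s: float = 1.0    # first back-off delay; doubling per failure is assumed

    def __post_init__(self) -> None:
        if not (1 <= self.attempts <= 64 and 0 <= self.time_minutes <= 60
                and 0 <= self.lockout_minutes <= 1440):
            raise ValueError("login-control parameter out of range")


@dataclass
class _State:
    failures: List[float] = field(default_factory=list)   # times of recent failures (seconds)
    consecutive: int = 0                                  # consecutive failures driving back-off
    next_allowed: float = 0.0                             # prompt not offered before this time
    locked_until: Optional[float] = None                  # None: not locked; inf: until unlock()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    wait_s: float                # seconds before the next attempt can be accepted


class ConsoleAuthenticator:
    def __init__(self, ctl: LoginControl, users: Dict[str, str]) -> None:
        self.ctl = ctl
        self._users = users                      # constructed local user database
        self._states: Dict[str, _State] = {}

    def attempt(self, user: str, password: str, now: float) -> Decision:
        st = self._states.setdefault(user, _State())
        if st.locked_until is not None:
            if now < st.locked_until:
                return Decision(False, "locked out", st.locked_until - now)
            st = self._states[user] = _State()   # lockout period has elapsed
        if now < st.next_allowed:                # back-off delay still running
            return Decision(False, "back-off in effect", st.next_allowed - now)
        expected = self._users.get(user, "")
        if user in self._users and hmac.compare_digest(expected.encode(), password.encode()):
            self._states[user] = _State()        # success clears all counters
            return Decision(True, "authenticated", 0.0)
        return self._record_failure(st, now)     # unknown IDs are counted like any claimed ID

    def _record_failure(self, st: _State, now: float) -> Decision:
        window = self.ctl.time_minutes * 60 or float("inf")
        st.failures = [t for t in st.failures if now - t <= window] + [now]
        st.consecutive += 1
        if len(st.failures) >= self.ctl.attempts:
            st.locked_until = (float("inf") if self.ctl.lockout_minutes == 0
                               else now + self.ctl.lockout_minutes * 60)
            return Decision(False, "locked out", st.locked_until - now)
        delay = (self.ctl.base_delay_s * 2 ** (st.consecutive - 1)
                 if self.ctl.exponential_backoff else 0.0)
        st.next_allowed = now + delay
        return Decision(False, "bad credentials", delay)

    def is_locked(self, user: str, now: float) -> bool:
        st = self._states.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def unlock(self, user: str) -> None:
        """Administrator action that ends a lockout."""
        self._states.pop(user, None)


def scenario() -> List[Decision]:
    """Constructed timeline against the defaults (3 attempts / 5 minutes / 10 minute lockout)."""
    auth = ConsoleAuthenticator(LoginControl(), {"netops": "S3cure!pw"})   # constructed credential
    steps = [(0.0, "wrong1"), (0.5, "wrong2"), (1.0, "wrong3"), (3.0, "wrong4"),
             (100.0, "S3cure!pw"), (603.0, "S3cure!pw")]
    return [auth.attempt("netops", pw, t) for t, pw in steps]
```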
The SR OS shall detect when [one (1)], within [an administrator-configurable period of time (default 5 minutes, within a range of 0 - 60 minutes)], unsuccessful authentication attempts occur related to [any claimed administrator ID attempting to authenticate to the SR OS].

7.1.3.3 Verification of Secrets

The verification of secrets applies to all authentication methods: local console, RADIUS and TACACS+. The password for all users except the "admin" username needs to satisfy the following requirements:
a. A minimum length (characters); default 6 and within a range of 6-50;
b. A maximum non-hashed password length of 20 characters;
c. At least one upper and one lower case character;
d. At least one numeric character must be present in the password; and
e. At least one special character must be present in the password. Special characters include: ~!@#$%^&*()_+|{}:"<>?`-=\[];',./

In the CC evaluated configuration, administrators are instructed to only use the "admin" username account during setup and to create unique administrator accounts for each human user. Also, as part of administrator registration, one of the following flags is set:
a. Y - The administrator must change their password at the next login; or
b. N - The administrator is not forced to change their password at the next login.

Definitions are:
a. numeric - Specifies that at least one numeric character must be present in the password. This keyword is used in conjunction with the mixed-case and special-character parameters;
b. special-character - Specifies that at least one special character must be present in the password. This keyword is used in conjunction with the numeric and mixed-case parameters. Special characters include: ~!@#$%^&*()_+|{}:"<>?`-=\[];',./; and
c. mixed-case - Specifies that at least one upper and one lower case character must be present in the password. This keyword is used in conjunction with the numeric and special-character parameters.

7.1.3.4 User Authentication Before Any Action

The SR OS is configured to use RADIUS, TACACS+, and local/remote authentication to validate administrators requesting access to the network. The order in which password authentication is processed among RADIUS, TACACS+ and local passwords is specifically configured. Authentication validates an administrator name and password combination when an administrator attempts to log in. When an administrator attempts to log in through the console, or remotely, each client (7x50 IXR/SR, 7705 SAR, and 7210 SAS) sends an access request to a RADIUS, TACACS+, or local database.

7.1.3.5 User Identification Before Any Action

The SR OS validates an administrator name and password combination when an administrator attempts to log in.

7.1.3.6 Multiple Authentication Mechanisms

The SR OS implements local, RADIUS, and TACACS+ authentication to control the actions of specific administrators by applying a profile based on administrator name and password configurations.

7.1.4 F.Security_Management

The Network Services Platform (NSP) provides GUI management functions (e.g., provisioning) for the IXR/SR, SAR, and SAS-series platforms. (Note: The NSP is defined outside the TOE boundary. The local Console used to interface with the CLI is also outside the TOE boundary.) All of the routers and switches listed in Table 2 can be managed by the NSP Release 20.6 or later. The NSP can interface with the TOE using SSH or SNMP. The SR OS has a direct connection via the physical RS-232 console interface and a network connection to perform security management functions. The network interface is controlled via an information flow control (authenticated policy) as defined herein. The SR OS requires local access to initially configure.
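The password rules of 7.1.3.3 as an added example that is not part of this Security Target or of SR OS: a Python checker for the configurable minimum length, the 20-character non-hashed maximum, and the numeric, special-character and mixed-case keywords with the document's special-character set. The exemption for the "admin" account is modelled as a parameter; the rule codes and sample passwords are assumptions.

```python
"""Checker for the password requirements in 7.1.3.3.  Added example, not Nokia code:
the rules and the special-character set are taken from the text; the rule codes,
the parameter names and the sample passwords are assumptions."""
import string
from dataclasses import dataclass
from typing import List

# Special characters listed in 7.1.3.3 (the backslash and quotes are escaped for Python).
SPECIAL_CHARACTERS = set('~!@#$%^&*()_+|{}:"<>?`-=\\[];\',./')
MAX_NON_HASHED_LENGTH = 20          # rule b: maximum non-hashed password length
EXEMPT_USERNAME = "admin"           # the only account the requirements do not apply to


@dataclass(frozen=True)
class PasswordPolicy:
    """Administrator-configurable complexity settings (keyword names from 7.1.3.3)."""
    minimum_length: int = 6         # default 6, range 6-50
    numeric: bool = True
    special_character: bool = True
    mixed_case: bool = True

    def __post_init__(self) -> None:
        if not 6 <= self.minimum_length <= 50:
            raise ValueError("minimum-length must be within 6-50")

    def plaintext_satisfiable(self) -> bool:
        # A minimum above the 20-character non-hashed maximum cannot be met by a typed password.
        return self.minimum_length <= MAX_NON_HASHED_LENGTH


def check_password(password: str, policy: PasswordPolicy, username: str = "") -> List[str]:
    """Return the codes of the rules the password violates; an empty list means it is acceptable."""
    if username == EXEMPT_USERNAME:
        return []
    violations: List[str] = []
    if len(password) < policy.minimum_length:
        violations.append("minimum-length")
    if len(password) > MAX_NON_HASHED_LENGTH:
        violations.append("non-hashed-maximum")
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_lower = any(c in string.ascii_lowercase for c in password)
    if policy.mixed_case and not (has_upper and has_lower):
        violations.append("mixed-case")
    if policy.numeric and not any(c in string.digits for c in password):
        violations.append("numeric")
    if policy.special_character and not any(c in SPECIAL_CHARACTERS for c in password):
        violations.append("special-character")
    return violations
```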
Local console authentication access via an RS-232 port to the router uses administrator names and passwords to authenticate login attempts.

7.1.4.1 Management of Security Functions Behaviour

Administrator capabilities are all controlled via the configuration of the administrator profile. This profile allows an administrator's permissions to allow or disallow access to any command in the system's management, down to the granularity of an individual command. The following security functions are restricted to the administrators. The administrator will perform the following:
a. Configures authentication failure handling: the configurable number of unsuccessful authentication attempts within a configurable period of time, and the configurable lockout period that applies to an administrator's authentication;
b. Controls when (e.g., time and day(s) of the week) and where (e.g., from a specific network address) administrators and authorized IT entities access the TOE;
c. Configures the maximum number of active sessions;
d. Configures authentication attempts count, time interval [minutes], and lockout time period [minutes];
e. Configures authentication-order for local console, RADIUS and TACACS+;
f. Configures password complexity [numeric] [special-character] [mixed-case];
g. Configures password minimum-length value;
h. Configures: management access filters, profiles, administrator access parameters, password management parameters;
i. Enables RADIUS and/or TACACS+ (TOE client-side);
j. Configures events and logs;
k. Configures access parameters for individual administrators - the login name for the administrator and information that identifies the administrator;
l. Configures administrator profiles used to deny or permit access to CLI command tree permissions, or specific CLI commands;
m. Copies a profile or administrator, or overwrites an existing profile or administrator; and
n. Allows/disallows an administrator the privilege to change their password for console login.

The administrator will also configure the following SNMP access group information:
a. Group name - The access group name;
b. Security model - The security model required to access the views configured in this node;
c. Security level - Specifies the required authentication and privacy levels to access the views configured in this node;
d. Read view - Specifies the variable of the view to read the MIB objects;
e. Write view - Specifies the variable of the view to configure the contents of the agent; and
f. Notify view - Specifies the variable of the view to send a trap about MIB objects.

The administrator will execute the following security CLI commands:
a. Configuration Commands;
b. General Security Commands;
c. Login, Telnet, remote management commands;
d. Management Access Filter Commands;
e. Password Commands;
f. Profile Management Commands;
g. Administrator Management Commands;
h. RADIUS Client Commands;
i. TACACS+ Client Commands;
j. Generic 802.1x Commands;
k. TTL Security Commands;
l. Show Commands;
m. Security Commands;
n. Login Control;
o. Clear Commands;
p. Authentication Commands; and
q. Debug Commands.

The administrator will perform the following logging tasks:
a. Modify a Log File;
b. Delete a Log File;
c. Modify a File ID;
d. Delete a File ID;
e. Modify a Syslog ID;
f. Delete a Syslog;
g. Modify an SNMP Trap Group;
h. Delete an SNMP Trap Group;
i. Modify a Log Filter;
j. Delete a Log Filter;
k. Modify Event Control Parameters; and
l. Return to the Default Event Control Configuration.
7.1.4.2 Management of Security Attributes

7.1.4.2.1 Simple Security Attributes (Unauthenticated Policy)

The administrator specifies information flow policy rules (i.e., routing protocols and ingress/egress traffic filtering and peer filtering) that contain information security attribute values, and associates with each rule an action that permits or disallows the information flow. When a packet arrives at the source interface, the information security attribute values of the packet are compared to each information flow policy rule and, when a match is found, the action specified by that rule is taken. Subject and information security attributes used are:
a. IP network address and port of source subject;
b. IP network address and port of destination subject;
c. transport layer protocol and their flags and attributes (UDP, TCP);
d. network layer protocol (IP, ICMP);
e. Documented Special Use (DUSA) IPv4 addresses;
f. interface on which traffic arrives and departs; and
g. routing protocols and their configuration and state.

7.1.4.2.2 Simple Security Attributes (Authenticated Policy)

The Administrator, using CLI syntax:
a. configures administrator name/password and profile;
b. configures local home directory for console and remote access;
c. grants an administrator permission for remote or console access;
d. configures the maximum number of concurrent inbound remote sessions;
e. configures the idle timeout for file-copy, console, or remote sessions, which determines when the session is terminated by the system; and
f. configures Management Access Filters to control all traffic in and out of the SR OS and to restrict management of the SR OS by other nodes outside either specific (sub)networks or through designated ports.

Subject and information security attributes used are:
a. Source subject security attributes: source port and IP protocol ID and address, username/password and profile, source network identifier, remote or console session idle timeout, maximum number of concurrent inbound remote sessions, administrator permission for remote or console access, local home directory for the administrator for remote or console access;
b. Destination subject security attributes: set of destination subject identifiers (UDP/TCP port number); and
c. Information security attributes: authenticated identity of source subject; identity of destination subject; transport layer protocol; and destination subject service identifier (TCP destination port number).

Application Note: "Service identifier" specifies a service that is above the network and transport layers in the protocol stack.

7.1.4.2.3 Simple Security Attributes (Export Policy)

The event log is configured to send events to one syslog destination. Syslog destinations have the following properties:
a. Syslog server IP address;
b. The UDP port used to send the syslog message;
c. The Syslog Facility Code (0 - 23) (default 23 - local 7); and
d. The Syslog Severity Threshold (0 - 7) - events exceeding the configured level will be sent.

The Administrator configures a Syslog Target using CLI syntax to configure a syslog file. Log events cannot be sent to a syslog target host until a valid syslog ID exists. All references to the syslog ID must be deleted before the syslog ID can be removed. The Administrator uses CLI syntax to configure the port number used to receive SNMP request messages and to send replies. Subject and information security attributes used are:
a. Source subject security attributes: source network identifier; and
b. Destination subject security attributes: (1) set of destination network identifiers; (2) Syslog server IP address; (3) UDP port used to send the syslog message; (4) Syslog Facility Code; (5) Syslog Severity Threshold; and (6) port number used to send SNMP traffic.

7.1.4.3 Static Attribute Initialization

SR OS equipped systems arrive out-of-the-box configured with no services turned on and with direct console access only. In addition, no IP address is configured on the router by default. This requires physical or out-of-band console access in order to bring a new system up. The SR OS requires local console access to initially configure an IP address and enable remote access. Administrators are set up with an individual account configured to only allow the minimum access needed to perform the assigned support duties. The administrator is instructed in administrative guidance how to set and specify alternative initial default attribute values.

7.1.4.4 Specification of Management Functions

The Administrator performs the following security management functions on the SR OS:
a. start-up and shutdown;
b. create, modify, or delete configuration items;
c. modify and set the time and date;
d. create, delete, empty, and review the audit trail;
e. create, delete, modify, and view filtering rules;
f. perform configuration backups;
g. password management; and
h. security management functions listed in Section 7.1.4.1.

Password management parameters consist of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts an administrator may make to enter a password. Also, as part of administrator registration, the following are set:
a. Y - The administrator has the ability to change the login password; and
b. N - The administrator does not have the ability to change the login password.
The SR OS implements periodic backup of the SR OS configuration. The backups are used to recover the network configuration after major network events such as hardware failure or misconfiguration. For additional management functions refer to Section 7.1.4.1.

7.1.4.5 Security Roles

The SR OS allows authorized administrators with the needed authority to configure and control the associated features. There is one role associated with the SR OS: the ADMINISTRATOR role. Only authenticated administrators are permitted to use or manage the router resources, and only authenticated administrators can execute CLI commands. Authorization features allow administrators to configure administrator profiles, which limit the CLI commands that a specific authenticated administrator may execute. Once an administrator has been authenticated, the SR OS performs authorization. A profile consists of a suite of commands that the administrator is allowed or not allowed to execute. When an administrator issues a command, the SR OS compares the command and the administrator information with the commands in the profile. If the administrator is authorized to issue the command, the command is executed; if not, the command is not executed.

7.1.5 F.TOE_Access

7.1.5.1 TSF-initiated Termination

The SR OS allows login control parameters to be configured for console and remote administration sessions, and has the ability to terminate stale (inactive) connections. The SR OS terminates an interactive session after an administrator-defined period of inactivity; the default is 30 minutes and the configurable range is 1 to 1440 minutes. This idle-time parameter sets the idle timeout for console or remote sessions, after which the session is terminated by the system. This reduces the chance that an unauthorized person gains access to the router through an unattended open session. By default, an idle console or remote session times out after thirty (30) minutes of inactivity. The timer is maintained per session.

7.1.5.2 User-initiated Termination

Administrators initiate termination of their own sessions. The SR OS allows an administrator to terminate their own session by issuing the "logout" command at the CLI prompt.

7.1.5.3 TOE Session Establishment

The SR OS denies session establishment once an administrator-defined number of active NSP sessions is reached, thereby limiting the number of inbound NSP sessions. The SR OS denies remote session establishment based on the maximum number of concurrent remote sessions on the node (default 5, configurable from 0 to 15).

7.1.5.4 TOE Access Banners

The SR OS displays an administrator-configured message to users on the login screen before the user enters identification and authentication credentials.

7.1.6 F.User_Data_Protection

7.1.6.1 Subset Information Flow Control (Unauthenticated Policy)

The TOE enforces an UNAUTHENTICATED SFP whereby network packets sent through the TOE are subject to the router information flow control rules set up by the administrator. All subsystems are involved in determining how a packet will be forwarded and/or in performing the packet forwarding itself. The controlling mechanisms include the system configuration and the protocol state used for forwarding the actual data.

7.1.6.2 Subset Information Flow Control (Authenticated Policy)

The TOE enforces an AUTHENTICATED SFP whereby information is passed via an application proxy (Console, NSP). An administrator must first be granted access by an administrator and then be authenticated in order to access the router by Console or NSP. The TOE only sends to, and accepts management connections from, properly configured or authenticated sources.
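The profile check in 7.1.4.5 and the session controls in 7.1.5 (idle timeout, concurrent remote-session limit) can be read together as one small access-control state machine. The following is an added example written for this page, not SR OS code or any Nokia artifact: the class and field names, the word-prefix rule used to match a command against a profile entry, the sample profile and the user names are assumptions; the numeric limits (idle timeout 1 to 1440 minutes, default 30; remote sessions 0 to 15, default 5) are the values the Security Target states.

```python
"""Added example (not SR OS code): model of the 7.1.4.5 profile-based command
authorization and the 7.1.5 session controls. Names, the prefix-match rule and
the sample profile are assumptions; the numeric limits are the ST's values."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class ProfileEntry:
    entry_id: int
    match: str      # command prefix (assumed matching rule)
    action: str     # "permit" or "deny"


@dataclass
class Profile:
    name: str
    default_action: str = "deny"   # assumed: unlisted commands are refused
    entries: List[ProfileEntry] = field(default_factory=list)

    def authorize(self, command: str) -> bool:
        # First entry (ascending entry-id) whose word prefix matches decides.
        words = command.split()
        for e in sorted(self.entries, key=lambda x: x.entry_id):
            prefix = e.match.split()
            if words[:len(prefix)] == prefix:
                return e.action == "permit"
        return self.default_action == "permit"


@dataclass(eq=False)           # identity equality: one object per live session
class Session:
    user: str
    profile: Profile
    remote: bool
    last_activity: float       # seconds on any monotonic clock
    idle_timeout_min: int = 30


class LoginControl:
    def __init__(self, max_remote_sessions: int = 5, idle_timeout_min: int = 30):
        if not 0 <= max_remote_sessions <= 15:
            raise ValueError("max remote sessions must be in 0..15")
        if not 1 <= idle_timeout_min <= 1440:
            raise ValueError("idle timeout must be in 1..1440 minutes")
        self.max_remote = max_remote_sessions
        self.idle_timeout_min = idle_timeout_min
        self.sessions: List[Session] = []

    def open_session(self, user, profile, remote, now) -> Optional[Session]:
        # Denied once the remote ceiling is reached (console sessions not counted).
        if remote and sum(s.remote for s in self.sessions) >= self.max_remote:
            return None
        s = Session(user, profile, remote, now, self.idle_timeout_min)
        self.sessions.append(s)
        return s

    def expire_idle(self, now: float) -> List[str]:
        # TSF-initiated termination: close sessions idle for their full timeout.
        expired = [s for s in self.sessions
                   if now - s.last_activity >= s.idle_timeout_min * 60]
        self.sessions = [s for s in self.sessions if s not in expired]
        return [s.user for s in expired]

    def run_command(self, session: Session, command: str, now: float) -> str:
        self.expire_idle(now)
        if session not in self.sessions:
            return "no-session"          # timed out (or never established)
        session.last_activity = now      # any activity restarts the idle timer
        return "executed" if session.profile.authorize(command) else "denied"


# Constructed sample profile: "show" and log configuration permitted, the rest
# of "configure" refused, everything unlisted refused by the default action.
OPERATOR = Profile("operator", entries=[
    ProfileEntry(10, "show", "permit"),
    ProfileEntry(20, "configure log", "permit"),
    ProfileEntry(30, "configure", "deny"),
])


def demo() -> dict:
    lc = LoginControl(max_remote_sessions=2, idle_timeout_min=30)
    t0 = 1000.0
    alice = lc.open_session("alice", OPERATOR, True, t0)
    bob = lc.open_session("bob", OPERATOR, True, t0)
    out = {"third_remote_denied": lc.open_session("carol", OPERATOR, True, t0) is None,
           "show": lc.run_command(alice, "show router interface", t0 + 60),
           "configure_log": lc.run_command(alice, "configure log syslog 1", t0 + 120),
           "configure_system": lc.run_command(alice, "configure system security", t0 + 180)}
    # bob has been idle since t0: at t0+30 min he is terminated, alice is not.
    out["expired_at_30min"] = lc.expire_idle(t0 + 30 * 60)
    out["bob_after_timeout"] = lc.run_command(bob, "show users", t0 + 31 * 60)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the module prints the observations collected by demo(). The point worth taking from the profile model is that entry order decides outcomes: if entries 20 and 30 were swapped, "configure log syslog 1" would hit the broad "configure" deny first and the narrower permit would never be reached, which is the same most-explicit-first discipline the filter policies in 7.1.6 require.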
7.1.6.3 Subset Information Flow Control (Export Policy)

The TOE enforces an EXPORT SFP whereby information events are sent from the TOE to SNMP trap, Syslog and RADIUS/TACACS+ destinations. The TOE only sends management data to properly configured destinations.

7.1.6.4 Simple Security Attributes (Unauthenticated Policy)

The TOE uses traffic filters, protocol configuration and protocol state to enforce the UNAUTHENTICATED SFP. The administrator configures the SR-series routers, IXR-series switches, SAR-series routers, and SAS-series switches with the following protocols, standards, and services from the set of:
a. OSPFv2;
b. IS-IS;
c. BGP-4; and
d. MPLS (LDP, RSVP-TE).

The TCP/IP stack is implemented as a common protocol stack for IP, UDP and TCP communications. Packets going to the TOE are first classified into forwarding classes (FCs). Filter policies, also referred to as Access Control Lists (ACLs), are templates applied to services or network ports to control network traffic into (ingress) or out of (egress) a service access port or network port based on IP, IPv6, and MAC matching criteria. Filters are applied to services to examine packets entering or leaving a SAP or network interface. The same filter can be used on several interfaces, and can be applied to ingress traffic, egress traffic, or both. Ingress filters affect only inbound traffic destined for the routing complex, and egress filters affect only outbound traffic sent from the routing complex.

Access Control Lists provide complete control over the traffic that is allowed to enter the network. The SR OS routes the traffic that is permitted by the information flow policies. All traffic passing through the router is processed by the ACL attached to the interface/protocol. An ACL is a filter policy applied on ingress or egress to a SAP on an interface to control traffic access. The ACL prevents an unknown party (identified by IP match or Media Access Control (MAC) match criteria) from accessing the router/switch's infrastructure and service layers, providing security protection for both layers. The ACL is processed top-down, with processing continuing until the first match is made. All traffic that successfully clears the ACLs is processed by the routing tables. The routing table is processed top-down, with processing continuing until the first match is made. The routing table may be statically updated by a privileged administrator or dynamically through routing protocols.

The administrator specifies information flow policy rules (routing protocols and ingress/egress traffic filtering and peer filtering) that contain information security attribute values, and associates with each rule an action that permits or disallows the information flow. When a packet arrives at the source interface, the information security attribute values of the packet are compared to each information flow policy rule and, when a match is found, the action specified by that rule is taken. The set of identifiers is associated with the physical router interfaces.

Subject and information security attributes used are:
a. IP network address and port of source subject;
b. IP network address and port of destination subject;
c. transport layer protocol and its flags and attributes (UDP, TCP);
d. network layer protocol (IP, ICMP);
e. Documented Special Use (DUSA) IPv4 addresses;
f. interface on which traffic arrives and departs; and
g. routing protocols and their configuration and state.

IP/MAC filter policies specify match criteria that associate traffic with an ingress or egress SAP. A filter policy compares the match criteria specified within each filter entry to packets coming through the system, in the order in which the entries are numbered in the policy.
When a packet matches all the parameters specified in an entry, the system takes the specified action to either drop or forward the packet. If a packet does not match the entry parameters, it continues through the filter process and is compared to the next filter entry, and so on. If the packet does not match any of the entries, the system executes the default action specified in the filter policy.

Each filter policy is assigned a unique filter ID. When filter rule entries are created, they are arranged sequentially from the most explicit entry to the least explicit. Filter matching ceases when a packet matches an entry, and that entry's action is performed on the packet. The TOE performs either a drop or a forward action. To be considered a match, the packet must meet all the conditions defined in the entry. Packets are compared to entries in a filter policy in ascending entry ID order.

When a filter consists of a single entry, the filter executes actions as follows:
a. If a packet matches all the entry criteria, the entry's specified action is performed (drop or forward); and
b. If a packet does not match all of the entry criteria, the policy's default action is performed.

If a filter policy contains two or more entries, packets are compared in ascending entry ID order:
a. Packets are compared with the criteria in the first entry ID;
b. If a packet matches all the properties defined in the entry, the entry's specified action is executed;
c. If a packet does not completely match, the packet continues to the next entry, and then to subsequent entries; and
d. If a packet does not completely match any subsequent entry, the default action is performed.

TTL security parameters are applied to incoming packets. BGP/LDP accepts incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value (1 to 255) configured for that peer. The SR OS provides automatic detection of attacks triggered by excessive control plane and routing protocol traffic; it recognizes the signatures of some common distributed and other DoS (D/DoS) attacks and suppresses them using the ACLs.

7.1.6.5 Simple Security Attributes (Authenticated Policy)

The TOE also enforces an AUTHENTICATED SFP whereby information is passed via an application proxy (Console, SSH, file-copy). Users must first be granted access by the administrator and then be authenticated in order to access the router by Console, SSH, or file-copy.

Source subject security attributes are:
a. source port and IP protocol ID and address;
b. username/password and profile;
c. source network identifier;
d. remote or console session idle timeout;
e. maximum number of concurrent inbound remote sessions;
f. administrator permission for remote or console access; and
g. local home directory for the administrator for remote or console access.

Destination subject security attributes are:
a. set of destination subject identifiers (UDP/TCP port number).

Any packet destined to the SR OS must carry the correct IP address assigned by the network administrator in order to remotely operate the SR OS. Management Access Filters (MAFs) control all traffic to the CPM/CSM on SR OS devices, including routing protocol traffic. They can be used to restrict management of the node to specific (sub)networks or designated ports, for example to a small list of NSP servers or support workstations. By default, no management access filters are configured; the MAF and its entries must be explicitly created on each router. When the first matching entry is found, its actions are executed, so entries must be sequenced correctly from most to least explicit.
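The ACL walk in 7.1.6.4 and the MAF in 7.1.6.5 use the same first-match discipline, and the TTL rule for BGP/LDP sits beside them as a per-peer check. The example below is added for this page and is not SR OS code: the Packet and Entry fields, the CIDR form of the address criteria, the two sample filters and the sample packets are constructed; the semantics it encodes (ascending entry-id order, every criterion in an entry must match, the first match decides, the default action otherwise, TTL greater than or equal to the configured minimum) are those the text describes. The second policy deliberately sequences the broad SSH drop ahead of the specific permit to show what "most explicit first" protects against.

```python
"""Added example (not SR OS code): the first-match filter semantics shared by the
IP/MAC filter policies of 7.1.6.4 and the Management Access Filters of 7.1.6.5,
plus the per-peer minimum-TTL check for BGP/LDP.  Field names, the CIDR address
criteria, the sample policies and the packets are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    dport: Optional[int]
    ttl: int


@dataclass(frozen=True)
class Entry:
    entry_id: int
    action: str                 # "forward" or "drop"
    src: Optional[str] = None   # CIDR prefix; None means wildcard
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every criterion that is set must match; unset criteria are wildcards.
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport


@dataclass(frozen=True)
class FilterPolicy:
    filter_id: int
    default_action: str = "drop"
    entries: Tuple[Entry, ...] = ()

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        # Ascending entry-id order; the first complete match decides, otherwise
        # the policy default applies (None marks the default).
        for e in sorted(self.entries, key=lambda e: e.entry_id):
            if e.matches(pkt):
                return e.action, e.entry_id
        return self.default_action, None

    def shadowed_entries(self, samples) -> List[int]:
        # Entries that decide for none of the sample packets: a sign that a
        # broader entry is sequenced ahead of a more explicit one.
        hit = {self.evaluate(p)[1] for p in samples}
        return [e.entry_id for e in self.entries if e.entry_id not in hit]


def ttl_accept(pkt: Packet, min_ttl: int) -> bool:
    # BGP/LDP TTL security: accept only if packet TTL >= the per-peer minimum.
    if not 1 <= min_ttl <= 255:
        raise ValueError("minimum TTL must be in 1..255")
    return pkt.ttl >= min_ttl


# Constructed MAF: SSH only from the NSP subnet, BGP only from the peer subnet,
# an explicit drop for SSH from anywhere else, and a default drop.
MAF = FilterPolicy(1, "drop", (
    Entry(10, "forward", src="10.10.0.0/24", proto="tcp", dport=22),
    Entry(20, "forward", src="192.0.2.0/24", proto="tcp", dport=179),
    Entry(30, "drop", proto="tcp", dport=22),
))
# Same entries with the broad SSH drop sequenced first: it shadows the NSP
# permit, the "most explicit first" mistake the text warns about.
MAF_MISORDERED = FilterPolicy(2, "drop", (
    Entry(10, "drop", proto="tcp", dport=22),
    Entry(20, "forward", src="10.10.0.0/24", proto="tcp", dport=22),
    Entry(30, "forward", src="192.0.2.0/24", proto="tcp", dport=179),
))
# Constructed sample packets (private and RFC 5737 documentation addresses).
NSP_SSH = Packet("10.10.0.5", "10.0.0.1", "tcp", 22, 64)
STRANGER_SSH = Packet("198.51.100.7", "10.0.0.1", "tcp", 22, 64)
PEER_BGP = Packet("192.0.2.9", "10.0.0.1", "tcp", 179, 255)
FAR_BGP = Packet("192.0.2.9", "10.0.0.1", "tcp", 179, 250)   # not a direct neighbour
SNMP_PROBE = Packet("203.0.113.4", "10.0.0.1", "udp", 161, 60)
SAMPLES = (NSP_SSH, STRANGER_SSH, PEER_BGP, FAR_BGP, SNMP_PROBE)


if __name__ == "__main__":
    for p in SAMPLES:
        print(p.src, p.proto, p.dport, MAF.evaluate(p), MAF_MISORDERED.evaluate(p))
    print("shadowed in misordered MAF:", MAF_MISORDERED.shadowed_entries(SAMPLES))
    print("TTL check peer/far:", ttl_accept(PEER_BGP, 255), ttl_accept(FAR_BGP, 255))
```

The evaluate() result carries the deciding entry id, so shadowed_entries() can be run over a representative packet set as a review check: an entry that never decides anything is either dead or shadowed, and in the misordered policy the NSP permit (entry 20) shows up that way. The TTL check is deliberately separate from the filter: it is a per-peer property of the BGP/LDP session, not a filter entry, and a packet from the peer prefix that has travelled more hops than the configured minimum allows is rejected even though the MAF forwards it.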
7.1.6.6 Simple Security Attributes (Export Policy)

The TOE also enforces an EXPORT SFP whereby information events are sent from the TOE to SNMP trap, Syslog, and RADIUS/TACACS+ destinations. Subject and information security attributes used are:
a. Source subject security attributes: source network identifier; and
b. Destination subject security attributes:
   (1) Syslog server IP address;
   (2) UDP port used to send the syslog message;
   (3) Syslog Facility Code;
   (4) Syslog Severity Threshold;
   (5) IP address of the SNMP trap receiver;
   (6) UDP port used to send the SNMP trap;
   (7) SNMPv3 used to format the SNMP notification;
   (8) Security name and level for SNMPv3 trap receivers; and
   (9) RADIUS/TACACS+ server IP address.

For SNMP traps sent out-of-band through the Management Ethernet port, the source IP address of the trap is the IP interface address defined on the Management Ethernet port. For SNMP traps sent in-band, the source IP address of the trap is the system IP address of the SR OS. Each trap target destination in a trap group receives the identical sequence of events, as defined by the log ID and the associated sources and log filter applied. The Syslog protocol is used to convey event notification messages; the message parameters are those defined in RFC 5424 - The Syslog Protocol, which describes the format of a Syslog message.

7.2 TOE SECURITY FUNCTIONS RATIONALE

Table 18 provides a bi-directional mapping of Security Functions to Security Functional Requirements. It shows that each of the SFRs is addressed by at least one of the Security Functions and that each of the Security Functions addresses at least one of the SFRs. For a description of how each Security Functional Requirement is addressed by the corresponding Security Function, refer to Section 7.1.
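The export policy of 7.1.6.6 above (with the syslog destination properties of 7.1.4.2.3) reduces to a threshold filter, an RFC 5424 encoder and a source-address rule, and a model of those three is the useful thing to see in code. The following is an added example for this page, not SR OS code: the event records, hostname, application names and addresses are constructed, and one point is an assumption rather than a statement of the text, namely that the severity threshold passes an event whose numeric severity is at or below the threshold (at least as severe in RFC 5424 numbering), which is how this model reads "events exceeding the configured level" and which should be confirmed against the product guidance. The facility and severity ranges, the default facility (23, local7), the PRI calculation and the in-band versus out-of-band trap source rule are as the text and RFC 5424 state.

```python
"""Added example (not SR OS code): the syslog and SNMP-trap side of the export
policy in 7.1.6.6 and the syslog destination properties of 7.1.4.2.3.  From the
text: server address, UDP port, facility 0-23 (default 23, local7), severity
threshold 0-7, RFC 5424 framing with PRI = facility*8 + severity, and the trap
source-address rule.  Assumed: the threshold passes an event whose numeric
severity is <= the threshold (at least as severe); events and names are made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SyslogDestination:
    server: str
    port: int = 514
    facility: int = 23            # default local7
    severity_threshold: int = 7   # assumed default: everything passes

    def __post_init__(self):
        if not 0 <= self.facility <= 23:
            raise ValueError("facility must be 0..23")
        if not 0 <= self.severity_threshold <= 7:
            raise ValueError("severity threshold must be 0..7")
        if not 0 < self.port < 65536:
            raise ValueError("port must be 1..65535")


@dataclass(frozen=True)
class Event:
    timestamp: str    # RFC 5424 TIMESTAMP (RFC 3339 form)
    severity: int     # 0 emergency .. 7 debug
    app: str
    msgid: str
    text: str


def pri(facility: int, severity: int) -> int:
    # RFC 5424 section 6.2.1: PRI = Facility * 8 + Severity
    return facility * 8 + severity


def format_rfc5424(dest: SyslogDestination, hostname: str, ev: Event) -> bytes:
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    # PROCID and STRUCTURED-DATA are NILVALUE ("-") here.
    header = f"<{pri(dest.facility, ev.severity)}>1 {ev.timestamp} {hostname} {ev.app} - {ev.msgid} -"
    return f"{header} {ev.text}".encode("utf-8")


def passes_threshold(dest: SyslogDestination, ev: Event) -> bool:
    return ev.severity <= dest.severity_threshold


def export(dest: SyslogDestination, hostname: str, events: List[Event]) -> List[Tuple[str, int, bytes]]:
    # (server, port, wire bytes) for each event clearing the threshold, in the
    # original order: the identical sequence every target of a group receives.
    return [(dest.server, dest.port, format_rfc5424(dest, hostname, ev))
            for ev in events if passes_threshold(dest, ev)]


def trap_source_address(in_band: bool, system_ip: str, mgmt_ip: Optional[str]) -> str:
    # In-band traps carry the system IP; out-of-band traps carry the address
    # of the Management Ethernet port interface.
    if in_band:
        return system_ip
    if mgmt_ip is None:
        raise ValueError("out-of-band trap needs a management-port address")
    return mgmt_ip


# Constructed sample events (not real SR OS log output).
EVENTS = [
    Event("2022-05-16T10:00:00Z", 6, "security", "LOGIN", "user alice logged in from 10.10.0.5"),
    Event("2022-05-16T10:00:05Z", 4, "security", "AUTHFAIL", "authentication failure for user bob"),
    Event("2022-05-16T10:00:09Z", 2, "system", "CPMFAIL", "standby CPM failed"),
    Event("2022-05-16T10:00:12Z", 7, "bgp", "DEBUG", "keepalive from 192.0.2.9"),
]
DEST = SyslogDestination("203.0.113.10", port=514, facility=23, severity_threshold=4)


if __name__ == "__main__":
    for server, port, wire in export(DEST, "pe1", EVENTS):
        print(server, port, wire.decode())
    print(trap_source_address(True, "10.0.0.1", "172.16.0.1"),
          trap_source_address(False, "10.0.0.1", "172.16.0.1"))
```

With the threshold at 4 (warning) only the authentication failure and the CPM failure leave the node; the login notice and the BGP debug line are dropped locally. A collector that decodes the PRI back into facility and severity (188 = 23*8 + 4) will file both under local7, which is why the facility code is part of the destination's security attributes: it is what the receiving SIEM keys its routing on.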
Table 18: Security Functions to SFR Mapping

Security Functional Requirement                                           | Security Function
FAU_GEN.1 Audit Data Generation                                           | F.Audit
FAU_GEN.2 User Identity Association                                       | F.Audit
FAU_SAR.1 Audit Review                                                    | F.Audit
FAU_SAR.2 Restricted Audit Review                                         | F.Audit
FDP_IFC.1(1) Subset Information Flow Control (Unauthenticated Policy)     | F.User_Data_Protection
FDP_IFC.1(2) Subset Information Flow Control (Authenticated Policy)       | F.User_Data_Protection
FDP_IFC.1(3) Subset Information Flow Control (Export Policy)              | F.User_Data_Protection
FDP_IFF.1(1) Simple Security Attributes (Unauthenticated Policy)          | F.User_Data_Protection
FDP_IFF.1(2) Simple Security Attributes (Authenticated Policy)            | F.User_Data_Protection
FDP_IFF.1(3) Simple Security Attributes (Export Policy)                   | F.User_Data_Protection
FIA_AFL.1(1) Authentication Failure Handling (CLI)                        | F.I&A
FIA_AFL.1(2) Authentication Failure Handling (Exponential Back Off - CLI) | F.I&A
FIA_SOS.1 Verification of Secrets                                         | F.I&A
FIA_UAU.2 User Authentication Before Any Action                           | F.I&A
FIA_UAU.5 Multiple Authentication Mechanisms                              | F.I&A
FIA_UID.2 User Identification Before Any Action                           | F.I&A
FMT_MOF.1 Management of Security Functions Behaviour                      | F.Security_Management
FMT_MSA.1 Management of Security Attributes                               | F.Security_Management
FMT_MSA.3 Static Attribute Initialization                                 | F.Security_Management
FMT_SMF.1 Specification of Management Functions                           | F.Security_Management
FMT_SMR.1 Security Roles                                                  | F.Security_Management
FPT_STM.1 Reliable Time Stamps                                            | F.Audit
FTA_SSL.3 TSF-initiated Termination                                       | F.TOE_Access
FTA_SSL.4 User-initiated Termination                                      | F.TOE_Access
FTA_TAB.1 Default TOE access banners                                      | F.TOE_Access
FTA_TSE.1 TOE Session Establishment                                       | F.TOE_Access

8 OTHER REFERENCES

This section lists references other than the TOE guidance documentation presented in Section j on page 23 that either aid in better understanding the TOE or are referred to directly in this Security Target.
[ANSI X3.64] Additional Controls for Use with the American National Standard Code for Information Interchange, ANSI X3.64-1979 (R1990), American National Standards Institute (ANSI)
[IEEE 802.3ad] Amendment to Carrier Sense Multiple Access With Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications - Aggregation of Multiple Link Segments, IEEE Standard 802.3ad-2000, Institute of Electrical and Electronics Engineers
[RFC 1305] Network Time Protocol (Version 3) Specification, Implementation and Analysis, RFC 1305, March 1992, Internet Engineering Task Force
[RFC 1492] An Access Control Protocol, Sometimes Called TACACS, RFC 1492, July 1993, Internet Engineering Task Force
[RFC 2138] Remote Authentication Dial In User Service (RADIUS), RFC 2138, April 1997, Internet Engineering Task Force
[RFC 2865] Remote Authentication Dial In User Service (RADIUS), RFC 2865, June 2000, Internet Engineering Task Force
[RFC 2866] RADIUS Accounting, RFC 2866, June 2000, Internet Engineering Task Force
[RFC 3411] An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks, RFC 3411, December 2002, Internet Engineering Task Force
[RFC 3412] Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), RFC 3412, December 2002, Internet Engineering Task Force
[RFC 3413] Simple Network Management Protocol (SNMP) Applications, RFC 3413, December 2002, Internet Engineering Task Force
[RFC 3414] User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), RFC 3414, December 2002, Internet Engineering Task Force
[RFC 3415] View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), RFC 3415, December 2002, Internet Engineering Task Force
[RFC 3416] Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP), RFC 3416, December 2002, Internet Engineering Task Force
[RFC 3417] Transport Mappings for the Simple Network Management Protocol (SNMP), RFC 3417, December 2002, Internet Engineering Task Force
[RFC 3418] Management Information Base (MIB) for the Simple Network Management Protocol (SNMP), RFC 3418, December 2002, Internet Engineering Task Force
[RFC 4250] The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, January 2006, Internet Engineering Task Force
[RFC 4251] The Secure Shell (SSH) Protocol Architecture, RFC 4251, January 2006, Internet Engineering Task Force
[RFC 4252] The Secure Shell (SSH) Authentication Protocol, RFC 4252, January 2006, Internet Engineering Task Force
[RFC 4253] The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, January 2006, Internet Engineering Task Force
[RFC 4254] The Secure Shell (SSH) Connection Protocol, RFC 4254, January 2006, Internet Engineering Task Force
[RFC 5424] The Syslog Protocol, RFC 5424, March 2009, Internet Engineering Task Force
[TIA-232-F] Interface between Data Terminal Equipment and Data Circuit-Terminating Equipment Employing Serial Binary Data Interchange, 1 October 1997, Telecommunications Industry Association (TIA)