Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA © 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Cisco HyperFlex Systems HX Series Common Criteria Security Target
Version 1.0
21 September 2017

Cisco HyperFlex Systems HX Series Security Target, Page 2 of 48

Table of Contents

1 SECURITY TARGET INTRODUCTION  8
1.1 ST and TOE Reference  8
1.2 TOE Overview  8
1.2.1 TOE Product Type  10
1.2.2 Supported non-TOE Hardware/Software/Firmware  11
1.3 TOE DESCRIPTION  12
1.4 TOE Evaluated Configuration  15
1.5 Physical Scope of the TOE  16
1.6 Logical Scope of the TOE  18
1.6.1 Security Audit  18
1.6.2 User Data Protection  19
1.6.3 Identification and authentication  19
1.6.4 Security Management  19
1.6.5 Protection of the TSF  20
1.6.6 Resource Utilization  20
1.6.7 TOE Access  20
1.6.8 Trusted Path  20
1.7 Excluded Functionality  20
1.8 TOE Documentation  21
2 Conformance Claims  22
2.1 Common Criteria Conformance Claim  22
2.2 Protection Profile Conformance  22
3 SECURITY PROBLEM DEFINITION  23
3.1 Assumptions  23
3.2 Threats  23
3.3 Organizational Security Policies  24
4 SECURITY OBJECTIVES  25
4.1 Security Objectives for the TOE  25
4.2 Security Objectives for the Environment  26
5 SECURITY REQUIREMENTS  27
5.1 Conventions  27
5.2 TOE Security Functional Requirements  27
5.2.1 Security audit (FAU)  28
5.2.1 User data protection (FDP)  30
5.2.2 Identification and authentication (FIA)  31
5.2.3 Security management (FMT)  32
5.2.4 Protection of the TSF (FPT)  32
5.2.5 Resource Utilisation (FRU)  33
5.2.6 TOE Access (FTA)  33
5.2.7 Trusted Path (FTP)  33
5.3 TOE SFR Dependencies Rationale  33
5.4 Security Assurance Requirements  35
5.4.1 SAR Requirements  35
5.4.2 Security Assurance Requirements Rationale  35
5.5 Assurance Measures  35
6 TOE Summary Specification  37
6.1 TOE Security Functional Requirement Measures  37
6.2 TOE Bypass and interference/logical tampering Protection Measures  41
7 RATIONALE  41
7.1 Rationale for TOE Security Objectives  41
7.2 Rationale for the Security Objectives for the Environment  43
7.3 Rationale for requirements/TOE Objectives  44
8 Annex A: References  48

List of Tables

TABLE 1 ACRONYMS AND ABBREVIATIONS  4
TABLE 2 TERMS  5
TABLE 3 ST AND TOE IDENTIFICATION  8
TABLE 4 IT ENVIRONMENT COMPONENTS  11
TABLE 5 HARDWARE MODELS AND SPECIFICATIONS  16
TABLE 6 TOE ASSUMPTIONS  23
TABLE 7 THREATS  23
TABLE 9 SECURITY OBJECTIVES FOR THE TOE  25
TABLE 10 SECURITY OBJECTIVES FOR THE ENVIRONMENT  26
TABLE 11 SECURITY FUNCTIONAL REQUIREMENTS  27
TABLE 12 AUDITABLE EVENTS  28
TABLE 13 SFR DEPENDENCY RATIONALE  34
TABLE 14 ASSURANCE MEASURES  35
TABLE 15 ASSURANCE MEASURES  35
TABLE 16 HOW TOE SFRS MEASURES  37
TABLE 17 THREATS & IT SECURITY OBJECTIVES MAPPINGS  41
TABLE 18 TOE THREAT/POLICY/OBJECTIVE RATIONALE  42
TABLE 19 THREATS & IT SECURITY OBJECTIVES MAPPINGS FOR THE ENVIRONMENT  43
TABLE 20 ASSUMPTIONS/THREATS/OBJECTIVES RATIONALE  43
TABLE 21 SECURITY OBJECTIVE TO SECURITY REQUIREMENTS MAPPINGS  44
TABLE 22 OBJECTIVES TO REQUIREMENTS RATIONALE  45
TABLE 23 REFERENCES  48

List of Figures

FIGURE 1 TOE EXAMPLE DEPLOYMENT  9
FIGURE 2 CISCO HX DATA LOGICAL DATA PATHS  10
FIGURE 3 CISCO HYPERFLEX HX220C M4 NODE  12
FIGURE 4 CISCO HYPERFLEX HX240C M4 NODE  12
FIGURE 5 CISCO HYPERFLEX HX240C M4 NODES WITH CISCO UCS B200 BLADE SERVERS  13
FIGURE 6 CISCO HX DATA PLATFORM HARDWARE OVERVIEW  13
FIGURE 7 TOE EXAMPLE DEPLOYMENT  14

Acronyms and Abbreviations

The following acronyms and abbreviations are common and may be used in this Security Target:

Table 1 Acronyms and Abbreviations

AAA: Administration, Authorization, and Accounting
ACL: Access Control Lists
API: Application Programming Interface
CC: Common Criteria
CEM: Common Evaluation Methodology
CIMC: Cisco Integrated Management Controller
CIM-XML: Common Information Model XML
CLI: Command Line Interface
CM: Configuration Management
EAL: Evaluation Assurance Level
FC: Fibre Channel
HDD: Hard-disk drives
HTTPS: Hyper-Text Transport Protocol Secure
IP: Internet Protocol
OS: Operating System
SAR: Security Assurance Requirement
SFP: Security Functional Policy
SFR: Security Functional Requirement
SM: Service Module
SSD: Solid-state disk
SSL: Secure Socket Layer
ST: Security Target
TCP: Transport Control Protocol
TCP/IP: Transmission Control Protocol/Internet Protocol
TLS: Transport Layer Security
TOE: Target of Evaluation
TSC: TSF Scope of Control
TSF: TOE Security Function
TSP: TOE Security Policy
UCS: [Cisco] Unified Computing System
UCSM: UCS Manager
UDP: User Datagram Protocol
VIB: VMware ESXi vSphere Installation Bundles
VLAN: Virtual Local Area Network
VM: Virtual Machine, a virtualized guest operating system installed to a hypervisor.
VMM: Virtual Machine Manager, a hypervisor.
VSAN: Virtual Storage Area Network
XML: Extensible Markup Language
XML API: The UCS Manager XML API is a programmatic interface for managing UCS via CLI.

Terminology

The following terms are common for this technology and may be used in this Security Target:

Table 2 Terms

Cluster: A collection of hosts that are interconnected for the purpose of improving reliability, availability, serviceability, load balancing and performance. In this document, cluster implies the storage cluster, unless otherwise stated.

Cluster Access Policy: HX Data Platform (TOE) configurable feature that specifies storage cluster data management when the nodes or disks fail in the storage cluster. For example, when the storage cluster changes to read-only mode to protect data.

Datastore: A logical container, similar to a file system on a logical volume. Datastores are where the host places virtual disk files and other VM files. Datastores hide the specifics of physical storage devices and provide a uniform model for storing VM files.

Hyperconvergence: Turning standard servers of choice into a single pool of compute and storage resources.

HyperFlex HX Data Platform Controller (also referenced as controller VM): The HyperFlex HX Data Platform controller resides on each node and implements the distributed file system. The controller VM runs in user space within a virtual machine, and intercepts and handles all I/O from guest virtual machines (VMs).

IO Visor: This [TOE] VIB provides a network file system (NFS) mount point so that the ESXi hypervisor can access the HyperFlex HX Data Platform virtual disk drives that are attached to individual virtual machines. From the hypervisor's perspective, it is simply attached to a network file system.

Storage Cluster: The storage cluster contains the converged nodes and their associated storage that the HX Data Platform (TOE) manages. This storage cluster can also include compute nodes, which do not include storage and which the HX Data Platform (TOE) monitors.

Users: The users of the TOE are the processes and applications on the VMs on the TOE that access the storage clusters and datastores provided by the TOE.

Virtual Local Area Network (VLAN): VLANs enable efficient traffic separation, provide better bandwidth utilization, and alleviate scaling issues by logically segmenting the physical local-area network (LAN) infrastructure into different subnets so that VLAN packets are presented only to interfaces within the same VLAN. The most important requirement of VLANs is the ability to identify the origination point for packets with a VLAN tag, to ensure packets can only travel to interfaces for which they are authorized.

Virtual Machines (VMs): The virtual machines are the virtual servers on the TOE that access the storage clusters and datastores provided by the TOE.

vMotion: Enables the live migration of running virtual machines from one physical server to another with zero downtime, continuous service availability, and complete transaction integrity. It is transparent to users.

VMware vStorage API for Array Integration (VAAI): This storage offload [TOE] API allows vSphere to request advanced file system operations such as snapshots and cloning. The controller causes these operations to occur through manipulation of metadata rather than actual data copying, providing rapid response and thus rapid deployment of new application environments.

Whitelist: A whitelist may consist of a list of users, applications or processes that are viewed with approval or are being provided a particular privilege. Entities on the whitelist will be approved, recognized and/or accepted. For the TOE, the whitelist consists of the IP addresses of the VMs that have access to the HyperFlex HX Data storage clusters and datastores; it is controlled and enforced by the TOE.

DOCUMENT INTRODUCTION

Prepared By: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA 95134

This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Cisco HyperFlex Systems HX Series running Cisco HyperFlex HX Data Platform Software, version 2.5(1c). This Security Target (ST) defines a set of assumptions about the aspects of the environment, a list of threats that the product intends to counter, a set of security objectives, a set of security requirements, and the IT security functions provided by the TOE which meet the set of requirements.
1 SECURITY TARGET INTRODUCTION

The Security Target contains the following sections:
- Security Target Introduction [Section 1]
- Conformance Claims [Section 2]
- Security Problem Definition [Section 3]
- Security Objectives [Section 4]
- IT Security Requirements [Section 5]
- TOE Summary Specification [Section 6]
- Rationale [Section 7]

The structure and content of this ST comply with the requirements specified in the Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter 4.

1.1 ST and TOE Reference

This section provides information needed to identify and control this ST and its TOE.

Table 3 ST and TOE Identification

ST Title: Cisco HyperFlex Systems HX Series Common Criteria Security Target
ST Version: 1.0
Publication Date: 21 September 2017
ST Author: Cisco Systems, Inc.
Developer of the TOE: Cisco Systems, Inc.
TOE Reference: Cisco HyperFlex Systems HX Series
TOE Hardware Models:
- Cisco HyperFlex HX220c M4 Node
- Cisco HyperFlex HX240c M4 Node
- Cisco HyperFlex HX240c M4 Nodes with Cisco UCS B200 Blade Servers
TOE Software Version: Cisco HyperFlex HX Data Platform Software, version 2.5(1c)
TOE Guidance: Cisco HyperFlex Systems HX Series Common Criteria Operational User Guidance and Preparative Procedures, Version 1.0
Keywords: HyperFlex, Convergent, Cluster, Storage, Data Protection, Authentication

1.2 TOE Overview

The TOE is the Cisco HyperFlex Systems HX Series (hereinafter also referred to as Converged Hosts or TOE). The TOE is a hyper-convergent, software-centric solution that tightly integrates computing, storage, networking and virtualization resources in a single hardware platform. The TOE is installed in a hypervisor environment, such as VMware vSphere. The TOE manages the storage of a storage cluster that has a minimum of three servers (HyperFlex HX Series Nodes (Converged Hosts)) with Solid-state disk (SSD) and Hard-disk drive (HDD) attached storage. The clustered servers are networked with switches and fabric interconnects. Optionally, non-storage servers (compute nodes) can be included in the storage cluster. HX Data Platform manages the storage for the data and VMs stored on the associated storage cluster.

The HyperFlex HX Series installer is loaded on a UCS platform that is networked to the storage cluster to be managed. During the installation of the TOE, the initial cluster with at least three HyperFlex HX Series Nodes is created. The datastores are added to the storage cluster after the installation is complete.

The HyperFlex HX Series provides a highly fault-tolerant distributed storage system that preserves data integrity and optimizes performance for virtual machine (VM) storage workloads. The HyperFlex HX Series includes CLI commands that are used to monitor and manage the storage clusters. The CLI also gives the Authorized Administrator the ability to add nodes as the storage capacity and storage needs grow within the organization.

The following figure provides a visual depiction of an example TOE deployment.

Figure 1 TOE Example Deployment

Trunk ports with VLANs are the access points between the physical and virtual environments. The VLANs are tagged using External Switch VLAN Tagging (EST). The VLAN used for HX storage traffic must be able to traverse the network uplinks from the UCS domain, reaching FI A from FI B, and vice versa. The VLANs are configured during installation of the TOE, then managed by VMware ESXi. There are four required zones:
- Management Zone: This zone comprises the connections needed to manage the physical hardware, the hypervisor hosts, and the storage platform controller virtual machines (SCVM).
- VM Zone: This zone comprises the connections needed to service network IO to the guest VMs that will run inside the HyperFlex HX Series hyperconverged system.
- Storage Zone: This zone comprises the connections used by the Cisco HX Data Platform software, ESXi hosts, and the storage controller VMs to service the HX Distributed Data Filesystem.
- vMotion Zone: This zone comprises the connections used by the ESXi hosts to enable vMotion of the guest VMs from host to host.

The following diagram illustrates the logical data path and network design.

Figure 2 Cisco HX Data Logical Data Paths

1.2.1 TOE Product Type

The Cisco HyperFlex Systems HX Series product type is an infrastructure system with a software-centric architecture that tightly integrates compute, storage, networking and virtualization resources. The HyperFlex Systems HX Series provides connectivity and security services on a single, secure device. The TOE offers:
- Enterprise-class data management features that are required for complete lifecycle management and enhanced data protection in distributed storage
- Simplified data management that integrates storage functions into existing management tools, allowing instant provisioning for dramatically simplified daily operations
- Independent scaling of the computing, caching, and capacity tiers, giving you the flexibility to scale the environment based on evolving business needs
- Continuous data optimization with inline data deduplication and compression that increases resource utilization with more headroom for data scaling
- Dynamic data placement in node memory, enterprise-class flash memory (on solid-state disk [SSD] drives), and persistent storage tiers (on hard-disk drives [HDDs]) to optimize performance and resiliency, and to readjust data placement as you scale your cluster

The HyperFlex Systems HX Series delivers the combination of these essential features in a single solution.
1.2.2 Supported non-TOE Hardware/Software/Firmware

The TOE supports the following hardware, software, and firmware components in its operational environment. Each component is identified as being required or not based on the claims made in this Security Target. All of the following environment components are supported by all TOE evaluated configurations.

Table 4 IT Environment Components

DNS Server (Required: Yes): The DNS Server is required to support IP addresses that are provided as host names for the various components that may be used for traffic and access control.

Fabric Interconnects (FI) (Cisco UCS) (Required: Yes): The FIs provide the connections to the larger network, including the switches and servers. The TOE deployment requires a minimum of two FIs for each Cisco HyperFlex Cluster to provide high availability. The FI provides the single point of connectivity and hardware management that integrates Cisco HyperFlex HX Series nodes and Cisco UCS B-Series Blade Servers into a single unified cluster. The two FIs must be directly connected together using Ethernet cables between the two FI ports. This allows both FIs to continuously monitor the status of each other. Cisco UCS Manager is embedded software on the pair of fabric interconnects.

Management Workstation (Required: Yes): This includes any IT Environment Management workstation installed with an SSHv2 client to support the TOE CLI interface for management of the TOE. The connection of the management workstation to the TOE is protected through an SSHv2 channel.

NTP Server (Required: Yes): The TOE supports communications with an NTP server to receive clock updates.

SNMP Server (Required: No): The server is required for the AutoSupport service, an alert notification service that is optional.

Switches (Required: Yes): The switches provide data transmission and tracking.

VMware vSphere (Required: Yes): The supported versions include 6.0 U1b, 6.0 U2 and 6.0 U2 Patch 3, with the VMware vSphere Editions Enterprise, Enterprise Plus, Standard, Essentials Plus and ROBO. vSphere contains both vCenter and ESXi. The vCenter version must always be equal to or higher than the ESXi version [1].

[1] HyperFlex Systems may be pre-installed with VMware vSphere, with licensing applied at purchase.

1.3 TOE DESCRIPTION

This section provides an overview of the Cisco HyperFlex Systems HX Series Target of Evaluation (TOE). The TOE is comprised of both software and hardware.

The TOE software is Cisco HyperFlex HX Data Platform Software, version 2.5(1c). Cisco HyperFlex HX Data Platform™ Software is a Cisco-developed, highly configurable proprietary operating system that provides for efficient and effective scaling of storage capacity and performance.

The TOE hardware is the Cisco HyperFlex HX Series Nodes and Cisco UCS B-Series Blade Servers, which include the following models:

The Cisco HyperFlex HX220c M4 Node is a small-footprint one rack unit (1RU) node that efficiently stores data and optimizes performance with two Intel Xeon E5 2600 v3 processors, 256 Gb to 512 Gb 2133 MHz DIMMs, a 480-Gb high-endurance (Intel 3610) cache SSD and 6 x 1.2 TB 10,000 RPM 12-Gbps SAS disks.

Figure 3 Cisco HyperFlex HX220c M4 Node

The Cisco HyperFlex HX240c M4 Node is a two rack unit (2RU) node that allows for cluster scaling with maximum storage capacity. The HyperFlex HX240c M4 Node has two Intel Xeon E5 2600 v3 processors, 256 Gb to 784 Gb 2133 MHz DIMMs, 1.6-Tb high-endurance (Intel 3610) cache SSDs and 15 x 1.2 TB 10K RPM 12-Gbps SAS disks.

Figure 4 Cisco HyperFlex HX240c M4 Node

The Cisco HyperFlex HX240c M4 Nodes with Cisco UCS B200 Blade Servers efficiently store data and optimize for performance, so you never worry about running out of one resource while having too much of another.
The HyperFlex HX240c M4 Nodes with Cisco UCS B200 Blade Servers have 2 x Intel Xeon E5 2600 v3 processors plus 2 x Intel Xeon E5 2600 v3 processors in the Cisco UCS B200 servers, 256 Gb to 784 Gb 2133 MHz DIMMs, 1.6-Tb high-endurance (Intel 3610) cache SSDs and 15 x 1.2-TB 10,000 RPM 12-Gbps SAS disks.

Figure 5 Cisco HyperFlex HX240c M4 Nodes with Cisco UCS B200 Blade Servers

The Cisco HyperFlex HX Series Cluster contains a minimum of three and a maximum of eight converged HX nodes (Cisco HyperFlex HX240c M4 or Cisco HyperFlex HX220c M4), with an option of adding compute-only nodes (Cisco B200 M4) to provide additional compute power if there is no need for extra storage. Each server in a HyperFlex HX Cluster may also be referred to as a Converged host or HX node.

The following drawing illustrates the HyperFlex HX Series (Converged Host) required hardware components and the relative connections between the components.

Figure 6 Cisco HX Data Platform Hardware Overview

Each of the TOE Converged hosts (HyperFlex HX Series Nodes) depicted in the diagram above provides the storage in the storage cluster. The SSDs are depicted as the blue squares and the HDDs are depicted as the green-layered circles.

The following figure provides a visual depiction of an example TOE deployment.

Figure 7 TOE Example Deployment

The diagram above includes the following TOE components:
- vCenter cluster: the original vSphere cluster containing the VM hosts that use and access the storage clusters. Note that, as depicted in the drawing above, the VM hosts are in both the vCenter Cluster and the HyperFlex HX Series Storage Cluster. These are the same VM hosts, but they belong to both clusters.
- Storage cluster: the created HyperFlex HX Series cluster containing the listed hosts from the vCenter cluster. A cluster requires a minimum of three TOE Converged Hosts (HyperFlex HX Series Nodes). Data is replicated across at least two of these nodes, and a third node is required for continuous operation in the event of a single-node failure. Each node that has disk storage is equipped with at least one high-performance SSD drive for data caching and rapid acknowledgment of write requests. Each node is also equipped with up to the platform's physical capacity of spinning disks for maximum data capacity.
- HyperFlex HX Series controller: resides on each TOE Converged Host (HyperFlex HX Series Node) and implements the distributed file system. It uses the node's memory and SSD drives as part of a distributed caching layer, and it uses the node's HDDs for distributed storage.
- HyperFlex HX Series Installer VM: remains available for additional cluster creation, or for cluster expansion with TOE Converged hosts or compute nodes.
- HyperFlex Controller VM: runs on each of the TOE Converged Hosts (HyperFlex HX Series Nodes) in the cluster. The Controller VMs cooperate to form and coordinate the Cisco HX Distributed Filesystem, and service all the guest VM IO requests. The Controller VMs are deployed as a vSphere ESXi agent, and the agent is tied to a specific host. Each ESXi hypervisor host has a single ESXi agent deployed, which is the Controller VM for that node, and it cannot be moved or migrated to another host.

1.4 TOE Evaluated Configuration

The TOE consists of one or more physical devices as specified in section 1.5 Physical Scope of the TOE below and includes the Cisco HyperFlex HX Data Platform Software, version 2.5(1c). The TOE is installed in a hypervisor environment, such as VMware vSphere, where it manages the storage clusters and datastores of a minimum of three servers (TOE Converged hosts) with SSD and HDD attached storage.
The clustered servers (TOE Converged hosts) are networked with switches and fabric interconnects. Optionally, non-storage servers (compute nodes) can be included in the storage cluster (TOE Converged hosts). HyperFlex HX Series manages the storage for the data and VMs stored on the associated storage cluster (TOE Converged hosts).

The evaluated configuration is the configuration of the TOE that satisfies the requirements as defined in this Security Target (ST). For example:
- Security audit: The TOE generates audit records to assist the Authorized Administrator in monitoring the security state of the HX Data Platform as well as in troubleshooting various problems that arise throughout the operation of the system.
- User Data Protection: The TOE provides access controls to the TOE Converged hosts, clusters and datastores.
- Identification and authentication: The TOE ensures that all Authorized Administrators are successfully identified and authenticated prior to gaining access to the TOE, and terminates the connection after a configured period of inactivity.
- Secure Management: The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs through the CLI (over SSHv2). All of these management functions are restricted to the Authorized Administrator. The term "Authorized Administrator" is used in this ST to refer to any user account that has been assigned the privileges to perform the relevant action. The TOE provides the ability to perform the following actions:
  - Administer the TOE remotely
  - Manage access control attributes
  - Manage Authorized Administrators' security attributes
  - Review audit record logs
  - Configure and manage the system time
- Protection of the TSF: The TOE protects against interference and tampering by untrusted subjects by implementing identification and authentication and access control to the TOE Converged hosts, clusters and datastores, and by limiting configuration options to the Authorized Administrator. Additionally, Cisco HyperFlex HX Series is not a general-purpose operating system, and access to Cisco HyperFlex HX Series memory space is restricted to only Cisco HyperFlex HX Series functions. The TOE also provides the capability to protect against unavailability of capabilities and system resources, and to revert to a saved space in the case of hardware or system disruption or failure. The TOE internally maintains the date and time. This date and time is used as the timestamp applied to audit records generated by the TOE. The Authorized Administrator can update the TOE's clock manually or can configure the TOE to use NTP to synchronize the TOE's clock with an external time source.
- TOE Access: The TOE can enforce the termination of inactive sessions after an Authorized Administrator-configurable time period. Once a session has been terminated, the TOE requires the Authorized Administrator to re-authenticate to establish a new session.
- Resource Utilization: Ensures the system, resources and data are preserved in case of a failure or degradation of services.
- Trusted Path/Channel: Ensures a trusted path is established between the TOE and the CLI using SSHv2. The TOE is remotely administered using the CLI; therefore, the management station must be connected to an internal network and SSHv2 must be used to securely connect to the TOE.
The TOE is also configured to connect to an NTP server on its internal protected network for time services, which is only accessible via the protected internal network. The NTP server is used for clock synchronization between services running on the Cisco HyperFlex HX Series Nodes, the storage controller VMs (storage controller) and ESX hosts (Hypervisor).

1.5 Physical Scope of the TOE

The TOE is a hardware and software solution that makes up the Cisco HyperFlex Systems HX Series. The hardware platforms include the Cisco HyperFlex HX Series Nodes and Cisco UCS B-Series Blade Servers. The software is the Cisco HyperFlex HX Data Platform™ Software v2.5(1c). The network on which they reside is considered part of the environment. The TOE guidance documentation that is considered to be part of the TOE is listed in the Cisco HyperFlex Systems HX Series Common Criteria Operational User Guidance and Preparative Procedures document and can be obtained from the http://cisco.com web site. The TOE is comprised of the following physical specifications as illustrated and described in the Figures and Tables below:

Table 5 Hardware Models and Specifications

Hardware: Cisco HyperFlex HX220c M4 Node
Size: Height 1.7 in. (4.32 cm); Width 16.89 in. (43.0 cm), including handles 18.98 in. (48.2 cm); Depth 29.8 in. (75.6 cm), including handles 30.98 in. (78.7 cm)
Power: Two 770 W (AC) hot-swappable power supplies
Interfaces, rear panel:
- One DB15 VGA connector
- One RJ45 serial port connector
- Two USB 3.0 port connectors
- One RJ-45 10/100/1000 Ethernet management port, using Cisco Integrated Management Controller (CIMC) firmware
- Two Intel i350 embedded (on the motherboard) GbE LOM ports
- One flexible modular LAN on motherboard (mLOM) slot that accommodates the Cisco UCS VIC 1227 mLOM dual-port 10Gb SFP+ interface card
- Two PCIe 3.0 slots
Interfaces, front panel:
- One KVM console connector (supplies two USB 2.0 connectors, one VGA DB15 connector, and one serial port (RS232) RJ45 connector)

Hardware: Cisco HyperFlex HX240c M4 Node
Size: Height 3.43 in. (8.70 cm); Width (including slam latches) 17.65 in. (44.8 cm), including handles 18.96 in. (48.2 cm); Depth 29.0 in. (73.8 cm), including handles 30.18 in. (76.6 cm)
Power: Up to two hot-pluggable, redundant 650 W, 930 W DC, 1200 W, or 1400 W power supplies
Interfaces, rear panel:
- One DB15 VGA connector
- One RJ45 serial port connector
- Two USB 3.0 port connectors
- One RJ-45 10/100/1000 Ethernet management port, using Cisco Integrated Management Controller (CIMC) firmware
- Two Intel i350 embedded (on the motherboard) GbE LOM ports
- One flexible modular LAN on motherboard (mLOM) slot that accommodates the Cisco UCS VIC 1227 mLOM dual-port 10Gb SFP+ interface card
- Two PCIe 3.0 slots
Interfaces, front panel:
- One KVM console connector (supplies two USB 2.0 connectors, one VGA DB15 video connector, and one serial port (RS232) RJ45 connector)

Hardware: Cisco HyperFlex HX240c M4 Nodes with Cisco UCS B200 Blade Servers
Size: Same as above for the node, plus the following blade size: Height 1.95 in. (50 mm); Width 8.00 in. (203 mm); Depth 24.4 in. (620 mm)
Power: Same as above for the node and blade
Interfaces: Same as above for the node, plus the following blade interface on the front panel:
- One console connector

1.6 Logical Scope of the TOE

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.

- Security audit
- User data protection
- Identification and authentication
- Secure Management
- Protection of the TSF
- Resource Utilization
- TOE Access
- Trusted Path

These features are described in more detail in the subsections below.

1.6.1 Security Audit

The TOE generates audit messages that identify specific TOE operations.
For each event, the TOE records the date and time of the event, the type of event, the subject identity, and the outcome of the event. Auditable events include:

- all use of the user identification mechanism;
- all use of the authentication mechanism;
- all modifications in the behavior of the functions in the TSF;
- all modifications of the default settings;
- all modifications to the values of the TSF data;
- use of the management functions;
- changes to the time;
- terminations of an interactive session; and
- attempts to use the trusted path functions.

The TOE writes audit records to the local logging buffer by default. The TOE provides an interface for the Authorized Administrator to delete audit data stored locally on the TOE in order to manage the audit log space. The logs can be viewed on the TOE using Task View CLI commands. The records include the date/time the event occurred, the event/type of event, the user associated with the event, and additional information about the event and its success and/or failure.

1.6.2 User Data Protection

The TOE provides the Authorized Administrator with the ability to control remote host (VM) access to the TOE Converged hosts, clusters and datastores with whitelisting. The whitelist controls access using IP addresses. If the Remote Host (VM) IP address is included on the whitelist and there is sufficient storage capacity, access is granted; otherwise access is denied. Three sets of addresses are used:

- Management addresses identify the TOE Converged hosts and their clusters and datastores, and the Storage Controller VM management interfaces
- VM addresses identify the guest VMs that run in the TOE HyperFlex hyperconverged system
- Storage addresses are used by Cisco HX Data Platform software, ESXi hosts, and the storage controller VMs to service the HX Distributed Filesystem.
These interfaces and IP addresses need to be able to communicate with each other at all times for proper operation.

1.6.3 Identification and authentication

The TOE provides authentication services for the Authorized Administrator to connect to the TOE's secure CLI administrator interface. The TOE requires the Authorized Administrator to authenticate prior to being granted access to any of the management functionality. The TOE can be configured to enforce a password minimum length as well as mandatory password complexity rules. The TOE provides administrator authentication against a local user database. Password-based authentication is performed over the secured SSHv2 CLI session interface. Each Authorized Administrator account must have a unique user name, and for authentication purposes a password is required for each Authorized Administrator account.

1.6.4 Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs through the CLI interface via an SSHv2 secure connection. The TOE provides the ability to securely:

- Administer the TOE remotely
- Manage access control attributes
- Manage Authorized Administrators' security attributes, noting that the TOE allows more than one administrator account to be configured. Each Authorized Administrator must be assigned a unique username and password
- Review audit record logs
- Configure and manage the system time

1.6.5 Protection of the TSF

The TOE protects against interference and tampering by untrusted subjects by implementing identification and authentication and by limiting configuration options to the Authorized Administrator.
Additionally, Cisco HyperFlex HX Data Platform™ Software v2.5(1c) is not a general-purpose operating system, and access to its memory space is restricted to only Cisco HyperFlex HX Data Platform™ Software v2.5(1c) functions. The TOE provides a capability called native snapshot to save the current state of the VMs, so the Authorized Administrator has the option to revert to the saved state in the case of disruption or failure. The TOE internally maintains the date and time. This date and time is used as the timestamp that is applied to audit records generated by the TOE. Authorized Administrators can update the TOE's clock manually or configure the TOE to use NTP to synchronize the TOE's clock with an external time source. It is recommended that the TOE be configured to use an NTP server on its internal protected network for time services, which is only accessible via the protected internal network. The NTP server is used for clock synchronization between services running on the Cisco HyperFlex HX Series Nodes, the storage controller VMs (storage controller) and ESX hosts (Hypervisor).

1.6.6 Resource Utilization

The TOE protects against unavailability of capabilities and system resources caused by failure or degradation of services by supporting redundancy and failover capabilities of the storage management network and the storage data networks.

1.6.7 TOE Access

The TOE enforces the termination of inactive sessions after an Authorized Administrator configurable time period has expired. Once a session has been terminated, the TOE requires the Authorized Administrator to re-authenticate to establish a new session.

1.6.8 Trusted Path

The TOE allows trusted paths to be established to itself from remote administrators over SSHv2 for remote CLI access.

1.7 Excluded Functionality

The following functionality is excluded from the evaluation.

- Telnet: Sends authentication data in plain text.
This feature is disabled by default and must remain disabled in the evaluated configuration.

1.8 TOE Documentation

This section identifies the guidance documentation included in the TOE. The documentation for the Cisco HyperFlex Systems HX Series comprises:

- Cisco HyperFlex Systems HX Series Common Criteria Operational User Guidance and Preparative Procedures, v1.0 dated [DD MMM YYYY].

2 CONFORMANCE CLAIMS

2.1 Common Criteria Conformance Claim

The ST and the TOE it describes are conformant with the following CC specifications:

- Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Version 3.1, Revision 4, September 2012
  - Part 2 Conformant
- Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Version 3.1, Revision 4, September 2012
  - Part 3 Conformant

The ST and TOE are package conformant to the evaluation assurance package:

- EAL2

2.2 Protection Profile Conformance

This ST claims no conformance to any Protection Profile.

3 SECURITY PROBLEM DEFINITION

This section describes the security environment in which the TOE is intended to be used:

- Significant assumptions about the TOE's operational environment
- IT related threats to the organization countered by the TOE
- Environmental threats requiring controls to provide sufficient protection
- Organizational security policies for the TOE as appropriate

This document identifies assumptions as A.assumption with "assumption" specifying a unique name. Threats are identified as T.threat with "threat" specifying a unique name.

3.1 Assumptions

The specific conditions listed in the following subsections are assumed to exist in the TOE's environment.
These assumptions include both practical realities in the development of the TOE security requirements and the essential environmental conditions on the use of the TOE.

Table 6 TOE Assumptions

Assumption | Assumption Definition
A.ADMIN | All Authorized Administrators are assumed to be non-hostile, to follow the administrative guidance, and not to disrupt the operation of the TOE intentionally.
A.CONNECTIONS | The operational environment in which the TOE is installed will allow the users of the TOE to access the stored information.
A.LOCATE | The processing resources of the TOE and those services provided by the operational environment will be located within controlled access facilities, which will prevent unauthorized physical access.

3.2 Threats

The following table lists the threats addressed by the TOE and the IT Environment. The assumed level of expertise of the attacker for all the threats identified below is Basic.

Table 7 Threats

Threat | Threat Definition
T.ACCOUNTABILITY | An authorized administrator is not held accountable for their actions on the TOE because the audit records are not generated or reviewed.
T.NOAUTH | An unauthorized person (attacker) may attempt to bypass the security of the TOE so as to access and use security functions and/or non-security functions provided by the TOE to disrupt operations of the TOE.
T.RESOURCE_AVAILABILITY | The TOE data (user) could become corrupted or unavailable due to hardware or system operation failures.
T.TIME | Evidence of a compromise by an unauthorized user (attacker) or malfunction of the TOE may go unnoticed or not be properly traceable if recorded events (audit data) are not properly sequenced through application of correct timestamps.

3.3 Organizational Security Policies

No Organizational Security Policies (OSPs) have been defined for this TOE.
4 SECURITY OBJECTIVES

This section identifies the security objectives of the TOE and the IT Environment. The security objectives identify the responsibilities of the TOE and the TOE's IT environment in meeting the security needs. This document identifies objectives of the TOE as O.objective with "objective" specifying a unique name. Objectives that apply to the IT environment are designated as OE.objective with "objective" specifying a unique name.

4.1 Security Objectives for the TOE

The following table, Security Objectives for the TOE, identifies the security objectives of the TOE. These security objectives reflect the stated intent to counter identified threats and/or comply with any security policies identified. An explanation of the relationship between the objectives and the threats/policies is provided in the rationale section of this document.

Table 8 Security Objectives for the TOE

TOE Objective | TOE Security Objective Definition
O.ACCESS_CONTROL | The TOE will restrict access to the TOE management functions to the Authorized Administrator.
O.ADMIN | The TOE will provide the Authorized Administrator with a set of privileges to isolate administrative actions and to make the administrative functions available remotely.
O.AUDIT_GEN | The TOE will generate audit records that will include the time that the event occurred, the identity of the user performing the event and the outcome of the event.
O.AVAILABILITY | The TOE will provide mechanisms to maintain a secure state and mitigate against data loss or corruption due to hardware or system operation failures.
O.AUDIT_VIEW | The TOE will provide the Authorized Administrator the capability to review audit data.
O.DATA | The TOE will protect the configuration and user data from unauthorized modifications.
O.IDAUTH | The TOE must uniquely identify and authenticate the claimed identity of all administrative users before granting management access.
O.SELFPRO | The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions.
O.TIME | The TOE will provide a reliable time stamp for its own use.

4.2 Security Objectives for the Environment

All of the assumptions stated in Section 3.1 are considered to be security objectives for the environment. The following are the non-IT security objectives, which, in addition to those assumptions, are to be satisfied without imposing technical requirements on the TOE. That is, they will not require the implementation of functions in the TOE hardware and/or software. Thus, they will be satisfied largely through application of procedural or administrative measures.

Table 9 Security Objectives for the Environment

Environment Security Objective | IT Environment Security Objective Definition
OE.ADMIN | The Authorized Administrators are well trained and trusted to manage the TOE and to configure the IT environment and required non-TOE devices for the proper network support.
OE.CONNECTION | The operational environment will have the required protected network support for the operation of the TOE to prevent unauthorized access to the TOE.
OE.LOCATE | The processing resources of the TOE and those services provided by the operational environment will be located within controlled access facilities, which will prevent unauthorized physical access.

5 SECURITY REQUIREMENTS

This section identifies the Security Functional Requirements for the TOE. The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, dated September 2012, and all international interpretations.
5.1 Conventions

The CC defines operations on Security Functional Requirements: assignments, selections, assignments within selections and refinements. This document uses the following font conventions to identify the operations defined by the CC:

- Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g., [[selected-assignment]]).
- Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]).
- Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a number placed at the end of the component. For example, FDP_IFF.1(1) and FDP_IFF.1(2) indicate that the ST includes two iterations of the FDP_IFF.1 requirement, (1) and (2).
- Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., "... all objects ..." or "... some big things ...").
- Extended Requirements (i.e., those not found in Part 2 of the CC) are identified with "(EXT)" in the functional class/name.
- Other sections of the ST use bolding to highlight text of special interest, such as captions.

5.2 TOE Security Functional Requirements

This section identifies the Security Functional Requirements for the TOE. The TOE Security Functional Requirements that appear in the following table are described in more detail in the following subsections.
Table 10 Security Functional Requirements

Requirement Class | Requirement Component
FAU: Security audit | FAU_GEN.1: Audit data generation
 | FAU_GEN.2: User identity association
 | FAU_SAR.1: Audit review
 | FAU_STG.1: Protected audit trail storage
FDP: User data protection | FDP_ACC.2: Complete access control
 | FDP_ACF.1: Security attribute based access control
FIA: Identification and authentication | FIA_ATD.1: User attribute definition
 | FIA_SOS.1: Verification of secrets
 | FIA_UAU.2: User authentication before any action
 | FIA_UAU.7: Protected authentication feedback
 | FIA_UID.2: User identification before any action
FMT: Security management | FMT_MSA.1: Management of security attributes (Access Control)
 | FMT_MSA.3: Static attribute initialisation (Access Control)
 | FMT_MTD.1: Management of TSF data
 | FMT_SMF.1: Specification of management functions
 | FMT_SMR.1: Security roles
FPT: Protection of the TSF | FPT_FLS.1: Failure with preservation of secure state
 | FPT_STM.1: Reliable time stamps
FRU: Resource Utilization | FRU_FLT.2: Limited fault tolerance
FTA: TOE Access | FTA_SSL.3: TSF-initiated termination
FTP: Trusted Path | FTP_TRP.1: Trusted Path

5.2.1 Security audit (FAU)

5.2.1.1 FAU_GEN.1 Audit data generation

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shut-down of the audit functions;
b) All auditable events for the [not specified] level of audit specified in Table 11 Auditable Events; and
c) [no additional events].

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [information specified in the Additional Audit Record Contents column of Table 11 Auditable Events].
Table 11 Auditable Events

Requirement | Auditable Events | Additional Audit Record Contents
FAU_GEN.1 | None. | 
FAU_GEN.2 | None. | 
FAU_SAR.1 | None. | 
FAU_STG.1 | None. | 
FDP_ACC.2 | None | 
FDP_ACF.1 | None | 
FIA_ATD.1 | None | 
FIA_SOS.1 | None | 
FIA_UAU.2 | All use of the authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address).
FIA_UAU.7 | None | 
FIA_UID.2 | All use of the identification mechanism. | Provided user identity, origin of the attempt (e.g., IP address).
FMT_MSA.1 | None | 
FMT_MSA.3 | Modifications of the default setting of permissive or restrictive rules and all modifications of the initial values of security attributes. | None
FMT_MTD.1 | All modifications to the values of TSF data | The identity of the authorized administrator performing the operation.
FMT_SMF.1 | Use of the management functions | The identity of the authorized administrator performing the operation.
FMT_SMR.1 | None | 
FPT_FLS.1 | Failure of the TSF | None
FPT_STM.1 | Changes to the time. | The identity of the authorized administrator performing the operation.
FRU_FLT.2 | Any failure detected by the TSF | None
FTA_SSL.3 | Termination of an interactive session by the session locking mechanism. | None
FTP_TRP.1 | Attempts to use the trusted path functions. | Identification of the user associated with all trusted path invocations including failures, if available.

5.2.1.2 FAU_GEN.2 User Identity Association

FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

5.2.1.1 FAU_SAR.1 Audit Review

FAU_SAR.1.1 The TSF shall provide [Authorized Administrator] with the capability to read [all TOE audit trail data] from the audit records.

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
5.2.1.2 FAU_STG.1 Protected audit trail storage

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.

FAU_STG.1.2 The TSF shall be able to [prevent] unauthorised modifications to the stored audit records in the audit trail.

5.2.1 User data protection (FDP)

5.2.1.1 FDP_ACC.2 Complete access control

FDP_ACC.2.1 The TSF shall enforce the [Access Control SFP] on [
Subjects:
- Remote Hosts (VMs)
Objects:
- Clusters (Converged Hosts)
- Datastores]
and all operations among subjects and objects covered by the SFP.

FDP_ACC.2.2 The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

5.2.1.2 FDP_ACF.1 Security attribute based access control

FDP_ACF.1.1 The TSF shall enforce the [Access Control SFP] to objects based on the following: [
Subject security attributes:
- Remote Host IP address
Object security attributes:
- Cluster Datastore IP address
- Whitelist
- Storage capacity].

FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [if the Remote Host IP address is on the Cluster Datastore whitelist, access is granted].

FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [if the Cluster Datastore storage space is not available, access is denied].

5.2.2 Identification and authentication (FIA)

5.2.2.1 FIA_ATD.1 User Attribute Definition

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [For interactive users: a) user identity; b) password].
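The whitelist rule of section 1.6.2 and the FDP_ACC.2 / FDP_ACF.1 rules above, written out as a small policy engine. This is an added example and not HX Data Platform code. The class and function names, the audit record layout, the role string and the sample addresses (198.51.100.0/24, RFC 5737 TEST-NET-2) are assumptions made for the illustration; the decision rules follow the SFRs: the explicit deny on exhausted storage (FDP_ACF.1.4) is checked before the whitelist permit (FDP_ACF.1.2), the whitelist starts empty so the default is restrictive (FMT_MSA.3), and only the Authorized Administrator may change it (FMT_MSA.1), with every change attempt audited with the administrator's identity as Table 11 requires.

```python
"""Access Control SFP (FDP_ACC.2 / FDP_ACF.1) with restrictive defaults (FMT_MSA.3)
and administrator-only attribute management (FMT_MSA.1), modelled in Python.

Added illustration, not HX Data Platform code: names, record layout, role string
and the 198.51.100.0/24 sample addresses are assumptions; the rules are the SFRs'.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

AUTHORIZED_ADMINISTRATOR = "Authorized Administrator"   # the only role in FMT_SMR.1


@dataclass
class Datastore:
    """SFP object with the FDP_ACF.1.1 object attributes (address, whitelist,
    storage capacity). The whitelist starts empty: the restrictive default of
    FMT_MSA.3.1, so nothing is granted until an administrator adds a host."""
    name: str
    address: str
    capacity_bytes: int
    used_bytes: int = 0
    whitelist: Set = field(default_factory=set)   # parsed address objects, not strings

    def free_bytes(self) -> int:
        return self.capacity_bytes - self.used_bytes


def evaluate_access(remote_host_ip: str, ds: Datastore, request_bytes: int) -> Tuple[bool, str]:
    """Decide one subject/object operation. The explicit deny rule (FDP_ACF.1.4)
    is checked before the permit rule (FDP_ACF.1.2) because explicit denial
    overrides permits in CC semantics; anything matching no rule is denied."""
    try:
        subject = ip_address(remote_host_ip)   # compare by address value; fail closed on junk
    except ValueError:
        return False, "deny: malformed remote host address"
    if request_bytes > ds.free_bytes():
        return False, "deny: datastore storage space not available (FDP_ACF.1.4)"
    if subject in ds.whitelist:
        return True, "grant: remote host IP on datastore whitelist (FDP_ACF.1.2)"
    return False, "deny: remote host IP not on whitelist (restrictive default)"


@dataclass
class AuditRecord:
    """FAU_GEN.1.2 minimum (date/time, type, subject, outcome) plus the Table 11
    extra for FMT_MSA.3 / FMT_MTD.1: the administrator performing the change."""
    timestamp: datetime
    event_type: str
    subject: str
    outcome: str
    detail: str


class AccessControlManager:
    """Holds the datastores and the audit trail; mediates attribute changes."""

    def __init__(self) -> None:
        self.datastores: Dict[str, Datastore] = {}
        self.audit: List[AuditRecord] = []

    def _log(self, event_type: str, subject: str, outcome: str, detail: str) -> None:
        self.audit.append(AuditRecord(datetime.now(timezone.utc), event_type, subject, outcome, detail))

    def add_datastore(self, ds: Datastore) -> None:
        self.datastores[ds.name] = ds

    def modify_whitelist(self, actor: str, role: str, ds_name: str, host_ip: str, add: bool = True) -> bool:
        """FMT_MSA.1: only the Authorized Administrator may modify the whitelist.
        Every attempt, successful or not, is audited with the actor's identity."""
        op = "whitelist_add" if add else "whitelist_remove"
        if role != AUTHORIZED_ADMINISTRATOR:
            self._log(op, actor, "failure", f"{ds_name}: role {role!r} not permitted")
            return False
        ds = self.datastores.get(ds_name)
        if ds is None:
            self._log(op, actor, "failure", f"{ds_name}: no such datastore")
            return False
        try:
            addr = ip_address(host_ip)
        except ValueError:
            self._log(op, actor, "failure", f"{ds_name}: malformed address {host_ip!r}")
            return False
        (ds.whitelist.add if add else ds.whitelist.discard)(addr)
        self._log(op, actor, "success", f"{ds_name}: {addr}")
        return True

    def request(self, remote_host_ip: str, ds_name: str, request_bytes: int) -> Tuple[bool, str]:
        ds = self.datastores.get(ds_name)
        if ds is None:
            return False, "deny: no such datastore"
        return evaluate_access(remote_host_ip, ds, request_bytes)


def demo() -> AccessControlManager:
    """Constructed scenario: a 10 GiB datastore with 1 GiB free, one admin, one non-admin."""
    mgr = AccessControlManager()
    mgr.add_datastore(Datastore("ds1", "198.51.100.2", capacity_bytes=10 * 1024**3, used_bytes=9 * 1024**3))
    mgr.modify_whitelist("admin", AUTHORIZED_ADMINISTRATOR, "ds1", "198.51.100.20")
    mgr.modify_whitelist("guest", "Operator", "ds1", "198.51.100.21")   # rejected by FMT_MSA.1
    return mgr


if __name__ == "__main__":
    m = demo()
    for host, size in (("198.51.100.20", 1024), ("198.51.100.21", 1024),
                       ("198.51.100.20", 2 * 1024**3), ("not-an-ip", 1)):
        print(host, size, m.request(host, "ds1", size))
    for rec in m.audit:
        print(rec)
```

Two design points worth keeping when implementing a whitelist of this kind: compare parsed addresses rather than raw strings, so a malformed or oddly spelled address is rejected (fail closed) instead of silently failing to match, and evaluate the explicit deny conditions before the permit conditions so the reason recorded for a refusal is the one that actually applied.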
5.2.2.2 FIA_SOS.1 Verification of secrets

FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [at least eight characters long; includes upper and lower alpha characters and alphanumeric characters].

5.2.2.3 FIA_UAU.2 User Authentication Before Any Action

FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

5.2.2.4 FIA_UAU.7 Protected authentication feedback

FIA_UAU.7.1 The TSF shall provide only [no feedback or any locally visible representation of the user-entered password] to the user while the authentication is in progress.

5.2.2.5 FIA_UID.2 User Identification Before Any Action

FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF-mediated actions on behalf of that user.

5.2.3 Security management (FMT)

5.2.3.1 FMT_MSA.1 Management of security attributes

FMT_MSA.1.1 The TSF shall enforce the [Access Control SFP] to restrict the ability to [modify, [none]] the security attributes [listed in FDP_ACF.1.1] to [Authorized Administrator].

5.2.3.1 FMT_MSA.3 Static attribute initialisation

FMT_MSA.3.1 The TSF shall enforce the [Access Control SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.

FMT_MSA.3.2 The TSF shall allow [Authorized Administrator] to specify alternative initial values to override the default values when an object or information is created.

5.2.3.2 FMT_MTD.1 Management of TSF Data

FMT_MTD.1.1 The TSF shall restrict the ability to [modify] the [all TSF data] to [Authorized Administrator].
5.2.3.3 FMT_SMF.1 Specification of Management Functions

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [
- Ability to administer the TOE remotely
- Manage the access control security attributes
- Manage Authorized Administrator's security attributes
- Review audit record logs
- Configure and manage the system time].

5.2.3.4 FMT_SMR.1 Security Roles

FMT_SMR.1.1 The TSF shall maintain the following roles [Authorized Administrator].

FMT_SMR.1.2 The TSF shall be able to associate users with roles.

5.2.4 Protection of the TSF (FPT)

5.2.4.1 FPT_FLS.1 Failure with preservation of secure state

FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of failures occur: [
- Failure of a Node (HX Data Platform) within a Cluster
- Failure of one or more HDD of a Node (HX Data Platform) within a Cluster
- Failure of one or more SSD of a Node (HX Data Platform) within a Cluster].

5.2.4.2 FPT_STM.1 Reliable time stamps

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.

5.2.5 Resource Utilisation (FRU)

5.2.5.1 FRU_FLT.2 Limited fault tolerance

FRU_FLT.2.1 The TSF shall ensure the operation of all the TOE's capabilities when the following failures occur: [
- Failure of a Node (HX Data Platform) within a Cluster
- Failure of one or more HDD of a Node (HX Data Platform) within a Cluster
- Failure of one or more SSD of a Node (HX Data Platform) within a Cluster].

5.2.6 TOE Access (FTA)

5.2.6.1 FTA_SSL.3 TSF-initiated termination

FTA_SSL.3.1 The TSF shall terminate a remote interactive session after an [Authorized Administrator configurable time interval of session inactivity].
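The identification, authentication, password-quality and idle-session requirements above (FIA_UID.2, FIA_UAU.2, FIA_SOS.1, FTA_SSL.3), together with the audit record contents of FAU_GEN.1.2 and Table 11 (identity and origin of every identification and authentication attempt), as one added example in Python. It is not HX Data Platform code: the PBKDF2-HMAC-SHA256 local user database, the injectable clock, the 600 s default inactivity interval, the reading of "alphanumeric characters" in FIA_SOS.1 as "at least one digit", and the sample account and origin address (198.51.100.0/24, RFC 5737 TEST-NET-2) are assumptions made here.

```python
"""FIA_UID.2 / FIA_UAU.2 (identify and authenticate before any action), FIA_SOS.1
(password quality), FTA_SSL.3 (TSF-initiated termination of idle sessions) and the
FAU_GEN.1.2 / Table 11 audit contents, modelled in Python.

Added illustration, not HX Data Platform code. Assumptions: PBKDF2-HMAC-SHA256 for
the local user database, an injectable clock, a 600 s default inactivity interval,
"alphanumeric" in FIA_SOS.1 read as "at least one digit", and the sample data.
"""
import hashlib
import hmac
import os
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

PBKDF2_ITERATIONS = 100_000    # assumption; raise for production hardware
_DUMMY_SALT = os.urandom(16)   # unknown usernames cost the same as wrong passwords


def check_password_policy(password: str) -> List[str]:
    """FIA_SOS.1: return the violated rules (empty list means the secret is accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:            # FIA_ATD.1: user identity and password (kept as a salted hash)
    username: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    username: str
    origin: str
    last_activity: datetime


@dataclass
class AuditRecord:
    """FAU_GEN.1.2 minimum (date/time, type, subject, outcome) plus the origin of
    the attempt, which Table 11 requires for FIA_UID.2 and FIA_UAU.2 events."""
    timestamp: datetime
    event_type: str
    subject: str
    outcome: str
    origin: Optional[str] = None


class FakeClock:
    """Controllable time source so FTA_SSL.3 can be exercised without sleeping.
    The constructed start time is the date of this ST."""
    def __init__(self, start: Optional[datetime] = None) -> None:
        self.t = start or datetime(2017, 9, 21, tzinfo=timezone.utc)

    def now(self) -> datetime:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += timedelta(seconds=seconds)


class AdminCli:
    def __init__(self, inactivity_seconds: int = 600,
                 clock: Optional[Callable[[], datetime]] = None) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit: List[AuditRecord] = []
        self.inactivity = timedelta(seconds=inactivity_seconds)   # administrator configurable
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, event_type: str, subject: str, outcome: str, origin: Optional[str] = None) -> None:
        self.audit.append(AuditRecord(self.clock(), event_type, subject, outcome, origin))

    def create_account(self, username: str, password: str) -> None:
        """Unique username (section 1.6.3) and FIA_SOS.1 check at creation time."""
        if username in self.accounts:
            raise ValueError("username must be unique")
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _derive(password, salt))

    def login(self, username: str, password: str, origin: str) -> Optional[str]:
        """FIA_UID.2 then FIA_UAU.2; both uses are audited with identity and origin."""
        self._log("identification", username, "success", origin)
        acct = self.accounts.get(username)
        salt = acct.salt if acct else _DUMMY_SALT
        expected = acct.pw_hash if acct else b"\x00" * 32
        ok = hmac.compare_digest(_derive(password, salt), expected) and acct is not None
        self._log("authentication", username, "success" if ok else "failure", origin)
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Session(username, origin, self.clock())
        return token

    def run(self, token: str, command: str) -> str:
        """No TSF-mediated action without a live session; an idle session is
        terminated and audited (FTA_SSL.3) and the caller must re-authenticate."""
        s = self.sessions.get(token)
        if s is None:
            return "error: not authenticated"
        now = self.clock()
        if now - s.last_activity > self.inactivity:
            del self.sessions[token]
            self._log("session_terminated", s.username, "success", s.origin)
            return "error: session terminated after inactivity; re-authenticate"
        s.last_activity = now
        self._log("management_function", s.username, "success", s.origin)
        return f"ok: {command}"   # the command text is opaque in this model
```

The dummy salt and zero-filled expected hash keep the cost of a login attempt the same whether or not the username exists, so an attacker probing the SSH CLI cannot enumerate administrator names by timing. What this model does not show is FIA_UAU.7: at a real terminal the password prompt must echo nothing, which is the job of the SSH server and the CLI's input routine rather than of the verification logic above.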
5.2.7 Trusted Path (FTP)

5.2.7.1 FTP_TRP.1 Trusted path

FTP_TRP.1.1 The TSF shall provide a communication path between itself and [remote] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from [modification, disclosure].

FTP_TRP.1.2 The TSF shall permit [remote users] to initiate communication via the trusted path.

FTP_TRP.1.3 The TSF shall require the use of the trusted path for [initial user authentication, [management of the TOE via administrative interfaces]].

Application note: Remote administrative interfaces relevant to this SFR include the HX Data Platform CLI (via SSHv2).

5.3 TOE SFR Dependencies Rationale

This section of the Security Target demonstrates that the identified TOE Security Functional Requirements include the appropriate hierarchical SFRs and dependent SFRs. The following table lists the TOE Security Functional Components and the Security Functional Components each is hierarchical to and dependent upon, and any necessary rationale.
Table 12 SFR Dependency Rationale

SFR | Dependency | Rationale
FAU_GEN.1 | FPT_STM.1 | Met by: FPT_STM.1
FAU_GEN.2 | FAU_GEN.1, FIA_UID.1 | Met by: FAU_GEN.1, FIA_UID.2 (hierarchical to FIA_UID.1)
FAU_SAR.1 | FAU_GEN.1 | Met by: FAU_GEN.1
FAU_STG.1 | FAU_GEN.1 | Met by: FAU_GEN.1
FDP_ACC.2 | FDP_ACF.1 | Met by: FDP_ACF.1
FDP_ACF.1 | FDP_ACC.1, FMT_MSA.3 | Met by: FDP_ACC.2 (hierarchical to FDP_ACC.1), FMT_MSA.3
FIA_ATD.1 | No dependencies | N/A
FIA_SOS.1 | No dependencies | N/A
FIA_UAU.2 | FIA_UID.1 | Met by: FIA_UID.2 (hierarchical to FIA_UID.1)
FIA_UAU.7 | FIA_UAU.1 | Met by: FIA_UAU.2 (hierarchical to FIA_UAU.1)
FIA_UID.2 | No dependencies | N/A
FMT_MSA.1 | FDP_ACC.1, FMT_SMR.1, FMT_SMF.1 | Met by: FDP_ACC.2 (hierarchical to FDP_ACC.1), FMT_SMR.1, FMT_SMF.1
FMT_MSA.3 | FMT_MSA.1, FMT_SMR.1 | Met by: FMT_MSA.1, FMT_SMR.1
FMT_MTD.1 | FMT_SMF.1, FMT_SMR.1 | Met by: FMT_SMF.1, FMT_SMR.1
FMT_SMF.1 | No dependencies | N/A
FMT_SMR.1 | FIA_UID.1 | Met by: FIA_UID.2 (hierarchical to FIA_UID.1)
FPT_FLS.1 | No dependencies | N/A
FPT_STM.1 | No dependencies | N/A
FRU_FLT.2 | FPT_FLS.1 | Met by: FPT_FLS.1
FTA_SSL.3 | No dependencies | N/A
FTP_TRP.1 | No dependencies | N/A

5.4 Security Assurance Requirements

5.4.1 SAR Requirements

The TOE assurance requirements for this ST are EAL2, derived from Common Criteria Version 3.1, Revision 4. The assurance requirements are summarized in the table below.

Table 13 Security Assurance Requirements

Assurance Class | Components | Components Description
Development | ADV_ARC.1 | Architectural Design with domain separation and non-bypassability
 | ADV_FSP.2 | Security-enforcing functional specification
 | ADV_TDS.1 | Basic design
Guidance Documents | AGD_OPE.1 | Operational user guidance
 | AGD_PRE.1 | Preparative user guidance
Life Cycle Support | ALC_CMC.2 | Use of a CM system
 | ALC_CMS.2 | Parts of the TOE CM coverage
 | ALC_DEL.1 | Delivery procedures
Tests | ATE_COV.1 | Evidence of coverage
 | ATE_FUN.1 | Functional testing
 | ATE_IND.2 | Independent testing - sample
Vulnerability Assessment | AVA_VAN.2 | Vulnerability analysis

5.4.2 Security Assurance Requirements Rationale

This Security Target claims conformance to EAL2.
This target was chosen to ensure that the TOE has a moderate level of assurance in enforcing its security functions when instantiated in its intended environment, which imposes no restrictions on assumed activity on applicable networks.

5.5 Assurance Measures

The TOE satisfies the identified assurance requirements. This section identifies the Assurance Measures applied by Cisco to satisfy the assurance requirements. The table below lists the details.

Table 14 Assurance Measures

Component | How the requirement will be met
ADV_ARC.1 | The architecture description provides the justification of how the security functional requirements are enforced, how the security features (functions) cannot be bypassed, and how the TOE protects itself from tampering by untrusted active entities. The architecture description also identifies the system initialization components and the processing that occurs when the TOE is brought into a secure state (e.g. transition from a down state to the initial secure state (operational)).
ADV_FSP.2 | The functional specification describes the external interfaces of the TOE, such as the means for a user to invoke a service and the corresponding response of those services. The description includes the interface(s) that enforce a security functional requirement, the interface(s) that support the enforcement of a security functional requirement, and the interface(s) that do not enforce any security functional requirements. The interfaces are described in terms of their purpose (general goal of the interface), method of use (how the interface is to be used), parameters (explicit inputs to and outputs from an interface that control the behavior of that interface), parameter descriptions (tells what the parameter is in some meaningful way), and error messages (identifies the condition that generated it, what the message is, and the meaning of any error codes). The development evidence also contains a tracing of the interfaces to the SFRs described in this ST.
ADV_TDS.1 | The TOE design describes the TOE security functional (TSF) boundary and how the TSF implements the security functional requirements. The design description includes the decomposition of the TOE into subsystems and/or modules, thus providing the purpose of the subsystem/module, the behavior of the subsystem/module and the actions the subsystem/module performs. The description also identifies the subsystem/module as SFR (security function requirement) enforcing, SFR supporting, or SFR non-interfering, thus identifying the interfaces as described in the functional specification. In addition, the TOE design describes the interactions among or between the subsystems/modules, thus providing a description of what the TOE is doing and how.
AGD_OPE.1 | The Administrative Guide provides the descriptions of the processes and procedures of how the administrative users of the TOE can securely administer the TOE using the interfaces that provide the features and functions detailed in the guidance.
AGD_PRE.1 | The Installation Guide describes the installation, generation, and startup procedures so that the users of the TOE can put the components of the TOE in the evaluated configuration.
ALC_CMC.2, ALC_CMS.2 | The Configuration Management (CM) document(s) describes how the consumer (end-user) of the TOE can identify the evaluated TOE (Target of Evaluation). The CM document(s) identifies the configuration items, how those configuration items are uniquely identified, and the adequacy of the procedures that are used to control and track changes that are made to the TOE. This includes details on what changes are tracked, how potential changes are incorporated, and the degree to which automation is used to reduce the scope for error.
ALC_DEL.1 | The Delivery document describes the delivery procedures for the TOE, including the procedure on how to download certain components of the TOE from the Cisco website and how certain components of the TOE are physically delivered to the user. The delivery procedure details how the end-user may determine if they have the TOE and if the integrity of the TOE has been maintained. Further, the delivery documentation describes how to acquire the proper license keys to use the TOE components.
ATE_COV.1, ATE_FUN.1 | The Test document(s) consist of a test plan that describes the test configuration, the approach to testing, and how the subsystems/modules and TSFI (TOE security function interfaces) have been tested against the functional specification and design as described in the TOE design and the security architecture description. The test document(s) also include the test cases/procedures that show the test steps and expected results, specify the actions and parameters that were applied to the interfaces, as well as how the expected results should be verified and what they are. Actual results are also included in the set of Test documents.
ATE_IND.2 | Cisco will provide the TOE for testing.
AVA_VAN.2 | Cisco will provide the TOE for testing.

6 TOE SUMMARY SPECIFICATION

6.1 TOE Security Functional Requirement Measures

This section identifies and describes how the Security Functional Requirements identified above are met by the TOE.
Table 15 How TOE SFRs Measures

TOE SFRs | How the SFR is Met
FAU_GEN.1 and FAU_GEN.2 | Auditing is on by default at TOE startup and cannot be turned off. A record is generated when the TOE starts and when the TOE is shut down, thus indicating the starting and stopping of auditing. For each auditable event, the recorded information includes the user that triggered the event, the outcome or result of the event and when the event occurred. The user that triggered the event could be a human user, where the user identity or related session ID would be included in the audit record. For an IT entity or device, the IP address, MAC address, host name, or other configured identification is presented. The auditable events include:
    Auditable Events | Rationale | Additional Audit Record Contents
    FIA_UAU.2 – All use of the authentication mechanism. FIA_UID.2 – All use of the identification mechanism. | All login attempts (successful and failed) to the TOE CLI are logged. The record is logged to the local audit storage. | Provided user identity, origin of the attempt (e.g., IP address).
    FMT_MSA.3 – Modifications of the default setting of permissive or restrictive rules and all modifications of the initial values of security attributes. | Successful and failed attempts to change the configuration data are logged in the local audit log. | None
    FMT_MTD.1 – All modifications to the values of TSF data. | Successful and failed attempts to change the configuration data are logged in the local audit log. | The identity of the authorized administrator performing the operation.
    FMT_SMF.1 – Use of the management functions. | Successful and failed attempts to change the configuration data are logged in the local audit log. | The identity of the authorized administrator performing the operation.
    FPT_FLS.1 – Failure with a preservation of secure state. | Failure of the TSF. | None
    FPT_STM.1 – Changes to the time. | Successful and failed attempts to change the time zone and any time-related parameters, including NTP server configuration, are logged in the local audit log. Manual setting of the clock can only be performed via the CLI. | The identity of the authorized administrator performing the operation.
    FRU_FLT.2 – Limited fault tolerance. | Any failure detected by the TSF. | None
    FTA_SSL.3 – Termination of an interactive session by the session locking mechanism. | Termination of the inactive session. | None
    FTP_TRP.1 – Attempts to use the trusted path functions. | Successful and failed attempts to use SSHv2 or HTTPS/TLS are logged in the local audit log. | Identification of the user associated with all trusted path invocations, including failures, if available.
FAU_SAR.1 | The TOE provides the Authorized Administrator the ability to delete the audit records to manage audit log space. These audit records are available for review through the CLI interface. There are no other methods to view the audit records. The audit records include sufficient information for the Authorized Administrator to determine the event, the user who initiated the event, the date and time of the event and the outcome. Audit records are generated for all of the Converged Host clusters and datastores.
FAU_STG.1 | The audit records are stored in an internal file and this internal file cannot be altered. Using the CLI commands (TaskViewer), the Authorized Administrator can view the audit records once they have been successfully identified and authenticated. The CLI command interface also provides the Authorized Administrator the capability to delete the audit logs to manage the audit log space.
FDP_ACC.2 and FDP_ACF.1 | The Converged Host spans three or more Cisco HyperFlex HX Series nodes to create a highly available Cluster and datastores. Each node includes a Cisco HyperFlex HX Data Platform controller that implements the distributed file system using internal flash-based SSD drives and high-capacity HDDs to store data. The TOE implements whitelist access controls of the Remote Host access to the Converged Host clusters and datastores. The whitelist is an IP table that includes the IP addresses of the Host VMs that have access to the HX node clusters and datastores. If the IP address is included on the whitelist and if there is sufficient storage capacity, access is granted; otherwise access is denied. The Cisco HyperFlex HX Data Platform controller handles all read and write requests for volumes that the hypervisor accesses and thus mediates all I/O from the virtual machines. The data platform implements a log-structured file system that uses a caching layer in SSD drives to accelerate read requests and write responses, and a persistence layer implemented with HDDs.
FIA_ATD.1 | The TOE supports definition of Authorized Administrators by individual user IDs. For each Authorized Administrator, the TOE maintains the following attributes: a) user identity; b) password. Authorized Administrators are administrators that are granted access to specific resources and permission to perform specific tasks.
FIA_SOS.1 | To prevent users from choosing insecure passwords, passwords should meet the following requirements:
    - At least eight characters long
    - Includes upper and lower case characters
    - Includes alphanumeric characters
    This requirement applies to the local password database and to the password selection functions provided by the TOE.
FIA_UID.2 and FIA_UAU.2 | By default, the TOE uses the local database for identification and authentication. No access is allowed prior to encountering an authentication prompt and then being successfully identified and authenticated. Only after authentication is the Authorized Administrator able to perform any actions.
FIA_UAU.7 | When a user enters their password for remote session authentication, the TOE does not echo any characters as they are entered.
FMT_MSA.1 | The TOE provides the Authorized Administrator the ability to modify the default security attribute values used for resource and access control.
FMT_MSA.3 | The TOE provides restrictive default values for resources and access control. No access is allowed to the protected resources unless the attributes match and resources are available.
FMT_MTD.1 | The TOE provides the ability for the Authorized Administrator to access TOE data, such as audit data, configuration data, security attributes, session thresholds and updates.
FMT_SMF.1 | The TOE provides all the capabilities necessary to securely manage the TOE. The Authorized Administrator can connect to the TOE using the CLI to perform these functions via SSHv2. The specific management capabilities available from the TOE include:
    - Administer the TOE remotely
    - Manage access control attributes
    - Manage Authorized Administrators' security attributes
    - Review audit record logs
    - Configure and manage the system time
FMT_SMR.1 | The TOE maintains the Authorized Administrator role to administer the TOE remotely. During the installation of the TOE an Authorized Administrator user is created. Additional Authorized Administrator users may be created; each must be assigned a unique username and password. All users of the TOE are considered Authorized Administrators. It is assumed all administrators are trusted, trained, knowledgeable, and will follow the guidance to ensure the TOE is properly monitored and operated in a secure manner. The Authorized Administrator can connect to the TOE using the CLI to perform these functions via a secure SSHv2 connection.
FPT_FLS.1 | The TOE provides the capability to take a snapshot in time of the HX Data Platform VMs. Snapshots help facilitate backup and remote-replication operations where the organization requires 'always-on' data availability. The snapshot is a reproduction of the VM that includes the state of the data on all VM disks and the VM power state (on, off or suspended) at the time the snapshot is taken. The snapshot is saved so the Authorized Administrator has the option to revert to the saved state. For each VM in your storage cluster, you can schedule hourly, daily, or weekly snapshots. You can schedule snapshots to adjust to the organization's backup requirements. For example, you can retain more frequent snapshots of critical data so that if there is a failure, you can restore the most recent snapshots. For example, the initial HyperFlex native snapshot is taken with the virtual machine powered off. This creates what is called the Sentinel snapshot. The Sentinel snapshot becomes a base snapshot to which all future snapshots are added. Snapshots can be scheduled to occur at specific days and times. If a disk failure happens, the TOE cluster state turns to 'unhealthy' and a rebalancing job is triggered to return the system to the specified replication factor, replicating the missing data on the disk from the remaining copies; once the job completes, the cluster returns to a healthy state.
FPT_STM.1 | The TOE provides a source of date and time information used in audit event timestamps. The TOE hardware supports a clock, though NTP is required to provide the timestamp for the TOE. The NTP time source is used to synchronize the timestamp for the audit records and to track inactivity of administrative sessions. The timestamps are synchronized across the HyperFlex Systems HX Series Nodes and Controller VMs.
FRU_FLT.2 | The TOE's High Availability (HA) feature ensures that the storage cluster maintains at least two copies of all data during normal operation with three or more fully functional nodes. If one or more nodes in the storage cluster fail, the state of the storage cluster is affected. If more than one node and/or disk fail, it is called a simultaneous failure. The number of nodes in the storage cluster, and the Data Replication Factor and Access Policy settings, determine the state of the storage cluster that results from node failures. Data Replication Factor provides the option to set the number of redundant replicas of data across the storage cluster.
FTA_SSL.3 | When a session is inactive (i.e. no session input) for more than the Authorized Administrator configured time, the TOE will terminate the session and no further activity is allowed, requiring the Authorized Administrator to log in (be successfully identified and authenticated) again to establish a new session. The timeout value is configurable. The default setting is 120 minutes of idle time.
FTP_TRP.1 | The TOE ensures the communication path and the remote administration interfaces are protected and distinct from other communication paths. The CLI uses SSHv2.

6.2 TOE Bypass and interference/logical tampering Protection Measures

The TOE consists of a hardware platform in which all operations in the TOE scope are protected from interference and tampering by untrusted subjects. All administration and configuration operations are performed within the physical boundary of the TOE. In addition, all security policy enforcement functions must be invoked and succeed prior to functions proceeding. The TOE has been designed so that all locally maintained TSF data can only be manipulated via the CLI interface. There are no undocumented interfaces for managing the product. All sub-components included in the TOE rely on the main chassis for power and memory while the TOE software provides the management functions and control. In order to access any portion of the TOE, the Identification and Authentication mechanisms of the TOE must be invoked and succeed. No processes outside of the TOE are allowed direct access to any TOE memory. The TOE only accepts traffic through legitimate TOE interfaces.
Specifically, processes outside the TOE are not able to execute code on the TOE. None of these interfaces provides any access to internal TOE resources. Only the Authorized Administrator has access to the TOE security functions. There are no unmediated traffic flows into or out of the TOE or unauthenticated access, thus providing a distinct protected domain for the TOE that is logically protected from interference and is not bypassable.

7 RATIONALE

This section describes the rationale for the Security Objectives and Security Functional Requirements as defined within this Security Target.

7.1 Rationale for TOE Security Objectives

Table 16 Threats & IT Security Objectives Mappings

Objective | Threats addressed
O.ACCESS_CONTROL | T.NOAUTH
O.ADMIN | T.NOAUTH, T.RESOURCE_AVAILABILITY
O.AUDIT_GEN | T.ACCOUNTABILITY, T.TIME
O.AVAILABILITY | T.RESOURCE_AVAILABILITY
O.AUDIT_VIEW | T.ACCOUNTABILITY
O.DATA | T.NOAUTH
O.IDAUTH | T.NOAUTH
O.SELFPRO | T.NOAUTH
O.TIME | T.ACCOUNTABILITY, T.TIME

Table 17 TOE Threat/Policy/Objective Rationale

Threat / Policy | Rationale for Coverage
T.ACCOUNTABILITY | An authorized administrator is not held accountable for their actions on the TOE because the audit records are not generated or reviewed. The O.AUDIT_GEN objective mitigates the threat by requiring the TOE to generate audit records for events performed on the TOE. The O.AUDIT_VIEW objective requires the TOE to provide the authorized administrator with the capability to view audit data. The O.TIME objective mitigates this threat by providing the accurate time to the TOE for use in the audit records (O.AUDIT_GEN).
T.NOAUTH | The O.SELFPRO objective ensures that an unauthorized person (attacker) that may attempt to bypass the security of the TOE to access and use security functions and/or non-security functions provided by the TOE to disrupt operations of the TOE is not successful. The O.DATA objective protects the configuration and user data from unauthorized modifications. The O.IDAUTH objective requires the administrative user to enter a unique identifier and authentication credentials before management access is granted. The O.ADMIN objective ensures the authorized administrator has access to the TOE to configure access controls, and the O.ACCESS_CONTROL objective restricts access to the TOE management functions to the Authorized Administrator.
T.RESOURCE_AVAILABILITY | The TOE data (user) could become corrupted or unavailable due to hardware or system operation failures. The O.AVAILABILITY objective is to maintain a secure state and to protect data from loss or corruption due to hardware or system operation failures. The O.ADMIN objective ensures the administrator has the capabilities to ensure proper configuration for maintaining a secure state and resource availability.
T.TIME | Evidence of a compromise by an unauthorized user (attacker) or malfunction of the TOE may go unnoticed or not be properly traceable if recorded events are not properly sequenced through application of correct timestamps. The O.TIME objective mitigates this threat by providing the accurate time to the TOE for use in the audit records (O.AUDIT_GEN).

7.2 Rationale for the Security Objectives for the Environment

The security requirements are derived according to the general model presented in Part 1 of the Common Criteria. Specifically, the tables below illustrate the mapping between the security requirements and the security objectives and the relationship between the threats, policies and IT security objectives. The functional and assurance requirements presented in this Security Target are mutually supportive and their combination meets the stated security objectives.

Table 18 Threats & IT Security Objectives Mappings for the Environment

Environmental objective | Assumption addressed
OE.ADMIN | A.ADMIN
OE.CONNECTION | A.CONNECTIONS
OE.LOCATE | A.LOCATE

Table 19 Assumptions/Threats/Objectives Rationale

Assumptions | Rationale for Coverage of Environmental Objectives
A.ADMIN | All Authorized Administrators are assumed not evil, will follow the administrative guidance and will not disrupt the operation of the TOE intentionally. The OE.ADMIN objective ensures that Authorized Administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation, including the administrator guidance; however, they are capable of error.
A.CONNECTIONS | The operational environment in which the TOE is installed will allow the users of the TOE to access the stored information. The OE.CONNECTION objective ensures the operational environment provides a protected network to prevent unauthorized access to the TOE.
A.LOCATE | The processing resources of the TOE and those services provided by the operational environment will be located within controlled access facilities, which will prevent unauthorized physical access. The OE.LOCATE objective ensures the processing resources of the TOE and those services provided by the operational environment will be located within controlled access facilities, which will prevent unauthorized physical access.

7.3 Rationale for requirements/TOE Objectives

The security requirements are derived according to the general model presented in Part 1 of the Common Criteria. Specifically, the tables below illustrate the mapping between the security requirements and the security objectives and the relationship between the threats and IT security objectives.
Table 20 Security Objective to Security Requirements Mappings

Columns: O.ACCESS_CONTROL | O.ADMIN | O.AUDIT_GEN | O.AVAILABILITY | O.AUDIT_VIEW | O.DATA | O.IDAUTH | O.SELFPRO | O.TIME
FAU_GEN.1 X X X
FAU_GEN.2 X X
FAU_SAR.1 X
FAU_STG.1 X
FDP_ACC.1 X X
FDP_ACF.1 X X
FIA_ATD.1 X X X
FIA_SOS.1 X
FIA_UAU.2 X X
FIA_UAU.7 X
FIA_UID.2 X X
FMT_MSA.1 X X X
FMT_MSA.3 X X X
FMT_MTD.1 X X
FMT_SMF.1 X X
FMT_SMR.1 X X
FPT_FLS.1 X
FPT_STM.1 X X
FRU_FLT.2 X
FTA_SSL.3 X X X
FTP_TRP.1 X X X

Table 21 Objectives to Requirements Rationale

Objective | Rationale
O.ACCESS_CONTROL | The TOE will restrict access to the TOE Management functions to the Authorized Administrator. The TOE is required to provide the ability to restrict the use of TOE management/administration/security functions to Authorized Administrators of the TOE. The Authorized Administrator performs these functions on the TOE. Only Authorized Administrators of the TOE may modify TSF data [FMT_MTD.1] and delete audit data stored locally on the TOE [FAU_STG.1]. The TOE must be able to recognize the administrative privilege level that exists for the TOE [FIA_ATD.1, FMT_SMR.1]. The TOE must allow the Authorized Administrator to specify alternate initial values when an object is created [FMT_MSA.1, FMT_MSA.3]. The TOE ensures that all user actions resulting in the access to TOE security functions and configuration data are controlled [FMT_SMF.1] and audited [FAU_GEN.1, FAU_GEN.2]. The SFR FTA_SSL.3 also meets this objective by terminating a session due to meeting/exceeding the inactivity time limit.
O.ADMIN | The TOE will provide administrative functions to isolate administrative actions by configuring and assigning Authorized Administrator accounts [FIA_ATD.1, FMT_SMR.1], thus controlling access to the TSF data and configuration [FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1]. The TOE will also make the administrative functions available remotely via SSHv2 [FTP_TRP.1].
O.AUDIT_GEN | The TOE will generate audit records which will include the time [FPT_STM.1] that the event occurred and, if applicable, the identity of the user performing the event [FAU_GEN.2]. All TOE security relevant events are auditable and will include the required information to identify when the event occurred, the event, who performed the action, and the success or failure of the event [FAU_GEN.1 and FAU_GEN.2]. Timestamps associated with the audit record must be reliable [FPT_STM.1].
O.AVAILABILITY | The TOE will provide mechanisms to maintain a secure state and mitigate against data loss or corruption due to hardware or system operation failures [FPT_FLS.1, FRU_FLT.2].
O.AUDIT_VIEW | The TOE will provide the Authorized Administrator the capability to review Audit data via the CLI interface. Security relevant events are available for review by the Authorized Administrator [FAU_SAR.1].
O.DATA | The TOE is required to protect the TSF data from unauthorized modifications and access; therefore each Authorized Administrator must be identified and authenticated prior to gaining access [FIA_UAU.2 and FIA_UID.2]. The TOE ensures that access to TOE configuration settings (CLI commands), data and resources is done in accordance with the management functions [FMT_SMF.1]. The TOE is also required to restrict access to the HX clusters and datastores [FDP_ACC.1, FDP_ACF.1].
O.IDAUTH | The TOE must uniquely identify and authenticate the claimed identity of all administrative users before granting management access. The Authorized Administrators' password must meet formatting requirements to prevent the use of weak credentials [FIA_SOS.1]. The TOE is required to store user security attributes to enforce the authentication policy of the TOE and to associate security attributes with users [FIA_ATD.1]. Users authorized to access the TOE must be defined using an identification and authentication process and all users must be successfully identified and authenticated [FIA_UID.2 and FIA_UAU.2]. The password is obscured when entered [FIA_UAU.7]. If the period of inactivity has been exceeded, the user is required to re-authenticate to re-establish the session [FTA_SSL.3].
O.SELFPRO | The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions. [FDP_ACC.1, FDP_ACF.1, FIA_UID.2 and FIA_UAU.2] support this objective by ensuring access to the resources is controlled and only the Authorized Administrator can manage the resources [FMT_MSA.1 and FMT_MSA.3]. [FTP_TRP.1] ensures the communication path and the remote administration interfaces are protected and distinct from other communication paths. The SFR [FTA_SSL.3] also meets this objective by terminating a session due to meeting/exceeding the inactivity time limit, thus ensuring the session does not remain active and subject to attack.
O.TIME | The TSF will provide a reliable time stamp for its own use. The TOE is required to provide reliable timestamps for use with the audit record [FAU_GEN.1, FPT_STM.1]. An NTP Server is required in the operational environment; therefore, the TOE is configured to allow clock updates from the designated NTP server.
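As an added consistency check (not part of the ST and not Cisco's or the evaluator's tooling), the script below encodes the dependencies of Table 12 and the SFR citations of Table 21 and applies the Common Criteria rule that a dependency or citation is satisfied either by the named component or by a claimed component hierarchical to it; the hierarchy entries are the three Table 12 itself relies on (FDP_ACC.2, FIA_UAU.2, FIA_UID.2). The example goes slightly beyond the tables by also reporting claimed SFRs that no objective traces to and cited SFRs that were never claimed, which is how Table 21's references to FDP_ACC.1 are shown to be covered by the claimed FDP_ACC.2.

```python
from itertools import chain

# Table 12 of the ST: each claimed SFR and the components it depends on.
DEPENDENCIES = {
    "FAU_GEN.1": ["FPT_STM.1"],
    "FAU_GEN.2": ["FAU_GEN.1", "FIA_UID.1"],
    "FAU_SAR.1": ["FAU_GEN.1"],
    "FAU_STG.1": ["FAU_GEN.1"],
    "FDP_ACC.2": ["FDP_ACF.1"],
    "FDP_ACF.1": ["FDP_ACC.1", "FMT_MSA.3"],
    "FIA_ATD.1": [],
    "FIA_SOS.1": [],
    "FIA_UAU.2": ["FIA_UID.1"],
    "FIA_UAU.7": ["FIA_UAU.1"],
    "FIA_UID.2": [],
    "FMT_MSA.1": ["FDP_ACC.1", "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.3": ["FMT_MSA.1", "FMT_SMR.1"],
    "FMT_MTD.1": ["FMT_SMF.1", "FMT_SMR.1"],
    "FMT_SMF.1": [],
    "FMT_SMR.1": ["FIA_UID.1"],
    "FPT_FLS.1": [],
    "FPT_STM.1": [],
    "FRU_FLT.2": ["FPT_FLS.1"],
    "FTA_SSL.3": [],
    "FTP_TRP.1": [],
}

# CC Part 2 hierarchy relied on by Table 12: claiming the key component also
# satisfies a dependency on, or a citation of, the lower components listed.
HIERARCHICAL_TO = {
    "FDP_ACC.2": ["FDP_ACC.1"],
    "FIA_UAU.2": ["FIA_UAU.1"],
    "FIA_UID.2": ["FIA_UID.1"],
}

# Table 21 of the ST: the SFRs cited in each objective's rationale.
OBJECTIVE_SFRS = {
    "O.ACCESS_CONTROL": ["FMT_MTD.1", "FAU_STG.1", "FIA_ATD.1", "FMT_SMR.1", "FMT_MSA.1",
                         "FMT_MSA.3", "FMT_SMF.1", "FAU_GEN.1", "FAU_GEN.2", "FTA_SSL.3"],
    "O.ADMIN": ["FIA_ATD.1", "FMT_SMR.1", "FMT_MSA.1", "FMT_MSA.3", "FMT_MTD.1",
                "FMT_SMF.1", "FTP_TRP.1"],
    "O.AUDIT_GEN": ["FPT_STM.1", "FAU_GEN.1", "FAU_GEN.2"],
    "O.AVAILABILITY": ["FPT_FLS.1", "FRU_FLT.2"],
    "O.AUDIT_VIEW": ["FAU_SAR.1"],
    "O.DATA": ["FIA_UAU.2", "FIA_UID.2", "FMT_SMF.1", "FDP_ACC.1", "FDP_ACF.1"],
    "O.IDAUTH": ["FIA_SOS.1", "FIA_ATD.1", "FIA_UID.2", "FIA_UAU.2", "FIA_UAU.7", "FTA_SSL.3"],
    "O.SELFPRO": ["FDP_ACC.1", "FDP_ACF.1", "FIA_UID.2", "FIA_UAU.2", "FMT_MSA.1",
                  "FMT_MSA.3", "FTP_TRP.1", "FTA_SSL.3"],
    "O.TIME": ["FAU_GEN.1", "FPT_STM.1"],
}


def satisfies(claimed, required, hierarchy=HIERARCHICAL_TO):
    """True if claiming `claimed` satisfies a reference to `required`."""
    return claimed == required or required in hierarchy.get(claimed, [])


def provider(required, claimed, hierarchy=HIERARCHICAL_TO):
    """The claimed component that covers `required`, or None if none does."""
    for component in sorted(claimed):
        if satisfies(component, required, hierarchy):
            return component
    return None


def unmet_dependencies(deps, hierarchy=HIERARCHICAL_TO):
    """SFR -> dependencies that no claimed (or hierarchical) component meets."""
    claimed = set(deps)
    unmet = {}
    for sfr, required in deps.items():
        missing = [r for r in required if provider(r, claimed, hierarchy) is None]
        if missing:
            unmet[sfr] = missing
    return unmet


def unmapped_sfrs(deps, objective_sfrs, hierarchy=HIERARCHICAL_TO):
    """Claimed SFRs that no objective rationale traces to."""
    cited = set(chain.from_iterable(objective_sfrs.values()))
    return sorted(s for s in deps if not any(satisfies(s, c, hierarchy) for c in cited))


def unclaimed_citations(deps, objective_sfrs, hierarchy=HIERARCHICAL_TO):
    """Cited SFRs that are neither claimed nor covered by a hierarchical claim."""
    cited = set(chain.from_iterable(objective_sfrs.values()))
    return sorted(c for c in cited if provider(c, set(deps), hierarchy) is None)


if __name__ == "__main__":
    print("unmet dependencies:", unmet_dependencies(DEPENDENCIES))
    print("SFRs not traced to an objective:", unmapped_sfrs(DEPENDENCIES, OBJECTIVE_SFRS))
    print("cited but not claimed:", unclaimed_citations(DEPENDENCIES, OBJECTIVE_SFRS))
    # Table 21 cites FDP_ACC.1; the claim that covers it is FDP_ACC.2 via the hierarchy.
    print("FDP_ACC.1 covered by:", provider("FDP_ACC.1", set(DEPENDENCIES)))
```

Passing an empty hierarchy shows which rows of Table 12 and which citations in Table 21 depend on the hierarchical rule rather than on a literal match.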
8 ANNEX A: REFERENCES

The following documentation was used to prepare this ST:

Table 22 References

Identifier | Description
[CC_PART1] | Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated September 2012, version 3.1, Revision 4, CCMB-2012-009-001
[CC_PART2] | Common Criteria for Information Technology Security Evaluation – Part 2: Security functional components, dated September 2012, version 3.1, Revision 4, CCMB-2012-009-002
[CC_PART3] | Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance components, dated September 2012, version 3.1, Revision 4, CCMB-2012-009-003
[CEM] | Common Methodology for Information Technology Security Evaluation – Evaluation Methodology, dated September 2012, version 3.1, Revision 4, CCMB-2012-009-004