1 of 21 National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Dell Networking Platforms running Dell Networking OS v9.11 Report Number: CCEVS-VR-VID10790 Dated: June 22, 2017 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6940 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940 2 of 21 ACKNOWLEDGEMENTS Validation Team Mr. Paul A. Bicknell Dr. Patrick W. Mallett Ms. Linda Morrison Ms. Lisa Mitchell The MITRE Corporation Bedford, MA Common Criteria Testing Laboratory Ms. Dayanandini Pathmanathan Mr. Iain Holness CygnaCom Solutions McLean, Virginia Much of the material in this report was extracted from evaluation material prepared by the CCTL. The CCTL team deserves credit for their hard work in developing that material. Many of the product descriptions in this report were extracted from the Dell Networking Platforms Security Target. 3 of 21 Table of Contents 1. Executive Summary ................................................................................................... 5 2. Identification.............................................................................................................. 7 3. Security Policy............................................................................................................ 9 3.1. Security Audit............................................................................................................... 9 3.2. Cryptographic Support ............................................................................................... 9 3.3. Identification and Authentication............................................................................... 9 3.4. Security Management................................................................................................ 10 3.5. Protection of the TSF................................................................................................. 10 3.6. TOE Access................................................................................................................. 10 3.7. Trusted Path/Channels.............................................................................................. 10 3.8. Secure Usage Assumptions........................................................................................ 11 4. Clarification of Scope .............................................................................................. 12 5. Architectural Information ....................................................................................... 13 6. Documentation......................................................................................................... 15 6.1. Security Target........................................................................................................... 15 6.2. User Documentation .................................................................................................. 15 7. IT Product Testing ................................................................................................... 17 7.1. Developer Testing....................................................................................................... 17 7.2. Evaluator Independent Testing ................................................................................ 17 8. Results of Evaluation............................................................................................... 18 9. Validators Comments/Recommendations ............................................................... 19 10. Glossary................................................................................................................ 20 10.1. Acronyms.................................................................................................................... 20 11. Bibliography......................................................................................................... 21 4 of 21 List of Figures and Tables Figure 1: TOE Boundary .................................................................................................. 14 5 of 21 1. Executive Summary This Validation Report (VR) documents the evaluation and validation of the Dell Networking Platforms running Dell Networking OS v9.11 as defined in the Dell Networking Platforms Security Target v1.3. The evaluated Dell Networking Platforms running Dell Networking OS v9.11 consists of S5000, S3100, C9010, S6100-ON, S6010-ON, S3048-ON, S4048-ON, S4048T-ON top- of-rack data center switches, and Z9100 end-of-row data center switches. The Target of Evaluation (TOE) provides layer 2 and 3 network management and interconnectivity functionality by offering non-blocking, line-rate Ethernet switching with Quality of Service (QoS) and a full complement of IPv4 and IPv6 features. TOE consists of a hardware appliance with embedded software components. The TOE is a Network Device as defined by the Collaborative Protection Profile for Network Devices (NDcPP), 27 February 2015, Version 1.0: “A network device is a device composed of hardware and software that is connected to the network and has an infrastructure role in the overall enterprise”. The evaluation was performed by the CygnaCom Common Criteria Testing Laboratory (CCTL), and was completed in May 2017. The information in this report is derived from the Evaluation Technical Report (ETR) and associated test reports, all written by the CygnaCom CCTL. The evaluation team determined that the product is:  Common Criteria version 3.1 R4 Part 2 extended and Part 3 conformant, and demonstrates exact compliance to Collaborative Protection Profile for Network Devices, 27 February 2015, Version 1.0 as changed/clarified by Supporting Document Mandatory Technical Document and all applicable Technical Decisions. The following NIAP Technical Decisions apply to this PP and have been accounted for in the ST development and the conduct of the evaluation:  TD0167: NIT Technical Decision for Testing SSH 2^28 packets  TD0165: NIT Technical Decision for Sending the ServerKeyExchange message when using RSA  TD0164: NIT Technical Decision for Negative testing for additional ciphers for SSH  TD0152: NIT Technical Decision for Reference identifiers for TLS in the NDcPP v1.0 and FW cPP v1.0  TD0150: NIT Technical Decision for Removal of SSH re-key audit events in the NDcPP v1.0 and FW cPP v1.0  TD0143 - NIT Technical Decision for Failure testing for TLS session establishment in NDcPP and FWcPP  TD0130- NIT Technical Decision for Requirements for Destruction of Cryptographic Keys  TD0126 - NIT Technical Decision for TLS Mutual Authentication 6 of 21 o Note: FCS_TLSC_EXT.2 is still claimed in this ST as the TOE supports mutual authentication over TLS.  TD0117 - NIT Technical Decision for FIA_X509_EXT.1.1 Requirement in NDcPP  TD0116 - NIT Technical Decision for a Typo in reference to RSASSA- PKCS1v1_5 in NDcPP and FWcPP  TD0112 - NIT Technical Decision for TLS testing in the NDcPP v1.0 and FW cPP v1.0.  TD0094 - NIT Technical Decision for validating a published hash in NDcPP  TD0093 - NIT Technical Decision for FIA_X509_EXT.1.1 Requirement in NDcPP  TD0090 - NIT Technical Decision for FMT_SMF.1.1 Requirement in NDcPP The evaluation and validation were consistent with National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) policies and practices as described on their web site www.niap-ccevs.org. 7 of 21 2. Identification Target of Evaluation: Dell Networking Platforms running Dell Networking OS v9.11 Platform Model Processor Form Specs Dell Networking S- SeriesSwitches S3124 ARM Cortex A9 1U 24 x 1000BASE-T S3124P ARM Cortex A9 1U 24 x 1000BASE-T PoE+ S3124F ARM Cortex A9 1U 24 x 1GbE SFP S3148 ARM Cortex A9 1U 48 x 1000BASE-T S3148P ARM Cortex A9 1U 48 x 1000BASE-T PoE+ S3048-ON Intel Atom 1U 48 x 100BASE-T 4 x 1-GbE SFP+ S4048-ON Intel Atom 1U 48 x 10GbE SFP+ 6 x 40GbE QSFP+ S4048T-ON Intel Atom 1U 48 x 10GBASE-T 6 x 40GbE QSFP+ S5000 FreeScale PowerPC e500 1U 4x40GbE QSFP+ 4 module bays with: 12 x 1/10G SFP+ or 12 x 2/4/8Gbps FC modules S6010-ON Intel Atom 1U 32x 40GbE QSFP+ S6100-ON Intel Atom 2U 2 x 10GbE SFP+ 4 module bays with: 16 x QSFP+ 40GbE Or 8 x QSFP28 100GbE Dell Networking C- Series Switches C9010 Intel Atom 8U 10 module bays with: 24-port 10GbE 10GBASE-T Line Card or 24-port 10GbE SFP+ Line Card or 6-port 40GbE QSFP+ Line Card Or Dell Networking Z- Series Switches Z9100-ON Intel Atom 1U 32 x 100GbE QSFP28 8 of 21 Developer: Dell USA L.P. CCTL: CygnaCom Solutions 7925 Jones Branch Dr, Suite 5400 McLean, VA 22102-3321 Evaluators: Dayanandini Pathmanathan Iain Holness Validation Scheme: National Information Assurance Partnership CCEVS Validators: Paul A. Bicknell, Patrick W. Mallett, Linda Morrison, Lisa Mitchell CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1 R4, Sept 2012 CEM Identification: Common Methodology for Information Technology Security Evaluation, Version 3.1 R4, Sept 2012 9 of 21 3. Security Policy The TOE enforces the following security policies as described in the Security Target (ST):  Security Audit  Cryptographic Support  Identification and Authentication  Security Management  Protection of the TSF  TOE Access  Trusted path/Channel 3.1. Security Audit The TOE generates audit records for all security-relevant events. For each event, the TOE records the date and time, the type of event, the subject identity, and the outcome of the event logged. The resulting logs can be stored locally to be viewed by an administrator or securely sent to a designated syslog server for archiving. The logs can be viewed by administrators using the appropriate Command Line Interface (CLI) commands. The TOE also implements timestamps to ensure reliable audit information is available. 3.2. Cryptographic Support The TOE performs the following cryptographic operations:  Secure channel with following parameters: o AES128-CBC, AES256-CBC for data encryption o RSA for host key algorithm o HMAC-SHA1, HMAC-SHA1-96, HMAC-SHA2-256 for data integrity o diffie-hellman-group14-sha1 for key exchange  Random Bit Generation using CTR-DRBG (AES-256)  Critical Security Parameters (CSPs) zeroization  X509 Certificate authentication integrated with TLS protocol The TOE uses a dedicated cryptographic module to manage CSPs and implements zeroization procedures to mitigate the possibility of disclosure or modification of CSPs. Additionally, the TOE provides commands to on-demand zeroize CSPs (e.g. host RSA keys), that can be invoked by an authorized administrator with appropriate permissions. 3.3. Identification and Authentication The TOE supports Role-Based Access Control (RBAC) managed by an Authentication, Authorization, and Accounting (AAA) module that stores and manages permissions of all 10 of 21 users and their roles. Before any other action, each user is identified with a login name and authenticated with a password. Each authorized user is associated with assigned role and specific permissions that determine access to TOE features. The AAA module stores the assigned role of each user along with all other information required that user to access the TOE. 3.4. Security Management The TOE allows remote administration using an SSHv2 session over an out of band LAN management RJ-45 port and local administration using a console via a separate RJ-45 running RS-232 signaling/USB port. Both remote and local administration are conducted over a CLI terminal that facilitates access to all management functions used to administer the TOE. All of the management functions are restricted to the authorized administrators of the TOE. Authorized administrators can perform the following actions: manage user accounts and roles, reboot and apply software updates, administer system configuration, and review the audit records. The term “authorized administrator” is used to refer to any administrative user with the appropriate role to perform the relevant functions. 3.5. Protection of the TSF The TOE implements a number of measures to protect the integrity of its security features. The TOE protects CSPs, including stored passwords and cryptographic keys, so they are not directly viewable in plaintext. The TOE also ensures that reliable time information is available for both log accountability and synchronization with the operating environment. The TOE employs both dedicated communication channels as well as cryptographic means to protect communication between itself and other components in the operational environment. The TOE performs self-tests to detect internal failures and protect itself from malicious updates. 3.6. TOE Access The TOE will display a customizable banner when an administrator initiates an interactive local or remote session. The TOE also enforces an administrator-defined inactivity timeout after which the inactive session is automatically terminated. Once a session (local or remote) has been terminated, the TOE requires the administrator to re- authenticate. 3.7. Trusted Path/Channels The TOE protects remote sessions by establishing a trusted path between itself and the administrator. The TOE prevents disclosure or modification of logs by establishing a trusted channel between itself and the Syslog server. To implement trusted path/secure 11 of 21 channel the TOE uses an SSHv2 protocol with password-based or public key-based authentication. To implement trusted channel, the TOE uses TLS v1.2 protocol using TLS 1.2 with X.509v3 PKI. 3.8. Secure Usage Assumptions The ST identifies the following assumptions about the use of the product: 1. It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. 2. Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment. 3. TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. 12 of 21 4. Clarification of Scope All evaluations (and all products) have limitations, as well as potential misconceptions that need clarifying. This text covers some of the more important limitations and clarifications of this evaluation. Note that:  As with any evaluation, this evaluation only shows that the evaluated configuration meets the security claims made, with a certain level of assurance (the assurance activities specified in the claimed PPs and performed by the evaluation team).  This evaluation covers only the specific device models and software version identified in this document, and not any earlier or later versions released or in process.  The evaluation of security functionality of the product was limited to the functionality specified in the claimed PPs. Any additional security related functional capabilities of the product were not covered by this evaluation.  Consistent with the expectations of the Protection Profile, this evaluation did not specifically search for, nor seriously attempt to counter, vulnerabilities that were not “obvious” or vulnerabilities to security functionality not claimed in the ST. The CEM defines an “obvious” vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources.  The functionality evaluated is scoped exclusively to the security functional requirements specified in the ST. All other functionality provided by the software needs to be assessed separately and no further conclusions can be drawn about their effectiveness. 13 of 21 5. Architectural Information The underlying architecture of each TOE appliance consists of hardware that supports physical network connections, memory, and processor and software that implements routing and switching functions, configuration information and drivers. While hardware varies between different appliance models, the software (Dell Networking OS v9.11) is shared across all platforms. Dell Networking OS v9.11 is composed of subsystems designed to implement operational, security, management, and networking functions. Hardware-specific device drivers that reside in the kernel provide abstraction of the hardware components. Dedicated cryptographic module provides functionality that implements secure channel and protects critical security parameters. Control plane subsystem that includes Internet Protocol (IP) host stack, which can be further subdivided into protocol and control layers, implements switching and routing functions. The system management subsystem, which includes an AAA module, implements administrative interface and maintains configuration information. The physical boundary of the TOE is the Dell Networking Platforms running Dell Networking OS v9.11, which includes:  The appliance hardware o RJ-45/RS-232 management ports o USB port o Dedicated Ethernet management port  Embedded software installed on the appliance o CLI management interface The Operational Environment of the TOE includes:  The SSH client that is used to remotely access the management interface  The management workstation that hosts the SSH client  External IT servers: o Audit server for external storage of audit records o NTP server for synchronizing system time (optional) o Certificate Authority and OCSP servers to support X.509 (optional) 14 of 21 Figure 1: TOE Boundary The TOE supports a number of features that are not part of the core functionality. These features are not included in the scope of the evaluation:  Any integration and/or communication with authentication servers such as Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control Systems (TACACS) is excluded from the evaluated configuration.  Remote management using web interface (Secure HTTP or HTTPS) is excluded. The TOE does not satisfy all NDcPP requirements for this administrative interface and it is disabled in the evaluated configuration.  Routing protocols that integrate authentication or encryption such as Routing Information Protocol (RIPv1, RIPv2), Open Shortest Path First (OSPFv2), Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), and Virtual Router Redundancy Protocol (VRRP), due to RFC-compliant implementations, are unable to satisfy NDcPP cryptographic requirements.  Use of the FTP server is excluded and it is disabled by default.  Use of the Simple Network Management Protocol (SNMP) functionality is excluded and it is disabled by default. The use of SNMPv3 is not restricted; however, it is an excluded function in NDcPP evaluations. 15 of 21 6. Documentation The following documents were available for the evaluation. These documents are developed and maintained by Dell and delivered to the end user of the TOE: 6.1. Security Target Dell Networking Platforms Security Target, Version 1.3, June 8, 2017 6.2. User Documentation Reference Title Based on Model Dell Command Line Reference Guide for the S4048 System, September 23 2016 Dell Configuration Guide for the S4048 System, September 23 2016 Dell Release Notes for the S4048 System, Dell Networking OS v9.11, September 2016 Dell Command Line Reference Guide for the S3048-ON System, September 23 2016 Dell Configuration Guide for the S3048-ON System, September 23 2016 Dell Release Notes for the S3048-ON System, Dell Networking OS v9.11, September 2016 Dell Command Line Reference Guide for the S5000 System, September 23 2016 Dell Configuration Guide for the S5000 System, September 23 2016 Dell Release Notes for the S5000 System, Dell Networking OS v9.11, September 2016 Dell Command Line Reference Guide for the S6000 System, September 23 2016 Dell Configuration Guide for the S6000 System, September 23 2016 Dell Release Notes for the S6000 System, Dell Networking OS v9.11, September 2016 Dell Command Line Reference Guide for the S6010-ON System, September 23 2016 Dell Configuration Guide for the S6010-ON System, September 23 2016 Dell Release Notes for the S6010-ON System, Dell Networking OS v9.11, September 2016 16 of 21 Dell Command Line Reference Guide for the S6100-ON System, September 23 2016 Dell Configuration Guide for the S6100-ON System, September 23 2016 Dell Release Notes for the S6100-ON System, Dell Networking OS v9.11, September 2016 Dell Command Line Reference Guide for the Z9100-ON System, September 23 2016 Dell Configuration Guide for the Z9100-ON System, September 23 2016 Dell Release Notes for the Z9100-ON System, Dell Networking OS v9.11, September 2016 Dell Command Line Reference Guide for the C9000 System, September 23 2016 Dell Configuration Guide for the C9000 System, June September 23 2016 Dell Release Notes for the C9000 System, Dell Networking OS v9.11, September 2016 CC Addendum applicable to all models Dell Common Criteria Addendum Guide, Dell Networking OS v9.11, April 2017 17 of 21 7. IT Product Testing This section describes the testing efforts of the Evaluation Team. The information is derived from the Evaluator Test Report for Dell Networking Platforms document. The purpose of this activity was to confirm that the TOE behaves in accordance with security functional requirements specified in the ST. 7.1. Developer Testing NDcPP evaluations do not require developer testing evidence for assurance activities. 7.2. Evaluator Independent Testing A test plan was developed in accordance with the Testing Assurance Activities specified in the NDcPPv1.0. Testing was conducted March 28-29, April 5-7, 10-13, May 1-3, 2017 at the Cygnacom Lab at 1000 Innovation Drive, ON, Canada K2K 3E7. The Evaluator successfully performed the following activities during independent testing:  Placed TOE into evaluated configuration by executing the preparative procedures  Successfully executed the NDcPP Assurance-defined tests including the optional SSH tests  Planned and executed a series of vulnerability/penetration tests It was determined after examining the Test Report and full set of test results provided by the evaluators the testing requirements for NDcPPv1.0 are fulfilled. 18 of 21 8. Results of Evaluation The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation (CC), Version 3.1 Revision 4. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation (CEM), Version 3.1 Revision 4. A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation was conducted based upon version 3.1 R4 of the CC and the CEM. Additionally, the evaluators performed the assurance activities specified in the - collaborative Protection Profile for Network Devices Version 1.0. The evaluation determined the TOE meets the SARs contained the PP. The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by CygnaCom CCTL (proprietary). Below lists the assurance requirements the TOE was required to be evaluated at Evaluation Assurance Level 1. All assurance activities and work units received a passing verdict. The following components are taken from CC part 3: • ADV_FSP.1 Basic functional specification • AGD_OPE.1 Operational user guidance • AGD_PRE.1 Preparative procedures • ALC_CMC.1 Labelling of the TOE • ALC_CMS.1 TOE CM coverage • ASE_CCL.1 Conformance claims • ASE_ECD.1 Extended components definition • ASE_INT.1 ST Introduction • ASE_OBJ.1 Security objectives • ASE_REQ.1 Derived security requirements • ASE_TSS.1 TOE summary specification • ATE_IND.1 Independent testing – conformance • AVA_VAN.1 Vulnerability survey The evaluators concluded that the overall evaluation result for the target of evaluation is PASS. The validators reviewed the findings of the evaluation team, and have concurred that the evidence and documentation of the work performed support the assigned rating. 19 of 21 9. Validators Comments/Recommendations The validators have no further comments about the evaluation results. 20 of 21 10. Glossary 10.1.Acronyms The following are product specific and CC specific acronyms. Not all of these acronyms are used in this document. BGP Border Gateway Protocol CLI Command Line Interface DNS Domain Name System FTP File Transfer Protocol GUI Graphical User Interface HTTP HyperText Transmission Protocol HTTPS HyperText Transmission Protocol, Secure IP Internet Protocol IPS Intrusion Protection System LAN Local Area Network LDAP Lightweight Directory Access Protocol NTP Network Time Protocol OSPFv2 Open Shortest Path First PDF Portable Document Format RADIUS Remote Authentication Dial-In User Service RIP Routing Information Protocol SNMP Simple Network Management Protocol SSH Secure Shell Network Protocol SSL Secure Sockets Layer, ST Security Target TACACS Terminal Access Controller Access-Control System TCP Transmission Control Protocol TCP/IP Transmission Control Protocol/Internet Protocol TLS Transport Layer Security, UDP User Datagram Protocol VRRP Virtual Router Redundancy Protocol WAN Wide Area Network 21 of 21 11. Bibliography URLs [1] Common Criteria Evaluation and Validation Scheme (CCEVS): (http://www.niap-ccevs.org/cc-scheme). [2] CygnaCom Solutions CCTL (http://www.cygnacom.com). CCEVS Documents [1] Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and general model, July 2009 Version 3.1 Revision 4 Final, CCMB- 2012-09-001. [2] Common Criteria for Information Technology Security Evaluation - Part 2: Security functional components, July 2009 Version 3.1 Revision 4 Final, CCMB- 2012-09-002. [3] Common Criteria for Information Technology Security Evaluation - Part 3: Security assurance components, July 2009, Version 3.1 Revision 4 Final, CCMB- 2012-09-003. [4] Common Methodology for Information Technology Security Evaluation - Evaluation methodology, July 2009, Version 3.1 Revision 4 Final, CCMB-2012- 09-004.