Validation Report Cisco MDS 9000 1 National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Cisco MDS 9000 Family with SAN-OS Release 3.2(2c) Report Number: CCEVS-VR-VID10015-2008 Dated: 25 September 2008 Version: 1.1 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road Suite 6757 Gaithersburg, MD 20899 Fort George Meade, MD 20755-6757 Validation Report Cisco MDS 9000 2 Table of Contents 1. EXECUTIVE SUMMARY 4 1.1. CISCO MDS 9000 FUNCTIONALITY 4 1.2. EVALUATION DETAILS 4 1.3. INTERPRETATIONS 5 2. IDENTIFICATION OF THE TOE 6 3. SECURITY POLICY 7 3.1 USER DATA PROTECTION 7 3.1.1 ZONING 7 3.1.2 VSAN (TRAFFIC ISOLATION) 7 3.1.3 IP‐BASED ACCESS CONTROL LISTS 8 3.2 IDENTIFICATION AND AUTHENTICATION 8 3.2.1 SWITCH AND HOST AUTHENTICATION 8 3.2.2 ADMINISTRATIVE CONTROL 8 3.2.3 AUTHENTICATED MANAGEMENT USER SESSIONS 8 3.2.4 RADIUS / TACACS+ SUPPORT 8 3.3 SECURITY MANAGEMENT 9 3.3.1 CLI 9 3.3.2 CISCO FABRIC MANAGER 9 3.3.3 ROLE BASED ACCESS CONTROL 9 3.4 PROTECTION OF THE TSF 9 3.4.1 DOMAIN SEPARATION AND NON‐BYPASSABILITY 9 3.4.2 RELIABLE TIME SOURCE 10 3.5 AUDIT 10 3.6 CRYPTOGRAPHIC SUPPORT 10 3.6.1 PASSWORD ENCRYPTION 10 3.6.2 SSH KEY GENERATION, DESTRUCTION & AUTHENTICATION SUPPORT 11 3.6.3 HASHED SHARED SECRET PASSWORD 11 3.7 TOE ACCESS 11 3.7.1 SESSION CONTROLS 11 3.7.2 USER SESSIONS 11 3.7.3 PORT SECURITY 12 3.7.4 FABRIC BINDING 12 3.8 TRUSTED PATH/CHANNEL 12 3.8.1 IP‐BASED ACCESS CONTROL LISTS 12 4. ASSUMPTIONS AND CLARIFICATION OF SCOPE 13 4.1 SECURE USAGE ASSUMPTIONS 13 4.2 THREATS TO SECURITY 14 5. ARCHITECTURAL INFORMATION 15 6. DOCUMENTATION 17 7. IT PRODUCT TESTING 18 7.1 DEVELOPER TESTING 18 7.2 EVALUATION TEAM INDEPENDENT TESTING 21 8. EVALUATED CONFIGURATION 22 9. RESULTS OF THE EVALUATION 23 10. LIST OF ACRONYMS 24 11. VALIDATION COMMENTS/RECOMMENDATIONS 25 Validation Report Cisco MDS 9000 3 List of Tables Table 1: Evaluation Details ..............................................................................................................4 Table 2: Applicable International Interpretations..........................................................................5 Table 3: CCEVS Precedents Applied to the Evaluation.............................................................5 Table 4: Hardware and software that can be combined to form valid TOE configurations ..6 Table 5: Secure Usage Assumptions...........................................................................................13 Table 6: Threats addressed by the TOE......................................................................................14 Table 7: Architecture Details..........................................................................................................16 Table 8: Hardware Subset Grouping............................................................................................19 Validation Report Cisco MDS 9000 4 1 Executive Summary The evaluation of the Cisco MDS 9000 Family with SAN-OS Release 3.2(2c) was performed by the ARCA Common Criteria Testing Laboratory in the United States and was completed on September 17, 2008. The evaluation was conducted in accordance with the requirements of the Common Criteria for Information Technology Security Evaluation, version 2.2, Evaluation Assurance Level 3, and the Common Evaluation Methodology for IT Security Evaluation (CEM), Part 2, Version 2.2. The ARCA Common Criteria Testing Laboratory is an approved National Information Assurance Partnership (NIAP) Common Criteria Testing Laboratory (CCTL). The CCTL concluded that the Common Criteria assurance requirements for Evaluation Assurance Level 3 (EAL3) have been met and that the conclusions in its Evaluation Technical Report are consistent with the evidence produced. This Validation Report is not an endorsement of the Cisco MDS 9000 by any agency of the US Government and no warranty of the product is either expressed or implied. The cryptography used in this product was not analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. 1.1 Cisco MDS 9000 Functionality The Target of Evaluation (TOE) is a Storage Area Network (SAN) solution consisting of the SAN-OS operating system running on the MDS 9000 family of Multilayer Directors and Fabric Switches. The MDS 9000 family of switches provides the infrastructure that ties together file servers and back end storage. 1.2 Evaluation Details Table 1 below provides the required evaluation identification details. Item Identification Evaluation Scheme US Common Criteria Evaluation and Validation Scheme (CCEVS) Target of Evaluation Cisco MDS 9000 Family with SAN-OS Release 3.2(2c) EAL EAL3 Protection Profile None Security Target Cisco MDS 9000 Family SAN-OS Release 3.2(2c) Security Target, Version 3.0, August 2008 Developer Decisive Analytics/Cisco Systems Evaluators Rick West and Ken Dill ARCA CCTL 45901 Nokes Boulevard Sterling, VA 20166 Validators Ken Eggers and John Nilles Dates of Evaluation 20 July 2004 to 25 June 2008 Conformance Result Part 2 extended; and Part 3 EAL 3 augmented with ALC_FLR.1. Common Criteria (CC) Version CC, version 2.2, January 2004 Table 1: Evaluation Details Validation Report Cisco MDS 9000 5 1.3 Interpretations Following is a table that defines which CCIMB Interpretations that were effective on or before the kick-off date July 20th 2004 were applied to this evaluation: Number Title I-0432 List Of Subjects And Objects Refers To Types Thereof I-0347 Including Sensitive Information In Audit Records I-0420 Attribute Inheritance/Modification Rules Need To Be Included In Policy I-0459 CM Systems May Have Varying Degrees Of Rigor And Function I-0407 Empty Selections Or Assignments I-0410 Auditing Of Subject Identity For Unsuccessful Logins I-0414 Site-Configurable Prevention Of Audit Loss I-0429 Selecting One Or More I-0421 Application Notes In Protection Profiles Are Informative Only I-0427 Identification Of Standards I-0375 Elements Requiring Authentication Mechanism I-0405 American English Is An Acceptable Refinement I-0418 Evaluation Of The TOE Summary Specification:Part 1 Vs Part 3 I-0422 Clarification Of ``Audit Records'' I-0426 Content Of PP Claims Rationale I-0378 Meaning Of Compliance Claims I-0379 How To Require User/Admin Documentation For Functional Components Table 2: Applicable International Interpretations The Evaluation Team also complied with the CCEVS Precedents identified in Table 3 Precedent Precedent Title PD-106 Situations Where AGD_USR May Be Vacuously Satisfied PD-90 TOE Labels PD-84 Evaluation of TOE claiming compatibility with multiple IT environments PD-63 What Information Must Be Provided in the TSS Rationale? PD-62 What Must Be Tested for an ST Running On Multiple Platforms? PD-56 Exhaustiveness of ATE_IND Testing PD-54 What is an appropriate TOE Reference? PD-8 When should monitoring of the public domain for new 'obvious vulnerabilities' cease? Table 3: CCEVS Precedents Applied to the Evaluation Validation Report Cisco MDS 9000 6 2. Identification of the TOE The Target of Evaluation (TOE) is a Storage Area Network (SAN) solution consisting of the SAN-OS operating system running on the MDS 9000 family of Multilayer Directors and Fabric Switches. The MDS 9000 family of Directors and switches provides the infrastructure that ties together file servers and back end storage. The TOE includes Fabric Manager, a java based GUI for managing Directors/switches as an alternate to the CLI The specific hardware and software that can be combined to form valid TOE configurations are identified below and described in section 5 of this document. Hardware Software MDS 9506 Multilayer Director, MDS 9509 Multilayer Director, MDS 9513 Multilayer Director, MDS 9216 Multilayer Fabric Switch, MDS 9216A Multilayer Fabric Switch, MDS 9216i Multilayer Fabric Switch, MDS 9140 Multilayer Fabric Switch, MDS 9120 Multilayer Fabric Switch, Ethernet, Fibre Channel, Serial Port, Cisco MDS 9500 Series Supervisor Module, Cisco MDS 9500 Series Supervisor 2 Module, Cisco MDS 9000 Family Multiprotocol Services Module, Cisco MDS 9000 Family Storage Services Module, Cisco MDS 9000 IP Storage Services Modules, MDS 9000 Family Fibre Channel Switching Modules SAN-OS Maintenance Release 3.2(2c), including Fabric Manager for SANOS 3.2(2c). Table 4: Hardware and software that can be combined to form valid TOE configurations Validation Report Cisco MDS 9000 7 3. Security Policy The Security Functional Policies (SFPs) implemented by Cisco MDS 9000 are based on the following set of security policies: • User Data Protection • Identification and Authentication • Security Management • Protection of the TSF • Audit • Cryptographic Support • TOE Access • Trusted Path/Channel Note: Much of the description of the Cisco MDS 9000 security policy has been extracted and reworked from the Cisco MDS 9000 Security Target. 3.1 User Data Protection 3.1.1 Zoning Zoning provides a means of restricting visibility and connectivity between devices connected to a common Fibre Channel SAN. To avoid any compromise of critical data within the SAN, zoning allows the user to overlay a security map dictating which devices, namely hosts (servers), can see which targets (storage devices) thereby reducing the risk of data loss. Zoning enables the switch administrator to set up access control between storage devices or user groups. Zoning is enforced by examining the source and destination ID fields, which can be world wide names (WWNs), IP addresses, or Fibre Channel Identifiers. Logical Unit Number (LUN) zoning ensures that LUNs are accessible only by specific hosts. Zoning was not designed to address availability or scalability of a Fibre Channel infrastructure. Therefore while zoning provides a necessary service within a fabric, the use of VSANs along with zoning would be required to provide an optimal solution. 3.1.2 VSAN (Traffic Isolation) Traffic is contained within VSAN boundaries and devices reside only in one VSAN thus ensuring absolute separation between user groups. This ensures the confidentiality of data traversing the VSAN from users and devices belonging to other VSANs. Devices, such as file servers and tape storage devices, are not part of the TOE but part of the TOE environment and may be configured to participate in a VSAN. Each network interface of a device connected to the TOE may only participate in a single VSAN. Virtual SAN (VSAN) technology partitions a single physical SAN into multiple VSANs. VSAN capabilities allow the Cisco SAN-OS to logically divide a large physical fabric into separate isolated environments to improve Fibre Channel SAN scalability, availability, manageability, and network security. For IBM Fiber Connection (FICON), VSANs ensure that there is true hardware-based separation of FICON and open systems. Each VSAN is a logically and functionally separate SAN with its own set of Fibre Channel fabric services. This partitioning of fabric services greatly reduces network instability by containing fabric reconfigurations and error conditions within an individual VSAN. The strict traffic segregation provided by VSANs helps ensure that the control and data traffic of a given VSAN is confined within its own domain, increasing SAN security. Validation Report Cisco MDS 9000 8 Data traffic can be transported between specific hosts and targets on different VSANs using Inter- VSAN Routing without merging VSANs into a single logical fabric. Fibre Channel control traffic does not flow between VSANs, nor can initiators access any resources aside from the ones designated with Inter-VSAN Routing. This enables the TOE to share resources like tape libraries while reducing the risk of compromise from other VSAN users. 3.1.3 IP-based Access Control Lists IP-ACLs restrict IP-related MDS 9000 out-of-band (i.e. Ethernet based) management traffic based on IP addresses (Layer 3 and Layer 4 information). An IP filter contains rules for matching an IP packet based on the protocol, address, and port. IP-ACLs are configurable on the management interface. 3.2 Identification and Authentication 3.2.1 Switch and Host Authentication The TOE allows fabric-wide authentication from one switch to another switch or from a switch to a host. These switch and host authentications are performed locally within each switch. Authentication between devices is performed using the Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP). Fibre Channel-level authentication allows only trusted authorized devices to be added to a fabric, thus preventing unauthorized devices from accessing the switch. Host authentication may also be performed for iSCSI hosts that request access to storage within the SAN. It is important to note that the use of iSCSI may only be achieved using a TOE configuration which includes the IP Storage Services Module or the Multiprotocol Services Module. Each switch uses its internal authentication mechanisms or RADIUS/TACACS+ can be leveraged for centralized switch and host authentication via the client modules in the SAN-OS software. 3.2.2 Administrative Control The network-admin(sw) role has the ability to specify the switch shell timeout (all sessions) and switch session timeout (current session). The network-admin(sw) role also has the ability to view and monitor the list of switch logged in users, log off a user, and specify an account timeout period upon creation of the user’s account. The network-admin(FM) role and network-admin(sw) role depending on FM authentication mode selected, as shown in the table in Section 6.1.1.1 have the ability to view and monitor the list of logged in Fabric Manager users and log off a user. The network- admin(FM) also has the responsibility during installation of the TOE for setting the initial communication parameters that will be used to establish connections with the Fabric Manager database. 3.2.3 Authenticated management user sessions Users with management access must successfully authenticate themselves using a unique identifier and authenticator prior to performing any actions on the TOE. Public key-based authentication is supported by the TOE through SSH. 3.2.4 RADIUS / TACACS+ Support The RADIUS / TACACS+ services are supported by the TOE through a component (client module) of SAN-OS. Through this module, client security management can be centralized including the specification of the RADIUS or TACACS+ pre-shared keys, server time-out intervals, and the display of server details. AAA event messages generated by the client module are recorded in the audit log and stored on the switch’s local disk. The Fabric Manager also interfaces with RADIUS/TACACS+ services for authentication purposes when RADIUS/ TACACS+ is selected as the FM authentication mode. These settings are configurable through the Fabric Manager Client and Fabric Manager Web Client. Validation Report Cisco MDS 9000 9 3.3 Security Management The TOE is managed by the Cisco Fabric Manager / Device Manager software accessed via the management workstation, or through the CLI using SSH or a serial connection. Management interfaces supported by each instance of a switch in the TOE include: • Command Line Interface (CLI) through a serial port or an SSH session over Out-of-band (OOB) management port • OOB Ethernet management, through a supervisor module front panel Ethernet port • SNMPv3 over OOB management port (for Fabric Manager and Device Manager access) Management interfaces supported by the Fabric Manager in the TOE include: • A local Fabric Manager Web Client and • an out-of-band Fabric Manager Client. 3.3.1 CLI The CLI allows the user to type and execute commands at the switch prompt. The CLI parser provides command help, command completion, and keyboard sequences that allow users to access previously executed commands from the buffer history. The CLI may be accessed via SSH or directly through the serial port on the TOE. The CLI adheres to the same syntax to that of the Cisco IOS CLI. 3.3.2 Cisco Fabric Manager The Cisco Fabric Manager is a Java and SNMPv3-based network fabric and device management tool with a Graphical User Interface that displays real-time views of your network fabric and installed devices. The Cisco Fabric Manager provides an alternative to the CLI for most switch configuration commands. 3.3.3 Role Based Access Control Role-based authorization limits access to management operations by assigning users to roles. This kind of authorization restricts an administrator to management operations based on the roles to which they have been added. When an administrator executes a command, performs command completion, obtains context sensitive help, or attempts to access a privileged web page, the switch and Fabric Manager software allow the operation to progress if the administrator has permission to access that command or page. On the switch each role can contain multiple users and each user can be a member of multiple roles. Up to 64 different switch user-defined roles can be created, each role may have zero or more members. The TOE has default roles: network-admin (sw), network-operator (sw), network-admin (FM), and network-operator (FM). Only the network-admin (sw) has write access to the security functions on the switch. The network-admin (sw) role has write access to the configuration of the switch. The network-admin(FM) role and network-admin(sw) role depending on FM authentication mode selected, as shown in the table in Section 6.1.1.1 have write acces to the configuration of the Fabric Manager. The network-admin(sw) and network-admin(FM) roles are able to create FM User roles. The network-admin(sw) role are able to create switch user roles. 3.4 Protection of the TSF 3.4.1 Domain Separation and Non-bypassability The switch component of the TOE is hardware appliance in which all operations in the TOE scope are protected from interference and tampering by untrusted subjects, with all administration and Validation Report Cisco MDS 9000 10 configuration operations performed within the physical boundary of the TOE. Also, all TSP enforcement functions must be invoked and succeed prior to functions within the TSC proceeding. The TOE has been designed so that all locally maintained TSF data and switch data can only be manipulated via the CLI or SNMPv3 interfaces. All line cards that are included in the TOE rely on the main MDS switch for power, memory management, and access control. In order to access any functionality of the line cards, the Identification & Authentication mechanisms of the switch must be invoked and succeed. In addition, the line cards use a central memory pool that is managed by the switch. No processes outside of the TOE are allowed direct access to this memory. Finally, the line cards enforce IP-ACLs, Zone policies and VSAN policies at their interfaces before traffic passes into the switch. This design, combined with the fact that only a user with the ‘network-admin’ roles or a similarly privileged user defined role may access the TOE security functions, provides a distinct protected domain for the TSF. The Fabric Manager portion of the TOE (including its configuration files, logs, and PostgreSQL database) relies on the host OS in the IT environment for protection from interference and tampering and to ensure that TSP enforcement functions must be invoked. 3.4.2 Reliable Time Source The TOE maintains real time on the switch using an internal hardware clock that can interface to the Network Time Protocol (NTP) for a time source. The host operating system in the IT environment maintains real time for the Fabric Manager, and its database, using an internal hardware clock. 3.5 Audit The accounting and system message logs record all switch user actions such as login and logout, and configuration commands executed by the user. The accounting and system message logs are stored on the local disk of the switch for later review and analysis. Unauthorized access to ports on the TOE and AAA events generated by the TOEs internal authentication server are also recorded in the accounting and system message logs. The Fabric Manager Server and Web Server logs are a separate component, which can be viewed from the Fabric Manager Web Client while the Accounting and System Message Logs exist on the MDS switches. These logs record login/logout events to the Fabric Manager Server and Web Server. Note that although the switches can be configured to send log events to a syslog service listening on the Fabric Manager, that this functionality was not evaluated and cannot be enabled in the evaluated configuration. 3.6 Cryptographic Support 3.6.1 Password Encryption When the TOE maintains the user name and password locally (whether on the switch or in the PostgreSQL database for Fabric Manager) it stores the password information in encrypted form. Specifically, on the switch a user’s password is passed through a one-way hash algorithm (MD5) and the output value stored in the password file against the user’s name. In the PostgreSQL database for Fabric Manager, DES encryption is used to encrypt the username and password for end users of Fabric Manager (the credentials in the FMUSERS and SNMPUSERS table). The TOE also uses encryption to protect the initial connection data that is transferred between the Fabric Manager and the PostgreSQL database. This initial connection data contains a username and password that selects the correct PostgreSQL database and allows access to the database. Note that only the password is encrypted during the communications. This password is protected by Blowfish encryption where it is stored on the Fabric Manager, MD5 hashing before it is transferred in the connection request to the database, and MD5 hashing within the database itself. Validation Report Cisco MDS 9000 11 Note that the cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. 3.6.2 SSH Key Generation, Destruction & Authentication Support A host key pair must be generated before enabling the SSH service on the TOE. The number of bits specified for the host key pair include 1024 and 2048. The TOE implements DSA and RSA cryptographic algorithms for key generation. Both SSH versions 1 and 2 have been implemented by the TOE. However, only SSH Version 2 is to be used in accordance with the evaluated configuration. A separate SSH key with the same parameters may also be assigned to each user for secure remote management sessions. SSH keys bound to a particular user may be deleted. Key destruction is performed using an overwrite method of the keys stored on the local disk. In order to support the authentication of a user, the TOE performs session key encryption based on the user’s public key stored in the user’s profile. This ‘session key’ is then sent back to the user where it is decrypted and verified by the SSH host to ensure its authenticity. Once the secure session is established, the user then submits his login credentials securely over the SSH tunnel to gain access to the TOE (refer to IA.LOCAL). Note that the cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. 3.6.3 Hashed Shared Secret Password DH-CHAP authentication in each direction requires a shared secret password between the connected devices. This shared secret password is hashed using a negotiated hash algorithm before performing authentication. Supported hash algorithms include MD5 and SHA-1. Note that the cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. 3.7 TOE Access 3.7.1 Session Controls The network-admin (sw) role can configure the shell session timeout value that specifies the lifetime of all terminal sessions on the TOE. When the time limit is exceeded the shell exits and closes that session. The default is 30 minutes. The network-admin (sw) role can configure different timeout values for a console or a virtual terminal line (VTY) session. The network-admin (sw) role can also configure the terminal session timeout value that specifies the automatic logout time for the current terminal session on that switch. When the time limit configured by this command is exceeded, the switch closes that session and exits. The default is 30 minutes. 3.7.2 User Sessions The network-admin (sw) and network-admin (FM) role can display a list of all logged in users, and has the ability to terminate a user session. In addition, the network-admin (sw) role can, on the switch, specify an account timeout period upon creation of the user’s account, display a user’s profile details, and view a user’s command history through the accounting log. Validation Report Cisco MDS 9000 12 3.7.3 Port Security The TOE can bind entities to fibre channel ports using the port, node or switch World Wide Name (an entity may be a host(server), target(storage device) or switch), thus preventing unauthorized access to a switch port. 3.7.4 Fabric Binding Fabric binding extends port security by binding inter-switch links within the SAN, thus preventing unauthorized switches from joining the fabric or disrupting current fabric operations. Fabric binding policies are enforced based on identities authenticated by DHCHAP. 3.8 Trusted Path/Channel 3.8.1 IP-based Access Control Lists IP-ACLs restrict IP-related MDS 9000 out-of-band (i.e. Ethernet based) management traffic based on IP addresses (Layer 3 and Layer 4 information). An IP filter contains rules for matching an IP packet based on the protocol, address, and port. IP-ACLs are configurable on the management interface. Validation Report Cisco MDS 9000 13 4. Assumptions and Clarification of Scope This section describes the security aspects of the environment in which the TOE is expected to operate. 4.1 Secure Usage Assumptions The following assumptions are made in relation to the TOE: Name Description A.NOEVIL Network administrators and operators of the TOE are assumed to be non-hostile, trusted to perform their duties in a secure manner, and expected to follow all security policies and procedures applicable to their deployment. A.PHYSICAL Internetworking equipment containing the TOE is assumed to be in a physically secure environment. A.ZONECONNECT Interconnected switches within the same management zone as the TOE are assumed to have protection against unauthorized access. A.NETPROTECT Data traversing the VSAN across different environment locations is assumed to be protected from threats of unauthorized disclosure and unauthorized modification. A.PERSONNEL It is assumed that administrators, operators and maintainers have been trained sufficiently to configure, operate, and maintain the TOE in a secure and trusted manner in accordance with the guidance documentation. A.TIMESOURCE Clock sources external to the scope of the TOE are stored in a secure location, and configured accurately so as to provide a trusted clock source for the TOE’s internal clock. A.VSANTIMESYNC All network devices within the VSAN will be configured to the same external clock. A.MANAGEMENTLAN The Management LAN is trusted. All services such as AAA or NTP provided by the management LAN, and all devices attached to the management LAN are trusted to perform in a secure manner. A.PASSWORD Administrators shall ensure that all users of the TOE use passwords that conform to the complexity requirements as described in the evaluated guidance documentation. A.HOSTOS The host operating system of the Fabric Manager is assumed to provide protection to files that are stored on it such that they cannot be deleted or altered without authorization. Table 5: Secure Usage Assumptions Validation Report Cisco MDS 9000 14 4.2 Threats to Security The Threat agents against the TOE are attackers with expertise, resources, and motivation that combine to be a low attack potential. The TOE addresses the following threats: Name Description T.USERATTACK An unauthorized individual may gain access to the TOE and compromise its security functions by altering its configuration and/ or audit records. T.EXCEEDPRIV An authorized user of the TOE exceeds his/her assigned security privileges resulting in the illegal modification of the TOE configuration. T.VSANCOMPROMISE An unauthorized user, switch, host or device within the SAN fabric may gain access to a VSAN they are not a member of, and view traffic belonging to that VSAN. T.ZONECOMPROMISE An unauthorized user or device within a VSAN may gain access to a zone they are not a member of, and view traffic belonging to that zone. T.SWITCHCOMPROMISE An unauthorized switch or host within the SAN fabric may gain access to a switch or host they are not permitted to access, and view the traffic destined for that switch or host. T.NODETECT An unauthorized user, switch, host or device attempts to mount an attack against the TOE security functions without detection. Table 6: Threats addressed by the TOE Validation Report Cisco MDS 9000 15 5. Architectural Information The following Physical Hardware and Software Included in the Target of Evaluation: Physical TOE Components Hardware/Software Component Description Software SAN-OS Maintenance Release 3.2(2c), including Fabric Manager for SANOS 3.2(2c). Fabric Manager 3.2(2c) includes: • Fabric Manager Server • Fabric Manager Client • Performance Manager • Device Manager • Fabric Manager Web Services Fabric Manager also relies on the PostgreSQL, version 8.2.4 DBMS package, that is included on the Fabric Manager distribution CD and is within the TOE boundary. Fabric Manager also uses JBoss 4.2.0. MDS 9509 Multilayer Director Cisco MDS 9509 multilayer directors contain two slots for supervisor modules and 7 slots for switching or services modules providing up to 224 ports (32 ports x 7 slots). MDS 9506 Multilayer Director Cisco MDS 9506 multilayer directors contain two slots for supervisor modules and 4 slots for switching or services modules providing up to 128 ports (32 ports x 4 slots). MDS 9513 Multilayer Director Cisco MDS 9513 multilayer directors contain two slots for supervisor modules and 11 slot s for switching or services modules providing up to 352 ports (32 ports x 11 slots). MDS 9216 Multilayer Fabric Switch Cisco MDS 9216 multilayer fabric switches contain one fixed integrated supervisor module with 16 Fibre Channel ports and an expansion slot which can support up to 32 additional ports (for a total of 48 ports). MDS 9216A Multilayer Fabric Switch Cisco MDS 9216A multilayer fabric switches contain one fixed integrated supervisor module with 16 Fibre Channel ports and an expansion slot which can support up to 48 additional ports (for a total of 64 ports). MDS 9216i Multilayer Fabric Switch Cisco MDS 9216i multilayer fabric switches support 14 2-Gbps Fibre Channel interfaces for high-performance storage area network (SAN) connectivity and Small Computer System Interface over IP (iSCSI) storage services and an expansion slot which can support up to 48 additional ports (for a total of 62 ports). Validation Report Cisco MDS 9000 16 MDS 9140 Multilayer Fabric Switch Cisco MDS 9140 multilayer switches contains 40 ports (8 full rate ports, 32 host-optimized ports) MDS 9120 Multilayer Fabric Switch Cisco MDS 9120 multilayer switches contains 20 ports (4 full rate ports, 16 host-optimized ports) Ethernet, Fibre Channel, Serial Port These components make up the physical connectivity layer to the TOE. The Ethernet and Fibre Channel interfaces are used to connect to the switch fabric or to server / device components. The serial port is used for local administrative access. Cisco MDS 9500 Series Supervisor Module The Cisco MDS 9500 Series Supervisor Module is designed to allow for non-disruptive software upgrades and hardware redundancy for maximum availability and performance. This module may be used with the MDS 9509 and 9506 Multilayer Directors. Cisco MDS 9500 Series Supervisor 2 Module The Cisco MDS 9500 Series Supervisor 2 Module is designed to allow for non-disruptive software upgrades and hardware redundancy for maximum availability and performance. This module may be used with any of the 9500 Multilayer Directors. Cisco MDS 9000 Family Multiprotocol Services Module This Module offers fourteen 2-Gbps Fibre Channel interfaces and two Gigabit Ethernet ports. The module enables Small Computer System Interface over IP (iSCSI) for Ethernet attached servers without sacrificing Fibre Channel port density. This module may be used with the MDS 9509 and 9506 Multilayer Directors, as well as the MDS 9216 Multilayer Fabric Switch. Cisco MDS 9000 Family Storage Services Module This module provides the same features as the MDS 9000 Family Fibre Channel Switching Module, but additionally has the capability to perform Fibre Channel Write Acceleration and Network-Accelerated Serverless Backup. This module may be used with the MDS 9509 and 9506 Multilayer Directors, as well as the MDS 9216 Multilayer Fabric Switch, but the Fibre Channel Write Acceleration and Network- Accelerated Serverless Backup features are not able to be used in the evaluated configuration as they require a separate boot image to be installed on the SSM card. Cisco MDS 9000 IP Storage Services Modules A module that provides four or eight gigabit Ethernet ports for use with iSCSI. This module expands the number of ethernet ports that may be utilised by the switch. This module may be used with the MDS 9509 and 9506 Multilayer Directors, as well as the MDS 9216 Multilayer Fabric Switch MDS 9000 Family Fibre Channel Switching Modules A basic 16 or 32 port fibre channel switching module. This module expands the number of fibre channel ports that may be utilised by the switch. This module may be used with the MDS 9509 and 9506 Multilayer Directors, as well as the MDS 9216 Multilayer Fabric Switch. Table 7: Architecture Details Validation Report Cisco MDS 9000 17 6. Documentation • Cisco MDS 9000 Family SAN-OS Release 3.2(2c) Security Target, Version 3.0, August 2008 • Cisco MDS 9000 Family CLI Configuration Guide, Release 3.x Cisco MDS SAN-OS for Release 3.0(1) Through 3.2(2b), November 2007 • Cisco MDS 9000 Family Quick Configuration Guide • Cisco MDS 9000 Family Command Reference, Cisco MDS SAN-OS Release 3.0(1) Through 3.2(2b), November 2007 • Cisco MDS 9000 Family Fabric Manager Configuration Guide, Release 3.x, Cisco MDS SAN-OS Release 3.0(3) Through 3.2(2b), November 2007 • Cisco MDS 9000 Family Fabric Manager Quick Configuration Guide, November 2007 • Cisco MDS 9000 Family Release Notes for Cisco MDS SAN-OS Release 3.2(2c) • Cisco MDS 9000 Family System Messages Reference, November 2007 • Cisco MDS 9000 Family MIB Quick Reference, November 2007 • Cisco MDS 9100 Series Hardware Installation Guide • Cisco MDS 9216 Switch Hardware Installation Guide • Cisco MDS 9500 Series Hardware Installation Guide • Cisco MDS 9000 Family CWDM Passive Optical System Installation Note, June 2007 • Cisco MDS 9000 Family CWDM SFP Installation Note, June 2007 • Cisco MDS 9000 Family SSM Configuration Note, September 2007 • Cisco MDS 9000 Family Fabric Manager Server Database Schema - December 2006 • Regulatory Compliance and Safety Information for the Cisco MDS 9000 Family • Installation and Configuration for Common Criteria EAL3 Evaluated Cisco MDS 9000 Family – SAN-OS Release 3.2(2c), April 2008 Version 0-17 Validation Report Cisco MDS 9000 18 7. IT Product Testing This section describes the testing efforts of the developer and the evaluation team. The cryptography used in this product was not analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. 7.1 Developer Testing The developer performed a testing and coverage analysis, which examined each SFR and developed one or more Cisco test cases that verify the function or command requirement. These tests were documented in the EAL3 Detailed Test Plan. The scope of the developer tests included all TOE Security Functions. The developer testing addressed all the security functions claimed by the TOE. The developer used existing test cases to test the TOE. The evaluation team determined that the developer’s test methodology met the coverage and depth requirements and that the actual test results matched the expected results. The following hardware equivalence rationale addresses various TOE components and establishes what equivalent hardware is present in the test configuration and why that hardware subset is sufficient. In the interests of efficiency, the evaluation team selected a subset of hardware platforms to test. The subset selected ensures that each software version is tested, and hardware product family is tested, though not all hardware models are tested. The rationale for this is that it is considered suitable that several versions TOE hardware that differ in non-security implementing functionality may be represented in the test setup by a TSF-equivalent component of TOE hardware. The TOE presents the same interfaces (TSFI) regardless of the hardware differences among different TOE models within each representative model set. Testing multiple configurations would not result in differences in test cases or procedures and would not yield different results. Some of the modules that are included in the TOE are available in several slot/performance backplane capacity configurations. In this situation, since the number of available interfaces does not impact of the security functionality of the TOE, modules of the same type but varying port density are considered equivalent from a security perspective. The following hardware equivalence rationale addresses various TOE components and establishes what equivalent hardware is present in the test configuration and why that hardware subset is sufficient. The subsets can be logically separated into 3 groupings: Group A: 9506, 9509, 9513 Multi-layer Directors: Group B: 9216, 9216A, 9216i Multi-layer Fabric Switch Group C: 9100 Series Fabric Switches Group Model Storage Networking Module Tested by A 9506 Cisco MDS 9000 Family 14/2-port Multiprotocol Services Module 16-port Fibre channel switching module CCTL Validation Report Cisco MDS 9000 19 Supervisor-1 Module A 9509 IP Storage Services Module 16-port Fibre channel switching module Supervisor-1 Module Vendor A 9509 MDS 9000 1/2/4-Gbps 48-port Fibre Channel Switching Module Supervisor-1 Module CCTL 9513 16-port Fibre channel switching module Supervisor-1 Module Vendor 9513 24-port Fibre channel switching module 12-port Fibre channel switching module Supervisor-2 Module CCTL B 9216i N/A (The 9216i module includes an integrated IP storage services module.) Vendor and CCTL C Cisco 9100 Series N/A Vendor Table 8: Hardware Subset Grouping Hardware model group A 9506, 9509, 9513 Multi-layer Directors: All hardware models in this group were tested. Hardware model group B 9216i Multi-layer Fabric Switch: All hardware models in this group were tested. Hardware model group C 9100 Series Fabric Switches: By selecting the 9140 TOE model, the evaluation team determined this group would be sufficiently tested. The 9120 is identical to the 9140, except it has fewer ports (20 versus 40). This was acceptable to the evaluation team. Storage Networking Modules: The storage networking modules in the TOE are categorized below: Validation Report Cisco MDS 9000 20 • Cisco MDS 9500 Series Supervisor Module • Cisco MDS 9500 Series Supervisor 2 Module • Cisco MDS 9000 Family Multiprotocol Services Module • Cisco MDS 9000 Family Storage Services Module • Cisco MDS 9000 IP Storage Services Modules • Cisco MDS 9000 Family Fibre Channel Switching Modules The following modules were tested: • Cisco MDS 9500 Series Supervisor Module • Cisco MDS 9500 Series Supervisor 2 Module • Cisco MDS 9000 Family Multiprotocol Services Module • Cisco MDS 9000 IP Storage Services Modules • Cisco MDS 9000 Family Fibre Channel Switching Modules Features on the Cisco Multiprotocol Services Module (FC-IP and FICON) are disabled within the evaluated configuration. Similarly, features on the IP Storage services module (FC-IP, Fibre Channel Write Acceleration, FICON) are disabled within the evaluated configuration. This leaves the only difference among both modules to be Fibre channel port density. The only module not tested was the Cisco MDS 9000 Family Storage Services Module. This module, includes the following features: • Fibre Channel switching. • Fibre Channel Write Acceleration (FC-WA) and Small Computer System Interface (SCSI) flow-statistics monitoring. • Network-Accelerated Serverless Backup with standards-based SCSI-2 EXTENDED COPY command. • Network-Assisted Storage Applications with the SANTap protocol. • Network-Hosted Storage Applications with the Fabric Application Interface Standard (FAIS)- based Intelligent Storage Application Programmatic Interface (ISAPI). These features are further explained below: 1. Fibre Channel ports for native Fibre Channel communication; 2. The Fibre Channel Write Acceleration (FC-WA) and SCSI flow-statistics monitoring allows synchronous replication over greater distances by minimizing latency. 3. Network-Accelerated “serverless” Backup. This feature enables backup applications to use the network for data movement using the SCSI-2 Extended Copy command, thereby offloading I/O and processing from media servers. 4. Network-Assisted Storage Applications with the Cisco SANTap protocol. SANTap is a proprietary protocol that allows a storage appliance to get an I/O copy without impacting the integrity, availability, and performance of the primary I/O between servers and storage. The SSM intercepts I/O on the network and performs duplication for the purposes of secondary data processing functions such as data replication, continuous data protection, and data migration. Thus network-assisted storage applications can be deployed without appliances residing in the primary data path. 5. Network-Hosted Storage Applications with the Fabric Application Interface Standard (FAIS)- based Intelligent Storage Application Programming Interface (ISAPI). Cisco also provides an API that allows the SSM to be used for data-path transactions only Validation Report Cisco MDS 9000 21 while control information flows through an external processor that the software vendor is responsible for maintaining. In this scenario, the SSM and external processor communicate either via an external IP network or in-band via IP over Fibre Channel. Feature 1 above was sufficiently tested with the Fibre Channel Switching Modules. Features 2-5 above are disabled within the TOE evaluated configuration. Therefore they do not impact the TSF and are not considered security relevant. 7.2 Evaluation Team Independent Testing The evaluation team ensured that the TOE performed as described in the design documentation and demonstrated that the TOE enforces the TOE security functional requirements. Specifically, the evaluation team ensured that the developer test documentation sufficiently addresses the security functions as described in the functional specification. The evaluation team also ensured that all subsystem interfaces were tested by the developer. The evaluation team performed a sample of the developer’s test suite and devised an independent set of team tests and penetration tests. The evaluation team reran a subset of the developer’s test suite that tested all of eight of the TSFs. The evaluation team also performed a penetration flaw hypothesis analysis of the product to prepare for a penetration testing effort. The analysis examined each SFR line by line to determine whether it was possible that the evaluated configuration could be susceptible to vulnerability. It’s to be noted that many of the functional testing concentrated on unauthorized access to a switch fabric or storage device. Therefore, a number of functional tests are also considered penetration tests. The evaluation team did construct and execute its own penetration tests below: • Use a port scanner to check for open ports on the MDS switch and Fabric Manager using Nessus. • Determine if the TOE will enforce CHAP authentication on all iSCSI requests. Validation Report Cisco MDS 9000 22 8. Evaluated Configuration The evaluated configuration was tested in the configuration identified in Figure 1, below. The evaluation results are valid for all configurations of the TOE identified in section 5 of this report Figure 1: Testing Environment Test models covered in team test activity • MDS 9506 Multilayer Director Cisco MDS 9000 Multi-Protocol Services Module Cisco MDS 9500 Series Supervisor-1 Module 24 port Fibre Channel Switching Modules • MDS 9509 Multilayer Director Cisco MDS 9500 Series Supervisor-1 Module 48 port Fibre Channel Switching Modules • MDS 9513 Multilayer Director Cisco MDS 9500 Series Supervisor-2 Module 12 port Fibre Channel Switching Modules 24 port Fibre Channel Switching Modules • MDS 9216i Multilayer Fabric Switch (Integrated Fibre Channel and IP storage services) Validation Report Cisco MDS 9000 23 9. Results of the Evaluation The Cisco MDS 9000 Family with SAN-OS Release 3.2(2c) satisfies all of the EAL3 assurance requirements against which it was evaluated. The Security Target provides a detailed description of how Cisco MDS 9000 meets each of the listed components. Validation Report Cisco MDS 9000 24 10. List of Acronyms AAA Authentication, Authorization, and Auditing ACL Access Control List CC Common Criteria CLI Command Line Interface CUP Control Unit Port DH-CHAP Diffie Hellmann – Challenge Handshake Authentication Protocol EAL Evaluation Assurance Level EMS Element Management System FCIP Fibre Channel over IP FCP Fibre Channel Protocol FC-SP Fibre Channel – Security Protocol FICON IBM Fiber Connection GUI Graphical user Interface IP Internet Protocol IPFC IP over Fibre Channel iSCSI Small Computer System Interface over IP IT Information Technology LUN Logical Unit Number OOB Out of Band PP Protection Profile RADIUS Remote Access Dial-In User Service RBAC Role Based Access Control SAN Storage Area Network SF Security Function SFP Security Function Policy SFTP Secure File Transfer Protocol SNMP Simple Network Management Protocol SOF Strength of Function SSH Secure Shell ST Security Target TACACS+ Terminal Access Controller Access Control System Plus TOE Target of Evaluation TSC TSF Scope of Control TSF TOE Security Functions TSFI TSF Interface TSP TOE Security Policy VSAN Virtual Storage Area Network WWN World Wide Name Validation Report Cisco MDS 9000 25 11. Validation Comments/Recommendations The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor.