ZTE IPN Solution Security Target

Proprietary Information of ZTE CORPORATION

LEGAL INFORMATION

Copyright © 2024 ZTE CORPORATION.

All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE CORPORATION or of their respective owners.

This document is provided "as is", and all express, implied, or statutory warranties, representations or conditions are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose, title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications covering the subject matter of this document. Except as expressly provided in any written license between ZTE CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter herein.

Users may visit the ZTE technical support website http://ensupport.zte.com.cn to inquire about related information. The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History

Version  Date        Comment
0.1      30/05/2023  First draft
0.2      25/06/2023  Update 1.2, 1.4.1.1, Appendix A
0.3      30/06/2023  Update 1.4.1.1 guidance and Appendix A; remove QX info
0.4      17/07/2023  Supplement the missing documents
0.5      28/07/2023  Update M6000-SE document name
0.6      08/09/2023  Update as per action item list ASE_ADV
0.7      21/09/2023  Update 1.4.1.1 document list
0.8      01/12/2023  Clarify TOE physical scope and update TSS
0.9      15/01/2024  Update according to EM1 comments
1.0      19/01/2024  Reply to opinion and update chapters 1.2, 1.4.1 ...
1.1      14/03/2024  Delete comments in the document and update 1.4.1

Contents

1 ST Introduction
1.1 ST References
1.2 TOE reference
1.3 TOE Overview and usage
1.3.1 Major security features
1.3.2 Non-TOE Hardware/Software/Firmware
1.4 TOE Description
1.4.1 Physical scope
1.4.1.1 Physical Scope IPN Equipment
1.4.2 Logical scope
2 Conformance Claims
3 Security Problem Definition
3.1 Assets
3.2 Threat agents
3.3 Threats
3.4 Assumptions
4 Security Objectives
4.1 Security objectives for the TOE
4.2 Security objectives for the Operational Environment
5 Security Requirements
5.1 Extended components definition
5.2 Definitions
5.2.1 Subjects
5.2.2 Operations
5.2.2.1 User Management Operations
5.2.3 Objects
5.2.4 Security attributes
5.3 Security Functional Requirements
5.3.1 Identification & Authentication
5.3.1.1 FIA_UID.2 User identification before any action
5.3.1.2 FIA_UAU.2 User authentication before any action
5.3.1.3 FIA_AFL.1 Authentication failure handling
5.3.1.4 FIA_SOS.1 Verification of secrets
5.3.1.5 FTA_SSL.3 TSF-initiated termination
5.3.1.6 FTA_MCS.1 Basic limitation on multiple concurrent sessions
5.3.1.7 FIA_ATD.1 User attribute definition
5.3.2 Authorization & Security Management
5.3.2.1 FMT_SMR.1 Security roles
5.3.2.2 FMT_SMF.1 Specification of Management Functions
5.3.2.3 FDP_ACC.2 Complete access control
5.3.2.4 FDP_ACF.1 Security attribute based access control
5.3.2.5 FMT_MSA.1 Management of security attributes
5.3.2.6 FMT_MSA.3 Static attribute initialisation
5.3.3 Logging & Auditing
5.3.3.1 FAU_GEN.1 Audit data generation
5.3.3.2 FAU_SAR.1 Audit review
5.3.3.3 FAU_STG.1 Protected audit trail storage
5.3.3.4 FAU_STG.4 Prevention of audit data loss
5.3.4 Trusted Path
5.3.4.1 FTP_TRP.1 Trusted path
5.3.5 Secure Channel
5.3.5.1 FTP_ITC.1 Inter-TSF trusted channel
5.3.6 Information Flow Control
5.3.6.1 FDP_IFC.1 Subset information flow control
5.3.6.2 FDP_IFF.1 Simple security attributes
5.4 Security Assurance Requirements
5.5 Security Assurance Requirements Rationale
6 TOE Summary Specification
6.1 User identification and authentication
6.2 Authorization & Security Management
6.3 Logging & Auditing
6.4 Trusted Path and Trust Channel
6.5 Information Flow Control
7 Rationales
7.1 Security Objectives Rationale
7.2 Security Functional Requirements Rationale
7.3 Dependencies
1 ST Introduction

1.1 ST References

Title: ZTE IPN Solution Security Target
Version: 1.1
Date: 14 March 2024
Author: ZTE Corporation

1.2 TOE reference

TOE Name: ZTE IPN Solution
TOE Version: V1.2
TOE Components:
• ZXCTN 9000-E Series Routers: ZXCTN 9000-3EA, ZXCTN 9000-8EA, ZXCTN 9000-18EA
• ZXR10 5960M Series Switches: ZXR10 5960M-56QU-HI, ZXR10 5960M-4M-HI, ZXR10 5960M-8M-HI
• ZXR10 5960X Series Switches: ZXR10 5960X-56QU-HF, ZXR10 5960X-56QU-HG, ZXR10 5960X-54DU-HF, ZXR10 5960X-54DU-HG, ZXR10 5960X-24U-HF
• ZXR10 9900X Series Switches: ZXR10 9904X, ZXR10 9908X, ZXR10 9916X
• ZXR10 M6000-2S Series Routers: ZXR10 M6000-2S6, ZXR10 M6000-2S16
• ZXR10 M6000-S Series Routers: ZXR10 M6000-18S, ZXR10 M6000-8S Plus, ZXR10 M6000-8S, ZXR10 M6000-5S, ZXR10 M6000-3S Plus, ZXR10 M6000-3S
• ZXR10 M6000-SE Series Routers: ZXR10 M6000-16SE, ZXR10 M6000-8SE, ZXR10 M6000-4SE
Developer: ZTE Corporation

1.3 TOE Overview and usage

The TOE is the ZTE IPN solution, focused on the requirements of core Internet nodes, backbone tandem nodes, core egress nodes of large MANs, and data center gateways. ZTE is committed to building flat networks with unified bearing of all services, helping customers build ultra-wide, efficient, and secure new IP backbone networks. The TOE is widely used in metro networks (including the core, aggregation, and access layers) and backbone networks. It provides transmission solutions with various capacities, transmission distances, and intelligent service applications.

The TOE is depicted in Figure 1, together with relevant entities in its environment.

Figure 1: The TOE in its environment

These entities are:
• A DCN network to manage the TOE.
This management network is considered to be trusted, and contains (apart from the TOE):
  o EMS client/server[1]: a Network Management System[2] used by a network operator to monitor and configure its entire optical transmission network.
  o SSH client: a command line interface to manage the TOE.
  o SFTP client: a command line interface to upload TOE patches or download syslog files.
  o Netconf client: a proprietary XML-based command interface to manage the TOE.
  o TACACS+ server: a remote authentication server.
  o Syslog server: an external syslog server that keeps the audit log.
  o SNMP client: an external SNMP client that receives the SNMP traps generated by the TOE.
  o NTP server: an external server that provides the time source.
• An IPN network, consisting of other devices, connected to the TOE. The IPN network is considered to be trusted.

1.3.1 Major security features

The major security features of the TOE are:
1. Secure management and usage of the TOE, to ensure that only properly authorized staff can manage and/or use the TOE;
2. Secure interaction between the various parts of the TOE, and between the TOE and the various machines in its environment, so that management data and commands cannot be read or modified in transit;
3. Logging and auditing of user actions;
4. Information flow control for management traffic.

[1] The EMS server acts as a Netconf client and connects to the TOE Netconf interface. It is considered equivalent to the Netconf client in this evaluation. The EMS client connects to the EMS server to operate the EMS.
[2] Some operators refer to an NMS as an OSS (Operations Support System).
1.3.2 Non-TOE Hardware/Software/Firmware

The environment of the TOE comprises the following software, as shown in Figure 1:
• Management Clients:
  o EMS client/server
  o SSH client
  o SFTP client
  o Netconf client
  o SNMP client
• Supporting Servers:
  o TACACS+ server
  o Syslog server
  o NTP server

The environment of the TOE comprises the following:
• Local PCs, used by administrators to connect to the TOE and access its services over a secure channel with an SSH/SFTP client. The TOE is accessed from a command line terminal.
• Remote PCs/workstations, used by administrators to connect to the TOE with an SSH/SFTP client, Netconf client or EMS client.
• Servers hosting the following:
  o EMS server, for TOE management through the Netconf interface. It is equivalent to the Netconf client in this evaluation.
  o TACACS+ server, which is optional and may be used instead of local authentication.
  o Syslog server, which is optional and is used to receive audit information from the TOE via the SYSLOG protocol.
  o SNMP client, which is optional and is used to receive alarm information from the TOE via the SNMP protocol.
  o NTP server, used to synchronize the TOE's time.
• Other devices

1.4 TOE Description

1.4.1 Physical scope

The TOE consists of TOE hardware, software and guidance documents. The TOE software is provisioned on the TOE hardware, and both are delivered to the customer physically by a contracted shipping company. The customer also needs to download the software package and the guidance documents as zip or pdf files from ZTE's support website, and has to verify the versions given in the following table for all TOE parts for secure acceptance.
1.4.1.1 Physical Scope IPN Equipment

The TOE consists of one of the hardware models listed in Table 1, its corresponding software and guidance documents, and all of the Common Criteria guidance documents.

Table 1: List of TOE physical scope (each entry gives the delivery item and its version; for guidance documents, the document revision and date)

ZXCTN 9000-E Series Routers

Hardware (version: N/A[3]), one of the following hardware models:
  ZXCTN 9000-3EA
  ZXCTN 9000-8EA
  ZXCTN 9000-18EA
Software package: 9000E_5.00.10.72_rel.set, version CTN9000-E V5.00.10.72
Guidance:
  SJ-20230404101353-001-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Safety Precautions.pdf, R1.0, 2023-04-18
  SJ-20230404101353-002-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Product Description.pdf, R1.0, 2023-04-18
  SJ-20230404101353-003-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Hardware Description.pdf, R1.0, 2023-04-18
  SJ-20230404101353-004-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Feature Description.pdf, R1.0, 2023-04-18
  SJ-20230404101353-005-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Security Description.pdf, R1.0, 2023-04-18
  SJ-20230404101353-006-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Hardware Installation Guide.pdf, R1.0, 2023-04-18
  SJ-20230404101353-007-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform License Operation Guide.pdf, R1.0, 2023-04-18
  SJ-20230404101353-008-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Initial Configuration Guide_R1.1.pdf, R1.1, 2023-05-31
  SJ-20230404101353-009-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Configuration Guide.pdf, R1.0, 2023-04-18
  SJ-20230404101353-010-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Backup and Recovery.pdf, R1.0, 2023-04-18
  SJ-20230404101353-011-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Routine Maintenance.pdf, R1.0, 2023-04-18
  SJ-20230404101353-012-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Parts Replacement Guide.pdf, R1.0, 2023-04-18
  SJ-20230404101353-013-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Troubleshooting.pdf, R1.0, 2023-04-18
  SJ-20230404101353-014-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Emergency Maintenance.pdf, R1.0, 2023-04-18
  SJ-20230404101353-015-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Alarm Handling.pdf, R1.0, 2023-04-18
  SJ-20230404101353-016-ZXCTN 9000-EA (V5.00.10.72) Carrier-Class Multi-Service Packet-Based Platform Command Reference.chm, R1.0, 2023-04-18
  SJ-20230404101353-017-ZXCTN 9000-EA (V5.00.10.72) Carrier Class Multi-Service Packet-Based Platform Security Hardening.pdf, R1.0, 2023-05-31

ZXR10 5960M Series Switches

Hardware (version: N/A), one of the following hardware models:
  ZXR10 5960M-56QU-HI
  ZXR10 5960M-4M-HI
  ZXR10 5960M-8M-HI
Software package: 5960M_61P64.set, version 5960 V7.00.00.61P64
Patch: V7.00.00.61P64_HP_348390.pat, patch version ZXR10 5960V7.00.00.61P64_HP_348390
Guidance:
  SJ-20230817094310-001-ZXR10 5960M Series (V7.00.00.61) Data Center Switch Product Description.pdf, R1.0, 2023-08-30
  SJ-20230817094310-002-ZXR10 5960M Series (V7.00.00.61) Data Center Switch Hardware Description.pdf, R1.0, 2023-08-30
  SJ-20230817094310-005-ZXR10 5960M Series (V7.00.00.61) Data Center Switch Hardware Installation Guide.pdf, R1.0, 2023-08-30
  SJ-20230817094310-008-ZXR10 5960M Series (V7.00.00.61) Data Center Switch Configuration Guide.pdf, R1.0, 2023-09-30
  SJ-20230817094310-009-ZXR10 5960M Series (V7.00.00.61) Data Center Switch Routine Maintenance.pdf, R1.0, 2023-09-30
  SJ-20230817094310-010-ZXR10 5960M Series (V7.00.00.61) Data Center Switch Troubleshooting.pdf, R1.0, 2023-09-30
  SJ-20230817094310-011-ZXR10 5960M Series (V7.00.00.61) Data Center Switch Alarm Handling.pdf, R1.0, 2023-09-30

ZXR10 5960X Series Switches

Hardware (version: N/A), one of the following hardware models:
  ZXR10 5960X-56QU-HF
  ZXR10 5960X-54DU-HF
  ZXR10 5960X-24U-HF
  ZXR10 5960X-56QU-HG
  ZXR10 5960X-54DU-HG
Software package: 5960X_LS2088A.set, version 5900 V6.00.03.92P02
Patch: V6.00.03.92P02_HP_348390.pat, patch version ZXR10 5960X V6.00.03.92P02_HP_348390
Guidance:
  SJ-20230524100811-001-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Product Description.pdf, R1.0, 2023-07-30
  SJ-20230524100811-002-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Hardware Description.pdf, R1.0, 2023-07-30
  SJ-20230524100811-003-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Hardware Installation Guide.pdf, R1.0, 2023-07-30
  SJ-20230524100811-004-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Initial Configuration Guide.pdf, R1.0, 2023-06-30
  SJ-20230524100811-005-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Security Hardening.pdf, R1.0, 2023-06-30
  SJ-20230524100811-006-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Configuration Guide.pdf, R1.0, 2023-07-20
  SJ-20230524100811-007-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Routine Maintenance.pdf, R1.0, 2023-06-30
  SJ-20230524100811-008-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Troubleshooting.pdf, R1.0, 2023-07-15
  SJ-20230524100811-009-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Alarm Handling.pdf, R1.0, 2023-07-15
  SJ-20230524100811-011-ZXR10 5960X Series (V6.00.03.92) Data Center Core Switch Feature Description.pdf, R1.0, 2023-07-15

ZXR10 9900X Series Switches

Hardware (version: N/A), one of the following hardware models:
  ZXR10 9904X
  ZXR10 9908X
  ZXR10 9916X
Software package: base.set, version V1.00.30.01P26
Patch: Patch-V1.00.30.01P26_HP_965767.pat, patch version V1.00.30.01P26_HP_965767
Guidance:
  SJ-20230210102038-002-ZXR10 9900X Series (V1.00.30) Data Center Core Switch Product Description.pdf, R1.0, 2023-06-30
  SJ-20230210102038-003-ZXR10 9900X Series (V1.00.30) Data Center Core Switch Hardware Description.pdf, R1.0, 2023-06-30
  SJ-20230210102038-005-ZXR10 9900X Series (V1.00.30) Data Center Core Switch Hardware Installation Guide.pdf, R1.0, 2023-06-30
  SJ-20230210102038-007-ZXR10 9900X Series (V1.00.30) Data Center Core Switch Routine Maintenance.pdf, R1.0, 2023-06-30
  SJ-20230210102038-008-ZXR10 9900X Series (V1.00.30) Data Center Core Switch Parts Replacement Guide.pdf, R1.0, 2023-06-30
  SJ-20230210102038-009-ZXR10 9900X Series (V1.00.30) Data Center Core Switch Troubleshooting.pdf, R1.0, 2023-06-30
  SJ-20230210102038-013-ZXR10 9900X Series (V1.00.30) Data Center Core Switch Initial Configuration Guide.pdf, R1.0, 2023-06-30
  SJ-20230210102038-014-ZXR10 9900X Series (V1.00.30) Data Center Core Switch Security Hardening.pdf, R1.0, 2023-06-30

ZXR10 M6000-2S Series Routers

Hardware (version: N/A), one of the following hardware models:
  ZXR10 M6000-2S6
  ZXR10 M6000-2S16
Software package: ZXCTNM600090002E8A_V5.10.10.30B34.set, version M6000 V5.10.10.30
Guidance:
  SJ-20230202173055-001-ZXR10 M6000-2S (V5.10.10.30) Safety Precautions.pdf, R1.0, 2023-02-28
  SJ-20230202173055-002-ZXR10 M6000-2S (V5.10.10.30) Security Description.pdf, R1.0, 2023-02-28
  SJ-20230202173055-003-ZXR10 M6000-2S (V5.10.10.30) Commissioning Guide.pdf, R1.0, 2023-01-30
  SJ-20230202173055-004-ZXR10 M6000-2S (V5.10.10.30) Initial Configuration Guide.pdf, R1.0, 2023-01-30
  SJ-20230202173055-005-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (System Management).pdf, R1.0, 2023-03-30
  SJ-20230202173055-006-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (Interface Management).pdf, R1.0, 2023-03-30
  SJ-20230202173055-007-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (IP Service).pdf, R1.0, 2023-01-30
  SJ-20230202173055-008-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (IP Routing).pdf, R1.0, 2023-03-30
  SJ-20230202173055-009-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (IP Multicast).pdf, R1.0, 2023-03-30
  SJ-20230202173055-010-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (MPLS).pdf, R1.0, 2023-03-30
  SJ-20230202173055-011-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (VPN).pdf, R1.0, 2023-01-30
  SJ-20230202173055-012-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (QoS).pdf, R1.0, 2023-01-30
  SJ-20230202173055-013-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (Security).pdf, R1.0, 2023-03-30
  SJ-20230202173055-014-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (Reliability).pdf, R1.0, 2023-03-30
  SJ-20230202173055-015-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (SR).pdf, R1.0, 2023-03-30
  SJ-20230202173055-016-ZXR10 M6000-2S (V5.10.10.30) Configuration Guide (SRv6).pdf, R1.0, 2023-03-30
  SJ-20230202173055-017-ZXR10 M6000-2S (V5.10.10.30) Backup and Recovery.pdf, R1.0, 2023-03-30
  SJ-20230202173055-018-ZXR10 M6000-2S (V5.10.10.30) Routine Maintenance.pdf, R1.0, 2023-03-30
  SJ-20230202173055-019-ZXR10 M6000-2S (V5.10.10.30) Fault Management Overview.pdf, R1.0, 2023-02-28
  SJ-20230202173055-020-ZXR10 M6000-2S (V5.10.10.30) Emergency Handling.pdf, R1.0, 2023-02-28
  SJ-20230202173055-021-ZXR10 M6000-2S (V5.10.10.30) Alarm Handling.pdf, R1.0, 2023-02-28
  SJ-20230202173055-022-ZXR10 M6000-2S (V5.10.10.30) Troubleshooting.pdf, R1.0, 2023-02-28
  SJ-20230202173055-023-ZXR10 M6000-2S (V5.10.10.30) Fault Information Collecting.pdf, R1.0, 2023-03-30
  SJ-20230202173055-024-ZXR10 M6000-2S (V5.10.10.30) Performance Reference.pdf, R1.0, 2023-03-31
  SJ-20230202173055-025-ZXR10 M6000-2S (V5.10.10.30) Command Reference.chm, R1.1, 2023-06-30

ZXR10 M6000-S Series Routers

Hardware (version: N/A), one of the following hardware models:
  M6000-18S
  M6000-8S
  M6000-8S Plus
  M6000-5S
  M6000-3S
  M6000-3S Plus
Software package: M6000-S_5.00.10.72_rel.set, version M6000-S V5.00.10.72
Guidance:
  SJ-20230220175532-001-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Safety Precautions.pdf, R1.0, 2023-02-28
  SJ-20230220175532-002-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Product Description.pdf, R1.0, 2023-02-28
  SJ-20230220175532-003-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Hardware Description.pdf, R1.0, 2023-02-28
  SJ-20230220175532-004-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Feature Description.pdf, R1.0, 2023-02-28
  SJ-20230220175532-005-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Security Description.pdf, R1.0, 2023-02-28
  SJ-20230220175532-006-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Hardware Installation Guide.pdf, R1.0, 2023-02-28
  SJ-20230220175532-007-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router License Operation Guide.pdf, R1.0, 2023-02-28
  SJ-20230220175532-008-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Initial Configuration Guide_R1.1.pdf, R1.1, 2023-05-31
  SJ-20230220175532-009-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Configuration Guide.pdf, R1.0, 2023-02-28
  SJ-20230220175532-010-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Backup and Recovery.pdf, R1.0, 2023-02-28
  SJ-20230220175532-011-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Routine Maintenance.pdf, R1.0, 2023-02-28
  SJ-20230220175532-012-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Parts Replacement Guide.pdf, R1.0, 2023-02-28
  SJ-20230220175532-013-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Troubleshooting.pdf, R1.0, 2023-02-28
  SJ-20230220175532-014-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Emergency Maintenance.pdf, R1.0, 2023-02-28
  SJ-20230220175532-015-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Alarm Handling.pdf, R1.0, 2023-02-28
  SJ-20230220175532-016-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Command Reference.chm, R1.0, 2023-02-28
  SJ-20230220175532-017-ZXR10 M6000-S (V5.00.10.72) Carrier-Class Router Security Hardening.pdf, R1.0, 2023-05-31

ZXR10 M6000-SE Series Routers

Hardware (version: N/A), one of the following hardware models:
  M6000-16SE
  M6000-8SE
  M6000-4SE
Software package: M6000-SE_V6.00.10.10_rel.set, version M6000-SE V6.00.10.10
Guidance:
  SJ-20230727183755-001-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Safety Precautions.pdf, R1.0, 2023-10-20
  SJ-20230727183755-002-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Product Description.pdf, R1.0, 2023-10-20
  SJ-20230727183755-003-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Hardware Description.pdf, R1.0, 2023-10-20
  SJ-20230727183755-004-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Feature Description.pdf, R1.0, 2023-10-20
  SJ-20230727183755-005-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Security Description.pdf, R1.0, 2023-10-20
  SJ-20230727183755-006-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Hardware Installation Guide.pdf, R1.0, 2023-10-20
  SJ-20230727183755-007-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Initial Configuration Guide.pdf, R1.0, 2023-03-06
  SJ-20230727183755-008-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router License Operation Guide.pdf, R1.0, 2023-10-20
  SJ-20230727183755-009-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Configuration Guide.pdf, R1.0, 2023-10-20
  SJ-20230727183755-010-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Security Hardening.pdf, R1.0, 2023-10-20
  SJ-20230727183755-011-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Parts Replacement Guide.pdf, R1.0, 2023-10-20
  SJ-20230727183755-012-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Routine Maintenance.pdf, R1.0, 2023-10-20
  SJ-20230727183755-013-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Backup and Recovery.pdf, R1.0, 2023-10-20
  SJ-20230727183755-014-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Emergency Maintenance.pdf, R1.0, 2023-10-20
  SJ-20230727183755-015-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Alarm Handling.chm, R1.0, 2023-10-20
  SJ-20230727183755-016-ZXR10 M6000-SE (V6.00.10.10) Carrier-Class Router Troubleshooting.pdf, R1.0, 2023-10-20

Common Criteria Guidance Documents

  ZTE IPN Common Criteria Security Evaluation - Certified Configuration.pdf, R1.4, 2024-03-14

[3] The TOE hardware model name is the hardware's unique identifier and serves as the version of the hardware.

1.4.2 Logical scope

Figure 2 shows the logical architecture of the TOE. All the software components are included in the TOE software bundle listed in section 1.4.1.

Figure 2: Logical Architecture of the TOE

The TOE provides the following security functionalities:
1. User identification and authentication are enforced, so users must be authenticated by password before using or managing the TOE. User sessions are monitored and passwords are verified to enforce secure authentication;
2. Access control is strictly enforced on TOE users based on their privilege level and the access control policy;
3. User management functionalities are provided to control the users and their attributes (privilege level, password, idle time, account lock, etc.);
4. TOE communications with the management client or EMS server are protected against modification or disclosure;
5. User actions are logged. The log trail is protected against unauthorized modification. The TOE provides administrators with log review capabilities;
6. Information flow control: the TOE accepts management traffic from the DCN network according to the ACL rules.

2 Conformance Claims

This ST conforms to Common Criteria, version 3.1R5, as defined by [CC], with:
• CC Part 2 conformant
• CC Part 3 conformant

This ST claims conformance to EAL 3 augmented with ALC_FLR.2.

This ST conforms to no Protection Profile.

3 Security Problem Definition

This section describes the assets, threat agents and threats to the TOE.

3.1 Assets

USER_DATA: User data from a user device that is transmitted by the TOE.
ADMIN_ACCESS: Administrative access to the TOE.
TSF_DATA: TSF data stored and managed by the Management Clients that is used to enforce the security mechanisms, such as the stored user passwords, the user attributes, or the encryption keys for the trusted channels. This data shall only be modified by users with ADMIN_ACCESS.
TSF_ACTIVITY_LOGS: User and administrator log records generated by the TSF.

3.2 Threat agents

TA.REMOTE: An attacker with access to the DCN network that is connected to the TOE. This agent does not have authorized access to the TOE.
TA.USER: An attacker with authorised access to the TOE, but without any administrative rights.

3.3 Threats

T.COMMUNICATION_CH: TA.REMOTE may be able to disclose or modify USER_DATA or TSF_DATA while it is being transmitted through insecure networks.
T.UNAUTHENTICATED_USER: TA.REMOTE may be able to bypass user authentication, access the TOE, perform administrative actions (ADMIN_ACCESS) on the TOE and modify TSF_DATA.
T.UNAUTHORIZED_ADMIN: TA.USER may be able to bypass the access control policy or the information flow control policy of the TOE, perform administrative actions (ADMIN_ACCESS) without administrative rights and modify TSF_DATA.
T.UNDETECTED_ACTIVITY: TA.REMOTE or TA.USER may be able to attempt or perform abusive actions on the TOE without administrator awareness (TSF_ACTIVITY_LOGS).
T.UNKNOWN_SOURCE: TA.REMOTE may be able to bypass the information flow control, access the TOE, perform administrative actions (ADMIN_ACCESS) on the TOE and modify TSF_DATA.

3.4 Assumptions

A.TIME: The environment will provide a reliable timestamp for the TOE.
A.TRUSTED_NETWORK: The TOE, SYSLOG server, SNMP client, TACACS+ server and other TOEs are deployed in a controlled environment (the operator's equipment room) in trusted networks. The TOE and the TOE management clients/servers are segregated from the core network and the IP management network, so only authorized network traffic is allowed.
A.PHYSICAL_PROTECTION: The TOE hardware equipment and the required clients/servers are placed in a safe and controllable space. These devices shall be maintained and operated only by authorized personnel.
A.ADMINISTRATORS: The personnel working as authorized administrators are trustworthy and trained for the TOE administration.
A.MANAGEMENT_DEVICE: The administrator uses a secure remote management terminal and server for remote access to the TOE. The client or server is up to date regarding security upgrades and cryptographic support.

4 Security Objectives

These security objectives describe how the threats described in the previous section will be addressed.
They are divided into:
• the Security Objectives for the TOE, describing what the TOE will do to address the threats;
• the Security Objectives for the Operational Environment, describing what other entities must do to address the threats.
A rationale that the combination of all of these security objectives indeed addresses the threats may be found in section 7.1 of this Security Target.

4.1 Security objectives for the TOE

O.SECURE_COMMUNICATION: The TOE shall provide the means to establish secure communication channels between the TOE and the Management Clients.
O.USER_AUTHENTICATION: The TOE shall enforce user authentication on all user access to the TOE.
O.ACCESS_CONTROL: The TOE shall implement a flexible privilege-based authorization framework. Each privilege allows a user to perform certain actions, and the TOE shall ensure that users can only perform an action when they hold a privilege that allows it.
O.AUDITING: The TOE shall enforce logging of user actions and provide auditing capabilities to holders of the audit review privilege.
O.INFORMATION_FLOW_CONTROL: The TOE shall ensure that only clients/servers from the accepted network sources are allowed to manage the TOE.

4.2 Security objectives for the Operational Environment

OE.TIME: The TOE environment shall provide reliable time via a trusted NTP service and protect the communication between the TOE and the NTP service.
OE.TRUSTED_NETWORK: The TOE, SYSLOG server, SNMP client, TACACS+ server and other TOEs are deployed in controlled environments (the operator's equipment room) in a trusted network. The TOE and the TOE management clients/servers are segregated from the core network and the IP management network, so only authorized network traffic is allowed.
OE.PHYSICAL_PROTECTION: The TOE hardware equipment and the required clients/servers shall be placed in a safe and controllable space.
These devices shall be maintained and operated only by authorized personnel.
OE.ADMINISTRATORS: The personnel working as authorized administrators shall be trustworthy and thoroughly trained for the TOE administration, and will follow the TOE's user guidance.
OE.MANAGEMENT_DEVICE: The TOE administrator shall use a secure remote management terminal and server for remote access to the TOE. The client or server shall be up to date regarding security upgrades and cryptographic support.

5 Security Requirements

5.1 Extended components definition

There are no extended components defined.

5.2 Definitions

The following terms are used in the security requirements:

5.2.1 Subjects
• S.User: the users with access to the TOE who are responsible for the TOE management and who are connected through the DCN management network.

5.2.2 Operations

5.2.2.1 User Management Operations
• OP.lockUnlockUser: to lock or unlock a user. A locked user is not able to log in to the TOE;
• OP.userManagement: to perform user management functions, which include adding or removing users and modifying user attributes on the TOE;
• OP.logReview: to review the logs generated by the TOE;
• OP.RuleManagement: to perform security rule management functions, which include adding, removing or modifying security rules;
• OP.idleTimeout: to set the amount of time that a user can remain idle before being logged out from the TOE.

5.2.3 Objects
• O.user: this object includes all information of the user account. The specific fields can be seen in the following section as these are considered security attributes;
• O.rule: this object includes all information of the security rule. The specific fields can be seen in the following section as these are considered security attributes;
• O.setting: this object includes all information of the security common settings.
The specific fields can be seen in the following section as these are considered security attributes.

5.2.4 Security attributes
• User
  o User.username: the user's unique identifier;
  o User.password: the user password;
  o User.passwordHistory: the user's password change history;
  o User.privilegeLevel: the privilege level of this user;
  o User.rule: the security rule of the user;
  o User.isLocked: indicates whether the user account is locked. Only unlocked users are allowed to log in.
• Rule
  o Rule.passwordExpirationDate: the expiration date of the user password, if used;
  o Rule.passwordHistoryNumber: the number of previous passwords kept in the history. When set, the user cannot reuse any password in this history when changing the password;
  o Rule.allowedIPs: the list of source IPs from which the user is allowed to log in. If the log-in is requested from another IP, access is denied;
  o Rule.authenticationAttempts: the maximum number of authentication attempts allowed for the user before its account is locked;
  o Rule.lockedPeriod: the period of time for which the user account remains locked.
• Setting
  o Setting.idleTimeout: the amount of time that the user can remain idle before being logged out from the TOE.

5.3 Security Functional Requirements

The following notational conventions are used in the requirements:
• Assignments are indicated in bold text;
• Selections are indicated in bold underlined text;
• Refinements are indicated with bold italic text and strikethroughs. In general, refinements were applied to clarify requirements and/or make them more readable;
• Iterations are indicated by adding three letters to the component name;
• References are indicated with [square brackets].
The SFRs have been divided into six major groups:
• Identification & Authentication
• Authorization & Security Management
• Logging & Auditing
• Trusted Path
• Secure Channel
• Information Flow Control

5.3.1 Identification & Authentication

5.3.1.1 FIA_UID.2 User identification before any action
FIA_UID.2.1 The TSF shall require each S.User user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

5.3.1.2 FIA_UAU.2 User authentication before any action
FIA_UAU.2.1 The TSF shall require each S.User user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

5.3.1.3 FIA_AFL.1 Authentication failure handling
FIA_AFL.1.1 The TSF shall detect when an administrator-configurable positive integer within 0 and 16 (Rule.authenticationAttempts, default 5; applies to the SSH and Netconf interfaces) of unsuccessful authentication attempts occur related to S.User authentication.
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met, the TSF shall lock the S.User account:
• until it is unlocked by the security administrator, or
• until a security-administrator-configurable time (Rule.lockedPeriod) has passed, if the account has not been set to permanent locking.
Application Note: The security administrator is an S.User whose privilege level contains the corresponding rights (OP.lockUnlockUser, OP.RuleManagement).

5.3.1.4 FIA_SOS.1 Verification of secrets
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets (User.password) meet:
• at least 8 characters, including four character types: number, upper case letter, lower case letter, special character;
• cannot be the same as the username, the username in reverse (footnote 4) or a common password dictionary word;
• the new password cannot be the same as one of the last (Rule.passwordHistoryNumber) passwords recorded in User.passwordHistory.
Footnote 4: If the username is "chang", "gnahc" is not allowed.

5.3.1.5 FTA_SSL.3 TSF-initiated termination
FTA_SSL.3.1 The TSF shall terminate an interactive session after a period of inactivity equal to the configured time (Setting.idleTimeout).

5.3.1.6 FTA_MCS.1 Basic limitation on multiple concurrent sessions
FTA_MCS.1.1 The TSF shall restrict the maximum number of concurrent sessions that belong to the same user S.User.
FTA_MCS.1.2 The TSF shall enforce, by default, a limit of 3 sessions per user S.User.

5.3.1.7 FIA_ATD.1 User attribute definition
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users S.User:
• User.username;
• User.password;
• User.passwordHistory;
• User.privilegeLevel;
• User.rule;
• User.isLocked.

5.3.2 Authorization & Security Management

5.3.2.1 FMT_SMR.1 Security roles
FMT_SMR.1.1 The TSF shall maintain the roles:
o For the CLI interface: ZXCTN 9000-8EA, ZXR10 M6000-16SE, ZXR10 M6000-3S: privilege level 0 to 18; ZXR10 5960M-4M-HI, ZXR10 5960X-56QU-HF, ZXR10 9904X, ZXR10 M6000-2S16: privilege level 0 to 15.
o For the Netconf interface: user-defined roles which can be assigned different operations.
Application note: For the CLI interface there are 16 or 19 privilege levels, as described above. Each privilege level is treated as a distinct role. However, a user can only belong to one privilege level (role).
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
Application note: For the CLI interface, the role of a user is identified by his privilege level.

5.3.2.2 FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions:

Management function | Description | Related SFR
OP.ruleManagement -> User.Rule.allowedIPs | Set whether a user (assigned the rule) can only log in from certain IP addresses, and if so, which IP addresses | FDP_ACF.1
OP.idleTimeout -> Setting.idleTimeout | Set the time that users may remain logged in while inactive | FTA_SSL.3
OP.ruleManagement -> User.Rule.allowedWorkSchedule | Set whether a user (assigned the rule) is only allowed to work at certain times, and if so, at which times | FDP_ACF.1
OP.ruleManagement -> User.Rule.authenticationAttempts | Set the number of allowed unsuccessful authentication attempts | FIA_AFL.1
OP.ruleManagement -> User.Rule.lockedPeriod | Set the time that an account (assigned the rule) remains locked | FIA_AFL.1
OP.lockUnlockUser -> User.isLocked | Unlock a user account | FIA_AFL.1
OP.ruleManagement -> User.Rule.passwordExpirationDate | Set whether a user (assigned the rule) password expires after a certain time, and if so, after how long | FDP_ACF.1
OP.ruleManagement -> Rule.passwordHistoryNumber | Set the length of the password history that is maintained to prevent users from reusing the same password, e.g. if set to 3, users cannot use the last 3 passwords | FIA_SOS.1
OP.userManagement -> User.privilegeLevel | Assign the privilege level of a user | FMT_SMR.1
OP.ruleManagement -> Rule.allowedIPs | Configure the accepted management traffic | FDP_IFF.1
OP.userManagement | Create, edit and delete user accounts | FIA_ATD.1, FIA_SOS.1
OP.logReview | Log review | FAU_SAR.1

Application Note: Not all management functions are implemented in all TSFIs. The actually implemented functions are described in the guidance documents listed in section 1.4.1.

5.3.2.3 FDP_ACC.2 Complete access control
FDP_ACC.2.1 The TSF shall enforce the Privilege-based Access Control Policy on
• Subjects:
  o S.User
• Objects:
  o O.user;
  o O.rule;
  o O.setting.
and all operations among subjects and objects covered by the SFP.
FDP_ACC.2.2 The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

5.3.2.4 FDP_ACF.1 Security attribute based access control
FDP_ACF.1.1 The TSF shall enforce the Privilege-based Access Control Policy to objects based on the following:
• Subjects:
  o S.User, with security attributes:
    ▪ User.privilegeLevel;
    ▪ User.rule;
    ▪ User.isLocked;
• Objects:
  o O.user;
  o O.rule;
  o O.setting.
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
• S.User is allowed to perform all operations defined in FMT_SMF.1.1 if and only if the user is authenticated and his User.privilegeLevel has the corresponding operation right;
• S.User is allowed to perform OP.logReview if the user is authenticated and his User.privilegeLevel includes the log view right.
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: None.
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules:
• S.User is locked (User.isLocked is True);
• S.User's User.privilegeLevel does not include the right to perform the operation;
• S.User's password has expired (current time >= User.rule.passwordExpirationDate);
• S.User's session has been terminated due to:
  o inactivity (Setting.idleTimeout).

5.3.2.5 FMT_MSA.1 Management of security attributes
FMT_MSA.1.1 The TSF shall enforce the Access Control Policy to restrict the ability to change_default, modify, delete the security attributes:
• Rule.passwordExpirationDate
• Rule.passwordHistoryNumber
• Rule.allowedIPs
• Rule.authenticationAttempts
• Rule.lockedPeriod
• Setting.idleTimeout
• User.username
• User.password
• User.passwordHistory
• User.privilegeLevel
• User.rule
• User.isLocked
to S.User.

5.3.2.6 FMT_MSA.3 Static attribute initialisation
FMT_MSA.3.1 The TSF shall enforce the Access Control Policy to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the S.User with privilege level 15 to specify alternative initial values to override the default values when an object or information is created.

5.3.3 Logging & Auditing

5.3.3.1 FAU_GEN.1 Audit data generation
FAU_GEN.1.1 The TOE shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the not specified level of audit; and
c) The following auditable events:
• S.User authentication (security log);
• OP.lockUnlockUser (security log);
• OP.enableDisableUser (operation log);
• OP.userManagement (operation log);
• OP.ruleManagement (operation log);
• OP.idleTimeout (operation log).
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, none.
Application note: Start-up and shutdown of the audit functions is not explicitly logged; however, the logging functionality is enabled at start-up and cannot be disabled.

5.3.3.2 FAU_SAR.1 Audit review
FAU_SAR.1.1 The TSF shall provide S.User with the OP.logReview right with the capability to read all log records from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

5.3.3.3 FAU_STG.1 Protected audit trail storage
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to prevent unauthorised modifications to the stored audit records in the audit trail.

5.3.3.4 FAU_STG.4 Prevention of audit data loss
FAU_STG.4.1 The TSF shall overwrite the oldest stored audit records (footnote 5) and no other actions if the audit trail is full.
Application note: Audit records can be exported to a backup server.
Footnote 5: The operation was completed to "take no other actions", and this was subsequently refined away to make the sentence more readable.

5.3.4 Trusted Path

5.3.4.1 FTP_TRP.1 Trusted path
FTP_TRP.1.1 The TSF shall provide a communication path between itself and remote users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification and disclosure.
FTP_TRP.1.2 The TSF shall permit remote users to initiate communication via the trusted path.
FTP_TRP.1.3 The TSF shall require the use of the trusted path for initial user authentication and all TOE management functions defined in FMT_SMF.1.
Application note: This SFR addresses the SSH CLI secure communication, where the TOE acts as the SSH server.

5.3.5 Secure Channel

5.3.5.1 FTP_ITC.1 Inter-TSF trusted channel
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification and disclosure.
FTP_ITC.1.2 The TSF shall permit another trusted IT product to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for TOE management.

5.3.6 Information Flow Control

5.3.6.1 FDP_IFC.1 Subset information flow control
FDP_IFC.1.1 The TSF shall enforce the Management Traffic Policy on
• Subjects: management device;
• Information: IP packets;
• Operation: accept or deny the IP packets.

5.3.6.2 FDP_IFF.1 Simple security attributes
FDP_IFF.1.1 The TSF shall enforce the Management Traffic Policy based on the following types of subject and information security attributes:
• Subject security attributes: IP address, port number;
• Information security attributes: IP protocol, source IP address, source port number, destination IP address, destination port number.
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold:
• The TOE uses the Access Control List to match the IP packets of the management traffic.
If an IP packet matches an ACL rule, the TOE discards or accepts the packet based on the action specified in the ACL rule;
• An ACL rule is constructed from one or more of the following attributes: IP protocol number, source IP address, source port number, destination IP address, destination port number.
FDP_IFF.1.3 The TSF shall enforce no other information flow control SFP rules.
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: none.
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: none.

5.4 Security Assurance Requirements

The assurance requirements are EAL3 + ALC_FLR.2 and are summarized in the following table:

Assurance Class | Identifier | Name
ADV: Development | ADV_ARC.1 | Security architecture description
ADV: Development | ADV_FSP.3 | Functional specification with complete summary
ADV: Development | ADV_TDS.2 | Architectural design
AGD: Guidance documents | AGD_OPE.1 | Operational user guidance
AGD: Guidance documents | AGD_PRE.1 | Preparative procedures
ALC: Life-cycle support | ALC_CMC.3 | Authorisation controls
ALC: Life-cycle support | ALC_CMS.3 | Implementation representation CM coverage
ALC: Life-cycle support | ALC_DEL.1 | Delivery procedures
ALC: Life-cycle support | ALC_DVS.1 | Identification of security measures
ALC: Life-cycle support | ALC_LCD.1 | Developer defined life-cycle model
ALC: Life-cycle support | ALC_FLR.2 | Flaw reporting procedures
ASE: Security Target evaluation | ASE_CCL.1 | Conformance claims
ASE: Security Target evaluation | ASE_ECD.1 | Extended components definition
ASE: Security Target evaluation | ASE_INT.1 | ST introduction
ASE: Security Target evaluation | ASE_OBJ.2 | Security objectives
ASE: Security Target evaluation | ASE_REQ.2 | Derived security requirements
ASE: Security Target evaluation | ASE_SPD.1 | Security problem definition
ASE: Security Target evaluation | ASE_TSS.1 | TOE summary specification
ATE: Tests | ATE_COV.2 | Analysis of coverage
ATE: Tests | ATE_DPT.1 | Testing: basic design
ATE: Tests | ATE_FUN.1 | Functional testing
ATE: Tests | ATE_IND.2 | Independent testing - sample
AVA: Vulnerability assessment | AVA_VAN.2 | Vulnerability analysis

5.5 Security Assurance Requirements Rationale

The Security Assurance Requirements for this Security Target are EAL3 + ALC_FLR.2. The reasons for this choice are:
• EAL 3 is deemed to provide a good balance between assurance and cost and is in line with ZTE customer requirements.
• ALC_FLR.2 provides assurance that ZTE has a clear and functioning process for accepting security flaw reports from users and updating the TOE when required. This is also in line with ZTE customer requirements.

6 TOE Summary Specification

This chapter describes how the TOE implements the security functional requirements defined in chapter 5.

6.1 User identification and authentication

The TOE users are required to identify and authenticate themselves before they can perform any action using the TOE. User authentication is based on the username and password provided by the user and allows a limited number of attempts before the user account is locked. Users can be unlocked by the security administrator, or they can wait to be unlocked automatically after a period of time that is configurable by the security administrator.

The TOE maintains user information in order to enforce authentication and access control. The following information is maintained for each user:
• User name and password;
• Password history;
• User privilege level;
• User rules, including expiration date, the length of the password history, allowed IPs, allowed authentication time, number of authentication attempts and locked period;
• Locked and enabled status indicators.

User concurrent sessions are limited to a maximum of 50 per user in the TOE (3 by default). Sessions are automatically terminated after a period of inactivity that is configurable by the security administrator in the TOE.

The security administrator can also restrict the time when a user can be authenticated in the TOE by:
1. setting the expiration time of the users' passwords;
2. managing the activation status of a user (e.g. automatically deactivating a user after N days of inactivity, or re-activating a user); and
3. revoking the access right while the user is already logged in.

User passwords have to meet certain rules to ensure that they cannot be easily guessed or broken by brute force:
• The range of the password minimum length is 6~128, and the default recommended value is 8, including four character types: number, upper case letter, lower case letter, other characters;
• The password cannot be the same as the username, the username in reverse or a common password dictionary word;
• The new password cannot be the same as one of the last (Rule.passwordHistoryNumber) passwords recorded in User.passwordHistory.
Locally managed passwords that do not meet these rules are rejected by the TOE.
(FIA_UID.2, FIA_UAU.2, FIA_AFL.1, FIA_ATD.1, FTA_MCS.1, FIA_SOS.1 and FTA_SSL.3)

6.2 Authorization & Security Management

The TOE enforces access control on users based on user privileges and user roles. Each user privilege or role has a set of allowed actions (including various management actions). On ZXCTN 9000-8EA, ZXR10 M6000-16SE and ZXR10 M6000-3S, privilege levels range from 0 to 18, with 18 the highest; on ZXR10 5960M-4M-HI, ZXR10 5960X-56QU-HF, ZXR10 9904X and ZXR10 M6000-2S16, privilege levels range from 0 to 15, with 15 the highest. User roles are divided into three types: administrator, common user, and monitor. The administrator has the level-15 permission, the common user has the level-1 permission, and the monitor has the level-0 permission (view only). The common user and the monitor can view the configuration information but cannot modify it.

Access control also verifies that the user's state is correct: the user is enabled and not locked, the user is not idle, and the user's password has not expired. The access control on the TOE also checks the user's allowed time interval.
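The local authentication and authorization behaviour described in sections 6.1 and 6.2 (FIA_SOS.1 password rules, FIA_AFL.1 lockout with automatic unlock, FTA_SSL.3 idle timeout and the FDP_ACF.1.4 deny rules) can be expressed as a small policy module. The following is an added illustration, not ZTE code: the attribute names follow section 5.2.4, while the dictionary word list, the operation-to-privilege-level mapping, the sample users and the timings are constructed assumptions that the ST does not specify.

```python
"""Local authentication and privilege-based authorization, as described in
sections 6.1 and 6.2 (FIA_SOS.1, FIA_AFL.1, FTA_SSL.3, FDP_ACF.1).

Added illustration, not ZTE code. Attribute names follow section 5.2.4; the
dictionary words, the operation-to-level mapping, the users and the timings
are constructed sample data (assumptions, not taken from the ST)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for the TOE's "common password dictionary" (assumption).
COMMON_WORDS = {"password", "qwerty", "letmein", "admin123"}

# Constructed minimum privilege level per operation (assumption: the ST only says
# level 15 is the administrator, level 1 a common user and level 0 a monitor).
REQUIRED_LEVEL = {"show": 0, "OP.logReview": 1, "OP.userManagement": 15,
                  "OP.ruleManagement": 15, "OP.lockUnlockUser": 15, "OP.idleTimeout": 15}


@dataclass
class Rule:                                   # section 5.2.4 "Rule" attributes
    password_history_number: int = 3          # Rule.passwordHistoryNumber
    authentication_attempts: int = 5          # Rule.authenticationAttempts (0..16)
    locked_period: Optional[timedelta] = timedelta(minutes=10)  # None = permanent lock
    password_expiration_date: Optional[datetime] = None


@dataclass
class User:                                   # section 5.2.4 "User" attributes
    username: str
    password: str                             # a real TOE stores a salted hash
    privilege_level: int
    rule: Rule = field(default_factory=Rule)
    password_history: list = field(default_factory=list)
    is_locked: bool = False
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None


def check_password_policy(user: User, new_pw: str, min_length: int = 8) -> list:
    """FIA_SOS.1: return the rules the candidate password violates (empty list = accepted)."""
    problems = []
    classes = (any(c.isdigit() for c in new_pw), any(c.isupper() for c in new_pw),
               any(c.islower() for c in new_pw), any(not c.isalnum() for c in new_pw))
    if len(new_pw) < min_length or not all(classes):
        problems.append("length/character classes")
    lowered = new_pw.lower()
    if lowered in (user.username.lower(), user.username.lower()[::-1]):
        problems.append("equals username or reversed username")
    if lowered in COMMON_WORDS:
        problems.append("dictionary word")
    # Only the last Rule.passwordHistoryNumber entries of User.passwordHistory count.
    if new_pw in user.password_history[-user.rule.password_history_number:]:
        problems.append("reused from password history")
    return problems


def authenticate(user: User, password: str, now: datetime) -> str:
    """FIA_UAU.2 + FIA_AFL.1: returns 'ok', 'bad-password' or 'locked'."""
    # Automatic unlock once Rule.lockedPeriod has elapsed (never for a permanent lock).
    if (user.is_locked and user.rule.locked_period is not None
            and user.locked_at is not None and now - user.locked_at >= user.rule.locked_period):
        admin_unlock(user)
    if user.is_locked:
        return "locked"
    if password == user.password:
        user.failed_attempts = 0
        return "ok"
    user.failed_attempts += 1
    if user.failed_attempts >= user.rule.authentication_attempts:
        user.is_locked, user.locked_at = True, now
        return "locked"
    return "bad-password"


def admin_unlock(user: User) -> None:
    """OP.lockUnlockUser by a security administrator: clear User.isLocked and the counter."""
    user.is_locked, user.failed_attempts, user.locked_at = False, 0, None


def authorize(user: User, op: str, now: datetime, last_activity: datetime,
              idle_timeout: timedelta = timedelta(minutes=5)) -> Optional[str]:
    """FDP_ACF.1.4 explicit-deny rules; returns the denial reason, or None when allowed."""
    if user.is_locked:
        return "account locked"
    expiry = user.rule.password_expiration_date
    if expiry is not None and now >= expiry:
        return "password expired"
    if now - last_activity >= idle_timeout:                 # Setting.idleTimeout (FTA_SSL.3)
        return "session terminated by idle timeout"
    if user.privilege_level < REQUIRED_LEVEL.get(op, 15):   # privilege right missing
        return "privilege level too low"
    return None


def demo() -> dict:
    """Run the policy over constructed sample users; returns the observed outcomes."""
    t0 = datetime(2024, 3, 14, 9, 0, 0)
    alice = User("alice", "Str0ng!Pass", 15, Rule(authentication_attempts=3),
                 password_history=["Old1!pass", "Old2!pass"])
    out = {"weak": check_password_policy(alice, "password"),
           "reuse": check_password_policy(alice, "Old2!pass"),
           "good": check_password_policy(alice, "N3w!Secret"),
           "reversed": check_password_policy(User("chang", "x", 15), "gnahc")}
    # Three failures lock the account; a further attempt inside lockedPeriod is refused.
    out["attempts"] = [authenticate(alice, "wrong", t0 + timedelta(seconds=i)) for i in range(3)]
    out["while_locked"] = authenticate(alice, "Str0ng!Pass", t0 + timedelta(minutes=1))
    out["after_period"] = authenticate(alice, "Str0ng!Pass", t0 + timedelta(minutes=11))
    out["low_priv"] = authorize(User("bob", "x", 1), "OP.userManagement", t0, t0)
    out["idle"] = authorize(alice, "show", t0 + timedelta(minutes=20), t0)
    out["allowed"] = authorize(alice, "OP.userManagement", t0, t0)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The lockout counter is reset only on a successful login or an administrative unlock, so a failed attempt made just before the locked period expires does not extend the lock; the ST leaves that detail open, and a deployment that wants a sliding window would have to add it.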
(FMT_SMR.1, FDP_ACC.2, FDP_ACF.1, FMT_SMF.1, FMT_MSA.1 and FMT_MSA.3)

6.3 Logging & Auditing

The TOE generates audit logs to record the following events:
• User authentication;
• Locking or unlocking a user account;
• Enabling or disabling a user account;
• Adding, removing or modifying a user account;
• Adding, removing or modifying a user's rule;
• Termination of a user session by timeout.
The log records include the date and time of the event, the subject identity (if applicable), and the outcome (success or failure) of the event.

The TOE provides the security administrator of the TOE with the capability to review the logs. The audit store is protected against manipulation: log records cannot be edited and can only be deleted by the administrator of the TOE. The log records overwrite the oldest entries when the log trail in the TOE is full. Nonetheless, the records can be automatically sent to a remote server on the DCN management network.
(FAU_GEN.1, FAU_SAR.1, FAU_STG.1 and FAU_STG.4)

6.4 Trusted Path and Trusted Channel

The TOE provides secure interaction between itself and various machines in the environment, so that management commands cannot be read or modified in transit. Communication between the TOE and the Management Client is protected by SSH.
The supported cryptographic algorithms for each protocol are listed below.

Channel: Management Client
Security technology: SSH
Algorithms:
• Key exchange is performed using diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384 or ecdh-sha2-nistp521.
• The public key algorithms of the SSH transport implementation are ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 and ssh-ed25519.
• Data encryption uses aes256-ctr, aes192-ctr, aes128-ctr, aes128-gcm or aes256-gcm.
• Data integrity protection uses hmac-sha2-256 or hmac-sha2-512.

The TOE can also act as an SSH client to manage other network elements, as shown in Figure 1. However, the TOE acting as an SSH client is explicitly excluded from the evaluation scope. For a user who wants to use the TOE to manage other network elements, the communication between the TOE and the managed network element must be protected by the environment as described in OE.TRUSTED_NETWORK.
(FTP_TRP.1, FTP_ITC.1)

6.5 Information Flow Control

The TOE enforces the following Management Traffic Policy: user authentication can be restricted based on the user's IP address, port number and IP protocol. The administrator can set an allowed IP (or set of IPs) in the ACL rules, so that the user can only be successfully authenticated when connecting from an allowed IP.
(FDP_IFC.1, FDP_IFF.1)

7 Rationales

7.1 Security Objectives Rationale

Assumptions/Threats | Objectives
T.COMMUNICATION_CH: This threat is directly covered by O.SECURE_COMMUNICATION, as it enforces the use of secure communication channels on all communications between the TOE and the Management Clients.
T.UNAUTHENTICATED_USER: This threat is directly covered by O.USER_AUTHENTICATION, as it enforces user authentication in the TOE.
T.UNAUTHORIZED_ADMIN: This threat is directly covered by O.USER_AUTHENTICATION and O.ACCESS_CONTROL, as these enforce user authentication and authorization based on the user's privilege.
T.UNDETECTED_ACTIVITY: This threat is directly covered by O.USER_AUTHENTICATION and O.AUDITING, as these enforce user authentication and logging of user actions on the TOE.
T.UNKNOWN_SOURCE: This threat is covered by O.INFORMATION_FLOW_CONTROL and OE.TRUSTED_NETWORK, as only authorised users in the secure DCN network can manage the information flow control rules, and the TOE enforces correct handling of management traffic according to the ACL rules.
A.TIME: This assumption is upheld by OE.TIME, which directly covers the assumption.
A.TRUSTED_NETWORK: This assumption is upheld by OE.TRUSTED_NETWORK, which directly covers the assumption.
A.PHYSICAL_PROTECTION: This assumption is upheld by OE.PHYSICAL_PROTECTION, which directly covers the assumption.
A.ADMINISTRATORS: This assumption is upheld by OE.ADMINISTRATORS, which directly covers the assumption.
A.MANAGEMENT_DEVICE: This assumption is upheld by OE.MANAGEMENT_DEVICE, which directly covers the assumption.

7.2 Security Functional Requirements Rationale

Security objectives | SFRs addressing the security objectives
O.SECURE_COMMUNICATION: This objective is met by:
• FTP_TRP.1 for the secure communication between the TOE and the client;
• FTP_ITC.1 for the secure communication between the TOE and other trusted IT products.
O.USER_AUTHENTICATION: This objective is met by:
• User identification and authentication before any action (FIA_UID.2, FIA_UAU.2);
• Limited user authentication attempts (FIA_AFL.1);
• Complex user passwords (FIA_SOS.1);
• Limitation of user sessions (FTA_SSL.3, FTA_MCS.1);
• Supporting user configuration (FMT_SMF.1).
O.ACCESS_CONTROL: This objective is met by:
• User roles (privilege) and attributes implementation (FIA_ATD.1, FMT_SMR.1);
• Enforcing access control based on user privilege and attributes (FDP_ACC.2, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3);
• Supporting access control configuration (FMT_SMF.1).
O.AUDITING: This objective is met by:
• Audit data generation (FAU_GEN.1);
• Audit data protection (FAU_STG.1, FAU_STG.4);
• Supporting audit data review (FAU_SAR.1, FMT_SMF.1).
O.INFORMATION_FLOW_CONTROL: This objective is met by:
• Information flow control (FDP_IFC.1, FDP_IFF.1).

7.3 Dependencies

SFR | Dependency | Coverage
FIA_UID.2 | None. | None.
FIA_UAU.2 | FIA_UID.1 | FIA_UID.2
FIA_AFL.1 | FIA_UAU.1 | FIA_UAU.2
FIA_SOS.1 | None. | None.
FTA_SSL.3 | None. | None.
FTA_MCS.1 | FIA_UID.1 | FIA_UID.2
FAU_GEN.1 | FPT_STM.1 | N/A. See below
FAU_SAR.1 | FAU_GEN.1 | FAU_GEN.1
FAU_STG.1 | FAU_GEN.1 | FAU_GEN.1
FAU_STG.4 | FAU_STG.1 | FAU_STG.1
FTP_TRP.1 | None. | None.
FTP_ITC.1 | None. | None.
FIA_ATD.1 | None. | None.
FMT_SMF.1 | None. | None.
FMT_SMR.1 | FIA_UID.1 | FIA_UID.2
FDP_ACC.2 | FDP_ACF.1 | FDP_ACF.1
FDP_ACF.1 | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.2, FMT_MSA.3
FMT_MSA.1 | FDP_ACC.1, FMT_SMR.1, FMT_SMF.1 | FDP_ACC.2, FMT_SMR.1, FMT_SMF.1
FMT_MSA.3 | FMT_MSA.1, FMT_SMR.1 | FMT_MSA.1, FMT_SMR.1
FDP_IFC.1 | FDP_IFF.1 | FDP_IFF.1
FDP_IFF.1 | FDP_IFC.1, FMT_MSA.3 | FDP_IFC.1, FMT_MSA.3

FPT_STM.1 cannot be implemented by the TOE because it does not have the capability to generate reliable time stamps; therefore the time information is provided by an NTP server in the TOE network (OE.TIME).

A The different TOEs

The different TOEs can be distinguished by capacity (number of ports/cards) and by the protocols they support.
The management interfaces supported by the TOEs are listed in Table 2.

Table 2: Supported Protocols

TOE Series                                 TSFI
                                           NETCONF   SSH       SFTP      TACACS+
ZXCTN 9000-E Series Switches               Support   Support   Support   Support
ZXR10 5960M Series Switches                Support   Support   Support   Support
ZXR10 5960X Series Switches                Support   Support   Support   Support
ZXR10 9900X Series Switches                Support   Support   Support   Support
ZXR10 M6000-2S Series Switches             Support   Support   Support   Support
ZXR10 M6000-S V5.00.10 Series Switches     Support   Support   Support   Support
ZXR10 M6000-SE Series Switches             Support   Support   Support   Support

The physical interfaces supported by the IPN TOEs are listed in Table 3.

Table 3: Supported interfaces

B List of Acronyms

ACL      Access Control Level
CC       Common Criteria
CM       Customer Management
DCN      Data Communications Network
DST      Daylight Saving Time
EMS      Equipment Management System
ICT      Information and Communications Technology
IP       Internet Protocol
MAC      Media Access Control
NMS      Network Management System
NNI      Network-to-network Interface
NTP      Network Time Protocol
PC       Personal Computer
PP       Protection Profile
SFR      Security Functional Requirement
SFTP     Secure File Transfer Protocol
SNMP     Simple Network Management Protocol
SSH      Secure Shell
ST       Security Target
TACACS+  Terminal Access Controller Access-Control System Plus
TLS      Transport Layer Security
TOE      Target of Evaluation
TSF      TOE Security Functions
UME      Unified Management Expert
UNI      User Network Interface
VLAN     Virtual Local Area Network