Ciena 5400 Series Packet Optical Platform
Supplemental Administrative Guidance Version 1.0
December 18, 2015
Ciena Corporation
7035 Ridge Road
Hanover, MD 21076
Prepared By:
Cyber Assurance Testing Laboratory
900 Elkridge Landing Road, Suite 100
Linthicum, MD 21090
Booz Allen Hamilton – CATL / Ciena Proprietary
Contents
1 Introduction
2 Intended Audience
3 Terminology
4 References
5 Evaluated Configuration of the TOE
5.1 TOE Components
5.2 Supporting Environmental Components
5.3 Assumptions
5.4 Communication Protocols and Services
6 Secure Installation and Configuration
6.1 Enable CC Mode
6.2 Enable Enhanced Security Profile from Commissioning CLI (CCLI)
6.3 Configure the TOE Minimum Password Length to 15 Characters
6.4 Configure the Syslog Server (MCLI)
6.5 Configure the Time
6.6 Performing a Secure Software Upgrade (MCLI)
6.7 Configure the TOE for SSH Public/Private Key Authentication
6.8 Configure Login Banner with the MCLI
6.9 Lock All Insecure Ports
7 Secure Management of the TOE
7.1 Administrative Roles
7.2 Authenticating to the TOE
7.3 User Lockout
7.4 Managing Users
7.5 Password Management
7.6 Login Banner
7.7 Admin Logout
7.8 Self-Tests
8 Auditing
8.1 Audit Storage
9 SFR Assurance Activities
10 Operational Modes
11 Additional Support
Table of Tables
Table 5-1: TOE Models
Table 5-2: Supporting Environmental Components
Table 7-1: NDPP Auditable Events
1 Introduction
The Ciena 5400 Series Packet Optical Platform (hereafter referred to as the 5400 Series or the TOE) is a
family of hardware devices that provides OSI Layer 2 network traffic management services. It is a packet-
optical switching platform that enables users to direct traffic to designated ports, giving them control of
network availability for specific services. The system features an agnostic switch fabric that is capable of
switching SONET/SDH, OTN, and Ethernet/MPLS networks. The 5400 Series contains two models: the
Ciena 5430 and Ciena 5410. Each of these devices runs Linux kernel version 3.4.36, and the two provide
identical security functionality. The Target of Evaluation (TOE) is the general network
device functionality (I&A, auditing, security management, trusted communications, etc.) of the switch,
consistent with the claimed Protection Profile.
2 Intended Audience
This document is intended for administrators responsible for installing, configuring, and/or operating
5400 Series devices. Guidance provided in this document allows the reader to deploy the product in an
environment that is consistent with the configuration that was evaluated as part of the product’s Common
Criteria (CC) testing process. It also provides the reader with instructions on how to exercise the security
functions that were claimed as part of the CC evaluation.
The reader is expected to be familiar with the Security Target for Ciena 5400 Series Packet Optical
Platform version 1.0 and the general CC terminology that is referenced in it. This document references the
Security Functional Requirements (SFRs) that are defined in the Security Target document and provides
instructions for how to perform the security functions that are defined by these SFRs. The Ciena 5400
Series Packet Optical Platform product as a whole provides a great deal of security functionality but only
those functions that were in the scope of the claimed PP are discussed here. Any functionality that is not
described here or in the Ciena 5400 Series Packet Optical Platform Security Target was not evaluated and
should be exercised at the user’s risk.
3 Terminology
In reviewing this document, the reader should be aware of the terms listed below. These terms are also
described in the Ciena 5400 Series Packet Optical Platform Security Target.
CC: stands for Common Criteria. Common Criteria provides assurance that the process of specification,
implementation and evaluation of a computer security product has been conducted in a rigorous,
standard, and repeatable manner at a level that is commensurate with the target environment for use.
SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part
of the CC process.
TOE: stands for Target of Evaluation. This refers to the aspects of the Ciena 5400 Series products that
contain the security functions that were tested as part of the CC evaluation process.
4 References
The following security-relevant documents are included with the TOE. These are part of the standard
documentation set that is provided with the product. Documentation that is not related to the functionality
tested as part of the CC evaluation is not listed here.
[1] Turn-up and Test – 009-3251-002
[2] Alarm and Trouble Clearing Procedures Manual - 009-3251-003
[3] Service Manual - 009-3251-004
[4] Node Manager User Guide - 009-3251-005
[5] System Description - 009-3251-006
[6] 5430 Switch Hardware Installation – 009-3251-001
[7] 5410 Switch Hardware Installation – 009-3251-019
[8] TL1 Interface Manual – 009-2009-086
The following document was created in support of the Ciena Carrier Ethernet Solutions 3900/5100 Series
CC evaluation:
[9] Ciena 5400 Series Packet Optical Platform Security Target
5 Evaluated Configuration of the TOE
This section lists the components that have been included in the TOE’s evaluated configuration, whether
they are part of the TOE itself, environmental components that support the security behavior of the TOE,
or non-interfering environmental components that were present during testing but are not associated with
any security claims.
5.1 TOE Components
The TOE is a family of standalone network appliances. Each model of the TOE can run independently
and all models have the Linux operating system, kernel version 3.4.36. There is no functional difference
in the behavior of each model based on the processor type. The TOE includes a Freescale MPC8572
processor which is used to provide entropy to the software deterministic random bit generation function.
Model
Ciena 5410 Packet Optical Platform
Ciena 5430 Packet Optical Platform
Table 5-1: TOE Models
5.2 Supporting Environmental Components
Component: Definition
Management Workstation: Any general-purpose computer that is used by an administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client, or locally, in which case the management workstation must be physically connected to the TOE using the serial port and must use a terminal emulator that is compatible with serial communications.
NTP Server: A system that provides an authoritative and reliable source of time using network time protocol (NTP).
Syslog Server: A general-purpose computer that is running a syslog server, which is used to store audit data generated by the TOE.
Update Server: An FTP server where software updates for the TOE can be made available.
Table 5-2: Supporting Environmental Components
Note that switched traffic is not addressed by the security requirements of the claimed Protection Profile,
so data plane interfaces were used only to perform in-band management of the TOE.
5.3 Assumptions
In order to ensure the product is capable of meeting its security requirements when deployed in its
evaluated configuration, the following conditions must be satisfied by the organization, as defined in the
claimed Protection Profile:
No general purpose computing capabilities: The Ciena 5400 Series product must only be used
for its intended purpose. General purpose computing applications, especially those with network-
visible interfaces, may compromise the security of the product if introduced.
Physical security: The Ciena 5400 Series product does not claim any sort of physical tamper-
evident or tamper-resistant security mechanisms. Therefore, it is necessary to deploy the product
in a locked or otherwise physically secured environment so that it is not subject to untrusted
physical modification.
Trusted administration: The Ciena 5400 Series product does not provide a mechanism to
protect against the threat of a rogue or otherwise malicious administrator. Therefore, it is the
responsibility of the organization to perform appropriate vetting and training for security
administrators prior to granting them the ability to manage the product.
5.4 Communication Protocols and Services
In the evaluated configuration, the SSH protocol was tested for remote administration. The TLS and SSH
protocols were tested for secure transfer of audit data. SSH was tested for transferring audit data to an
external SFTP server as well as pulling updates from the SFTP server. The TLS protocol was tested for the
secure transfer of audit data to the external syslog server. The Telnet protocol is excluded from the
evaluated configuration because it does not provide security for data in transit. The product supports
numerous communications protocols that were not considered to be part of the Target of Evaluation
because they provide functionality that was outside the scope of the Security Target. These protocols are
facilitated by processes on the 5400 Packet-Optical Switch device that support their implementation and
include the following:
ARP
BFD
CFM
CORBA
DHCP
DHCPv6
FTP
802.1X
GMPLS
HTTP
HTTPS
ISIS
LDP
LLDP
MPLS
MSTP
NDP
NETCONF
NTP
OSPF
PBB-TE
PBT
RADIUS
RSTP
RSVP-TE
SNMP
TELNET_TLS
ORP
OSP
OSRP
6 Secure Installation and Configuration
Physical installation can be accomplished by following the steps outlined in the hardware specific
installation instructions, see 5430 Switch Hardware Installation [6] and 5410 Switch Hardware
Installation [7]. First-time setup of the TOE can be accomplished by following the steps outlined in Turn-
up and Test [1]. This document also describes how to verify the correct version of software running
during the initial startup and the steps the installer should take if the version is not the expected version.
Regardless of the specific device being installed, the menu-driven command-line interface (MCLI) and
Transaction Language 1 (TL1) interface are used to securely manage the devices via a local console or
SSH. These steps can be performed using the initial default user account. Once the TOE is fully set up,
follow the steps in Section 7.5 to change the password of the default user account.
NOTE: In the evaluated configuration, the CORBA interface will be disabled following initial setup so
that all remote administrative communications use SSH.
6.1 Enable CC Mode
The cryptographic algorithms used in SSH and TLS are restricted by placing the TOE into “CC mode”.
The algorithms are set to only those identified in Section 8.2.8 of the ST which meet the PP requirements.
All other algorithms are disabled.
CC mode is enabled using the following commands:
1. Authenticate to the TOE as superuser via the MCLI.
2. Choose Option 7 – Modify system configuration.
3. Choose Option 20 – Set Common Criteria Mode.
4. Enable Set Common Criteria Mode.
6.2 Enable Enhanced Security Profile from Commissioning CLI (CCLI)
1. Authenticate to the TOE as superuser via the MCLI using the local console (serial).
2. Choose Option 6 – Perform system operations.
3. Choose Option 5 – Control Plane Reset the Secondary CTM.
4. Choose Option 4 – Control Plane Reset the Primary CTM.
5. During the boot, interrupt the startup from the Primary CTM by pressing “ENTER” at the
countdown menu.
6. Login as superuser.
7. At the CTM Config Menu, choose Option 19 – Enhanced Security Profile.
8. Enable “Enhanced Security Profile”.
9. Choose Option 29 to commit settings.
10. After the TOE has finished rebooting, authenticate to the TOE as superuser via the MCLI.
6.3 Configure the TOE Minimum Password Length to 15 Characters
The minimum password length can be specified by performing the following steps:
1. Enable the CORBA interface.
2. Launch Ciena Node Manager and populate the following fields:
Node Url: <NODE_NAME>:<TOE_IP_ADDRESS>
User Name: administrator
Password: admin1!
3. Click “NE Defaults” tab > “Account Defaults” tab.
4. In the Password Character Minimum Length field enter “15”.
5. Click on “Accept” and then exit the Ciena Node Manager.
6.4 Configure the Syslog Server (MCLI)
Configure the syslog server using the following instructions:
1. Authenticate to the TOE.
2. Choose Option 7 – Modify system configuration
3. Choose Option 18 – Security Log Settings Menu
4. Choose Option 2 – Enable/Disable External Security Log Support (enable)
5. Choose Option 3 – Set Security Log Remote Destination IP (Input syslog IP address and port at
prompt)
6. Choose Option 4 – Set Security Log Connection Mode (tls)
7. Choose Option 6 – Commit pending Security Log configuration
NOTE: If the connection from the TOE to the external syslog is disconnected, reconnection will take
place automatically without any additional administrative action.
6.5 Configure the Time
Configure the NTP server using the following instructions:
1. Authenticate to the TOE through the MCLI.
2. Using the following commands configure the TOE to sync with the NTP server.
   a) Option 7 – Modify System Configuration
   b) Option 16 – NTP Settings Menu
      a. Option 2 – Enable
      b. Option 3 – Client mode
      c. Option 4 – Enable/Disable Authentication Support
      d. Option 7 – NTP Server Settings Menu
         i. Option 4 – Set IP address for NTP = <NTP_SERVER_IP_ADDRESS>
         ii. Option 5 – Set Server Authentication Key ID = 0
         iii. Option 6 – Enable/Disable iburst mode = enable (default)
         iv. Option 7 – Set Minimum Polling Interval = 64 (default)
         v. Option 8 – Set Maximum Polling Interval = 1024 (default)
         vi. Option 10 – Commit NTP Server
To set the time manually via the TL1 interface the administrator must enter the command:
ED-DAT:::abc::DATE=<DATE>,TIME=<TIME>;
To verify that the time has been set, the administrator must enter the command:
rtrv-TOD:::abc;
6.6 Performing a Secure Software Upgrade (MCLI)
Updates are both digitally signed and hashed, but the hash information is used only for internal
verification and not made public. The digital signature is a 2048-bit RSA signature that is provided by
Entrust. Prior to performing a secure software upgrade, the device will download the software release as
well as the hash for the release. It will then compare the downloaded hash with the hash of the software
release. If the hashes do not match, the upgrade process will stop and the downloaded software release
will be flushed from the device’s temporary memory. In addition, the digital signature of the software
upgrade is verified once the update is downloaded. If the digital signature verification fails, the upgrade
process will stop and the downloaded software release will be flushed from the device’s temporary
memory. In the event of a failure of the upgrade mechanism, please see Section 11 for contacting Ciena
Customer Support. Otherwise, perform a secure software upgrade using the following instructions:
1. Authenticate to the TOE via the MCLI.
2. Option 3 – Upgrade or revert software release.
3. Option 3 – Download a new release.
4. Option 1 – List available software releases and scroll up to view RELEASE that is “good in-use”
for the current version.
5. Option 3 – Enter URL for software release file transfer – guided entry.
a) Enter the protocol (SFTP)
b) Enter the IP address (<TOE_IP_ADDRESS>)
c) (Optional) Enter port number
d) (Optional) Enter path of the file
6. Option 4 – Enter user name for file server access.
7. Option 5 – Enter password for file server access.
8. Option 7 – Transfer software release from the file server.
9. After the transfer is finished, choose Option 8 – Return to previous menu.
10. Option 5 – Upgrade to new software release.
11. Specify the name of the release to upgrade to from the list of available updates.
12. After the update has finished installing and a login prompt is returned, authenticate to the TOE.
13. Query the TOE for its current version and verify that the version number has increased.
To display the Software Release Signing Certificate information to verify correctness: Choose Option 7
prior to implementing step 10.
NOTE: If the SFTP server becomes disconnected from the TOE at any point in the download process, the
administrator must restart the download.
6.7 Configure the TOE for SSH Public/Private Key Authentication
Configure the TOE to accept user authentication using Public/Private Key:
1. Generate keypair on the Bitvise client and upload the key to the SFTP Server
2. Upload key generated from Bitvise:
a) Authenticate to the MCLI as Superuser.
b) Option 7 Modify system configuration
c) Option 17 SSH Key Management Menu
d) Option 4 Download New Host Key Pair to Node
e) Option 2 Enter URL for SSH host key file transfer - Guided entry <URL of SFTP Server and
file path to keys>
f) Option 3 Enter user name for file server access <username from SFTP Server>
g) Option 4 Enter password for file server access <password for user of SFTP Server>
h) Option 6 Transfer SSH host key from the file server
6.8 Configure Login Banner with the MCLI
The login banner is created by following these instructions:
1. Enable the CORBA interface.
2. Login to the Ciena Node Manager
3. Click “NE Defaults” tab > “Account Defaults” tab.
4. In the “Pre Authentication Login Banner” field enter the desired banner text
The banner text can be edited by following the same instructions as above.
Instructions for configuring the login banner on the TL1 interface can be found in Section 7.6.
6.9 Lock All Insecure Ports
All insecure ports can be locked by performing the following steps:
1. Authenticate to the TOE as superuser via the MCLI.
2. Choose Option 6 – Perform system operations.
3. Choose Option 15 – Service and Port Lock Config Menu.
4. Choose Option 1 – Display Lock Configuration.
5. Choose Option 2 – Lock a Service or Port.
6. Follow the prompts to lock the following interfaces:
FTP
HTTP
TELNET
TELNET_TLS
SNMP
CORBA
7 Secure Management of the TOE
The following sections provide information on managing TOE functionality that is relevant to the claimed
Protection Profile. Note that this information is largely derived from [5] and [8], minus the specific
actions that are required as part of the ‘evaluated configuration’. The administrator is encouraged to
reference these documents in full in order to have in-depth awareness of the security functionality of the
5400 Series product family, including functions that may be beyond the scope of this evaluation.
7.1 Administrative Roles
The product provides five administrative roles on its TL1 interface: Account Administrator (AA),
Termination Point Provisioner (TP), Connection Provisioner (CP), Troubleshooter (TS), and Operator
(O). Each administrative role is given a fixed set of privileges. Of these five roles, only the AA role has
the ability to manage functions that are relevant to the TOE as defined by the NDPP. As such, the
manipulation of user data requires AA role privileges. For the MCLI interface there exists a separate
superuser role that is used for managing the TOE via the CLI. Both the superuser and AA roles are
analogous to the role of Security Administrator as defined by the NDPP.
7.2 Authenticating to the TOE
Local users log in to the Maintenance Command Line Interface (MCLI) using username and password
defined locally to the TOE, while remote users can log in via the MCLI using username and password or
certificates. User authentication information that is sent remotely via the MCLI is protected using SSHv2.
The TOE requires the use of locally-defined authentication credentials. Users are not allowed to perform
any functions on the TOE without first being successfully identified and authenticated by the TOE’s
authentication method. At initial login, the TOE will display a login banner and prompt the administrative
user to provide a username. After the user provides the username, the user is prompted to provide the
administrative password associated with the user account. The TOE then either grants administrative
access (if the combination of username and password is correct) or indicates that the login was
unsuccessful. The MCLI requires a separate superuser account that cannot be the same as an account that
is used to access the TL1 interface.
When authenticating via the MCLI using port 22 over SSH, the user is prompted for a SSH username
followed by a SSH password. This behaves like a regular SSH username/password authentication process.
Alternatively, if configured to do so, the user can use public-key authentication to log in to the MCLI
remotely using SSH.
When authenticating via the TL1 using port 10220 over SSH, the user is prompted for a SSH username.
At this prompt, the user can enter any string for the username and then the user is presented with a TL1
prompt; there is no “SSH password.” At this point, the TL1 prompt is waiting for commands.
Any commands that require TL1 authentication will not work until a user is authenticated via TL1. A TL1
username and password need to be entered using the TL1 command syntax:
act-user::<username>:abc::<password>;
At this point, if the TL1 username/password is accepted, then the user is permitted to perform authorized
TL1 commands. If the trusted path for remote administration becomes disconnected, the
administrator/superuser will be required to perform the authentication process again in order to reconnect
to the TOE.
7.3 User Lockout
By default, the TOE locks out a user whose interactive session has been idle for the duration specified
during account creation. This is enabled and set to the desired length of time by using the following
command via the TL1 interface:
ed-user-secu::<username>:abc:::TMOUT=<number of minutes>;
Note: These commands can only be configured via the TL1 interface but the settings can be applied to
users that access the TOE via the local serial console, TL1 and MCLI interfaces.
7.4 Managing Users
Users can be created with the following commands via the TL1 interface:
ent-user-secu::<username>:abc::<password>,TL1,AA:TMOUT=<number of minutes>;
The TL1 interface will collect the password in an interactive prompt after this command is entered. This
prevents password data from being displayed in the command log.
7.5 Password Management
Passwords must be 6 to 16 characters long and must include the following:
Two alphabetical characters
One numerical character
One special character
In addition, only the following special characters are acceptable:
! % ^ , + - [ ] ` ~ { } | _
In order to change the password for a user account following the account’s creation, use the following
command in the TL1 interface:
ed-pid::<username>:abc::<old_password>:<new_password>;
See Section 6.3 for instructions on configuring the minimum acceptable password length.
Note: This command can be used to change the MCLI’s superuser password. This should be completed
after initial configuration is complete.
7.6 Login Banner
On the TL1 interface, the login banner can be configured using the following command:
ED-ECFG::CUSTOMERSETTINGS:MYSTAG::PREBANNER=<Message>;
7.7 Admin Logout
An administrator can manually log out at any time by entering the following command via the TL1
interface:
canc-user::<username>:abc;
On the MCLI interface, enter the “10” command to terminate the current session.
7.8 Self-Tests
At initial start-up, the OpenSSL cryptographic module performs a series of known answer tests to verify
the correct functionality of the cryptographic functions, and uses fingerprint and SHA file checksums to
validate its own integrity. In addition, the software image itself is
validated against a known hash to ensure its integrity. In the event of failure of the self-tests or
operational error, the device will reboot itself and initiate a new run of self-tests.
8 Auditing
In order to be compliant with Common Criteria, the TOE must audit the events in the table below. The
audit records that the TOE creates include the date and time, outcome of the event, event type, subject
identity and the source of the event.
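The records listed in the table that follows can be checked mechanically once they reach the syslog server. The Python code here is an added example, not part of the Ciena guidance or product: it parses records in the layout inferred from this guide's samples, ties remote login failures to the preceding pam_sm_authenticate record on the same node, and collects SSH negotiation failures. The field layout, the 30-second correlation window and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Records copied from this guide's Sample Log column, with the table's line
# wrapping undone so each record sits on one line. The last line is a
# constructed wrap fragment, included to exercise the unparsed path.
SAMPLE_LOG = """\
2015-11-13T16:36:48.000+00:00 <authpriv.debug> 1-A-CM1 (107) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:administrator interface:SSH rHost:10.41.71.210
2015-11-13T19:21:55.000+00:00 <auth.crit> 1-A-CM1 (3) sshd fatal: Unable to negotiate with 10.41.71.210: no matching cipher found. Their offer: 3des-cbc [preauth]
2015-11-13T20:11:16.000+00:00 <authpriv.debug> 1-A-CM1 (257) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:baduser interface:SSH rHost:10.41.71.210
2015-11-13T20:11:19.000+00:00 <local0.info> 1-A-CM1 (266) Ciena UserAccountManager::IsPriviledgeExists- Account:baduser does not exist @ src/software/centaur/apps/core/txn/Management/Managers/UserAccountManager.cpp:783
2015-11-13T20:11:19.000+00:00 <local0.info> 1-A-CM1 (267) Ciena Wrong password @ src/software/centaur/apps/core/txn/Management/Managers/ManagementServices.cpp:1148
2015-11-13T20:11:47.000+00:00 <authpriv.debug> 1-A-CM1 (311) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:baduser2 interface:SSH rHost:10.41.71.210
2015-11-13T20:11:49.000+00:00 <authpriv.info> 1-A-CM1 (328) sshd libpam_user_access_process(login:auth): HandleLogonResponse: User failed authentication
2016-01-07T12:04:05.000+00:00 <local1.info> (none) (initramfs 773) boot_exec In initialization of CTM HAL.
rAccountManager.cpp:783
"""

# Assumed layout, inferred from the samples:
#   <timestamp> <facility.severity> <node> (<sequence>) <process> <message>
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) <(?P<facility>\w+)\.(?P<severity>\w+)> (?P<node>\S+) "
    r"\((?P<seq>[^)]*)\) (?P<proc>\S+) (?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"pam_sm_authenticate user:(\S+) interface:(\S+) rHost:(\S+)")
NEGOTIATE_RE = re.compile(r"Unable to negotiate with (\S+): (.+?)\. Their offer: (\S+)")
FAILURE_MARKERS = ("User failed authentication", "Wrong password")
# Assumption: a failure record belongs to an attempt seen on the same node at
# most this long before it. The failure records carry no rHost of their own.
CORRELATION_WINDOW = timedelta(seconds=30)


def parse_record(line):
    """Split one record into fields; return None if it does not fit the layout."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    return rec


def analyze(text):
    """Return failed remote logins per (source, user), SSH negotiation
    failures, and the number of lines that could not be parsed."""
    failed, negotiation, unparsed = Counter(), [], 0
    pending = {}  # node -> (timestamp, rhost, user) of the latest attempt
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unparsed += 1
            continue
        msg = rec["msg"]
        m = ATTEMPT_RE.search(msg)
        if m:
            user, _iface, rhost = m.groups()
            pending[rec["node"]] = (rec["ts"], rhost, user)
            continue
        m = NEGOTIATE_RE.search(msg)
        if m:
            rhost, reason, offer = m.groups()
            negotiation.append((rec["ts"], rhost, reason, offer))
            continue
        if any(marker in msg for marker in FAILURE_MARKERS):
            # pop() so that several failure records for one login count once
            attempt = pending.pop(rec["node"], None)
            if attempt and rec["ts"] - attempt[0] <= CORRELATION_WINDOW:
                failed[(attempt[1], attempt[2])] += 1
    return {"failed_logins": failed,
            "negotiation_failures": negotiation,
            "unparsed": unparsed}


def sources_at_or_over(failed_logins, threshold):
    """Source addresses whose failed-login total reaches the threshold."""
    per_source = Counter()
    for (rhost, _user), count in failed_logins.items():
        per_source[rhost] += count
    return sorted(h for h, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(dict(report["failed_logins"]))
    print(report["negotiation_failures"])
    print("unparsed lines:", report["unparsed"])
```

A negotiation failure that names an offer such as 3des-cbc points to a client that has not been restricted to the algorithms allowed in CC mode.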
Component Event Additional
Information Sample Log
FAU_GEN.1
Startup and
shutdown of audit
functions.
No additional
information
Shutdown of the TOE:
2016-01-07T12:03:04.000+00:00 <local3.notice> 1-A-CTM
(9476) exec EXEC: Shutdown : ss 6
Startup of the TOE:
2016-01-07T12:04:05.000+00:00 <local1.info> (none)
(initramfs 773) boot_exec In initialization of CTM HAL.
FCS_SSH_EX
T.1
Failure to establish
an SSH session
Establishment/Ter
mination of an
SSH session
Reason for failure
Reason for failure
Non-TOE endpoint
of connection (IP
address) for both
successes and
failures.
Termination of SSH Session
2015-11-10T15:32:46.000+00:00 <auth.info> 1-A-CM1 (2)
sshd Disconnected from 10.41.71.100
Establishment of SSH Session
2015-11-10T15:32:51.000+00:00 <authpriv.info> 1-A-CM1
(10) sshd libpam_user_access_process(login:session): TL1
over SSH session detected. Return success.
Failure of SSH Session
2015-11-13T19:21:55.000+00:00 <auth.crit> 1-A-CM1 (3)
sshd fatal: Unable to negotiate with 10.41.71.210: no matching
cipher found. Their offer: 3des-cbc [preauth]
FIA_UIA_EX
T.1
All use of the
identification and
authentication
mechanism.
Provided user
identity, origin of
the attempt (e.g.,
IP address).
Successful authentication via Console:
2015-11-13T20:38:22.000+00:00 <authpriv.debug> 1-A-CM1 (585) login libpam_user_access_process(logintty:auth): pam_sm_authenticate...success - user:superuser
2015-11-13T20:38:22.000+00:00 <local0.info> 1-A-CM1 (597) Ciena CreateTheUserSession- userName:superuser sessionId:1014510046 clientInterface:SERIAL @
Failed authentication via Console:
2015-11-09T23:19:06.000+00:00 <auth.info> 1-A-CM1 (438) usracc Authentication failed user:superuser authMethodUsed:Local configAuthMethod:Local @ src/software/centaur/apps/user_acc/UAP_LoginTask.cpp:106
Successful authentication via TL1:
2015-11-13T16:36:48.000+00:00 <authpriv.debug> 1-A-CM1 (107) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:administrator interface:SSH rHost:10.41.71.210
Failed authentication via TL1:
2015-11-13T20:11:16.000+00:00 <authpriv.debug> 1-A-CM1 (257) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:baduser interface:SSH rHost:10.41.71.210
2015-11-13T20:11:19.000+00:00 <local0.info> 1-A-CM1 (266) Ciena UserAccountManager::IsPriviledgeExists- Account:baduser does not exist @ src/software/centaur/apps/core/txn/Management/Managers/UserAccountManager.cpp:783
2015-11-13T20:11:19.000+00:00 <local0.info> 1-A-CM1 (267) Ciena Wrong password @ src/software/centaur/apps/core/txn/Management/Managers/ManagementServices.cpp:1148
Successful authentication via MCLI:
2015-11-13T20:11:26.000+00:00 <auth.info> 1-A-CM1 (284) sshd Connection from 10.41.71.210 port 58048 on 10.41.73.31 port 22
2015-11-13T20:11:34.000+00:00 <authpriv.debug> 1-A-CM1 (285) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:superuser interface:SSH rHost:10.41.71.210
Failed authentication via MCLI:
2015-11-13T20:11:43.000+00:00 <auth.info> 1-A-CM1 (310) sshd Connection from 10.41.71.210 port 58051 on 10.41.73.31 port 22
2015-11-13T20:11:47.000+00:00 <authpriv.debug> 1-A-CM1 (311) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:baduser2 interface:SSH rHost:10.41.71.210
2015-11-13T20:11:49.000+00:00 <authpriv.info> 1-A-CM1 (328) sshd libpam_user_access_process(login:auth): HandleLogonResponse: User failed authentication
FIA_UAU_EXT.2
All use of the authentication mechanism.
Origin of the attempt (e.g., IP address).
See FIA_UIA_EXT.1 records
FPT_STM.1
Changes to the time.
The old and new values for the time. Origin of the attempt (e.g., IP address).
Manually changing time via TL1:
/*EventType=AuditTrail,Category=Security,OpResult=OK,MoName=/NE=txn543/T=EQUIPMENT/N=txn543,NETimeMilliSec=0,LogId=2000115,ClientHostName=10.40.32.135,ClientInterface=TL1,NETime=01/07/2016 13:56:00,OpName=Configure,ProbableCause=ResponseFromService,UserAccount=/NE=txn543/T=ACCOUNT/N=administrator,oldSecond=30,oldMinute=54,oldMonth=1,oldHour=13,oldDay=7,oldYear=2016,Hour=13,Second=0,Month=1,Year=2016,Day=7,Minute=56*/
Change of time using NTP Server:
2016-01-07T12:03:26.000+00:00 <local1.info> 1-CTM1 (15576) secexec NTP Server add:10.41.88.5, keyid=0, iburst
2016-01-07T12:03:26.000+00:00 <local1.notice> 1-CTM1 (15577) MCLI 1266: Commit NTP Server: NTP server committed successfully - '10.41.88.5', '0', 'enable', '64', '1024'
2016-01-07T19:32:11.000+00:00 <user.debug> 1-CTM1 (1) Ciena cad_client_fetch_status: Client started with slot = 0
FPT_TUD_EXT.1
Initiation of update.
No additional information
2016-01-07T17:32:46.000+00:00 <local3.info> 1-CTM2 (68) exec INSTALLEVENT: 3 rel_cn5410_4.0.2.1_cl688569 Release rel_cn5410_4.0.2.1_cl688569 synced to all slots.
FTA_SSL_EXT.1
Any attempts at unlocking of an interactive session.
No additional information.
Termination of a local session by the locking mechanism:
2015-11-19T14:48:10.806-05:00 10.41.73.34 220 <86>1 2015-11-20T18:59:00.081+00:00 1-A-CM1 usracc 4053 - [meta sequenceId="84"] SecurityLog - Category=Security, OpName=CloseSession, SessionID=297273786, UserAccount=superuser, Interface=SERIAL, LogonHost=HOST_UNKNOWN
FTA_SSL.3
The termination of a remote session by the session locking mechanism.
No additional information.
2015-11-19T13:35:14.079-05:00 10.41.73.31 217 <86>1 2015-11-19T18:33:40.342+00:00 1-C-CM2 usracc 4161 - [meta sequenceId="75"] SecurityLog - Category=Security, OpName=CloseSession, SessionID=854797633, UserAccount=superuser, Interface=SSH, LogonHost=10.41.71.210
FTA_SSL.4
The termination of an interactive session.
No additional information.
User termination of a local session:
2015-11-09T20:01:08.000+00:00 <auth.info> 1-A-CM1 (43) usracc LogOff sessID:82307218, pam_tty:SERIAL @ src/software/centaur/apps/user_acc/UAP_LoginTask.cpp:1656
User termination of a remote session (MCLI):
2015-11-17T21:30:34.000+00:00 <local1.notice> 1-A-CM1 (303) MCLI 6642: menu choice 10 - Log off
2015-11-17T21:30:34.000+00:00 <local1.notice> 1-A-CM1 (304) MCLI 6642: CLI session 6642 ended.
User termination of a remote session (TL1):
2015-11-14T21:06:28.692+00:00 <authpriv.info> 1-A-CM1 (4) usracc SecurityLog - Category=Security, OpName=CloseSession, SessionID=1326102656, UserAccount=administrator, Interface=TL1, LogonHost=127.0.0.1
FTP_ITC.1
Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Identification of the initiator and target of failed trusted channels establishment attempt.
Failure of a Connection:
2016-01-08T14:40:22.000+00:00 <local1.info> 1-CTM2 (22576) x secsyslog ip:10.41.88.17, port:2999, mode:tls, cipher:AES256-SHA256
2016-01-08T14:40:22.356+00:00 <syslog.notice> 1-CTM2 (22589) 1-C-CM2 syslog-ng[3426]: Syslog connection established; fd='13', server='AF_INET(10.41.88.17:2999)', local='AF_INET(0.0.0.0:0)'
2016-01-08T14:40:22.359+00:00 <syslog.err> 1-CTM2 (22590) 1-C-CM2 syslog-ng[3426]: SSL error while writing stream; tls_error='SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
2016-01-08T14:40:22.359+00:00 <syslog.err> 1-CTM2 (22591) 1-C-CM2 syslog-ng[3426]: I/O error occurred while writing; fd='13', error='Broken pipe (32)
Initiation of a trusted channel:
2016-01-08T14:42:09.000+00:00 <local1.info> 1-CTM2 (22825) secsyslog_config.sh 7139: Invoked with 'syslog true 10.41.88.17 2999 tls AES256-SHA', restarting syslog-ng-sec.
2016-01-08T14:42:10.000+00:00 <user.notice> 1-CTM2 (22826) logger Enforcing reset rate limit. Will resume in 3 seconds.
2016-01-08T14:42:13.000+00:00 <local1.notice> 1-CTM2 (22827) MCLI 6668: menu choice 1 - Display current Security Log configuration
2016-01-08T14:42:13.058+00:00 <syslog.notice> 1-CTM2 (22828) 1-C-CM2 syslog-ng[3426]: Configuration reload request received, reloading configuration;
2016-01-08T14:42:13.058+00:00 <syslog.notice> 1-CTM2 (22829) 1-C-CM2 syslog-ng[3426]: Syslog connection established; fd='14', server='AF_INET(10.41.88.17:2999)', local='AF_INET(0.0.0.0:0)'
Termination of a trusted channel:
2015-11-18T21:42:13.034+00:00 <syslog.err> 1-C-CTM (233714) 1-C-CM2 syslog-ng[3225]: SSL error while writing stream; tls_error='SSL routines:SSL23_WRITE:ssl handshake failure'
2015-11-18T21:42:13.034+00:00 <syslog.err> 1-C-CTM (233715) 1-C-CM2 syslog-ng[3225]: I/O error occurred while writing; fd='13', error='Broken pipe (32)'
2015-11-18T21:42:13.034+00:00 <syslog.notice> 1-C-CTM (233716) 1-C-CM2 syslog-ng[3225]: Syslog connection broken; fd='13', server='AF_INET(10.41.73.110:2999)', time_reopen='10
FTP_TRP.1
Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions.
Identification of the claimed user identity.
See FCS_SSH_EXT.1 and FIA_UIA_EXT.1.
Table 8-1: NDPP Auditable Events
The following is an example of a security audit record that the 5400 series produces.
/*EventType=AuditTrail,Category=Security,OpResult=OK,MoName=/NE=TXN542A/T=EQUIPMENT/N=TXN542A,NETimeMilliSec=0,LogId=4005456,ClientHostName=127.0.0.1,ClientInterface=TL1,NETime=11/11/2015 09:40:22,OpName=Configure,ProbableCause=ResponseFromService,UserAccount=/NE=TXN542A/T=ACCOUNT/N=administrator,Hour=9,Second=22,Month=11,Year=2015,Day=11,Minute=40*/"AuditTrail"
The example record includes a timestamp (November 11, 2015 09:40:22 [UTC]), the client interface
(TL1), the IP address of the event (127.0.0.1), the user who caused the event (administrator), and the
trigger (response from a service).
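The following Python sketch is an added example, not Ciena or CATL code: it parses the two AuditTrail records shown in this guide and extracts the fields described above, plus the old and new clock values logged for FPT_STM.1. It assumes each record has been joined onto one line and that NETime is MM/DD/YYYY device time; the function and dictionary key names are illustrative.

```python
import re
from datetime import datetime

# The two AuditTrail records shown in this guide, with PDF line wraps removed.
SAMPLE_CONFIGURE = (
    '/*EventType=AuditTrail,Category=Security,OpResult=OK,'
    'MoName=/NE=TXN542A/T=EQUIPMENT/N=TXN542A,NETimeMilliSec=0,LogId=4005456,'
    'ClientHostName=127.0.0.1,ClientInterface=TL1,NETime=11/11/2015 09:40:22,'
    'OpName=Configure,ProbableCause=ResponseFromService,'
    'UserAccount=/NE=TXN542A/T=ACCOUNT/N=administrator,'
    'Hour=9,Second=22,Month=11,Year=2015,Day=11,Minute=40*/"AuditTrail"'
)
SAMPLE_TIME_CHANGE = (
    '/*EventType=AuditTrail,Category=Security,OpResult=OK,'
    'MoName=/NE=txn543/T=EQUIPMENT/N=txn543,NETimeMilliSec=0,LogId=2000115,'
    'ClientHostName=10.40.32.135,ClientInterface=TL1,NETime=01/07/2016 13:56:00,'
    'OpName=Configure,ProbableCause=ResponseFromService,'
    'UserAccount=/NE=txn543/T=ACCOUNT/N=administrator,'
    'oldSecond=30,oldMinute=54,oldMonth=1,oldHour=13,oldDay=7,oldYear=2016,'
    'Hour=13,Second=0,Month=1,Year=2016,Day=7,Minute=56*/'
)

RECORD_RE = re.compile(r"/\*(.*?)\*/", re.S)
CLOCK_PARTS = ("Year", "Month", "Day", "Hour", "Minute", "Second")


def parse_audit_record(raw):
    """Split one /*key=value,...*/ record into a dict of strings."""
    match = RECORD_RE.search(raw)
    if match is None:
        raise ValueError("no /*...*/ audit record found")
    fields = {}
    for pair in match.group(1).split(","):
        # MoName and UserAccount values contain '=' (/NE=.../T=.../N=...),
        # so only the first '=' separates key from value.
        key, sep, value = pair.strip().partition("=")
        if not sep or not key:
            raise ValueError("malformed field: %r" % pair)
        fields[key] = value
    return fields


def clock_fields(fields, prefix=""):
    """Build a datetime from Year..Second (or oldYear..oldSecond) if present."""
    try:
        return datetime(*(int(fields[prefix + part]) for part in CLOCK_PARTS))
    except KeyError:
        return None


def summarize(raw):
    """Extract the who/when/where values the guide points out, plus clock data."""
    f = parse_audit_record(raw)
    old, new = clock_fields(f, "old"), clock_fields(f)
    return {
        "when": datetime.strptime(f["NETime"], "%m/%d/%Y %H:%M:%S"),
        "interface": f["ClientInterface"],
        "origin": f["ClientHostName"],
        "user": f["UserAccount"].rsplit("/N=", 1)[-1],
        "operation": f["OpName"],
        "trigger": f["ProbableCause"],
        "old_time": old,
        "new_time": new,
        # Size of the clock step in seconds when both values were logged.
        "step_seconds": (new - old).total_seconds() if old and new else None,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CONFIGURE, SAMPLE_TIME_CHANGE):
        print(summarize(sample))
```

A collector can use `step_seconds` to flag manual clock changes above a site-defined threshold, since a stepped clock affects the ordering of every later audit record.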
8.1 Audit Storage
In the evaluated configuration, the TOE is configured to transmit its collected audit data to a syslog server
in the Operational Environment. The TOE uses syslog-ng to transmit audit data remotely to an audit
server using TCP. This channel is protected using TLS. SFTP is used for pushing logs manually to a
configured destination server.
Locally, the TOE maintains the security-relevant audit data in two locations on the filesystem,
summarized below:
/rel/<rel-name>/ctm30/<core>/ps/data/AuditTrail: audit log, records all authentication events and
management activities performed on the MCLI and TL1 interfaces
/var/log/secmessages: security syslog, records all events related to user account management
The audit data is stored in up to four files for each audit storage location. Each audit log file stores up to
1,000 records and each security syslog file stores up to 10 MB of data. When storage space is exhausted
for either audit storage location, the oldest log file is overwritten.
The TOE does not provide a mechanism to delete the locally-stored audit data. See Section 6.4 of this
document for instructions on configuring the Syslog Server interface.
To manually push audit data to an external SFTP server for storage, use the following steps:
1. Authenticate to the TOE.
2. Option 6 – Perform system operations
3. Option 23 – Support menu
4. Option 5 – Upload logs, no crash dump files
5. Option 1 – Create log archive
6. For the module, type: “all”.
7. Option 3 – Enter URL for logs archive file transfer – guided entry
8. For the transfer protocol, type “sftp”.
9. Specify SFTP server IP address and port, destination path, username (Option 4), and password
(Option 5).
10. Option 7 to initiate the transfer
NOTE: If the connection to the SFTP server is disconnected during the transfer, the administrator must
restart the transfer process.
9 SFR Assurance Activities
In this section we identify the SFR assurance activities and specify where in the Ciena documentation this
information can be found.
FAU_GEN.1 –
“The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and
provides a format for audit records. Each audit record format type must be covered, along with a brief
description of each field. The evaluator shall check to make sure that every audit event type mandated by
the PP is described and that the description of the fields contains the information required in
FAU_GEN1.2, and the additional information specified in Table 1.”
The AGD does not contain examples of audit data outside of this document. Additionally, [8] provides an
overview of the log format under ‘Retrieve Audit Security Log Information’.
“The evaluator shall also make a determination of the administrative actions that are relevant in the
context of this PP. The evaluator shall examine the administrative guide and make a determination of
which administrative commands, including subcommands, scripts, and configuration files, are related to
the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are
necessary to enforce the requirements specified in the PP. The evaluator shall document the methodology
or approach taken while determining which actions in the administrative guide are security relevant with
respect to this PP. The evaluator may perform this activity as part of the activities associated with
ensuring the AGD_OPE guidance satisfies the requirements.”
Auditing is always functional and thus cannot be disabled or enabled. As a result, the starting up and
shutting down of audit functions is synonymous with the startup and shutdown of the TOE.
FAU_STG_EXT.1 –
“The evaluator shall also examine the operational guidance to determine that it describes the
relationship between the local audit data and the audit data that are sent to the audit log server (for
TOEs that are not acting as an audit log server).”
In the evaluated configuration, the TOE is configured to transmit its collected audit data to a syslog server
in the Operational Environment. The steps in Section 6.4 indicate how to enable a remote audit server and
securely transfer audit data to it using TCP.
“The evaluator shall also examine the operational guidance to ensure it describes how to establish the
trusted channel to the audit server, as well as describe any requirements on the audit server (particular
audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed
to communicate with the audit server.”
The procedures for establishing a trusted channel to the audit server are described in Section 6 of this
document.
FCS_SSH_EXT.1.4 –
“The evaluator shall also check the operational guidance to ensure that it contains instructions on
configuring the TOE so that SSH conforms to the description in the TSS (for instance, the set of
algorithms advertised by the TOE may have to be restricted to meet the requirements).”
Configuration of the SSH server and SSH client cryptographic algorithms is not under administrator
control. The algorithms are restricted by placing the TOE into “CC mode” to those identified in Section
8.2.8 of the ST which meets the PP requirements. All other algorithms are disabled. Refer to Section 6.1
for enabling CC Mode.
FCS_SSH_EXT.1.6 –
“The evaluator shall also check the operational guidance to ensure that it contains instructions to the
administrator on how to ensure that only the allowed data integrity algorithms are used in SSH
connections with the TOE (specifically, that the “none” MAC algorithm is not allowed).”
See FCS_SSH_EXT.1.4
FCS_SSH_EXT.1.7 –
“The evaluator shall ensure that operational guidance contains configuration information that will allow
the security administrator to configure the TOE so that all key exchanges for SSH are performed using
DH group 14 and any groups specified from the selection in the ST.”
See FCS_SSH_EXT.1.4
FIA_PMG_EXT.1 –
“The evaluator shall examine the operational guidance to determine that it provides guidance to security
administrators on the composition of strong passwords, and that it provides instructions on setting the
minimum password length.”
Password management is described in Section 7.5 of this document.
FIA_UIA_EXT.1 –
“The evaluator shall examine the operational guidance to determine that any necessary preparatory steps
(e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are
described.”
Creating usernames and passwords is described in Sections 7.4 and 7.5 of this document. Configuring the
TOE for SSH Public/Private key authentication is described in Section 6.7. Authenticating to the TOE is
described in Section 7.2 of this document.
“For each supported the login method, the evaluator shall ensure the operational guidance provides
clear instructions for successfully logging on.”
See above.
“If configuration is necessary to ensure the services provided before login are limited, the evaluator shall
determine that the operational guidance provides sufficient instruction on limiting the allowed services.”
Sections 6.8 and 7.6 of this document provide instructions on how to configure the pre-authentication
login banner. There is no other method by which a user or administrator can view or interact with TSF
data prior to authentication.
FMT_MTD.1 –
“The evaluator shall review the operational guidance to determine that each of the TSF-data-
manipulating functions implemented in response to the requirements of this PP is identified, and that
configuration information is provided to ensure that only administrators have access to the functions.”
The TOE has a fixed set of administrative roles with a fixed set of privileges. Document [5] provides a
listing of administrative access levels and the privileges allowed. Only the AA role has the ability
to manage functions that are relevant to the TOE as defined by the NDPP. The remaining functions
pertain to the management of switching functions that are outside the scope of the NDPP. The TOE also
provides a CLI (referred to as the MCLI) for many security-relevant features, typically those that are not
managed frequently (such as configuring communications with remote audit and NTP servers). The
MCLI defines a superuser role that is separate from the roles defined for the TL1 interface, and is the only
role that is defined for the MCLI.
The user and interface required to execute functionality as defined by the PP are outlined throughout the
AGD; in particular, Sections 6 and 7 cover the configuration and management procedures.
FMT_SMR.2 –
“The evaluator shall review the operational guidance to ensure that it contains instructions for
administering the TOE both locally and remotely, including any configuration that needs to be performed
on the client for remote administration.”
Configuration of the TOE can occur locally via the serial console or remotely over the dedicated
management Ethernet port via SSH. Section 7.2 of this document provides instructions for how to log in
to the TOE once an appropriate encryption is configured as described in Section 6.1. Additionally, if
SSH Public/Private Key Authentication will be used, refer to Section 6.7 for configuration.
FPT_STM.1 –
“The evaluator examines the operational guidance to ensure it instructs the administrator how to set the
time. If the TOE supports the use of an NTP server, the operational guidance instructs how a
communication path is established between the TOE and the NTP server, and any configuration of the
NTP client on the TOE to support this communication.”
The “System Maintenance” section of [8] provides instructions on how to manually set the system time.
Section 6.5 provides instructions on how to set up and administer NTP.
FPT_TST_EXT.1 –
“The evaluator shall also ensure that the operational guidance describes the possible errors that may
result from such tests, and actions the administrator should take in response; these possible errors shall
correspond to those described in the TSS.”
Section 6.1 of this document references procedures for enabling CC mode. The TOE uses a cryptographic
module that cannot be claimed as being FIPS validated; however, the algorithms the TOE uses
have been put through CAVP testing. Section 7.8 explains how the TOE performs self-tests and the
actions taken in the event of self-test failure. Also see [2] for instructions on troubleshooting and clearing
problems with the TOE.
FPT_TUD_EXT.1 –
“The evaluator also ensures that the TSS (or the operational guidance) describes how the candidate
updates are obtained; the processing associated with verifying the digital signature or calculating the
hash of the updates; and the actions that take place for successful (hash or signature was verified) and
unsuccessful (hash or signature could not be verified) cases.”
Section 6.6 of this document describes the process for performing a system upgrade. The general
instructions for acquiring, verifying, and performing trusted updates are described in detail in [1].
FTA_SSL_EXT.1, FTA_SSL.3, FTA_SSL.4 – There is no specific guidance assurance activity.
However, the assurance activity for testing requires the tester to follow the operational guidance to
configure the system inactivity period. Section 7.3 of this document provides information on manual and
automatic session termination activities.
FTA_TAB.1 – There is no specific guidance assurance activity. However, the assurance activity for
testing requires the tester to follow the operational guidance to configure the banner. Section 6.8 of this
document provides instructions on how to configure the login banner.
FTP_ITC.1 –
“The evaluator shall confirm that the operational guidance contains instructions for establishing the
allowed protocols with each authorized IT entity, and that it contains recovery instructions should a
connection be unintentionally broken.”
Section 6.4 discusses that in the case of a disconnected channel between the TOE and the syslog server, the
connection will automatically re-establish with no further input from the administrator. Section 6.6
discusses that if the channel becomes disconnected between the TOE and SFTP server during a software
download, the administrator is required to perform the listed steps in order to download the full update.
Similarly to Section 6.6, Section 8.1 states that the administrator must perform all steps listed if
communication is disconnected during the manual push of audit data to the SFTP server.
FTP_TRP.1 –
“The evaluator shall confirm that the operational guidance contains instructions for establishing the
remote administrative sessions for each supported method.”
Section 7.2 states that in the event the administrator/superuser gets disconnected while remotely
administering the TOE, they must re-authenticate in order to resume management activities.
10 Operational Modes
The device has two configurable settings for its operational modes: normal mode and CC mode. Refer to
Section 6.1 for instructions on enabling CC mode. When not in CC mode, the device can be considered as
operating in normal mode.
11 Additional Support
Ciena provides technical support for its products if needed. Customers can register for a support account
at www.ciena.com/support. Additionally, direct support can be reached toll-free in North America at
1-800-243-6224.