
Gigamon GigaVUE

Supplemental Administrative Guidance

Version: 1.0

January 28, 2016

Gigamon Inc.

3300 Olcott Street

Santa Clara, CA 95054

Prepared By:

Cyber Assurance Testing Laboratory

900 Elkridge Landing Road, Suite 100

Linthicum, MD 21090

1 | Page

Contents

1 Introduction ........................................................................................................................................... 3

2 Intended Audience ................................................................................................................................ 3

3 Terminology .......................................................................................................................................... 3

4 References ............................................................................................................................................. 4

5 Evaluated Configuration of the TOE .................................................................................................... 4

5.1 TOE Components .......................................................................................................................... 4

5.2 Supporting Environment Components .......................................................................................... 8

5.3 Assumptions .................................................................................................................................. 8

6 Secure Installation and Configuration ................................................................................................... 9

6.1 Initial out-of-the-box Setup: .......................................................................................................... 9

6.2 Verify Software Version ............................................................................................................. 10

6.3 Configure the TOE to use Enhanced Security Mode: ................................................................. 10

6.4 Configure the TOE to record log and audit data (locally): ......................................................... 10

6.5 Disable Telnet and Enable SSH2 ................................................................................................ 10

6.6 Configure and Access the WebGUI (aka H-VUE) ..................................................................... 11

7 Secure Management of Gigamon GigaVUE ....................................................................................... 11

7.1 Authenticating to Gigamon GigaVUE ........................................................................................ 11

7.1.1 Public-Key Based Authentication Configuration ................................................................ 12

7.1.2 LDAP Authentication Configuration (CLI) ........................................................................ 12

7.1.3 LDAP Authentication Configuration (WebGUI) ................................................................ 13

7.2 Managing Users .......................................................................................................................... 13

7.2.1 Create a New Admin User Account (CLI): ......................................................................... 13

7.2.2 Create a New Admin User Account (GUI): ........................................................................ 14

7.3 Password Management ............................................................................................................... 14

7.4 Session Termination .................................................................................................................... 14

7.4.1 Admin Logout ..................................................................................................................... 14

7.4.2 Termination from Inactivity ................................................................................................ 15

7.5 Login Banner .............................................................................................................................. 15

7.6 System Time Configuration ........................................................................................................ 16

7.6.1 Manually Configure the Time (CLI) ................................................................................... 16


7.6.2 Manually Configure the Time Configuration (WebGUI) ................................................... 16

7.6.3 Configure Connection to an NTP Server (CLI) .................................................................. 16

7.6.4 Configure Connection to an NTP Server (GUI) ................................................................. 16

7.7 Secure Updates ............................................................................................................................ 17

7.7.1 Display the Current Version (CLI) ..................................................................................... 17

7.7.2 Display the Current Version (WebGUI) ............................................................................. 17

7.7.3 Downloading and Installing the New Image (CLI) ............................................................. 17

7.7.4 Downloading and Installing the New Image (WebGUI) .................................................... 18

7.7.5 Rebooting TOE (CLI) ......................................................................................................... 18

7.7.6 Rebooting the TOE (WebGUI) ........................................................................................... 18

7.7.7 Actions to be taken upon Failure ........................................................................................ 18

8 Auditing .............................................................................................................................................. 18

8.1 Audit Storage .............................................................................................................................. 32

8.1.1 Assigning a Public-Key to the Syslog Server and enable SSH (CLI) ................................. 32

8.1.2 Configuring the Syslog Server (CLI) .................................................................................. 33

9 Communications Protocols and Services ............................................................................................ 33

10 Modes of Operation ........................................................................................................................ 34

11 Obtaining Technical Assistance ...................................................................................................... 34

Table of Tables

Table 5-1: HD8 and HD4 Series ................................................................................................................... 5

Table 5-2: HC2 Series ................................................................................................................................... 6

Table 5-3: HB1 Series ................................................................................................................................... 7

Table 5-4: TA10 Series ................................................................................................................................. 7

Table 5-5: TA40 Series ................................................................................................................................. 8

Table 5-6: Supporting Environmental Components ..................................................................................... 8

Table 8-1: NDPP Auditable Events ............................................................................................................ 32


1 Introduction

The Target of Evaluation (TOE) includes the models HD8, HD4, HC2, HB1, TA10 and TA40 with

software version 4.4.03. These models allow an Authorized Administrator to access the TOE through a

serial port, remote CLI via SSH, and a WebGUI via TLS/HTTPS. The TOE was evaluated against the

requirements defined in the Gigamon GigaVUE Security Target.

The GigaVUE's primary function is to use the Gigamon Forwarding Policy to receive out-of-band copies of

network data from external sources (TAP or SPAN port) and forward that copied data to one or many tool

ports for packet-capture or analysis tools, based on user-selected criteria. GigaVUE can also copy the

network traffic itself when sitting in-line with the network flow, using passive, inline and bypass taps or

any combination. GigaVUE features extensive filtering abilities enabling authorized users

to forward precise customized data flows of copied data from many sources to a single tool, from a single

source to many tools, or from many sources to many tools. The TOE was evaluated as a network device

only and the GigaVUE’s network traffic capture, filter, and forwarding capabilities described above were

not assessed during this evaluation. The TOE is the general network device functionality (I&A, auditing,

security management, trusted communications, etc.) of the GigaVUE, consistent with the claimed

Protection Profile.

2 Intended Audience

This document is intended for administrators responsible for installing, configuring, and/or operating

Gigamon GigaVUE version 4.4.03. Guidance provided in this document allows the reader to deploy the

product in an environment that is consistent with the configuration that was evaluated as part of the

product’s Common Criteria (CC) testing process. It also provides the reader with instructions on how to

exercise the security functions that were claimed as part of the CC evaluation.

The reader is expected to be familiar with the Security Target for Gigamon GigaVUE version 4.4.03 and

the general CC terminology that is referenced in it. This document references the Security Functional

Requirements (SFRs) that are defined in the Security Target document and provides instructions on how

to perform the security functions that are defined by these SFRs. The GigaVUE product as a whole

provides a great deal of security functionality but only those functions that were in the scope of the

claimed PP are discussed here. Any functionality that is not described here or in the Gigamon GigaVUE

Security Target was not evaluated and should be exercised at the user’s risk.

3 Terminology

In reviewing this document, the reader should be aware of the terms listed below. These terms are also

described in the Gigamon GigaVUE Security Target.

CC: stands for Common Criteria. Common Criteria provides assurance that the specification,

implementation and evaluation of a computer security product have been conducted in a rigorous,

standard and repeatable manner, at a level commensurate with the target environment for use.


SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part

of the CC process.

TOE: stands for Target of Evaluation. This refers to the aspects of Gigamon GigaVUE that contain the

security functions that were tested as part of the CC evaluation process.

4 References

The following documents form the standard documentation set provided with Gigamon GigaVUE

version 4.4.03.

[1] GigaVUE-OS-CLIUsersGuide-v4400

[2] GigaVUE-OS-HVUE-UsersGuide-v4400

[3] GV-TA-Series-UpgradeGuide-v4400

[4] GV-H-Series-UpgradeGuide-v4400

[5] GV-HB-Series-HardwareInstallationGuide-v4400

[6] GV-HC-Series-HardwareInstallationGuide-v4400

[7] GV-HD-Series-HardwareInstallationGuide-v4400

[8] GV-TA-Series-HardwareInstallationGuide-v4400

[9] GV-OS-ReleaseNote-v4400

[10] Gigamon GigaVUE Security Target v1.0 (ST)

[11] Gigamon Linux-Based Cryptographic Module CMVP certificate #2128

Note: [11] refers to the FIPS validated cryptographic module used by the GigaVUE products.

5 Evaluated Configuration of the TOE

This section lists the components that have been included in the TOE’s evaluated configuration, whether

they are part of the TOE itself, environmental components that support the security behavior of the TOE,

or non-interfering environmental components that were present during testing but are not associated with

any security claims:

5.1 TOE Components

Property | HD8 | HD8 | HD4 | HD4

Model Number | GVS-HD8A1, GigaVUE-HD8 base unit w/ chassis, CLI | GVS-HD8A2, GigaVUE-HD8 base unit w/ chassis, CLI | GVS-HD4A1, GigaVUE-HD4 base unit w/ chassis, CLI | GVS-HD4A2, GigaVUE-HD4 base unit w/ chassis, CLI

Size | 14RU | 14RU | 5RU | 5RU

Total Slots | 8 | 8 | 5 | 5

Power | AC | DC | AC | DC

Control Cards | 1 or 2 | 1 or 2 | 1 | 1

Port Blades | see list below (all four models)

GigaSMART Module | see list below (all four models)

Power Supplies | 4 | 4 | 2 | 2

Processor | PowerPC 600 | PowerPC 600 | PowerPC 600 | PowerPC 600

Memory (RAM) | CCv1: 2GB, CCv2: 4GB | CCv1: 2GB, CCv2: 4GB | CCv1: 2GB, CCv2: 4GB | CCv1: 2GB, CCv2: 4GB

Logical Drive Capacity | CCv1: 2GB, CCv2: 8GB | CCv1: 2GB, CCv2: 8GB | CCv1: 2GB, CCv2: 8GB | CCv1: 2GB, CCv2: 8GB

Fixed Ports | None | None | None | None

Configurable Ports | Provided by Port Blades | Provided by Port Blades | Provided by Port Blades | Provided by Port Blades

Port Blades (all HD8 and HD4 models):

PRT-H00-X12G04 Port Blade, HD Series, 12x10G 4x1G

PRT-H00-X12TS Port Blade, HD Series, 12x10G Time Stamp

PRT-H00-X04G44 Port Blade, HD Series, 4x10G 44x1G

PRT-H00-Q02X32 Port Blade, HD Series, 2x40G 32x10G (24 10G + 2 40G or 32 10G active)

PRT-HD0-Q08 Port Blade, HD Series, 8x40G

PRT-HD0-C01 Port Blade, HD Series, 1x100G

PRT-HD0-C02X08 Port Blade, HD Series, 2x100G CFP cages + 8x10G cages

PRT-HD0-C02X08A Port Blade, HD Series, 2x100G CFP2 cages + 8x10G cages

GigaSMART Module (all HD8 and HD4 models):

SMT-HD0-GigaSMART, HD Series blade (includes Slicing, Masking, Source Port & GigaVUE Tunneling De-Encapsulation SW)

Table 5-1: HD8 and HD4 Series

Property | HC2 | HC2

Model Number | GVS-HC201, GigaVUE-HC2 base unit w/ chassis, CLI | GVS-HC202, GigaVUE-HC2 base unit w/ chassis, CLI

Size | 2RU | 2RU

Front Bays | 4 | 4

Rear Bays | 1 | 1

Power | AC | DC

Main Board | 1 | 1

TAP Modules | see list below (both models)

Bypass Combo Modules | see list below (both models)

Port Modules | see list below (both models)

GigaSMART Modules | see list below (both models)

Power Supplies | 2 | 2

Processor | PowerPC 600 | PowerPC 600

Memory (RAM) | 4GB | 4GB

Logical Drive Capacity | 8GB | 8GB

Fixed Ports | PTP IEEE 1588, Stack Mgmt. Port, Mgmt., Console | PTP IEEE 1588, Stack Mgmt. Port, Mgmt., Console

Configurable Ports | Provided by TAP Modules, Bypass Combo Modules, Port Modules | Provided by TAP Modules, Bypass Combo Modules, Port Modules

TAP Modules:

TAP-HC0-D25AC0 TAP module, HC Series, SX/SR Internal TAP Module 50/125, 12 TAPs

TAP-HC0-D25BC0 TAP module, HC Series, SX/SR Internal TAP Module 62.5/125, 12 TAPs

TAP-HC0-D35CC0 TAP module, HC Series, LX/LR Internal TAP Module, 12 TAPs

TAP-HC0-G100C0 TAP and Bypass module, HC Series, Copper, 12 TAPs or BPS pairs

Bypass Combo Modules:

BPS-HC0-D25A4G Bypass Combo Module, HC Series, 4 SX/SR 50/125 BPS pairs, 16 10G cages

BPS-HC0-D25B4G Bypass Combo Module, HC Series, 4 SX/SR 62.5/125 BPS pairs, 16 10G cages

BPS-HC0-D35C4G Bypass Combo Module, HC Series, 4 LX/LR BPS pairs, 16 10G cages

Port Modules:

PRT-HC0-X24 Port Module, HC Series, 24x10G

PRT-HC0-Q06 Port Module, HC Series, 6x40G

GigaSMART Modules:

SMT-HC0-R GigaSMART, HC Series rear module (includes Slicing, Masking, Source Port & GigaVUE Tunneling De-Encapsulation SW)

SMT-HC0-X16 GigaSMART, HC Series, Front Module, 16 10G cages (includes Slicing, Masking, Source Port & GigaVUE Tunneling De-Encapsulation SW)

Table 5-2: HC2 Series

Property | HB1 | HB1

Model Number | GVS-HB101-0416 branch node | GVS-HB102-0416 branch node

Size | 1RU | 1RU

Cages | 4 10G cages, 8 1G cages | 4 10G cages, 8 1G cages

Copper | 8 1G | 8 1G

Power | AC | DC

Power Supplies | 1 | 1

Processor | PowerPC 600 | PowerPC 600

Memory (RAM) | 2GB | 2GB

Logical Drive Capacity | 2GB | 2GB

Fixed Ports | PTP 1588, Mgmt., Console, 8 10/100/1000 Ports, 8 1G Ports (SFP), 4 1G/10G (SFP+) | PTP 1588, Mgmt., Console, 8 10/100/1000 Ports, 8 1G Ports (SFP), 4 1G/10G (SFP+)

Configurable Ports | None | None

Table 5-3: HB1 Series

Property | TA10 | TA10

Model Number | GigaVUE-TA10 Edge Traffic Aggregation Node (SKU GVS-TAX01) | GigaVUE-TA10 Edge Traffic Aggregation Node (SKU GVS-TAX01)

Size | 1RU | 1RU

Power | AC | DC

Power Supplies | 2 | 2

Processor | PowerPC e500 | PowerPC e500

Memory (RAM) | 4GB | 4GB

Logical Drive Capacity | 8GB | 8GB

Fixed Ports | Mgmt., Console, 48 1G/10G Ports (SFP+), 4 10G/40G QSFP Ports | Mgmt., Console, 48 1G/10G Ports (SFP+), 4 10G/40G QSFP Ports

Configurable Ports | None | None

Table 5-4: TA10 Series

Property | TA40 | TA40

Model Number | GigaVUE-TA40 Edge Traffic Aggregation Node (SKU GVS-TAQ01) | GigaVUE-TA40 Edge Traffic Aggregation Node (SKU GVS-TAQ01)

Size | 1RU | 1RU

Power | AC | DC

Power Supplies | 2 | 2

Processor | PowerPC e500 | PowerPC e500

Memory (RAM) | 4GB | 4GB

Logical Drive Capacity | 8GB | 8GB

Fixed Ports | Mgmt., Console, 32 10G/40G QSFP Ports | Mgmt., Console, 32 10G/40G QSFP Ports

Configurable Ports | None | None

Table 5-5: TA40 Series

5.2 Supporting Environment Components

Component: Definition

LDAP Server: A system that is capable of receiving authentication requests using LDAP over TLS and

validating these requests against identity and credential data that is defined in an LDAP directory.

Management Workstation: Any general-purpose computer that is used by an administrator to manage the

TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH

client to access the CLI or a web browser (Microsoft Internet Explorer 11 or higher, or Google Chrome 36

or higher) to access the WebGUI, or locally, in which case the management workstation must be

physically connected to the TOE using the serial port and must use a terminal emulator that is compatible

with serial communications.

NTP Server: A server that provides reliable time data to the TOE’s system clock so that the timestamps on

its audit records can be synchronized with other devices in the Operational Environment that connect to

the same server.

SPAN: A SPAN port that provides the TOE with copied network data, but only if the TOE is configured to

receive data from an external TAP or SPAN device.

Syslog Server: The Syslog Server connects to the TOE and allows the TOE to send Syslog messages to it

for remote storage. This is used to send copies of audit data to be stored in a remote location for data

redundancy purposes.

TAP: This component provides the TOE with copied network data, either from an internal GigaVUE TAP

or an external TAP. The TOE can also be configured to receive data from an external source, meaning a

TAP device or SPAN port.

Tool: Any analysis, capture or troubleshooting tool connected to a tool port. This component is required

for the TOE to forward data. The connection to the tool is a physical connection.

Update Server: A general-purpose computer that includes a web server and is used to store software

update packages that can be retrieved by the TOE using TLS/HTTPS. The update server can be a server

maintained by Gigamon or it can be set up locally in the Operational Environment by an administrator if

the TOE’s deployment prevents it from being able to access Gigamon’s web domain.

Table 5-6: Supporting Environmental Components

5.3 Assumptions

In order to ensure the product is capable of meeting its security requirements when deployed in its

evaluated configuration, the following conditions must be satisfied by the organization, as defined in the

claimed Protection Profile:

No general purpose computing capabilities: The GigaVUE product must only be used for its

intended purpose. General purpose computing applications, especially those with network-visible

interfaces, may compromise the security of the product if introduced.


Physical security: The GigaVUE product does not claim any sort of physical tamper-evident or

tamper-resistant security mechanisms. Therefore, it is necessary to deploy the product in a locked

or otherwise physically secured environment so that it is not subject to untrusted physical

modification.

Trusted administration: The GigaVUE product does not provide a mechanism to protect against

the threat of a rogue or otherwise malicious administrator. Therefore, it is the responsibility of the

organization to perform appropriate vetting and training for security administrators prior to

granting them the ability to manage the product.

6 Secure Installation and Configuration

How to order and acquire the TOE is described in the ‘Contacting Sales’ section of documents [5]

through [8]. When a TOE model is delivered, check it against this documentation as part of the

acceptance procedure so that the correctness of the hardware can be verified. Documents [5] through [8]

also cover physical requirements such as unpacking the TOE, installing modules, racking the TOE,

cabling (network and power), and verifying power and environmental operating conditions. The TOE

ships with the software image installed, but if additional validation is necessary, an administrator may

acquire the software image separately from Gigamon and perform a software upgrade to the known

version (see Section 7.7).

Regardless of the specific model being installed, the software is functionally identical with respect to the

Common Criteria security requirements, so the secure management steps in the remainder of this

document apply to every device. These steps can be performed using the initial default user account.

Note: Use the write memory command in the CLI to save configuration changes to flash. Changes take

effect in the active configuration immediately but are not preserved across a reboot until write memory is

issued.

6.1 Initial out-of-the-box Setup

1. Connect to the TOE via the local console using the following settings on a terminal application:

115,200 Baud

8 data bits

No parity

1 stop bit

No flow control

2. Authenticate using the default credentials:

Username: admin

Password: admin123A!

3. Start the jump-start script by entering the following commands on the TOE:

enable

config terminal

config jump-start


Refer to the ‘Run the Jump-Start Script’ Section in documents [5] through [8] for more information on

completing the jump-start setup.

Note: Be sure to change the default password of the ‘admin’ account; the password policy is described in Section 7.3.

6.2 Verify Software Version

Now verify the version of software operating on the TOE by issuing the show version command and

comparing the displayed version with the expected version (4.4.03 for the evaluated configuration). If the

version is not what is expected, follow the instructions in Section 7.7 to obtain and install the correct

software image from Gigamon.

6.3 Configure the TOE to use Enhanced Security Mode

Enhanced Security Mode must be configured to limit the cryptographic options to be consistent with the

claims made for the Common Criteria evaluation.

1. Enter the following commands to enable secure cryptography mode:

enable

config terminal

system security crypto enhanced

reload

2. Respond “yes” to “Configuration has been modified; save first?” and then confirm the reload.

3. Authenticate to the TOE.

4. Verify that after authenticating, the TOE reports “System in secure cryptography mode.”

6.4 Configure the TOE to record log and audit data (locally)

In the evaluated configuration, all auditable events relevant to the Common Criteria evaluation are logged

locally by entering the following commands.

enable

config terminal

logging level audit mgmt info

logging level cli commands info

logging local info

6.5 Disable Telnet and Enable SSH2

Both Telnet and SSH2 can be configured for remote connections to the GigaVUE’s Ethernet Management

Port. By default, SSH2 is enabled and Telnet is disabled. In the Common Criteria evaluated configuration,

Telnet must remain disabled.

If Telnet is enabled, enter the following commands:

enable

config terminal

no telnet-server enable

If SSH2 is disabled, enter the following commands:

enable


config terminal

ssh server enable

After verifying that Telnet is disabled and SSH2 is enabled, attempt to authenticate to the TOE with an

SSH2 client by pointing the client at the TOE’s IP address and using the default ‘admin’ account’s

credentials. To be able to connect to the TOE, the SSH2 client must support diffie-hellman-group14-sha1

as the key exchange method, and one or more of the following encryption and data integrity algorithms:

Encryption Algorithms: AES-CBC-128 or AES-CBC-256 (aes128-cbc and aes256-cbc in OpenSSH notation)

Data Integrity Algorithms: hmac-sha1, hmac-sha2-256, or hmac-sha2-512
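A quick way to see what the management port actually offers, rather than only what the client must support, is to read the SSH_MSG_KEXINIT the server sends on every new connection and compare its name-lists with the algorithms above. The script below is an added example for this guidance, not Gigamon code or part of GigaVUE-OS. It assumes the guide’s “AES-CBC-128/256” correspond to the OpenSSH names aes128-cbc and aes256-cbc, takes the TOE address as a hypothetical command-line argument, and includes a constructed KEXINIT sample (not captured from a real device) so the parser can be exercised offline.

```python
"""Read an SSH server's KEXINIT and compare the offered algorithms with the
Section 6.5 list. Added example for this guidance; not Gigamon code."""
import socket
import struct
import sys

# Algorithms named in Section 6.5, in RFC 4253 / OpenSSH notation. Assumption:
# the guide's "AES-CBC-128" and "AES-CBC-256" are aes128-cbc and aes256-cbc.
EVALUATED = {
    "kex": {"diffie-hellman-group14-sha1"},
    "enc": {"aes128-cbc", "aes256-cbc"},
    "mac": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
}
# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode name-lists into a KEXINIT payload (used to construct test input)."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    out += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    return bytes(out)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists keyed by FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 1 + 16, {}  # skip the message id and the 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[name] = [a for a in raw.split(",") if a]
    return lists


def check_offered(lists):
    """Return, per category, the offered algorithms that are outside the evaluated set."""
    offered = {
        "kex": set(lists["kex"]),
        "enc": set(lists["enc_c2s"]) | set(lists["enc_s2c"]),
        "mac": set(lists["mac_c2s"]) | set(lists["mac_s2c"]),
    }
    return {k: sorted(offered[k] - EVALUATED[k]) for k in EVALUATED}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before KEXINIT was read")
        buf += chunk
    return buf


def read_kexinit(host, port=22, timeout=5.0):
    """Exchange identification strings with a live server and return its KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send banner lines first
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)
        sock.sendall(b"SSH-2.0-kexprobe\r\n")
        length = struct.unpack(">I", _recv_exact(sock, 4))[0]  # packet_length
        padding = _recv_exact(sock, 1)[0]                        # padding_length
        rest = _recv_exact(sock, length - 1)                     # payload + padding
        return rest[:len(rest) - padding]


# Constructed sample (not captured from a GigaVUE): a server that still offers
# legacy algorithms next to the evaluated ones.
CONSTRUCTED_SAMPLE = build_kexinit({
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa"],
    "enc_c2s": ["aes128-cbc", "aes256-cbc", "3des-cbc"],
    "enc_s2c": ["aes128-cbc", "aes256-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-sha2-256", "hmac-md5"],
    "mac_s2c": ["hmac-sha1", "hmac-sha2-256", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    # Usage: python kexprobe.py <TOE_IP_ADDRESS>; without an argument the sample is used.
    payload = read_kexinit(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED_SAMPLE
    for kind, extra in check_offered(parse_kexinit(payload)).items():
        status = "within evaluated set" if not extra else "also offers " + ", ".join(extra)
        print(f"{kind}: {status}")
```

Run it from the management workstation against the TOE’s IP address after Enhanced Security Mode (Section 6.3) has been enabled and the device has reloaded; any algorithm it reports under “also offers” is outside the list the evaluation documents and should be accounted for before the device is treated as being in the evaluated configuration.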

6.6 Configure and Access the WebGUI (aka H-VUE)

Enable the WebGUI by following the ‘Enabling the <MODEL NAME> Web Server’ section in documents

[5] through [8], then continue with that section’s directions for connecting and authenticating to the

WebGUI. The WebGUI is reached by navigating to https://<TOE_IP_ADDRESS> in a web browser. The

web browsers to be used in the Common Criteria evaluated configuration are Microsoft Internet Explorer

11 or higher and Google Chrome 36 or higher. These browsers must be configured to support TLS 1.0 and

one or more of the following ciphersuites:

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

The TOE supports HTTPS and HTTP for the WebGUI. By default, HTTPS is enabled and HTTP is

disabled. In the Common Criteria evaluated configuration, HTTP must remain disabled.

If HTTP is enabled, enter the following commands:

enable

config terminal

no web http enable

Note: Be sure to change the default password of the ‘admin’ account (see Section 7.3).

7 Secure Management of Gigamon GigaVUE

7.1 Authenticating to Gigamon GigaVUE

Users must authenticate to Gigamon GigaVUE before performing any management functions. Section

8.4 of the ST describes the process by which Gigamon GigaVUE authenticates users via the CLI, the

WebGUI or remotely via LDAP, and Section 8.8.2 describes the trusted channels that are used to protect

that data in transit.

Local users log in to the command line interface (CLI) using a username and password, while remote

users can log in to the CLI using a username and password or public-key based authentication.

Authentication information sent remotely via the CLI is protected using SSHv2. Users may also

authenticate remotely via the WebGUI, which is protected using TLS/HTTPS. Remote authentication

against an LDAP server’s user store is also possible.

Note: Connections to the LDAP server are protected with TLS. The TLS session for an LDAP request is

established and torn down almost immediately, so there is practically no window in which the session

could be interrupted. If the LDAP server is unreachable, the TOE makes a single connection attempt and

then falls back to verifying the credentials against its local user store.

7.1.1 Public-Key Based Authentication Configuration

SSH public/private key pairs must be generated or loaded on the TOE so that SSH public-key

authentication is possible. Perform the following steps to add an authorized public key to a user on the TOE:

1. Authenticate to the TOE via the CLI as an Admin user.

2. Enter the following commands on the TOE:

enable

config terminal

ssh client user <USERNAME> authorized-key sshv2 “<PUBLIC KEY>”

3. Ensure the user holds the corresponding private key. Preferably the user generates the key pair on

their own workstation and hands only the public key to the administrator for step 2, so that the private

key never leaves the user’s control; if the administrator generated the pair, deliver the private key over a

protected channel.

4. The user then loads the private key into their SSH client when authenticating.

7.1.2 LDAP Authentication Configuration (CLI)

Perform the following steps to configure the LDAP server on the TOE via the CLI. Refer to ‘Adding an

LDAP Server’ Section in document [1] for more information.

1. Authenticate to the TOE via the CLI as an Admin user

2. Enter the following commands on the TOE to install the public-key for the LDAP server:

enable

config terminal

crypto certificate name <NAME> public-cert pem “-----BEGIN CERTIFICATE-----

<CERT_DATA_HERE>-----END CERTIFICATE-----”

crypto certificate ca-list default-ca-list name <INSTALLED CERTIFICATE>

3. Refer to the ‘ldap’ section in document [1] between pages 773 and 776 to configure the LDAP

parameters. The commands below are provided as an example of the LDAP parameters that need

to be defined for a working configuration. The following must be configured exactly as shown in

the evaluated configuration: ldap ssl mode tls, ldap ssl ca-list default-ca-list, ldap ssl cert-verify

and ldap version 3 (these are the CLI equivalents of the mandatory WebGUI settings in Section

7.1.3). The remaining values are site-specific.

ldap base-dn <STRING>

ldap bind-dn <STRING>

ldap bind-password <PASSWORD HERE>

ldap group-attribute <STRING>

ldap host <LDAP_SERVER_IP_ADDRESS_HERE>

ldap login-attribute <STRING>

ldap ssl mode tls

ldap ssl ca-list default-ca-list

ldap ssl cert-verify

ldap version 3


4. Refer to the ‘aaa authentication’ section in document [1] between pages 661 and 664 to configure

the AAA Authentication parameters. The command below must be configured exactly as shown in the

evaluated configuration: it makes LDAP the first authentication method with fallback to the local user

store, matching the ‘First Priority: LDAP, Second Priority: Local’ selection in Section 7.1.3.

aaa authentication login default ldap local

5. Refer to the ‘aaa authorization’ section in document [1] between pages 664 and 665 to configure

the AAA Authorization parameters. The commands below are provided as an example of the

AAA Authorization parameters that need to be defined for a working configuration.

aaa authorization map order <POLICY>

aaa authorization map default-user <USER>

7.1.3 LDAP Authentication Configuration (WebGUI)

Perform the following steps to configure the LDAP server on the TOE via the WebGUI.

1. Authenticate to the TOE via the WebGUI as an Admin user.

2. Refer to the ‘Configuring Authentication and Authorization (AAA)’ section in document [2]

between pages 182 and 183 to configure AAA. The following options must be chosen:

a. First Priority: LDAP

b. Second Priority: Local

3. Refer to the ‘Adding an LDAP Server’ section in document [2] on page 190 to add an LDAP

server.

4. Refer to the ‘Configuring LDAP Authentication’ section in document [2] between pages 195 and

196 to configure LDAP authentication. The following options must be chosen:

a. LDAP Version: v3

b. SSL Mode: tls

c. SSL Cert Check: on

d. SSL ca-list: default CA list

Note: Installing the public-key for the LDAP server must be performed via the CLI. Refer to Section 7.1.2

steps 1 and 2 for directions for installing the public-key.

7.2 Managing Users

GigaVUE uses role-based authorization. There are three roles, Admin, Operator and Monitor, assigned by

an Authorized Administrator, and each has a different level of authorization in terms of the functions it

may perform. All SFR-relevant management activity is performed by the Admin role; the Admin user

corresponds to the PP’s definition of Authorized Administrator. Only Admin users can assign roles to

users, and more than one role may be assigned to a user.

7.2.1 Create a New Admin User Account (CLI):

1. Authenticate to the TOE via the CLI as an Admin user.

2. Select a password that meets the password strength requirements in Section 7.3.

3. Enter the following commands to create a new user account:

enable

config terminal

username <USERNAME> password <PASSWORD>

username <USERNAME> roles add admin

Note: An Admin user can delete user accounts with the ‘no username’ command.

7.2.2 Create a New Admin User Account (GUI):

1. Authenticate to the TOE via the WebGUI as an Admin user.

2. Click on “Roles and Users” > “Users”

3. Click on “Add.”

4. Fill in the fields as appropriate.

5. Assign the user the “admin” capability and click “Save.”

Note: An Admin user can delete user accounts under “Roles and Users” > “Users” by selecting the user and clicking “Delete”.

7.3 Password Management

Passwords can be composed using any combination of upper case and lower case letters, numbers and special characters. The special characters that are supported include the following: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”.

The password policy includes a configurable minimum length, which can be configured by an Admin user to any value between 15 and 30 in the evaluated configuration. Perform the following steps to configure the minimum length for passwords:

1. Authenticate to the TOE via the CLI as an Admin user.

2. Enter the following commands to enable secure passwords mode and set the minimum length:

enable

config terminal

system security passwords enhanced

system security passwords min-length 15

show system

3. Verify that the TOE reports “Configured secure passwords mode : enabled” and “Minimum password length : 15”.

In order to minimize the risk of account compromise, it is recommended to use a password that includes a mixture of uppercase, lowercase, numeric, and special characters and is not a common word or phrase, but is not so complex that it must be written down in order to be remembered.

7.4 Session Termination

7.4.1 Admin Logout

The Admin is able to terminate their own session by entering the “exit” command when logged into the local console or the remote CLI via SSH. The Admin can terminate their own session by clicking on the “logout” tab when logged into the WebGUI.


7.4.2 Termination from Inactivity

The TOE is designed to terminate a local session after a specified period of inactivity, with a default setting of 15 minutes.

The TOE has a single inactivity setting for the CLI accessed via the serial port and the CLI accessed via SSH. If the inactivity limit is reached while a user is logged into the CLI via the serial port, the session ends. If the inactivity limit is reached while a user is logged into the CLI via SSH, the TOE tears down the SSH connection. This setting can be configured between 0 and 35791 minutes; a value of 0 means that the setting is disabled and no timeout is configured. The CLI timeout is configured via the CLI by an Admin user with the following commands:

enable

config terminal

cli default auto-logout <MINUTES>

If the inactivity limit is reached while a user is logged into the WebGUI, the session ends. This setting can be configured between 0 and 999999999 minutes; a value of 0 means that the setting is disabled and no timeout is configured. The WebGUI timeout can be configured via the CLI by an Admin user with the following commands:

enable

config terminal

web auto-logout <MINUTES>

Additionally, an Admin user authenticated to the WebGUI can configure only the WebGUI timeout setting, using the following steps:

1. Authenticate to the TOE via the WebGUI as an Admin user

2. Click on “Settings” > “Global Settings” > “Web.”

3. Click “Edit.”

4. In the field for “Auto logout Timeout” enter <MINUTES>

5. Click “Save”

7.5 Login Banner

The CLI login banner is created by an Admin user authenticated to the CLI with the following commands:

enable

config terminal

banner login <STRING>

The WebGUI login banner is created by an Admin user authenticated to the WebGUI with the following steps:

1. Authenticate to the TOE via the WebGUI as an Admin user.

2. Click on “Settings” > “Global Settings” > “Hostname”

3. Click on “Edit”

4. Enter <BANNER TEXT> in the “Login Message” box.

5. Click “Save”


7.6 System Time Configuration

In the evaluated configuration of the TOE, the system time can either be set manually or by synchronizing with an NTP server in the TOE’s Operational Environment. Only an Admin user is able to perform these operations.

7.6.1 Manually Configure the Time (CLI)

1. Authenticate to the TOE via the CLI as an Admin user.

2. Enter the following command to view the current time:

show clock

3. Enter the following commands to set the date and time:

enable

config terminal

clock set <hh:mm:ss> [<yyyy/mm/dd>]

7.6.2 Manually Configure the Time (WebGUI)

1. Authenticate to the TOE via the WebGUI as an Admin user.

2. Click on “Settings” > “Date And Time”. This step will also allow the Admin user to view the current time.

3. Click on “Edit”

4. Specify a new date and time in the fields and then click “Save.”

7.6.3 Configure Connection to an NTP Server (CLI)

The TOE can be configured to connect to an NTP server by an Admin user authenticated to the CLI with the following commands:

enable

config terminal

ntp enable

ntp server <NTP_SERVER_IP_ADDRESS>

Refer to the ‘ntp’ section of document [1] on pages 808 and 809 for more information regarding configuring a connection to an NTP server.

7.6.4 Configure Connection to an NTP Server (GUI)

The TOE can be configured to connect to an NTP server by an Admin user authenticated to the WebGUI with the following steps:

1. Authenticate to the TOE via the WebGUI as an Admin user.

2. Click on “Settings” > “Date and Time” > “NTP”.

3. Click “Add”.

4. Populate the Server IP field with the NTP server IP address and fill in the Version field.

5. Check the server enabled box, and uncheck the key enabled box.

6. Click on “Settings”, check “Enabled” for NTP time synchronization, and click “Save”.


7.7 Secure Updates

To maintain security throughout the lifecycle of the GigaVUE product, the TOE provides a mechanism to apply software upgrades. To upgrade the software, the new software image must be available either on the Gigamon update server or on a local update server. The Gigamon update server is a Gigamon-hosted site, and the Admin user must enter a username and password to download the image. The local update server is under the control of the Admin user and is used by the Admin user to store a downloaded image.

The following sections describe the steps which must be taken in order to install a new software image, either by using the CLI or by using the WebGUI. Both communication channels are protected by TLS/HTTPS.

If the connection is interrupted during a download of the software update but the TLS/HTTPS session has not timed out, the TOE automatically continues the download over TLS/HTTPS once the connection has been re-established. If the TLS/HTTPS session has timed out, the Admin user will have to re-initiate the download of the software update.

7.7.1 Display the Current Version (CLI)

Before downloading a new image, the current version of the software image should be identified. The current version of the software image is displayed via the CLI by using the command “show version”.

7.7.2 Display the Current Version (WebGUI)

The current version of the software image is displayed via the WebGUI by following these steps:

1. Authenticate to the TOE via the WebGUI as an Admin user

2. Click on “Settings” > “Reboot and Upgrade” > “Images.”

3. Note the current version of the “currently booted” partition.

7.7.3 Downloading and Installing the New Image (CLI)

The “image” command is used via the CLI to download and install the new image. For more information on the “image” command, refer to the ‘image’ section in document [1] between pages 741 and 743.

1. Authenticate to the TOE via the CLI as an Admin user.

2. Enter the following commands to fetch an update to the TOE:

enable

config terminal

image fetch https://<HOSTNAME><PATH><FILENAME>

3. After the update has been fetched, enter the following commands on the TOE to initiate the update:

image install <FILENAME> install-boot

image boot next

4. If prompted to save modified configuration, answer “yes”.

5. Once the TOE reboots, enter the “write memory” command.


7.7.4 Downloading and Installing the New Image (WebGUI)

On the WebGUI the following steps must be performed in order to download and install the new image.

1. Authenticate to the TOE via the WebGUI as an Admin user

2. Click on “Settings”>”Reboot and Upgrade”>”Images”

3. Click on “New”

4. Choose the “install from local file” option if installing from the local file server and select “choose file”.

5. Alternatively, if installing from the Gigamon or local update server, choose the “Install from url” option and provide the url.

7.7.5 Rebooting TOE (CLI)

Once the image has been installed, the TOE must be rebooted for the new image to take effect and become the executing image. On the CLI this is achieved by using the following command:

reload

Once the TOE fully reboots, the new version of the software can be checked by performing the steps of section 7.7.1 or 7.7.2 above.

7.7.6 Rebooting the TOE (WebGUI)

On the WebGUI the Admin user must navigate to the “Settings” > “Reboot and Upgrade” > “Reboot” screen.

Once the TOE fully reboots, the new version of the software can be checked by performing the steps of section 7.7.1 or 7.7.2 above.

7.7.7 Actions to be Taken Upon Failure

The software image for the TOE contains a digital signature. If an attempt is made to download and install an illegitimate update, the TOE warns that verification of the digital signature has failed; the Admin user must heed this warning and reject the software image by not installing it. The Admin user can repeat the process to determine whether the error condition disappears. However, if the error persists, attempts to perform a software update should be halted.

8 Auditing

In order to be compliant with Common Criteria, GigaVUE must audit the events in the table below. The audit records that GigaVUE creates include the date and time, outcome of the event, event type, subject identity and the source of the event.

Auditing is turned on and off by using the ‘logging’ command; refer to Section 6.4 for more information. The ‘show log’ or ‘show logs’ command displays audit information. It is possible to use regular expressions in the show log command to restrict the search.


Table 8-1 columns: Component; Event; Additional Information; Audit Examples.

Component: FAU_GEN.1
Event: Startup and shutdown of audit functions.
Audit Examples:

Startup of audit functions:
Nov 5 17:15:59 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 8: requested by: user admin (System Administrator) via CLI, 1 item(s) changed
Nov 5 17:15:59 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 8: item 1: CLI command log level changed from "none" to "info"

Shutdown of audit functions:
Nov 5 17:07:44 GigaVUE-HD cli[2441]: [cli.INFO]: user admin: Executing command: logging level cli commands none

Component: FCS_TLS_EXT.1
Event: Failure to establish a TLS session. Establishment/Termination of a TLS session.
Additional Information: Reason for failure. Non-TOE endpoint of connection (IP address) for both successes and failures.
Audit Examples:

Failure to establish session (TLS):
Jan 27 17:05:12 GigamonHD4 httpd[20125]: [Wed Jan 27 17:05:12 2016] [notice] [client 192.168.1.99] Connection to child 7 established (server GigamonHD4:443)
Jan 27 17:05:12 GigamonHD4 httpd[20125]: [Wed Jan 27 17:05:12 2016] [error] [client 192.168.1.99] (70014)End of file found: SSL handshake interrupted by system [Hint: No shared ciphers or stop button pressed in browser?!]
Jan 27 17:05:12 GigamonHD4 httpd[20125]: [Wed Jan 27 17:05:12 2016] [notice] [client 192.168.1.99] Connection closed to child 7 with abortive shutdown (server GigamonHD4:443)

Session establishment (TLS):
Jan 27 16:59:37 GigamonHD4 httpd[20123]: [Wed Jan 27 16:59:37 2016] [notice] [client 192.168.1.99] Connection to child 3 established (server GigamonHD4:443)
Jan 27 16:59:37 GigamonHD4 httpd[20123]: [Wed Jan 27 16:59:37 2016] [notice] [client 192.168.1.99] Connection to child 3 completed successfully (server GigamonHD4:443)

Session termination (TLS):
Jan 27 16:59:37 GigamonHD4 httpd[20123]: [Wed Jan 27 16:59:37 2016] [notice] [client 192.168.1.99] Connection closed to child 3 with standard shutdown (server GigamonHD4:443)

Component: FCS_SSH_EXT.1
Event: Failure to establish an SSH session. Establishment/Termination of an SSH session.
Additional Information: Reason for failure. Non-TOE endpoint of connection (IP address) for both successes and failures.
Audit Examples:

Failure to establish SSH session:
Nov 4 14:07:44 GigaVUE-HD sshd[4691]: Connection from 192.168.1.99 port 55592
Nov 4 14:07:44 GigaVUE-HD sshd[4691]: fatal: Unable to negotiate a key exchange method [preauth]
Nov 4 14:08:28 GigaVUE-HD sshd[4714]: Connection from 192.168.1.99 port 55619
Nov 4 14:08:28 GigaVUE-HD sshd[4714]: fatal: no matching mac found: client hmac-md5 server hmac-sha1,hmac-sha2-256,hmac-sha2-512 [preauth]
Nov 4 14:09:06 GigaVUE-HD sshd[4737]: Connection from 192.168.1.99 port 55648
Nov 4 14:09:06 GigaVUE-HD sshd[4737]: fatal: no matching cipher found: client 3des-cbc server aes128-cbc,aes256-cbc [preauth]

Session establishment (SSH):
Nov 4 13:24:20 GigaVUE-HD sshd[3753]: Connection from 192.168.1.99 port 53782

Session termination (SSH):
Nov 4 13:24:51 GigaVUE-HD sshd[3753]: Connection closed by 192.168.1.99 [preauth]

Component: FCS_HTTPS_EXT.1
Event: Failure to establish an HTTPS session. Establishment/Termination of an HTTPS session.
Additional Information: Reason for failure. Non-TOE endpoint of connection (IP address) for both successes and failures.
Audit Examples:

Failure to establish session (HTTPS):
Refer to 'Audit log(s) for FCS_TLS_EXT.1'

Session establishment (HTTPS):
Jan 27 16:59:37 GigamonHD4 httpd[20123]: [Wed Jan 27 16:59:37 2016] [notice] [client 192.168.1.99] Connection to child 3 established (server GigamonHD4:443)
Jan 27 16:59:37 GigamonHD4 httpd[20123]: [Wed Jan 27 16:59:37 2016] [notice] [client 192.168.1.99] Connection to child 3 completed successfully (server GigamonHD4:443)

Session termination (HTTPS):
Nov 4 13:20:04 GigaVUE-HD ugwd[2088]: [ugwd.INFO]: ugwd_release_session_ptr: sessions IIj5UbD9HXxluUE5IqvnBxxRCheg67fQWLpBeD35BEBmAAg= count 0 logout 1
Nov 4 13:20:04 GigaVUE-HD ugwd[2088]: [ugwd.INFO]: session 1: closing for peer mgmtd user i:1954-0-0 (0/0) 0
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: session 37: closing for peer ugwc.8-2088 user admin (0/0) 1
Nov 4 13:20:04 GigaVUE-HD wsmd[2078]: [wsmd.NOTICE]: User admin (System Administrator) from 192.168.1.99 logged out of Web UI
Nov 4 13:20:04 GigaVUE-HD wsmd[2078]: [wsmd.INFO]: session 1: closing for peer mgmtd user i:1954-0-0 (0/0) 0
Nov 4 13:20:04 GigaVUE-HD wsmd[2078]: [wsmd.INFO]: Web session 8 closed
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: EVENT: /mgmtd/session/events/logout
Nov 4 13:20:04 GigaVUE-HD wsmd[2078]: [wsmd.INFO]: Recording web logout of user admin on device /dev/web/8
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: Calling internal interest callback for event /mgmtd/session/events/logout
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: Calling internal interest callback for event /mgmtd/session/events/logout
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.NOTICE]: User admin: logout from 127.0.0.1 through trusted ugwc.8 channel.
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: session 36: closing for peer wsmd.8-2078 user admin (0/0) 1
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: EVENT: /mgmtd/session/events/logout
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: Calling internal interest callback for event /mgmtd/session/events/logout
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: Calling internal interest callback for event /mgmtd/session/events/logout
Nov 4 13:20:04 GigaVUE-HD mgmtd[1954]: [mgmtd.NOTICE]: User admin: logout from 192.168.1.99 through trusted web channel.
Nov 4 13:20:08 GigaVUE-HD gsd[2079]: [gsd.INFO]: gsd_mon_handle_get(), gsd_mgmt.c:422: bname: /gv/internal/state/liveness/gsd

Component: FIA_UIA_EXT.1
Event: All use of the identification and authentication mechanism.
Additional Information: Provided user identity, origin of the attempt (e.g., IP address).
Audit Examples:

Local console login:
Oct 29 02:50:25 GigaVUE-HD mgmtd[2115]: [mgmtd.NOTICE]: User admin (local user admin) authentication method: local
Oct 29 02:50:25 GigaVUE-HD mgmtd[2115]: [mgmtd.NOTICE]: User admin: login from local through trusted cli channel.

GUI login:
Oct 29 04:59:16 GigaVUE-HD <EF><BB><BF><14>tornado.login: [INFO]: user admin attempting login from 192.168.1.241
Oct 29 04:59:16 GigaVUE-HD wsmd[2237]: [wsmd.INFO]: Web session 13 created
Oct 29 04:59:16 GigaVUE-HD wsmd[2237]: [wsmd.INFO]: Recording web login of user admin on device /dev/web/13
Oct 29 04:59:17 GigaVUE-HD mgmtd[2115]: [mgmtd.INFO]: Opened session: 73
Oct 29 04:59:17 GigaVUE-HD mgmtd[2115]: [mgmtd.INFO]: session 73: opened for client wsmd.13-2237 user admin (0/0) 1
Oct 29 04:59:17 GigaVUE-HD wsmd[2237]: [wsmd.INFO]: session 1: client open for peer mgmtd (local name wsmd.13-2237)
Oct 29 04:59:17 GigaVUE-HD mgmtd[2115]: [mgmtd.INFO]: TRUSTED_AUTH_INFO (user admin/admin): validated OK

LDAP GUI login:
Oct 29 05:06:04 GigaVUE-HD <EF><BB><BF><14>tornado.login: [INFO]: user testUser1 attempting login from 192.168.1.241
Oct 29 05:06:09 GigaVUE-HD wsmd[2237]: [wsmd.INFO]: Web session 14 created
Oct 29 05:06:09 GigaVUE-HD wsmd[2237]: [wsmd.INFO]: Recording web login of user admin on device /dev/web/14
Oct 29 05:06:09 GigaVUE-HD mgmtd[2115]: [mgmtd.INFO]: Opened session: 75
Oct 29 05:06:09 GigaVUE-HD mgmtd[2115]: [mgmtd.INFO]: session 75: opened for client wsmd.14-2237 user testUser1 (0/0) 1
Oct 29 05:06:09 GigaVUE-HD wsmd[2237]: [wsmd.NOTICE]: User testUser1 local user admin (System Administrator) logged into Web UI from 192.168.1.241
Oct 29 05:06:09 GigaVUE-HD mgmtd[2115]: [mgmtd.INFO]: TRUSTED_AUTH_INFO (user testUser1/admin): validated OK
Oct 29 05:06:09 GigaVUE-HD ugwd[2247]: [ugwd.INFO]: remote user id: testUser1, local user id: admin
Oct 29 05:06:09 GigaVUE-HD mgmtd[2115]: [mgmtd.NOTICE]: User testUser1 (local user admin) authentication method: ldap

SSH login using public key:
Jan 27 12:57:39 GigamonHD4 sshd[18546]: Connection from 192.168.1.99 port 46556
Jan 27 12:57:41 GigamonHD4 sshd[18546]: Found matching RSA key: de:2c:f2:4b:e6:f7:37:5e:41:18:96:c3:51:27:59:5a:09:3c:47:c9 [SHA-1]
Jan 27 12:57:41 GigamonHD4 sshd[18546]: Postponed publickey for cctl from 192.168.1.99 port 46556 ssh2 [preauth]
Jan 27 12:57:41 GigamonHD4 sshd[18546]: Found matching RSA key: de:2c:f2:4b:e6:f7:37:5e:41:18:96:c3:51:27:59:5a:09:3c:47:c9 [SHA-1]
Jan 27 12:57:41 GigamonHD4 sshd[18546]: Accepted publickey for cctl from 192.168.1.99 port 46556 ssh2
Jan 27 12:57:41 GigamonHD4 sshd[18546]: User cctl logged in via ssh2 from 192.168.1.99

SSH login using password:
Oct 29 02:58:04 GigaVUE-HD sshd[3477]: Connection from 192.168.1.241 port 59394
Oct 29 02:58:11 GigaVUE-HD sshd[3477]: Accepted keyboard-interactive/pam for admin from 192.168.1.241 port 59394 ssh2
Oct 29 02:58:11 GigaVUE-HD sshd[3477]: User admin (System Administrator) logged in via ssh2 from 192.168.1.241

Component: FIA_UAU_EXT.2
Event: All use of the authentication mechanism.
Additional Information: Origin of the attempt (e.g., IP address).
Audit Examples: See FIA_UIA_EXT.1

Component: FPT_STM.1
Event: Changes to the time.
Additional Information: The old and new values for the time. Origin of the attempt (e.g., IP address).
Audit Examples:

CLI changes to time:
Nov 4 13:43:10 GigaVUE-HD cli[4166]: [cli.INFO]: user admin: Executing command: show clock
Nov 4 13:43:14 GigaVUE-HD cli[3985]: [cli.INFO]: user admin: Executing command: show log
Nov 4 13:43:36 GigaVUE-HD cli[4166]: [cli.INFO]: user admin: Getting command line help: "clock set 13:44:00 ?"
Nov 4 13:43:41 GigaVUE-HD cli[4166]: [cli.INFO]: user admin: Executing command: clock set 13:44:00 2015/11/04
Nov 4 13:43:41 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: Action ID 27: requested by: user admin (System Administrator) via CLI
Nov 4 13:43:41 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: Action ID 27: descr: system clock: set date and time
Nov 4 13:43:41 GigaVUE-HD mgmtd[1954]: [mgmtd.INFO]: Action ID 27: param: date and time: 2015/11/04 13:44:00
Nov 4 13:44:00 GigaVUE-HD pm[1953]: [pm.INFO]: Restarting process crond (Cron Daemon) from RUNNING state

GUI changes to time:
Jan 27 15:15:03 GigamonHD4 mgmtd[1944]: [mgmtd.INFO]: Action ID 51: descr: system clock: set date and time
Jan 27 15:15:03 GigamonHD4 mgmtd[1944]: [mgmtd.INFO]: Action ID 51: param: date and time: 2015/01/27 19:14:48
Jan 27 19:14:48 GigamonHD4 pm[1943]: [pm.INFO]: Restarting process crond (Cron Daemon) from RUNNING state
Jan 27 19:14:48 GigamonHD4 pm[1943]: [pm.NOTICE]: Terminating process crond (Cron Daemon)

NTP changes to time:
Nov 16 16:07:49 gigamon-20016a ntpd[3114]: synchronized to 10.224.0.13, stratum 1
Nov 18 18:18:04 gigamon-20016a ntpd[3114]: time reset +180615.125342 s

Component: FPT_TUD_EXT.1
Event: Initiation of update.
Additional Information: No additional information.
Audit Examples:

Initiation of update (CLI):
Nov 2 12:27:53 GigaVUE-HD cli[2377]: [cli.INFO]: user admin: Executing command: image install hdccv2_2015-10-26.img install-boot
Nov 2 12:27:53 GigaVUE-HD cli[2377]: [cli.INFO]: user admin: Tracking progress on operation ID cli-2377-167
Nov 2 12:27:53 GigaVUE-HD mgmtd[1943]: [mgmtd.INFO]: Action ID 8: requested by: user admin (System Administrator) via CLI
Nov 2 12:27:53 GigaVUE-HD mgmtd[1943]: [mgmtd.INFO]: Action ID 8: descr: install system software image
Nov 2 12:27:53 GigaVUE-HD mgmtd[1943]: [mgmtd.INFO]: Action ID 8: param: image filename: hdccv2_2015-10-26.img, version: GigaVUE-OS 4.5.00hd_4402_bah #11264 2015-10-26 12:41:06 ppc gvcc2 build_master@jenkins-slave021:svn57106

Initiation of update (GUI):
Oct 30 10:48:02 GigaVUE-HD ugwd[2085]: [ugwd.INFO]: :wsmd_user_id: admin, and wsmd_local_user_id :admin
Oct 30 10:48:02 GigaVUE-HD mgmtd[1949]: [mgmtd.INFO]: Action ID 7: requested by: user admin (System Administrator) via ugwc-2085
Oct 30 10:48:02 GigaVUE-HD mgmtd[1949]: [mgmtd.INFO]: Action ID 7: descr: install system software image
Oct 30 10:48:02 GigaVUE-HD mgmtd[1949]: [mgmtd.INFO]: Action ID 7: param: image filename: hdccv2_2015-10-26.img, version: GigaVUE-OS 4.5.00hd_4402_bah #11264 2015-10-26 12:41:06 ppc gvcc2 build_master@jenkins-slave021:svn57106

Component: FTA_SSL_EXT.1
Event: Any attempts at unlocking of an interactive session.
Additional Information: No additional information.
Audit Examples:

Session termination due to inactivity (local console):
Oct 28 20:00:42 GigaVUE-HD cli[10349]: [cli.NOTICE]: user admin: Inactive for 3 minutes -- automatically logging out

Component: FTA_SSL.3
Event: The termination of a remote session by the session locking mechanism.
Additional Information: No additional information.
Audit Examples:

Session termination due to inactivity (remote CLI):
Oct 28 18:32:51 GigaVUE-HD cli[8386]: [cli.NOTICE]: user admin: Inactive for 3 minutes -- automatically logging out

Session termination due to inactivity (remote WebGUI):
Oct 28 19:20:33 GigaVUE-HD wsmd[2237]: [wsmd.INFO]: Web session 21 timed out due to inactivity

Component: FTA_SSL.4
Event: The termination of an interactive session.
Additional Information: No additional information.
Audit Examples:

Manual session termination by admin (local console):
Oct 29 11:10:22 GigaVUE-HD cli[29757]: [cli.INFO]: user admin: Executing command: exit
Oct 29 11:10:22 GigaVUE-HD mgmtd[2115]: [mgmtd.NOTICE]: User admin: logout from local through trusted cli channel.
Oct 29 11:10:22 GigaVUE-HD cli[29757]: [cli.INFO]: user admin: session 1: closing, but already closed
Oct 29 11:10:22 GigaVUE-HD cli[29757]: [cli.NOTICE]: user admin: CLI exiting
Oct 29 11:10:22 GigaVUE-HD login: pam_unix(login:session): session closed for user admin

Manual session termination by admin (remote CLI):
Oct 29 11:13:20 GigaVUE-HD cli[29837]: [cli.INFO]: user admin: Executing command: exi
Oct 29 11:13:20 GigaVUE-HD mgmtd[2115]: [mgmtd.NOTICE]: User admin: logout from 192.168.1.241 through trusted cli channel.
Oct 29 11:13:20 GigaVUE-HD cli[29837]: [cli.INFO]: user admin: session 1: closing, but already closed
Oct 29 11:13:20 GigaVUE-HD cli[29837]: [cli.NOTICE]: user admin: CLI exiting
Oct 29 11:13:20 GigaVUE-HD sshd[29832]: Connection closed by 192.168.1.241
Oct 29 11:13:20 GigaVUE-HD sshd[29832]: pam_unix(sshd:session): session closed for user admin
Oct 29 11:13:20 GigaVUE-HD sshd[29832]: Transferred: sent 3408, received 3056 bytes
Oct 29 11:13:20 GigaVUE-HD sshd[29832]: Closing connection to 192.168.1.241 port 50844

Manual session termination by admin (remote WebGUI):
Oct 29 11:17:47 GigaVUE-HD ugwd[2247]: [ugwd.INFO]: ugwd_release_session_ptr: sessions IKklQOWsG3GsGsAHUT7LronYyFy54sZej6VCAhcZgCYCABs= count 0 logout 1
Oct 29 11:17:47 GigaVUE-HD ugwd[2247]: [ugwd.INFO]: session 1: closing for peer mgmtd user i:2115-0-0 (0/0) 0
Oct 29 11:17:47 GigaVUE-HD mgmtd[2115]: [mgmtd.INFO]: session 129: closing for peer ugwc.26-2247 user admin (0/0) 1
Oct 29 11:17:47 GigaVUE-HD wsmd[2237]: [wsmd.NOTICE]: User admin (System Administrator) from 192.168.1.241 logged out of Web UI
Oct 29 11:17:47 GigaVUE-HD wsmd[2237]: [wsmd.INFO]: session 1: closing for peer mgmtd user i:2115-0-0 (0/0) 0
Oct 29 11:17:47 GigaVUE-HD wsmd[2237]: [wsmd.INFO]: Web session 27 closed

Component: FTP_ITC.1
Event: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Additional Information: Identification of the initiator and target of failed trusted channels establishment attempt.
Audit Examples:

Initiation & termination of the trusted channel (HTTPS update web server):
Nov 2 12:27:06 GigaVUE-HD cli[2377]: [cli.INFO]: user admin: Executing command: image fetch https://chris.cctl.com/4.4.03/hdccv2_2015-10-26.img
Nov 2 12:27:06 GigaVUE-HD cli[2377]: [cli.INFO]: user admin: Tracking progress on operation ID cli-2377-62
Nov 2 12:27:06 GigaVUE-HD mgmtd[1943]: [mgmtd.INFO]: Action ID 7: requested by: user admin (System Administrator) via CLI
Nov 2 12:27:06 GigaVUE-HD mgmtd[1943]: [mgmtd.INFO]: Action ID 7: descr: download file
Nov 2 12:27:30 GigaVUE-HD progress[2401]: [progress.INFO]: session 1: closing, but already closed
Nov 2 12:27:30 GigaVUE-HD progress[2401]: [progress.INFO]: Progress wrapper exiting
Nov 2 12:27:30 GigaVUE-HD mgmtd[1943]: [mgmtd.INFO]: Download of /var/opt/tms/images/.temp/hdccv2_2015-10-26.img complete, now 0 downloads active
Nov 2 12:27:30 GigaVUE-HD mgmtd[1943]: [mgmtd.INFO]: Action ID 7: status: completed with success

Failure of the trusted channel functions (HTTPS update web server):
Nov 5 17:57:22 GigaVUE-HD cli[2441]: [cli.INFO]: user admin: Executing command: image fetch https://chris.cctl.com/4.4.03/hb1_2015-10-26.img
Nov 5 17:57:22 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Download of /var/opt/tms/images/.temp/hb1_2015-10-26.img complete, now 0 downloads active
Nov 5 17:57:22 GigaVUE-HD mgmtd[1957]: [mgmtd.ERR]: Set commit return status: code 0x1, message: SSL certificate verification failed.
Nov 5 17:57:22 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Action ID 18: status: completed with failure

Initiation of the trusted channel (Remote syslog via SSH):
Nov 5 18:14:25 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: md_syslog_create_ssh: Creating ssh connection to [email protected]:6514 from local port 61001
Nov 5 18:14:25 GigaVUE-HD mgmtd[4267]: [mgmtd.NOTICE]: Respawning ssh process to [email protected]:6514 from localhost:61001
Nov 5 18:14:25 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: md_syslog_create_netcat: Creating netcat for 192.168.1.51:61001 through /tmp/fifo-192.168.1.51
Nov 5 18:14:31 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: md_syslog_create_fifo: Fifofile /tmp/fifo-192.168.1.51 exist, no need to recreate.
Nov 5 18:14:31 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: md_syslog_create_ssh: Creating ssh connection to [email protected]:6514 from local port 61001
Nov 5 18:14:31 GigaVUE-HD mgmtd[4281]: [mgmtd.NOTICE]: Respawning ssh process to [email protected]:6514 from localhost:61001
Nov 5 18:14:31 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: md_syslog_create_netcat: Creating netcat for 192.168.1.51:61001 through /tmp/fifo-192.168.1.51

Termination of the trusted channel (Remote syslog via SSH):
Nov 5 18:25:27 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 33: requested by: user admin (System Administrator) via CLI, 6 item(s) changed
Nov 5 18:25:27 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 33: item 1: syslog: remote sink 192.168.1.51 deleted
Nov 5 18:25:27 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 33: item 2: syslog: remote sink 192.168.1.51: minimum log severity was "info" before deletion
Nov 5 18:25:27 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 33: item 3: syslog: remote sink 192.168.1.51: per-facility override was enabled before deletion
Nov 5 18:25:27 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 33: item 4: syslog: remote sink 192.168.1.51: TCP forwarding port was 6514 before deletion
Nov 5 18:25:27 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 33: item 5: syslog: remote sink 192.168.1.51: SSH enabled was enabled before deletion
Nov 5 18:25:27 GigaVUE-HD mgmtd[1957]: [mgmtd.INFO]: Config change ID 33: item 6: syslog: remote sink 192.168.1.51: SSH username was "cctl" before deletion

Failure of the trusted channel (Remote syslog via SSH):
Jan 29 14:40:48 GigamonHD4 mgmtd[2109]: [mgmtd.INFO]: md_syslog_create_ssh: Creating ssh connection to [email protected]:6514 from local port 61001
Jan 29 14:40:49 GigamonHD4 mgmtd[5500]: [mgmtd.ERR]: SSH connection to [email protected]:6514 failed
Jan 29 14:40:49 GigamonHD4 pm[2108]: [pm.NOTICE]: Output from mgmtd (Management Daemon) (pid 2109): [mgmtd.ERR]: SSH connection to 61001 failed
Jan 29 14:40:49 GigamonHD4 mgmtd[2109]: [mgmtd.INFO]: md_syslog_create_ssh: Running /opt/tms/bin/gv_syslog_ssh.sh 61001 192.168.1.51 cctl 6514
Jan 29 14:40:49 GigamonHD4 mgmtd[2109]: [mgmtd.INFO]: md_syslog_create_netcat: Creating netcat for 192.168.1.51:61001 through /tmp/fifo-192.168.1.51

Initiation of the trusted channel (LDAP authentication server):
Jan 27 20:20:53 GigamonHD4 sshd[24229]: pam_ldap: session established to LDAP server tacacs.cctl.com:389:

Termination of the trusted channel (LDAP authentication server):
Jan 29 15:14:24 GigamonHD4 sshd[6462]: pam_ldap: connection closed to LDAP admin@server tacacs.cctl.com:389:

Failure of the trusted channel (LDAP authentication server):
Nov 6 11:01:39 GigaVUE-HD <EF><BB><BF><14>tornado.login: [INFO]: user testUser1 attempting login from 192.168.1.99
Nov 6 11:01:39 GigaVUE-HD wsmd[2069]: pam_ldap: ldap_starttls_s: server tacacs.cctl.com:389: Connect error: certificate verify failed

Component: FTP_TRP.1
Event: Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions.
Additional Information: Identification of the claimed user identity.
Audit Examples:

Initiation & termination of the trusted path (SSH):
Nov 5 17:59:31 GigaVUE-HD sshd[3870]: Connection from 192.168.1.99 port 7274
Nov 5 17:59:34 GigaVUE-HD sshd[3870]: Postponed keyboard-interactive for admin from 192.168.1.99 port 7274 ssh2 [preauth]
Nov 5 17:59:36 GigaVUE-HD sshd[3870]: Postponed keyboard-interactive/pam for admin from 192.168.1.99 port 7274 ssh2 [preauth]
Nov 5 17:59:36 GigaVUE-HD sshd[3870]: Accepted keyboard-interactive/pam for admin from 192.168.1.99 port 7274 ssh2
Nov 5 17:59:36 GigaVUE-HD sshd[3870]: User admin (System Administrator) logged in via ssh2 from 192.168.1.99
Nov 5 17:59:39 GigaVUE-HD sshd[3870]: Connection closed by 192.168.1.99
Nov 5 17:59:39 GigaVUE-HD sshd[3870]: pam_unix(sshd:session): session closed for user admin
Nov 5 17:59:39 GigaVUE-HD sshd[3870]: Transferred: sent 1920, received 2096 bytes
Nov 5 17:59:39 GigaVUE-HD sshd[3870]: Closing connection to 192.168.1.99 port 7274

Failure of the trusted path functions (SSH):
Nov 4 14:07:44 GigaVUE-HD sshd[4691]: Connection from 192.168.1.99 port 55592
Nov 4 14:07:44 GigaVUE-HD sshd[4691]: fatal: Unable to negotiate a key exchange method [preauth]
Nov 4 14:08:28 GigaVUE-HD sshd[4714]: Connection from 192.168.1.99 port 55619
Nov 4 14:08:28 GigaVUE-HD sshd[4714]: fatal: no matching mac found: client hmac-md5 server hmac-sha1,hmac-sha2-256,hmac-sha2-512 [preauth]
Nov 4 14:09:06 GigaVUE-HD sshd[4737]: Connection from 192.168.1.99 port 55648
Nov 4 14:09:06 GigaVUE-HD sshd[4737]: fatal: no matching cipher found: client 3des-cbc server aes128-cbc,aes256-cbc [preauth]

Initiation & termination of the trusted channel (HTTPS WebGUI):
Nov 5 18:02:23 GigaVUE-HD mgmtd[1957]: [mgmtd.NOTICE]: User admin: login from 192.168.1.99 through trusted web channel.
Nov 5 18:02:28 GigaVUE-HD mgmtd[1957]: [mgmtd.NOTICE]: User admin: logout from 192.168.1.99 through trusted web channel.

Failure of the trusted path functions (HTTPS WebGUI):
Jan 27 17:05:12 GigamonHD4 httpd[20125]: [Wed Jan 27 17:05:12 2016] [error] [client 192.168.1.99] (70014)End of file found: SSL handshake interrupted by system

Table 8-1: NDPP Auditable Events

The rightmost column in Table 8-1 provides examples of each audit event for which the TOE needs to produce a record. The following is one example of an audit record, used here to describe the contents of a record:

Oct 29 01:22:24 GigaVUE-HD mgmtd[2115]: [mgmtd.NOTICE]: User cctl: login from 192.168.1.241 through trusted CLI channel.

The following are the fields of this audit record:

Oct 29 01:22:24 = the date and time the event occurred

GigaVUE-HD = the GigaVUE model that recorded the event

mgmtd[2115]: [mgmtd.NOTICE]: = the management channel (daemon, process ID and severity) for the event

User cctl: = the subject identity, which in this case is the username of the user that caused the event

login from 192.168.1.241 through trusted CLI channel. = a message that indicates the type of event and identifies the IP address of the remote system connecting to the TOE
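As an added example (not part of the Gigamon guidance or the product's own software), the following Python parser splits records of the format just described into the fields listed above and labels the trusted path and trusted channel events of Table 8-1 the way a log-collection rule would. The sample records are constructed from this page's own examples; the regular expressions and the label names are assumptions of this example.

```python
import re

# Constructed sample records, copied from the record formats this section and
# Table 8-1 show (hosts, PIDs and addresses are the page's own example values).
SAMPLE_LOG = """\
Oct 29 01:22:24 GigaVUE-HD mgmtd[2115]: [mgmtd.NOTICE]: User cctl: login from 192.168.1.241 through trusted CLI channel.
Nov 5 18:02:28 GigaVUE-HD mgmtd[1957]: [mgmtd.NOTICE]: User admin: logout from 192.168.1.99 through trusted web channel.
Nov 4 14:08:28 GigaVUE-HD sshd[4714]: fatal: no matching mac found: client hmac-md5 server hmac-sha1,hmac-sha2-256,hmac-sha2-512 [preauth]
Nov 6 11:01:39 GigaVUE-HD wsmd[2069]: pam_ldap: ldap_starttls_s: server tacacs.cctl.com:389: Connect error: certificate verify failed
Jan 27 17:05:12 GigamonHD4 httpd[20125]: [Wed Jan 27 17:05:12 2016] [error] [client 192.168.1.99] (70014)End of file found: SSL handshake interrupted by system
"""

# Field layout described in the text: date/time, model, daemon[pid]:, optional
# [daemon.LEVEL]: tag, then the message. The regex itself is this example's own.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "  # date and time of the event
    r"(?P<host>\S+) "                                      # GigaVUE model that recorded it
    r"(?P<proc>[A-Za-z_]+)\[(?P<pid>\d+)\]: "              # management daemon and its PID
    r"(?:\[(?P<tag>[^\]]+)\]: )?"                          # e.g. mgmtd.NOTICE (absent for sshd)
    r"(?P<msg>.*)$")
# Subject identity plus the trusted channel message, as in the worked record above.
USER_RE = re.compile(r"User (?P<user>\S+): (?P<action>login|logout) from "
                     r"(?P<ip>[\d.]+) through trusted (?P<channel>\w+) channel")

def parse_record(line):
    """Split one GigaVUE syslog line into its fields; None if it is not one."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    u = USER_RE.search(rec["msg"])
    rec.update(u.groupdict() if u else dict.fromkeys(("user", "action", "ip", "channel")))
    return rec

def classify(rec):
    """Label the record the way a SIEM rule keyed on the Table 8-1 events would."""
    msg, proc = rec["msg"], rec["proc"]
    if rec["action"]:                                   # trusted path/channel login or logout
        return "trusted_path_" + rec["action"]
    if proc == "sshd" and "fatal:" in msg and "[preauth]" in msg:
        return "trusted_path_failure_ssh"               # no common cipher, MAC or key exchange
    if "pam_ldap" in msg and "certificate verify failed" in msg:
        return "trusted_channel_failure_ldap"           # TLS to the LDAP server not established
    if proc == "httpd" and "SSL handshake interrupted" in msg:
        return "trusted_path_failure_https"             # WebGUI TLS handshake aborted
    return "other"

def summarize(text):
    # (timestamp, label) pairs for every parsable line of a syslog excerpt
    return [(r["ts"], classify(r)) for r in map(parse_record, text.splitlines()) if r]
```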

8.1 Audit Storage

The TOE generates audit records, which are stored locally or on a configured Syslog Server. Once the Syslog Server is configured, audit records are stored locally and also sent immediately to the Syslog Server over an SSH-encrypted channel. The following sections show how to create an SSH RSA key and configure the Syslog Server.

If the connection is interrupted during a log transfer, the TOE will automatically continue the secure log transfer over SSH once the connection is re-established.

8.1.1 Assigning a Public Key to the Syslog Server and Enabling SSH (CLI)

In order for the communications between the TOE and the Syslog Server to be encrypted by SSH, an RSA key must be generated on the TOE, which acts as the SSH client, and copied over to the Syslog Server, which acts as the SSH server. This is achieved by the following steps.

1. Create the RSA key on the TOE using the commands:

enable
config terminal
ssh client user <USERNAME> identity rsa2 generate
show ssh client

2. Copy the RSA public key to the Syslog Server and insert it into the “~/.ssh/authorized_keys” file.


8.1.2 Configuring the Syslog Server (CLI)

The “logging” command is used to configure the Syslog Server. For more information on the “logging” command, refer to the ‘logging’ Section in document [1] between pages 777 and 780. The configuration must be performed by an Admin user via the CLI, and the following commands must be used in the evaluated configuration of the TOE for connecting to a Syslog Server.

enable
config terminal
logging <SYSLOG_SERVER_IP_ADDRESS> tcp <0-65535> ssh username <USERNAME>
logging trap info

9 Communications Protocols and Services

In the evaluated configuration, the SSH2 protocol was tested for remote administration and secure transfer of audit data to the Syslog Server. TLS/HTTPS was also tested in the evaluated configuration to secure the WebGUI, update server and LDAP server (TLS only) trusted channels. The Telnet protocol is excluded from the evaluated configuration of the GigaVUE product because it does not provide security for data in transit. The product supports numerous other communications protocols that were not evaluated as part of the Common Criteria evaluation because they provide functionality that is not assessed by the Protection Profile. These protocols are facilitated by processes on the GigaVUE device that support their implementation and include the following:

ARP

CDP

DHCP

DHCPv6

FTP

GRE

GTP

HTTP

IGMP

ICMP

ISL

IPv4

IPv6

LLDP

MPLS

NTP

PDP

RADIUS

RSVP

SCP

SFTP


SNMP

SSL

TACACS+

TCP

Telnet

TFTP

TLS

UDP

Information about the configuration and usage of these protocols can be found in the standard Gigamon

documentation for the product as specified in Section 4 of this document.

10 Modes of Operation

The TOE has two modes of operation, as follows:

Booting – While booting, the GigaVUE does not allow access to the administrator interfaces or process

network traffic until the software image and configuration have loaded. During this mode of operation the

TOE’s Power-on self-tests (POST) are performed. As long as there are no errors during the POST, this

mode of operation automatically progresses to the Normal mode of operation.

Normal – The GigaVUE software image and configuration are loaded and the GigaVUE is operating as configured. It should be noted that all levels of administrative access occur in this mode and that all GigaVUE-based security functions are operating.

The POST includes self-tests for the cryptographic module’s operations, an integrity check of the

configuration database, and a hardware inspection for anomalies. If there is a self-test failure during the

POST, then the TOE will display error messages providing information regarding the self-test that failed

via the serial console. If any of the POST self-tests fail, the following actions should be taken:

Restart the TOE to perform POST again and determine whether normal operation can be resumed.

If the problem persists, refer to Section 11 to contact Gigamon.

11 Obtaining Technical Assistance

Gigamon offers technical assistance through their website: www.gigamon.com under the heading

“Support and Services”. There is a specific customer support portal with website:

https://gigamoncp.force.com/gigamoncp/ where customers can login with a username and password.

Support in North America can be contacted using the telephone number: +1 855-430-0813 (Toll Free).

In addition, the support team can be contacted by email at: [email protected]

Other support contact information can be found at: https://www.gigamon.com/support-and-services/contact-support