Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 1 Huawei SSeries Ethernet Switches V200R008 Security Target Version: 2.2 Last Update: 2016-10-21 Author: Huawei Technologies Co., Ltd. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 2 Revision record Date Revision Version Change Description Author 2016-01-28 0.1 Initial Draft Liu Canhong 2016-03-14 1.0 Final version. Changed references to correct versions. Finalized layout Liu Canhong 2016-04-18 1.1 ST physical scope update and L3 function description update Liu Canhong 2016-05-09 1.2 Update linux distuibution Update E600 discription in table 4 Fix typographical error Update FCS_COP.1/AES Update talble 4 Liu Canhong 2016-05-10 1.3 Change FIPS SP 800-67 and FIPS SP 800-38A to NIST SP 800-67 and NIST SP 800-38A Reinstate FCS_CKM.1/3DES Liu Canhong 2016-05-12 1.4 Update 6.2.2.8 Liu Canhong 2016/5/26 1.5 Typo in table 4 Correct version in table 7 Liu Canhong 2016/7/8 1.6 Update guidance in table 7 Add S-telnet description in 7.1.6 Liu Canhong 2016/9/2 1.7 Change description “The TOE names S-Telnet as SSH” into “The TOE names SSH as S-Telnet” Change version to V200R008C00SPC500 Liu Canhong 2016/9/7 1.8 Update cryptographic suites Liu Canhong 2016/9/19 1.9 Update cryptographic suites for OSPF/BGP in section 1.4.3.9 and replacethe HMAC-MD5 to HMAC-SHA Liu Canhong 2016/10/07 2.0 Update cryptographic Liu Canhong 2016/10/13 2.1 Update tpyo Liu Canhong 2016/10/21 2.2 Update AGD version Liu Canhong Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 3 Table of Contents TABLE OF CONTENTS .......................................................................................................................3 LIST OF TABLES..................................................................................................................................5 LIST OF FIGURES................................................................................................................................5 1 INTRODUCTION ......................................................................................................................6 1.1 Security Target Identification.................................................................................. 6 1.2 TOE Identification.................................................................................................... 6 1.3 Target of Evaluation (TOE) Overview.................................................................... 11 1.4 TOE Description ..................................................................................................... 12 1.4.1 Architectural overview................................................................................... 12 1.4.2 Scope of Evaluation .......................................................................................... 16 1.4.3 Summary of Security Features ....................................................................... 28 1.4.4 TSF and Non-TSF data....................................................................................... 31 2 CC CONFORMANCE CLAIM ..............................................................................................31 3 TOE SECURITY PROBLEM DEFINITION........................................................................32 3.1 Threats ................................................................................................................... 32 3.1.1 Threats ............................................................................................................ 32 3.1.2 Threats Components ...................................................................................... 32 3.2 Assumptions .......................................................................................................... 33 3.2.1 Environment of use of the TOE ...................................................................... 33 4 SECURITY OBJECTIVES .....................................................................................................35 4.1 Objectives for the TOE........................................................................................... 35 4.2 Objectives for the Operational Environment ....................................................... 35 4.3 Security Objectives Rationale ............................................................................... 36 4.3.1 Coverage ......................................................................................................... 36 4.3.2 Sufficiency....................................................................................................... 36 5 EXTENDED COMPONENTS DEFINITION .......................................................................38 6 SECURITY REQUIREMENTS..............................................................................................38 6.1 Conventions ............................................................................................................... 38 6.2 TOE Security Functional Requirements .................................................................... 38 6.2.1 Security Audit (FAU) ........................................................................................... 38 6.2.2 Cryptographic Support (FCS) .............................................................................. 40 6.2.3 User Data Protection (FDP) ................................................................................ 41 6.2.4 Identification and Authentication (FIA)............................................................. 43 6.2.5 Security Management (FMT).............................................................................. 45 Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 4 6.2.6 Protection of the TSF (FPT)................................................................................. 46 6.2.7 Resource utilization (FRU).................................................................................. 46 6.2.8 TOE access (FTA) ................................................................................................. 46 6.2.9 Trusted Path/Channels (FTP) ............................................................................. 47 6.3 Security Functional Requirements Rationale ....................................................... 47 6.3.1 Sufficiency and coverage.................................................................................. 47 6.3.3 Security Requirements Dependency Rationale............................................... 49 6.4 Security Assurance Requirements ........................................................................ 50 6.5 Security Assurance Requirements Rationale........................................................ 50 7 TOE SUMMARY SPECIFICATION.....................................................................................50 7.1 TOE Security Functional Specification................................................................... 50 7.1.1 Authentication................................................................................................ 50 7.1.2 Access Control................................................................................................. 51 7.1.3 L2 Traffic Forwarding...................................................................................... 51 7.1.4 L3 Traffic Forwarding...................................................................................... 52 7.1.5 Auditing........................................................................................................... 53 7.1.6 Communication Security ................................................................................ 53 7.1.7 ACL................................................................................................................... 54 7.1.8 Security Management ...................................................................................... 54 7.1.9 Cryptographic functions ................................................................................. 56 7.1.10 Time............................................................................................................... 56 7.1.11 SNMP Trap ...................................................................................................... 56 7.1.12 STP................................................................................................................... 57 8 ABBREVIATIONS, TERMINOLOGY AND REFERENCES ............................................57 8.1 Abbreviations......................................................................................................... 57 8.2 Terminology........................................................................................................... 58 8.3 References ............................................................................................................. 58 Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 5 List of Tables Table 1: Naming rules of Box Switch ...............................................................................................8 Table 2: Naming rules of Chassis Switch .........................................................................................8 Table 3: The device list of Huawei S Series Ethernet Switches........................................................9 Table 4: Model Specifications........................................................................................................23 Table 5: Chassis Switch Interfaces Specifications..........................................................................25 Table 6: Box Switch Interfaces Specifications................................................................................25 Table 7 List of software and guidance...........................................................................................26 Table 8: Access Levels....................................................................................................................29 Table 9: Mapping Objectives to Threats........................................................................................36 Table 10: Mapping Objectives for the Environment to Threats, Assumptions..............................36 Table 11: Sufficiency analysis for threats ......................................................................................37 Table 12: Sufficiency analysis for assumptions .............................................................................38 Table 13: SFR sufficiency analysis..................................................................................................49 Table 14: Dependencies between TOE Security Functional Requirements...................................50 List of Figures Figure 1: Naming rules of Box Switch..............................................................................................7 Figure 2: Naming rules of Chassis Switch........................................................................................8 Figure 3: TOE Physical architecture of Box Switch ........................................................................12 Figure 4: TOE Physical architecture of Chassis Switch...................................................................14 Figure 5: TOE Software architecture .............................................................................................15 Figure 6: TOE logical scope............................................................................................................27 Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 6 1 Introduction This Security Target is for the evaluation of Huawei SSeries Ethernet SwitchesV200R008. 1.1 Security TargetIdentification Name: Huawei SSeries Ethernet SwitchesV200R008 Security Target Version: 2.2 Publication Date:2016-10-21 Author: Huawei Technologies Co., Ltd. 1.2 TOE Identification Name: Huawei S Series Ethernet Switches Version: V200R008C00SPC500 At the core of Huawei SSeries Ethernet SwitchesisVersatile Routing Platform (VRP).Product software version V200R008C00SPC500runs on VRP software Version 5 Release 16, the software version of data plane is V200R008C00SPC500. HuaweiSSeries Ethernet Switches are classified into Box Switches and Chassis Switches based on their physical forms. The forward capacity of Chassis Switches is larger than Box Switches and Chassis Switches can use different LPU (Line Processing Unit) to provide different ports with various types, but there is no difference in security functionality. HuaweiSSeries Ethernet Switchescan be classified into Layer 2 Switches and Layer 3 Switches based on their function. Layer 2 Switches support Ethernet forwarding. Layer 3 Switches support both Ethernet forwarding and IP forwarding. HuaweiSSeries Ethernet Switchescan be classified into Provider Switches (SX3XX Series), Enterprise Switches(SX7XXSeries) and Education Switches (E6XX Series). The difference among Provider Switches, Enterprise Switches and Education Switches is that they are sold in difference markets, the models are functionally identical. There are some minor security differences between the various series: not all series support all functionality:  The S23xx-EI/S53xx-LI and S27XX-EI/S57XX-LI do not support L3 forwarding  The S53xx-SI, S57xx-SI and E6XX only support static routing and no OSPF/BGP Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 7 The naming rules examplesof Huawei S Series Box Switches are as follows: Figure 1: Naming rules of Box Switch Identifier Description A Product series.  “S23” indicates the S2300 series.  “S27” indicates the S2700 series.  “S5700/S5710” indicates the S5700 series.  "S53/S5300/S5310" indicates the S5300 series.  "S67" indicates the S6700 series.  “S63” indicates the S6300 series  "E6" indicates the E600 series.  “S5720” indicates the S5720 series.  "S5320" indicates the S5320 series.  "S6720" indicates the S6720 series.  “S6320” indicates the S6320 series B Maximum number of interfaces. C Uplink port type:  C: The product supports extended cards and its uplink ports are provided by an extended card or are fixed 10GE ports for S5xxx series or fixed 40GE ports for S6x20 series.  PC: The product supports extended cards and its uplink ports are provided by an extended card or are fixed GE ports.  X: The product has fixed 10GE uplink ports.  P: The uplink ports of the product are fixed GE optical Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 8 ports.  TP: The uplink ports of the product include combo ports consisting of electrical and optical ports. D Supports Power over Ethernet (PoE). If this letter is not displayed, PoE is not supported. E Device type:  SI: standard version, supporting basic features  EI: enhanced version, supporting enhanced features  HI: advanced version, supporting high-performance Operation, Administration, and Maintenance (OAM) and built-in real-time clock (RTC)  LI:lightweight version F Downlink interface type. The value 24S indicates that 24 downlink interfaces are optical interfaces. If this letter is not displayed, all downlink interfaces are electrical interfaces. G Powering mode:  AC: alternating current power  DC: direct current power  BAT: battery LAN switch Some product models that support pluggable power modules are sold with AC or DC power modules (standard configuration), and their product names contain "-AC" or "-DC". However, the silkscreen or nameplate on the chassis does not contain "-AC" or "-DC" Table 1: Naming rules of Box Switch The naming rules examples of Huawei S Series Chassis Switches are as follows: Figure 2: Naming rules of Chassis Switch Identifier Description A Product series.  "127" indicates the S12700 series.  "77" indicates the S7700 series.  "93" indicates the S9300 series  "97" indicates the S9700 series D The capability of LPU numbers. Table 2: Naming rules of Chassis Switch The TOE scope has been limited in terms of evaluated configurations by choosing the most relevant configurations of each series as can be found in the table below. For each series, the minimum number of models has been selected in order to cover all the functionality that shall be tested as required by CC. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 9 The following table shows the evaluateddevices. Device Series Device Name S2700 S2750-20TP-PWR-EI-AC S2750-28TP-EI-AC S2750-28TP-PWR-EI-AC S2751-28TP-PWR-EI-AC S5700 S5701-28X-LI-AC S5701-28X-LI-24S-AC S5700-28P-LI-BAT S5700-28P-LI-4AH S5700-28P-LI-24S-BAT S5700-28P-LI-24S-4AH S5700-52X-LI-48CS-AC S5700-28TP-LI-AC S5700-28TP-PWR-LI-AC S5701-28TP-PWR-LI-AC S5700S-28X-LI-AC S5700S-52X-LI-AC S5700S-28P-PWR-LI-AC S5700-10P-LI-AC S5700-10P-PWR-LI-AC S5700-28P-LI-AC S5700-28P-LI-DC S5700-52P-LI-AC S5700-52P-LI-DC S5700-28P-PWR-LI-AC S5700-52P-PWR-LI-AC S5700-28X-LI-AC S5700-28X-LI-DC S5700-52X-LI-AC S5700-52X-LI-DC S5700-28X-PWR-LI-AC S5700-52X-PWR-LI-AC S5700S-28P-LI-AC S5700S-52P-LI-AC S5700-28X-LI-24S-DC S5700-28X-LI-24S-AC S5710-28X-LI-AC S5710-52X-LI-AC S5720 S5720-36C-EI-28S-AC S5720-56C-EI-48S-AC S5720-36C-EI-AC S5720-36PC-EI-AC S5720-56C-EI-AC S5720-56PC-EI-AC S5720-36C-PWR-EI-AC S5720-56C-PWR-EI-AC S5720-56C-PWR-EI-AC1 S5720-32X-EI-24S-AC S5720-50X-EI-46S-AC S5720-32X-EI-AC S5720-32P-EI-AC S5720-52X-EI-AC S5720-52P-EI-AC S5720-50X-EI-AC S5720S-28P-SI-AC S5720S-28X-SI-AC S5720S-52P-SI-AC S5720S-52X-SI-AC Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 10 S5720-28P-SI-AC S5720-28X-SI-AC S5720-52P-SI-AC S5720-52X-SI-AC S5720-28X-PWR-SI-AC S5720-52X-PWR-SI-AC S5720-52X-PWR-SI-ACF S5720-56C-HI-AC S5720-56C-PWR-HI-AC S5720-32C-HI-24S-AC S6720 S6720-30C-EI-24S-AC S6720-54C-EI-48S-AC S7700 S7703, S7706, S7706-POE S7712 S7712-POE S9700 S9703 S9703FCC S9706 S9706FCC S9712 S9712FCC S12700 S12704 S12708 S12712 S2300 S2350-28TP-PWR-EI-AC S2350-20TP-PWR-EI-AC S2350-28TP-EI-AC S2350-28TP-EI-DC S5300 S5300-10P-LI-AC S5300-28X-LI-24S-AC S5300-28X-LI-24S-DC S5300-28X-LI-AC S5300-28X-LI-DC S5300-52X-LI-AC S5300-52X-LI-DC S5300-28P-LI-BAT S5300-28P-LI-4AH S5300-28P-LI-24S-BAT S5300-28P-LI-24S-4AH S5300-52X-LI-48CS-AC S5300-52X-LI-48CS-DC S5300-28P-LI-AC S5300-28P-LI-DC S5300-52P-LI-AC S5300-52P-LI-DC S5320 S5320-36C-EI-28S-AC S5320-36C-EI-28S-DC S5320-56C-EI-48S-AC S5320-56C-EI-48S-DC S5320-36C-EI-AC S5320-36C-EI-DC S5320-36PC-EI-AC S5320-36PC-EI-DC S5320-56C-EI-AC S5320-56C-EI-DC S5320-56PC-EI-AC S5320-56PC-EI-DC S5320-36C-PWR-EI-AC Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 11 S5320-36C-PWR-EI-DC S5320-56C-PWR-EI-AC S5320-32X-EI-24S-AC S5320-32X-EI-24S-DC S5320-50X-EI-46S-AC S5320-50X-EI-46S-DC S5320-32X-EI-AC S5320-32X-EI-DC S5320-32P-EI-AC S5320-32P-EI-DC S5320-52X-EI-AC S5320-52X-EI-DC S5320-52P-EI-AC S5320-52P-EI-DC S5320-50X-EI-AC S5320-50X-EI-DC S5321-28P-SI-AC S5321-28X-SI-AC S5321-28X-SI-DC S5321-52P-SI-AC S5321-52X-SI-AC S5321-52X-SI-DC S5320-28P-SI-AC S5320-28X-SI-AC S5320-52P-SI-AC S5320-52X-SI-AC S5320-28X-PWR-SI-AC S5320-52X-PWR-SI-AC S6320 S6320-30C-EI-24S-AC S6320-30C-EI-24S-DC S6320-54C-EI-48S-AC S6320-54C-EI-48S-DC S9300 S9303 S9306 S9312 S9303E S9306E S9312E E600 E628 E628-X E652 E652-X Table 3: The device list of Huawei S Series Ethernet Switches Sponsor: Huawei Developer: Huawei Certification ID: SERTIT-088 Keywords: Huawei, VRP, Versatile Routing Platform, Ethernet Switches 1.3 Target of Evaluation (TOE) Overview Huawei S Series Ethernet SwitchesV200R008C00SPC500, the TOE, provides high-end networking capacities for telecom and enterprise core networks. It consists of both hardware and software. At the core of each switch is the Versatile Routing Platform (VRP), the software for managing and running the router’s networking functionality.VRP provides extensive Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 12 security features. These features include differentinterfaces with according access levels for administrators;enforcing authentications prior to establishment of administrative sessions with the TOE; auditing of security-relevant management activities; as well as the correct enforcement of routing decisions to ensure that network traffic gets forwarded to the correct interfaces. The Forwarding Engineis the actual hardware providing network traffic processing capacity. The TOE requires some non-TOE hardware/software, this may be found in section 1.4.2.2. 1.4 TOE Description 1.4.1 Architectural overview This section will introduce the Huawei S Series Ethernet SwitchesV200R008C00SPC500 from a physical architectural view and a software architectural view. Huawei S Series Ethernet Switches can be classified into Box Switches and Chassis Switches. They have different physical and software architecture.Box Switches adopt Centralized processing, Control plane and data forwarding plane are in the one board; Chassis Switches adopt distributed processing, control plane is in the SRU/MCU, data forwarding plane is in the LPU. In the software architectural, VRP uses VP(Virtual Path) to connect control plane and data forwarding plane, to avoid the difference between Box Switches and ChassisSwitches. Box Switches include:E600, S5320, S5720, S6320, S6720, S5300, S5700, S2300, S2700 ChassisSwitches include: S12700, S7700, S9700, S9300 1.4.1.1 Physical Architecture 1.4.1.1.1 Physical Architecture of Box Switch Figure 3: TOE Physical architecture of Box Switch Figure 3shows the physical architecture of Box Switch of the TOE with the AC/DC-input power supplymodules (*1) . The physical architecture includes the following systems:  Power system Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 13  Fan system  CPU(Control Process Unit)  Forwarding Engine All systems are in the integratedcabinet. The power system works in 1+1 backup mode (*2) . The functional host system processes data. In addition, it monitors and manages the entiresystem, including the power system. *1: Device lists which support both AC and DC power: S5700-28P-LI-BAT,S5700-28P-LI-24S-BAT,S5720-36C-EI-28S-AC,S5720-56C-EI -48S-AC,S5720-36C-EI-AC,S5720-36PC-EI-AC,S5720-56C-EI-AC,S5720-56PC-E I-AC,S5720-36C-PWR-EI-AC,S5720-56C-PWR-EI-AC,S5720-28P-SI-AC,S5720-2 8X-SI-AC,S5720-52P-SI-AC,S5720-52X-SI-AC,S5720-28X-PWR-SI-AC,S5720-52 X-PWR-SI-AC,S5720-56C-HI-AC,S5720-32C-HI-24S-AC,S6720-30C-EI-24S-AC,S 6720-54C-EI-48S-AC,S5300-28P-LI-BAT,S5300-28P-LI-24S-BAT,S5320-36C-EI-2 8S-AC,S5320-36C-EI-28S-DC,S5320-56C-EI-48S-AC,S5320-56C-EI-48S-DC,S53 20-36C-EI-AC,S5320-36C-EI-DC,S5320-36PC-EI-AC,S5320-36PC-EI-DC,S5320- 56C-EI-AC,S5320-56C-EI-DC,S5320-56PC-EI-AC,S5320-56PC-EI-DC,S5320-36C -PWR-EI-AC,S5320-36C-PWR-EI-DC,S5320-56C-PWR-EI-AC,S5320-28P-SI-AC, S5320-28X-SI-AC,S5320-52P-SI-AC,S5320-52X-SI-AC,S5320-28X-PWR-SI-AC,S 5320-52X-PWR-SI-AC,S6320-30C-EI-24S-AC,S6320-30C-EI-24S-DC,S6320-54C- EI-48S-AC,S6320-54C-EI-48S-DC *2: Device lists which support 1+1 backup power(others only support one power): S5700-28P-LI-BAT,S5700-28P-LI-24S-BAT,S5720-36C-EI-28S-AC,S5720-56C-EI -48S-AC,S5720-36C-EI-AC,S5720-36PC-EI-AC,S5720-56C-EI-AC,S5720-56PC-E I-AC,S5720-36C-PWR-EI-AC,S5720-56C-PWR-EI-AC,S5720-56C-PWR-EI-AC1,S 5720-28P-SI-AC,S5720-28X-SI-AC,S5720-52P-SI-AC,S5720-52X-SI-AC,S5720-2 8X-PWR-SI-AC,S5720-52X-PWR-SI-AC,S5720-52X-PWR-SI-ACF,S5720-56C-HI- AC,S5720-56C-PWR-HI-AC,S5720-32C-HI-24S-AC,S6720-30C-EI-24S-AC,S6720 -54C-EI-48S-AC,S5300-28P-LI-BAT,S5300-28P-LI-24S-BAT,S5320-36C-EI-28S-A C,S5320-36C-EI-28S-DC,S5320-56C-EI-48S-AC,S5320-56C-EI-48S-DC,S5320-3 6C-EI-AC,S5320-36C-EI-DC,S5320-36PC-EI-AC,S5320-36PC-EI-DC,S5320-56C- EI-AC,S5320-56C-EI-DC,S5320-56PC-EI-AC,S5320-56PC-EI-DC,S5320-36C-PW R-EI-AC,S5320-36C-PWR-EI-DC,S5320-56C-PWR-EI-AC,S5320-28P-SI-AC,S53 20-28X-SI-AC,S5320-52P-SI-AC,S5320-52X-SI-AC,S5320-28X-PWR-SI-AC,S532 0-52X-PWR-SI-AC,S6320-30C-EI-24S-AC,S6320-30C-EI-24S-DC,S6320-54C-EI- 48S-AC,S6320-54C-EI-48S-DC 1.4.1.1.2 Physical Architecture of Chassis Switch Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 14 Figure 4: TOE Physical architecture of Chassis Switch Figure 2 shows the physical architecture of the TOE with the AC/DC-input power supplymodules. The physical architecture includes the following systems:  Power system  Fan system  MCU/SRU/MPU  Switch fabric(SFU only separated on S12700 series)  LPU  Forwarding Engine All the systems are in the integratedcabinet. The power system works in 1+1 backup mode. Thefunctional host system(MCU/SRU/MPU) is the target of this evaluation and following introductions will focus onthe functional host systemonly. The functional host system is composed of the system backplane, SRUs/MCUs/MPUs, SFUs, and LPUs.SRU/MCU/MPU are the boards hosting the VRP which provides control and management functionalities. MCU also embeds a clock module as a source of system time. LPU is the board containing the forwarding engine and responsible for network traffic processing. Generally SRU/MCU/MPUare called MCU for simplicity in case of brief introduction. The functional host system processes data. In addition, it monitors and manages the entiresystem, including the power distribution system, heat dissipation system. 1.4.1.2 Software Architecture Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 15 Figure 5: TOE Software architecture In terms of the software, the TOE’s software architecture consists of three logical planes to support centralized forwarding and control and distributed forwarding mechanism.  Data plane  Control and management plane  Monitoring plane Note that the monitoring plane is to monitor the system environment by detecting the voltage, controlling power-on and power-off of the system, and monitoring the temperature and controlling the fan. The monitoring plane is not considered security-related thus will not be further covered. The control and management plane is the core of the entire system. It controls and managesthe system. The control and management unit processes protocols and signals, configuresand maintains the system status, and reports and controls the system status. The data plane is responsible for high speed processing and non-blocking switching of datapackets. It encapsulates or decapsulates packets, forwards IPv4/IPv6 packets, performsQualityof Service (QoS) and scheduling, completes inner high-speed switching, and collects statistics. Figure 5shows a brief illustration of the software architecture of the TOE. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 16 The VRP is the control and management platform that runs on the SRU/MCU. The VRP supports IPv4/IPv6, and routing protocols such as Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), calculates routes, generates forwarding tables, and delivers routing information to the LPU(s). The VRP includes Service Control Plane (SCP), System Manage Plane (SMP), General Control Plane (GCP) and other TSF, non-TSF sub-systems. The OS is supplied for the commercial use of embedded real-time operating system, a driving system for the CPU, and provide the basis for the VRP system scheduling mechanism. There is one difference between the software architecture of Box Switch and the Chassis Switch: in Box Switches the LPU and VP are done in SW, but in Chassis Switches, this is done in HW. Note that for the S23xx-EI/S53xx-LI and S27xx-EI/S57xx-LI (who do not support L3 forwarding), the S53xx-SI, E6xx and S57xx-SI (who only support static routing), the software architecture is identical, but the commands required to support non-existing functionality will simply return error messages. 1.4.2 Scope of Evaluation This section will define the scope of the Huawei SSeries Ethernet SwitchesV200R008 to be evaluated. 1.4.2.1 Physical scope The physical boundary of the TOE is the actual switch system itself -- in particular, thefunctional host system.The power distribution system and heat dissipation system are part of the TOE but not to be evaluated because they are security irrelevant. The TOE provides several models. These models differ in their modularity and throughput by supplying more slots in hosting chassis, but they offer exchangeable forwarding unit modules, switch fabrics, and use the same version of software. The following models will be covered during this evaluation: Model Types Typical System Configuration and Physical Parameters S5300 Item Typical Configuration Remark Processing unit Main frequency: 5300LI:1GHZ - SDRAM 5300LI: 256MB - Flash 5300LI: 200MB - CF card - - Switching capacity 5300-28P-LI:56Gbps 5300-52P-LI: 104Gbps 5300-28X-LI:128Gbps 5300-10P-LI:26Gbps (bidirectional) - Forwarding capacity 5300-28P-LI:41.66Mpps 5300-52P-LI: 77.4Mpps 5300-28X-LI:95.2Mpps 5300-10P-LI: 15Mpps - S5320 Item Typical Configuration Remark Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 17 Processing unit Main frequency: S5320SI: 800MHz S5320EI: 1GHz - SDRAM S5320SI: 512MB S5320EI: 2GB - Flash S5320SI: 240MB S5320EI: 340MB - CF card - - Switching capacity S5320-28P-SI: 168Gbps S5320-28X-SI: 168Gbps S5320-52P-SI: 336Gbps S5320-52X-SI: 336Gbps S5320-32P-EI: 220Gbps S5320-32X-EI: 220Gbps S5320-36C-EI: 220Gbps S5320-50X-EI: 260Gbps S5320-52P-EI: 260Gbps S5320-52X-EI: 260Gbps S5320-56C-EI: 260Gbps (bidirectional) - Forwarding capacity S5320-28P-SI: 41.7Mpps S5320-28X-SI: 95.2Mpps S5320-52P-SI: 77.4Mpps S5320-52X-SI: 131Mpps S5320-32P-EI: 47.6Mpps S5320-36PC-EI:77.4Mpps S5320-32X-EI: 101.2Mpps S5320-36C-EI: 131Mpps S5320-50X-EI: 128Mpps S5320-52P-EI: 77.4Mpps S5320-52X-EI: 131Mpps S5320-56C-EI: 160.7Mpps S5320-56PC-EI:107.1Mpps - S2300 Item Typical Configuration Remark Processing unit Main frequency: 800MHz - SDRAM 256 MB - Flash 200 MB - CF card - - Switching capacity S2350-20TP: 11.2Gbit/s S2350-28TP: 12.8Gbit/s (bidirectional) - Forwarding capacity S2350-20TP: 8.33Mpps S2350-28TP: 9.53Mpps - S6320 Item Typical Configuration Remark Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 18 Processing unit Main frequency: S6320EI: 1.2GHz - SDRAM S6320EI: 2GB - Flash S6320EI: 240MB - CF card - - Switching capacity S6320EI: 1.44Tbps (bidirectional) - Forwarding capacity S6320-30C-EI: 714.2Mpps S6320-54C-EI: 1071.4Mpps - S5700 Item Typical Configuration Remark Processing unit Main frequency: 5700LI:1GHZ - SDRAM 5700LI:256MB - Flash 5700LI:200MB - CF card - - Switching capacity 5700-28P-LI:56Gbps 5700-52P-LI: 104Gbps 5700-28X-LI:128Gbps 5700-52X-LI:256Gbps 5700-10P-LI:26Gbps(bidirectional) - Forwarding capacity 5700-28P-LI:41.66Mpps 5700-52P-LI: 77.4Mpps 5700-28X-LI:95.2Mpps 5700-52X-LI:132Mpps 5700-10P-LI: 15Mpps S5710-108C-HI: 504Mpps - S5720 Item Typical Configuration Remark Processing unit Main frequency: S5720SI: 800MHz S5720EI: 1GHz S5720HI: 1.2GHz - SDRAM S5720SI: 512MB S5720EI: 2GB S5720HI: 4GB - Flash S5720SI: 240MB S5720EI: 340MB S5720HI: 400MB - CF card - - Switching capacity S5720SI: 168Gbps S5720-52P-SI: 336Gbps S5720-52X-SI: 336Gbps S5720-32P-EI: 220Gbps - Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 19 S5720-32X-EI: 220Gbps S5720-36C-EI: 220Gbps S5720-50X-EI: 260Gbps S5720-52X-EI: 260Gbps S5720-56C-EI: 260Gbps S5720HI: 265Gbps(bidirectional) Forwarding capacity S5720-28P-SI: 41.7Mpps S5720-28X-SI: 95.2Mpps S5720-52P-SI: 77.4Mpps S5720-52X-SI: 131Mpps S5720-32P-EI: 47.6Mpps S5720-36PC-EI: 77.4Mpps S5720-52P-EI: 77.4Mpps S5720-32X-EI: 101.2Mpps S5720-56PC-EI: 107.1Mpps S5720-50X-EI: 128Mpps S5720-36C-EI: 131Mpps S5720-52X-EI: 131Mpps S5720-56C-EI: 160.7Mpps S5720-32C-HI: 166.7Mpps S5720-56C-HI: 190.5Mpps - S2700 Item Typical Configuration Remark Processing unit Main frequency: 800MHz - SDRAM 256 MB - Flash 240 MB - CF card - - Switching capacity S2750-20TP: 11.2Gbps S2750-28TP: 12.8Gbps (bidirectional) - Forwarding capacity S2750-20TP: 8.33Mpps S2750-28TP: 9.52Mpps - S6720 Item Typical Configuration Remark Processing unit Main frequency: S6720HI: 1.2GHz - SDRAM S6720HI: 2GB - Flash S6720HI: 240MB - CF card - - Switching capacity S6720HI: 1.44Tbps (bidirectional) - Forwarding capacity S6720-30C-EI: 714.2Mpps S6720-54C-EI: 1071.4Mpps - S9303 S7703 Item Typical Configuration Remark Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 20 Processing unit Main frequency: 500 MHz - SDRAM 512 MB CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storingdata files. There are two CF cards on the SRU. Switching capacity 1.92 Tbps - Forwarding capacity 1440Mpps - Max MCU slots 2 MCUs work in 1:1 redundancy. Max LPU slots 3 - Maximum interface rate per LPU 48*100Mbps 48*1Gbps 40*10Gbps 2*40Gbps 2*100Gbps/s - S9306 S7706 Item Typical Configuration Remark Processing unit Main frequency: 1.5 GHz - SDRAM 4 GB CF card - Switching capacity 3.84 Tbps - Forwarding capacity 2880Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Max LPU slots 6 - Maximum interface rate per LPU 48*100Mbps 48*1Gbps 40*10Gbps 2*40Gbps 2*100Gbps/s - S9312 S7712 Item Typical Configuration Remark Processing unit Main frequency: 1.5 GHz - SDRAM 4 GB CF card - Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 21 Switching capacity 3.84 Tbps - Forwarding capacity 2880Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Max LPU slots 12 - Maximum interface rate per LPU 48*100Mbps 48*1Gbps 40*10Gbps 2*40Gbps 2*100Gbps/s - S9303E S9703 Item Typical Configuration Remark Processing unit Main frequency: 500 MHz - SDRAM 512 MB CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storingdata files. There are two CF cards on the SRU. Switching capacity 2.88 Tbps - Forwarding capacity 2160Mpps - Max SRU slots 2 MCUs work in 1:1 redundancy. Max LPU slots 3 - Maximum interface rate per LPU 48*100Mbps 48*1Gbps 48*10Gbps 8*40Gbps 2*100Gbps/s - S9306E S9706 Item Typical Configuration Remark Processing unit Main frequency: 1.2G MHz - SDRAM 2GB CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storingdata files. There are two CF cards on Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 22 the SRU. Switching capacity 6.72 Tbps - Forwarding capacity 2880Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Max LPU slots 6 - Maximum interface rate per LPU 48*100Mbps 48*1Gbps 48*10Gbps 8*40Gbps 2*100Gbps/s - S9312E S9712 Item Typical Configuration Remark Processing unit Main frequency: 1.2G MHz - SDRAM 2GB CF card 512 MB CF cards with different capacities can be configured. Can be used as a mass storage device for storingdata files. There are two CF cards on the SRU. Switching capacity 8.64 Tbps - Forwarding capacity 3840Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Max LPU slots 12 - Maximum interface rate per LPU 48*100Mbps 48*1Gbps 48*10Gbps 8*40Gbps 2*100Gbps/s - S12700 Item Typical Configuration Remark Processing unit Main frequency: 1.5G MHz - SDRAM 4GB CF card - - Switching capacity S12704: 4.88 Tbps S12708: 12.32 Tbps S12712: 17.44 Tbps - Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 23 Forwarding capacity S12704: 3120 Mpps S12708: 6240 Mpps S12712: 9120 Mpps - Max SRU slots 2 SRUs work in 1:1 redundancy. Max LPU slots S12704: 4 S12708: 8 S12712: 12 - Maximum interface rate per LPU 48*100Mbps 48*1Gbps 48*10Gbps 8*40Gbps 2*100Gbps/s - E600 Item Typical Configuration Remark Processing unit Main frequency: 800 MHz - SDRAM E600: 512MB - Flash E600: 240MB - CF card - - Switching capacity E628: 168Gbps E628-X: 168Gbps E652: 336Gbps E652-X: 336Gbps (bidirectional) - Forwarding capacity E628: 41.664Mpps E628-X: 95.232Mpps E652: 77.376Mpps E652-X: 130.944Mpps - Table 4: Model Specifications Table 3/4 details all physical interfaces available in TOE along with respective usage: Boards Supported Interfaces and Usage MCU/SRU The following list shows a collection of interfaces which might be used during this evaluation for all models. The description about indicators on panel can be found in the guidance.  CF card interface, connector type TYPE II compatible with TYPE I, isused to hold a CF card to store data files as a massive storage device. The CF card is inserted and sealed within the TOE and is to be accessed only by authorized personnel. User configuration profiles, paf and licensing files, log data, system software and patches if exist are stored in the CF card.  ETH interface, connector type RJ45, operation mode 10M/100M Base-TX auto-sensing, supporting half-duplex and full-duplex, compliant to IEEE 802.3-2002, used for connections initiated by users and/or administrators from a local maintenance terminal via SSH to perform managementand maintenance operations. Management and maintenance on NMS workstation is not within Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 24 the scope of this evaluation thus NMS related accounts should be disabled during the evaluation.  Console interface, connector type RJ45, operation mode Duplex Universal Asynchronous Receiver/Transmitter (UART) with electrical attribute RS-232, baud rate 9600 bit/s which can be changed as required, used for users and/or administrators to connect to console for the on-site configuration of the system. The following interfaceswill be disabled during this evaluation if available according to hardware specification.  BITS0 and BITS1 interface, connector type RJ45, used for External synchronous clock/time interface LPU Interfaces supported by LPU are listed as below. More details about these interfaces can be found in the guidance.  ETH interface, connector type RJ45, operation mode 10M/100M/1000M Base-TX auto-sensing, supporting half-duplex and full-duplex, used for receiving and transmitting network traffic.  FE interface, connector type LC/PC optical connector, compliant to SFP optical module 100M-FX, supporting full-duplex, used for receiving and transmitting network traffic.  GE interface, connector type LC/PC optical connector, compliant to SFP optical module1000Base-X-SFP, supporting full-duplex, used for receiving and transmitting network traffic.  10GE interface, connector type LC/PC optical connector, compliant to XFP optical module10GBase LAN-XFP, supporting full-duplex, used for receiving and transmitting network traffic  40GE interface, connector type LC/MPOopticalconnector,compliant to QSFP+ optical module40GBase LAN -QSFP, supporting full-duplex, used for receiving and transmitting network traffic  100GE interface, connector type LC/MPOopticalconnector,compliant to CFP optical module100GBase LAN -CFP, supporting full-duplex, used for receiving and transmitting network traffic The following interfaces are supported by the TOE, but not to be evaluated in this evaluation.  POS interface, connector type LC/PC optical connector, compliant to SFP optical moduleOC-3c/STM-1c POS-SFP, supporting full-duplex, used for receiving and transmitting network traffic.  POS interface, connector type LC/PC optical connector, compliant to SFP optical moduleOC-12c/STM-4c POS-SFP, supporting full-duplex, used for receiving and transmitting network traffic.  POS interface, connector type LC/PC optical connector, compliant to SFP optical moduleOC-48c/STM-16c POS-SFP, supporting full-duplex, used for receiving and transmitting network traffic. The network traffic being received and transmitted by these interfaces, canbe further described as non-TSF data (information flow to be forwarded to other network interfaces and information flow destined to TOE but not security-related) and TSF data (destined to Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 25 TOE for control and management purpose and for security-related functionalities). The definition for non-TSF data and TSF data will be further explained in Chapter 1.4.4. Table 5:Chassis Switch Interfaces Specifications Supported Interfaces and Usage The following list shows a collection of interfaces which might be used during this evaluation for all models. The description about indicators on panel can be found in the guidance.  ETH interface, connector type RJ45, operation mode 10M/100M Base-TX auto-sensing, supporting half-duplex and full-duplex, compliant to IEEE 802.3-2002, used for connections initiated by users and/or administrators from a local maintenance terminal via SSH to perform management and maintenance operations. Management and maintenance on NMS workstation is not within the scope of this evaluation thus NMS related accounts should be disabled during the evaluation.  Console interface, connector type RJ45, operation mode Duplex Universal Asynchronous Receiver/Transmitter (UART) with electrical attribute RS-232, baud rate 9600 bit/s which can be changed as required, used for users and/or administrators to connect to console for the on-site configuration of the system.  MEH interface, connector type RJ45, operation mode 10M/100M Base-TX auto-sensing, supporting half-duplex and full-duplex, compliant to IEEE 802.3-2002, used for connections initiated by users and/or administrators from a local maintenance terminal via SSH to perform management and maintenance operations. Management and maintenance on NMS workstation is not within the scope of this evaluation thus NMS related accounts should be disabled during the evaluation.  FE interface, connector type LC/PC optical connector, compliant to SFP optical module 100M-FX, supporting full-duplex, used for receiving and transmitting network traffic.  GE interface, connector type LC/PC optical connector, compliant to SFP optical module 1000Base-X-SFP, supporting full-duplex, used for receiving and transmitting network traffic.  10GE interface, connector type LC/PC optical connector, compliant to XFP optical module 10GBase LAN -XFP, supporting full-duplex, used for receiving and transmitting network traffic  40GE interface, connector type LC/MPOopticalconnector,compliant to QSFP+ optical module40GBase LAN -QSFP, supporting full-duplex, used for receiving and transmitting network traffic The network traffic being received and transmitted by these interfaces, can be further described as non-TSF data (information flow to be forwarded to other network interfaces and information flow destined to TOE but not security-related) and TSF data (destined to TOE for control and management purpose and for security-related functionalities). The definition for non-TSF data and TSF data will be further explained in Chapter 1.4.4. Table 6: Box Switch Interfaces Specifications The software and the guidance is listed in Table 7 Type Name Version Software Product software V200R008C Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 26 00SPC500 VRP Version 5 Release 16 VxWorks (S2700\S5700\S7700\S9700\S2300\S5300\S9300) 5.5 Windriver(Linux kernel 2.6.34) (S5720\S6720\S5320\S6320\E600\S12700) 4.3 Guidance S2350&S5300&S6320 Series Ethernet Switches V200R008(C00&C10) Product Documentation 03 S9300&S9300E Series Switches V200R008(C00&C10) Product Documentation 04 S2750EI&S5700&S6720 Series Ethernet Switches V200R008C00 Product Documentation 02 S7700&S9700 Series Switches V200R008C00 Product Documentation 02 S12700 Series Agile Switches V200R008C00 Product Documentation 02 E600 教育网系列交换机 V200R008C00 产品文档 02 CC Huawei S Series Ethernet Switches V200R008 - AGD_OPE V0.5 CC Huawei S Series Ethernet Switches V200R008 - AGD_PRE V0.6 Table 7List of software and guidance 1.4.2.2 Logical scope The logical boundary is represented by the elements that are displayed with a white background within the rectangle with dashed border. These elements are part of the Versatile Routing Platform (VRP), a software platform from view of software architecture, and the forwarding engine that processes the incoming and outgoing network traffic. Figure 5 shows the TOE’s logical scope with supporting network devices of the environment. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 27 Figure 6:TOE logicalscope TOE can be classified into Layer 2 forwarding and Layer 3 forwarding based on traffic forwarding. All Switches support Layer 2 forwarding,S23XX-EI/S53XX-LI/S27XX-EI/ S57XX-LI Series Switches don’t support Layer 3 forwarding;S53XX-SI/S57XX-SI/E6XX Series Switches only supports Layer 3 forwarding by static routes, don’t support routing protocol like OSPF/BGP. When working as Layer 2 forwarding devices,theforwarding engine of TOE will forward the trafficaccording to MAC address. The MAC table entry will be automatically created by forwarding engine when Layer 2 forwarding. When working as Layer 3 forwarding devices,The TOE controls the flow of IP traffic (datagrams) between network interfaces by matching information contained in the headers of connection-oriented or connectionless IP packets against routing table in forwarding engine. The routing table in forwarding engine is delivered from VRP’s routing unit whereas the routing table in VRP’s routing module can be statically configured or imported through dynamic routing protocol such as BGP, Open Shortest Path First(OSPF). Note that BGP/OSPF functionality configuration must be performed via s secure channel enforcing SSH prior to routing table importing. System control and security managements are performed either through interfaces Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 28 via a secure channel enforcing SSH. Based on physical scope and logical scope described so far, a list of configuration is to be added:  For management via the console, authentication is always enabled. Authentication mode is password. Length of password is no less than 8 characters  For management via the ETH interface in MCU/SRU/MPU, authentication is always enabled. Authentication mode is password. Length of password is no less than 8 characters  Service of TELNETand FTP are disabled in this evaluation.  Authentication of users via RSA when using SSH connections is supported. SSH server compatibility with version number less than 1.99 is considered a weakness, therefore to be disabled. The environment for TOE comprises the following components:  An optional Radius server providing authentication and authorization decisions to the TOE.  Otherswitches and routersused to connect the TOE for L2/L3 network forward, L3 switch providing routing information to the TOE via dynamic protocols, such as BGP, OSPF.  Local PCs used by administrators to connect to the TOE for access of the command line interface either through TOE’s console interface or TOE’s ETH interface via a secure channel enforcing SSH.  Remote PCs used by administrators to connect to the TOE for access to the command line interfacethrough interfaces on LPU within the TOE via a secure channel enforcing SSH.  Physical networks, such as Ethernet subnets, interconnecting various networking devices. 1.4.3 Summary of Security Features 1.4.3.1 Authentication The TOE can authenticate administrative users by user name and password. VRP provides a local authentication scheme for this, or can optionally enforce authentication decisions obtained from a Radius server in the IT environment. Authentication is always enforced for virtual terminal sessions via SSH, and SFTP (Secured FTP) sessions. 1.4.3.2 Access Control The TOE controls access by levels. Four hierarchical access control levels are offered that can be assigned to individual user accounts: User level Level name Purpose Commands for access 0 Visit Network diagnosis and establishment of remote connections. ping, tracert, language-mode,quit, display 1 Monitoring System maintenance and fault diagnosis. Level 0 and display, debugging, reset, refresh, terminal, send 2 Configurat Service configuration. Level 0, 1 and all configuration Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 29 User level Level name Purpose Commands for access ion commands. 3 Managem ent System management (file system, user management, internal parameters …). All commands. Table 8: Access Levels The TOE can either decide the authorization level of a user based on its local database, or make use of Radius servers to obtain the decision whether a specific user is granted a specific level. If no authentication for the console is configured, it operates at level 3. 1.4.3.3L2 Traffic Forwarding The TOE handles layer 2 forwarding policy at their core. The forwarding engine controls the flow of network packets by making (and enforcing) a decision with regard to the network interface that a packet gets forwarded to. These decisions are made based on a MAC table. The MAC table is either maintained by administrators (static MAC) or gets updated dynamically by MAC learning function when an unknown MAC address packet has been received. 1.4.3.4 L3 Traffic Forwarding The TOE handles forwarding policy at their core. The forwarding engine controls the flow of network packets by making (and enforcing) a decision with regard to the network interface that a packet gets forwarded to. These decisions are made based on a routing table. The routing table is either maintained by administrators (static routing) or gets updated dynamically by the TOE when exchanging routing information with peer routers, through OSPFv2/v3 or BGPv4/4+. S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI Series Switches don’t support Layer 3 forwarding;S53XX-SI/S57XX-SI/E6XX Series Switches only supports Layer 3 forwarding by static routes, don’t support routing protocol like OSPF/BGP. 1.4.3.5Auditing The TOEgenerates audit records for security-relevant management actions and stores the audit records in memory or CF card in the TOE.  By default all correctly input and executed commands along with a timestamp when they are executed are logged.  Attempts to access regardless success or failure are logged, along with user id, source IP address, timestamp etc.  For security management purpose, the administrators can select which events are being audited by enabling auditing for individual modules (enabling audit record generation for related to functional areas), and by selecting a severity level. Based on the hard-coded association of audit records with modules and severity levels, this allows control over the types of audit events being recorded.  Output logs to various channels such as monitor, log buffer, trap buffer, file, etc.  Review functionality is provided via the command line interface, which allows administrators to inspect the audit log. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 30 1.4.3.6 Communication Security The TOE provides communication security by implementing SSH protocol. Two versions of SSH: SSH1 (SSH1.5) and SSH2 (SSH2.0) are implemented. But SSH2 is recommendedas it provides more secure and effectiveness in terms of functionality and performance, To protect the TOE from eavesdrop and to ensure data transmission security and confidentiality, SSH provides:  authentication by password or by RSA;  AES encryption algorithms;  Secure cryptographic key exchange. Besides default TCP port 22, manually specifying a listening port is also implemented since it can effectively reduce attack. SFTP is provided to substitute FTP which has known security issues. 1.4.3.7ACL TOE offers a feature Access Control List (ACL) for filtering incoming and outgoing information flow to and from interfaces. The administrator can create, delete, and modify rules for ACL configuration to filter, prioritize, rate-limit the information flow destined to TOE or other network devices through interfaces by matching information contained in the headers of connection-oriented or connectionless packets against ACL rules specified. Source MAC address, Destination MAC address, Ethernet protocol type, Source IP address, destination IP address, IP protocol number, source port number if TCP/UDP protocol, destination port number if TCP/UDP protocol, TCP flag if TCP protocol, type and code if ICMP protocol, fragment flag etc., can be used for ACL rule configuration. 1.4.3.8 Security functionality management Security functionality management includes not only authentication, access level, but also managing security related data consisting of configuration profile and runtime parameters. According to security functionality management, customized security is provided. More functionalities include:  Setup to enable SSH  Setup to enable BGP, OSPF, ARP  Setup to enable audit, as well as suppression of repeated log records  Setup to change default rate limit plan 1.4.3.9 Cryptographic functions Cryptographic functions are required by security features as dependencies, where: 1) AES256 is used as encryption algorithm for SSH; 2) RSA is used in user authentication when user tries to authenticate and gain access to the TOE; 3) MD5 is used as verification algorithm for packets of BGP and OSPF protocols from peer network devices; 1.4.3.10 SNMP Trap The Simple Network Management Protocol (SNMP) is a network management protocol widely used in the TCP/IP network. SNMP is a method of managing network elements through a network console workstation which runs network management software. A trap is a type of message used to report an alert or important event about a managed device to the NM Station. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 31 The TOE uses SNMP traps to notify a fault occurs or the system does not operate properly. 1.4.3.112STP STP (Spanning-Tree Protocol) is a protocol used in the local area network (LAN) to eliminate loops. The S-switch devices enabled with STP communicate and find the loops in the network, and they block certain interfaces to eliminate loops. Due to the rapid increase of LAN, STP has become one of the most important LAN protocols. In the Layer 2 switching network, loops on the network cause packets to be continuously duplicated and propagated in the loops, leading to the broadcast storm, which exhausts all the available bandwidth resources and renders the network unavailable. In an STP region, a loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is implemented. 1.4.4TSF and Non-TSF data All data from and to the interfaces available on the TOE is categorized into TSF data and non-TSF data. The following is an enumeration of the subjects and objects participating in the policy. TSFdata:  User account data, including the following security attributes: o User identities. o Locally managed passwords. o Locally managed access levels.  Audit configuration data.  Audit records.  Configuration data of security feature and functions  Routing and other network forwarding-related tables, including the following security attributes: o Network layer routing tables. o Link layer address resolution tables. o Link layer MAC address table. o BGP, OSPF databases.  Network traffic destined to the TOE processed by security feature and functions. Non-TSF data:  Network traffic to be forwarded to other network interfaces.  Network traffic destined to the TOEprocessedby non-security feature and functions. 2 CC Conformance Claim This ST is CC Part 2 conformant and CC Part 3 conformant. The CC version of [CC] is 3.1R4. No conformance to a Protection Profile is claimed. No conformance rationaleto a Protection Profile is claimed. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 32 The TOE claims EAL3+ augmented with ALC_FLR.2. 3 TOE Security problem definition 3.1 Threats The assumed security threats are listed below. The information assets to be protected arethe information stored, processed or generated by the TOE. Configuration data for the TOE, TSF data (such as user account information and passwords, audit records, etc.) and other information that the TOE facilitates access to (such as system software, patches and network traffic routed by the TOE) are all considered part of information assets. 3.1.1 Threats T.UnwantedL2NetworkTraffic Unwanted L2 network traffic sent to the TOE will causethe MAC table gets updated dynamically by MAC learning function. This may due the MAC table overload. In the TOE Layer 2 switching network, loops on the network cause packets to be continuously duplicated and propagated in the loops, leading to the broadcast storm, which exhausts all the available bandwidth resources and renders the network unavailable. T.UnwantedL3NetworkTraffic Unwanted L3 network traffic sent to the TOE will not only cause the TOE’s processing capacity for incoming network traffic is consumed thus fails to process traffic expected to be processed, but an internal traffic jam might happen when those traffic are sent to the Control Plane. This may further cause the TOE to fail to respond to system control and security management operations. Routing information exchanged between the TOE and peer routes may also be affected due the traffic overload. T.UnauthenticatedAccess A user who is not an administratorgains access to the TOE. T.UnauthorizedAccess A user authorized to perform certain actions and access certain information gains access to commands or information he is not authorized for. T.Eavesdrop An eavesdropper (remote attacker) is able to intercept, and potentially modify or re-use information assets that are exchanged between TOE and LMT/RMT. 3.1.2Threats Components  T.UnwantedL2NetworkTraffic o Threat agent: User who is not an administrator o Asset: TOE availability o Adverse action: Disturbance on TOE operation Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 33  T.UnwantedL3NetworkTraffic o Threat agent: User who is not an administrator o Asset: TOE availability. o Adverse action: Disturbance on TOE operation.  T.UnauthenticatedAccess o Threat agent: User who is not an administrator. o Asset: TOE integrity and availability, user data confidentiality. o Adverse action: access to the TOE.  T.UnauthorizedAccess o Threat agent: An unauthorized personnel: attacker or administrator without certain privileges. o Asset: TOE integrity and availability, user data confidentiality. o Adverse action: perform unauthorized actions and unauthorized access to TOE information and user data.  T.Eavesdrop o Threat agent: An eavesdropper (remote attacker) in the management network. o Asset:TOE integrity and availability, user data confidentiality and L3 network traffic. o Adverse action:intercept, and potentially modify or re-use information assets that are exchanged between TOE and LMT/RMT. 3.2 Assumptions 3.2.1 Environment of use of the TOE 3.2.1.1 Physical A.PhysicalProtection It is assumed that the TOE (including any console attached, access of CF card) is protected against unauthorized physical access. 3.2.1.2Network Elements A.NetworkElements The environment is supposed to provide supporting mechanism to the TOE:  A Radiusserverfor external authentication/authorization decisions;  Peerrouter(s)for the exchange of dynamic routing information;  A remote entities (PCs) used for administration of the TOE.  An SNMP Server used for collecting SNMP traps 3.2.1.3Network Segregation A.NetworkSegregation It is assumed that the ETH interface in the TOE will be accessed only through an independent local network. Thisnetworkis separate from the application (or, public) networks where the interfaces in the TOE are accessible. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 34 3.2.1.4Authorized Administrators A.NoEvil The authorized administrators are not careless, willfully negligent or hostile, and will follow and abide by the instructions provided by the TOE documentation. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 35 4 Security Objectives 4.1 Objectives for the TOE The following objectives must be met by the TOE:  O.Forwarding (all series except S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) The TOE shall forward network traffic (i.e., individual packets) only to the network interface that corresponds with a configured route for the destination IP address of the packet, or corresponds with a MAC address for the destination MAC address of the packet.When TOE works as Layer 2 forwarding device, users should be isolated between VLANs. And TOE can find the loops in the network, and block certain interfaces to eliminate loops.  O.Forwarding (S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) The TOE shall forward network traffic (i.e., individual packets) only to the network interface that corresponds with a MAC address for the destination MAC address of the packet. Users should be isolated between VLANs. And TOE can find the loops in the network, and block certain interfaces to eliminate loops.  O.CommunicationThe TOE must implement logical protection measures for network communication between the TOE and LMT/RMT from the operational environment.  O.Authorization The TOE shall implement different authorization levels that can be assigned to administrators in order to restrict the functionality that is available to individual administrators.  O.AuthenticationThe TOE must authenticate users of its user access.  O.Audit The TOE shall provide functionality to generate audit records for security-relevant administrator actions.  O.Resource The TOE shall provide functionalities and management for assigning a priority (used as configured bandwidth), enforcing maximum quotas for bandwidthand MAC address table entries,to prevent internal collapse due to traffic overload.  O.Filter The TOE shall provide ACL or packet filter to drop unwanted L2 or L3 network traffic. 4.2 Objectives for the Operational Environment  OE.NetworkElements The operational environment shall provide securely and correctly workingnetwork devices as resources that the TOE needs to cooperate with.Behaviors of such network devices provided by operational environment shall be also secure and correct. For example, other routers for the exchange of routing information, PCs used for TOE administration, SNMP Servers and Radius servers for obtaining authentication and authorization decisions.  OE.Physical The TOE (i.e., the complete system including attached peripherals, such as a console, and CF card insertedin the Switch) shall be protected against unauthorized physical access.  OE.NetworkSegregation Theoperational environment shall provide segregation by deploying the management interface in TOE into an independent local -network. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 36  OE.Person Personnel working as authorized administrators shall be carefully selected for trustworthyness and trained for proper operation of the TOE. 4.3 Security Objectives Rationale 4.3.1 Coverage The following table provides a mapping of TOE objectives to threats and policies, showing that each objective is at least covered by one threat or policy. Objective Threat O.Forwarding T.UnwantedL2NetworkTraffic T. UnwantedL3NetworkTraffic O.Communication T.Eavesdrop O.Authentication T.UnauthenticatedAccess O.Authorization T.UnauthorizedAccess O.Audit T.UnauthenticatedAccess T.UnauthorizedAccess O.Resource T.UnwantedL2NetworkTraffic T.UnwantedL3NetworkTraffic O.Filter T.UnwantedL2NetworkTraffic T.UnwantedL3NetworkTraffic Table 9: Mapping Objectives to Threats The following table provides a mapping of the objectives for the operational environment to assumptions, threats and policies, showing that each objective is at least covered by one assumption, threat or policy. Environmental Objective Threat / Assumption OE.NetworkElements A.NetworkElements OE.Physical A.PhysicalProtection OE.NetworkSegregation A.NetworkSegregation OE.Person A.NoEvil Table 10: Mapping Objectives for the Environment to Threats, Assumptions 4.3.2 Sufficiency The following rationale provides justification that the security objectives are suitable to counter each individual threat and that each security objective tracing back to a threat, when achieved, actually contributes to the removal of that threat: Threat Rationale for security objectives to remove threats Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 37 T.UnwantedL2NetworkTraffic The L2 layer traffic should be isolated between VLANs. STP implementation assures an optimum forwarding path, preventing network from infinite loops, which can cause serious problems in the forwarding system and network efficiency. (O.Forwarding) MAC address limit configuration can avoid the overload of MAC table entry caused by fake MAC address attack.(O.Resource) ACL or Packet filter can deny unwanted L2 network traffic enter or pass TOE. (O.Filter) T.UnwantedL3NetworkTraffic (for all series except S23XX-EI/S53XX-LI/S27XX-EI/ S57XX-LI) The threat that unwanted network traffic sent to TOE causing the TOE a management failure and internal traffic jam is countered by specifying static routes to filter those traffic (O.Forwarding). ACL can also be configured to limit the bandwidth of that traffic (O.Resource). ACL or Packet filter can deny unwanted L3 network traffic enter or pass TOE. (O.Filter) T.UnauthenticatedAccess The threat of unauthenticated access to the TOE is countered by requiring the TOE to implement an authentication mechanism for its users (O.Authentication). In addition, login attempts are logged allowing detection of attempts and possibly tracing of culprits (O.Audit) T.UnauthorizedAccess The threat of unauthorized access is countered by requiring the TOE to implement an access control mechanism (O.Authorization). In addition, actions are logged allowing detection of attempts and possibly tracing of culprits (O.Audit) T.Eavesdrop The threat of eavesdropping is countered by requiring communications security via SSH (protocol v.2) protocol for network communication between LMT/RMT and the TOE .To avoid middle attacks, public server key is pre-loaded to client(O.Communication). Table 11: Sufficiency analysis for threats The following rationale provides justification that the security objectives for the environment are suitable to cover each individual assumption, that each security objective for the environment that traces back to an assumption about the environment of use of the TOE, when achieved, actually contributes to the environment achieving consistency with the assumption, and that if all security objectives for the environment that trace back to an assumption are achieved, the intended usage is supported: Assumption Rationale for security objectives A.NetworkElements The assumption that the external network devices such as Radius server as an external authentication/authorization source, peer router for routing information exchange, and LMT/RMT for TOE control and management are addressed in Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 38 OE.NetworkElements. A.PhysicalProtection The assumption that the TOE will be protected against unauthorized physical access is expressed by a corresponding requirement in OE.Physical. A.NetworkSegregation The assumption that the TOE is not accessible via the application networks hosted by the networking device is addressed by requiring just this in OE.NetworkSegregation. A.NoEvil The assumption that the personnel are not careless, willfully negligent, or hostile is addressed in OE.Person. Table 12: Sufficiency analysis for assumptions 5 Extended Components Definition No extended components have been defined for this ST. 6 Security Requirements 6.1 Conventions  Strikethrough indicates text removed as a refinement  (underlined text in parentheses) indicates    6.2TOE Security Functional Requirements 6.2.1Security Audit (FAU) 6.2.1.1 FAU_GEN.1 Audit data generation a) Start-up and shutdown of the audit functions; b) All auditable events for the not specified level of audit; and c) The following auditable events: i. user activity 1. login, logout Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 39 2. operation requests ii. user management 1. add, delete, modify 2. password change 3. operation authority change 4. online user query 5. session termination iii. command group management 1. add, delete, modify iv. authentication policy modification v. system management 1. reset to factory settings vi. log management 1. log policy modification a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, interface (if applicable), workstation IP (if applicable), User ID (if applicable), and CLI command name (if applicable). 6.2.1.2 FAU_GEN.2 User identity association 6.2.1.3 FAU_SAR.1 Audit review 6.2.1.4 FAU_SAR.3 Selectable audit review 6.2.1.5 FAU_STG.1Protected audit trail storage Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 40 6.2.1.6a FAU_STG.3 Action in case of possible audit data loss 6.2.2Cryptographic Support (FCS) 6.2.2.1 FCS_COP.1/AES Cryptographic operation 6.2.2.2 FCS_COP.1/RSA Cryptographic operation 6.2.2.3 FCS_COP.1/DHKeyExchange Cryptographic operation 6.2.2.4 FCS_COP.1/HMAC-SHA256 Cryptographic operation 6.2.2.6 FCS_COP.1/MD5 Cryptographic operation 6.2.2.7FCS_CKM.1/AES Cryptographic key generation 6.2.2.8FCS_CKM.1/RSA Cryptographic key generation Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 41 6.2.2.9 FCS_CKM.1/DHKey Cryptographic key generation 6.2.2.10FCS_CKM.4/RSA Cryptographic key destruction 6.2.2.11FCS_CKM.4/AES-DHKey Cryptographic key destruction 6.2.3User Data Protection (FDP) 6.2.3.1FDP_ACC.1 Subset access control 6.2.3.2FDP_ACF.1 Security attribute based access control a) users and their following security attributes: O. b) commands and their following security attributes: O. a) the user has beengranted authorization for the commands targeted by the request, and b) the user isassociated with a Command Group that contains the requested command FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 42 based on the following additional rules: a) the user has beengranted authorization for the commands targeted by the request, and b) the user isassociated with a Command Group that contains the requested command FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: a) the user has not beengranted authorization for the commands targeted by the request, or b) the user isnotassociated with a Command Group that contains the requested command 6.2.3.3aFDP_DAU.1 Basic Data Authentication (for all series except S23XX-EI,S53XX-LI/SI,S27XX-EI,S57XX-LI/SI,E6XX) 6.2.3.3bFDP_DAU.1 Basic Data Authentication (for S23XX-EI/S53XX-LI/ S23XX-EI,S53XX-LI/SI,S27XX-EI,S57XX-LI/SI,E6XX) 6.2.3.4 FDP_IFC.1Subset information flow control 6.2.3.5a FDP_IFF.1Simple security attributes (for all series except S23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 43 6.2.3.5b FDP_IFF.1Simple security attributes (forS23XX-EI/S53XX-LI/S27XX-EI/S57XX-LI) 6.2.4Identification and Authentication (FIA) 6.2.4.1FIA_AFL.1 Authentication failure handling (this does not apply to Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 44 RADIUS authentication) 6.2.4.2 FIA_ATD.1 User attribute definition a) user ID b) user level c) password 6.2.4.3FIA_SOS.1Verification of secrets 6.2.4.4 FIA_UAU.2 User authentication before any action Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 45 6.2.4.5FIA_UID.2 User identification before any action 6.2.5Security Management (FMT) 6.2.5.1 FMT_MOF.1 Management of security functions behavior 6.2.5.2 FMT_MSA.1 Management of security attributes 6.2.5.3 FMT_MSA.3 Static attribute initialization 6.2.5.4 FMT_SMF.1 Specification of Management Functions a) authentication, authorization, encryption 1 policy b) ACL policy c) user management d) definition of Managed Object Groups and Command Groups e) definition of IP addresses and address ranges that will be acceptedas source addresses in client session establishment requests 1 The encryption policy dictates which cryptographic algorithm / key length is used in which situation Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 46 f) routing and forwarding, such as BGP (not for , OSPF(not for , ARP g) L2 forwarding, such as MAC, VLAN 6.2.5.5 FMT_SMR.1 Securityroles 6.2.6Protection of the TSF (FPT) 6.2.6.1 FPT_STM.1Reliable time stamps 6.2.6.2 FPT_FLS.1Fail secure 6.2.7Resource utilization(FRU) 6.2.7.1FRU_PRS.1Limited priority of service 6.2.7.2 FRU_RSA.1Maximum quotas 6.2.7.3FRU_FLT.1 Degraded fault tolerance 6.2.8TOE access (FTA) 6.2.8.1FTA_SSL.3 TSF-initiated termination Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 47 6.2.8.2 FTA_TSE.1 TOE session establishment a) authentication failure b) Source IP address. 6.2.9Trusted Path/Channels (FTP) 6.2.9.1FTP_TRP.1Trusted path 6.3Security Functional Requirements Rationale 6.3.1Sufficiency and coverage The following rationale provides justification for each security objective for the TOE, showing that the security functional requirements are suitable to meet and achieve the security objectives: From this table, it can also be seen that each security functional requirement addresses at least one security objective. Security objectives Rationale O.Forwarding The goal of secure traffic forwarding is achieved by following: Prior to forwarding related service configuration, authentication (FIA_UID.2, FIA_UAU.2, FDP_DAU.1), authorization (FDP_ACC.1) and access control policy (FDP_ACF.1) are implemented and applicable. A trusted path (FTP_TRP.1) for forwarding related service configuration should be established for users, which also require Cryptographic Support (FCS_COP.1). Cryptographic Support(FCS_COP.1) are also required where routing information exchange takes place. In order to prevent packets to enter in an infinite loop, provoking slow performance to network (FRU_FLT.1, FPT_FLS.1) STP is implemented. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 48 O.Audit The generation of audit records is implemented by FAU_GEN.1. Audit records are supposed to include timestamp (FPT_STM.1) and user identities (FAU_GEN.2) where applicable, which aresupplied by the authentication mechanism (FIA_UID.2). Audit records are in a string format,regularexpressions are provisioned to read and search theserecords (FAU_SAR.1, FAU_SAR.3). The protection of the stored audit records is implemented in FAU_STG.1. Functionality to delete the oldest audit file is provided if the size of the log files becomes larger than the capacity of the store device (FAU_STG.3). Management functionality for the audit mechanism is spelled out in FMT_SMF.1. O.Communication Communications security is implemented by a trusted path for remote users in FTP_TRP.1. FCS_COP.1 addresses the AES encryption of SSH channels.FCS_CKM.1 addresses keys generation of AES/RSA. FCS_CKM.4/RSA addresses key destruction of RSA. FCS_CKM.4AESkeys are session keys only, these are created and stored in a trunk of internal memory dynamically allocatedwithin the TOE upon session establishment and are destroyed upon session termination. The allocated memory is freed as well.Management functionality to enable these mechanisms is provided in FMT_SMF.1. O.Authentication User authentication is implemented by FIA_UAU.2, FDP_DAU.1 and supported by individual user identifies in FIA_UID.2. The necessary user attributes (passwords) are spelled out in FIA_ATD.1. The authentication mechanism supports authentication failure handling (FIA_AFL.1), restrictions as to the validity of accounts for logon (FTA_TSE.1), automatic logout after inacitivty (FTA_SSL.3) and a password policy (FIA_SOS.1).A trusted path is provided (FTP_TRP.1) supported by cryptography (FCS_COP.1). Management functionality is provided in FMT_SMF.1. O.Authorization The requirement for access control is spelled out in FDP_ACC.1, and the access control policies are modeled in FDP_ACF.1. Unique user IDs are necessary foraccess control provisioning (FIA_UID.2), and user-related attributes are spelled out in FIA_ATD.1. Access control is based on the definition of roles as subject and functions as object(FMT_SMR.1, FMT_MOF.1), The termination of an interactive session is provided in FTA_SSL.3. management functionality for the definition of access control policies is provided (FMT_MSA.1, FMT_MSA.3, FMT_SMF.1). O.Resource The requirement for assigning a priority(used as configured bandwidth)is spelled out inFRU_PRS.1, enforcing the maximum quotas for bandwidth and limited the MAC address table entries is spelled out inFRU_RSA.1 Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 49 O.Filter The requirement of ACL or packet filter is spelled out in FDP_IFF.1 and FDP_IFC.1. management functionality for the definition of ACL is provided (FMT_MSA.1, FMT_MSA.3, FMT_SMF.1). Table 13: SFR sufficiency analysis 6.3.3 Security Requirements Dependency Rationale Dependencies within the EAL3 package selected for the security assurance requirements have been considered by the authors of CC Part 3 and are not analyzed here again. The security functional requirements in this Security Target do not introduce dependencies on any security assurance requirement; neither do the security assurance requirements in this Security Target introduce dependencies on any security functional requirement. The following table demonstrates the dependencies of SFRs modeled in CC Part 2 and how the SFRs for the TOE resolve those dependencies: Security Functional Requirement Dependencies Resolution FAU_GEN.1 FPT_STM.1 FPT_STM.1 FAU_GEN.2 FAU_GEN.1 FIA_UID.1 FAU_GEN.1 FIA_UID.2 FAU_SAR.1 FAU_GEN.1 FAU_GEN.1 FAU_SAR.3 FAU_SAR.1 FAU_SAR.1 FAU_STG.1 FAU_GEN.1 FAU_GEN.1 FAU_STG.3 FAU_STG.1 FAU_STG.1 FCS_COP.1 FCS_CKM.1 FCS_CKM.4 FCS_CKM.1 FCS_CKM.4 Except for MD-5, HMAC-SHA256 use no key , so the dependencies are unnecessary there. FCS_CKM.1 FCS_COP.1 FCS_CKM.4 FCS_COP.1 FCS_CKM.4 FCS_CKM.4 FCS_CKM.1 FCS_CKM.1 FDP_ACC.1 FDP_ACF.1 FDP_ACF.1 FDP_ACF.1 FDP_ACC.1 FMT_MSA.3 FDP_ACC.1 FMT_MSA.3 FDP_DAU.1 None FDP_IFC.1 FDP_IFF.1 FDP_IFF.1 FDP_IFF.1 FDP_IFC.1 FMT_MSA.3 FDP_IFC.1 FMT_MSA.3 FIA_AFL.1 FIA_UAU.1 FIA_UAU.2 FIA_ATD.1 None FIA_SOS.1 None FIA_UAU.2 FIA_UID.1 FIA_UID.2 FIA_UID.2 None Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 50 FMT_MOF.1 FMT_SMF.1 FMT_SMR.1 FMT_SMF.1 FMT_SMR.1 FMT_MSA.1 [FDP_ACC.1 or FDP_IFC.1] FMT_SMR.1 FMT_SMF.1 FDP_ACC.1 FMT_SMR.1 FMT_SMF.1 FMT_MSA.3 FMT_MSA.1 FMT_SMR.1 FMT_MSA.1 FMT_SMR.1 FMT_SMF.1 None FMT_SMR.1 FIA_UID.1 FIA_UID.2 FRU_PRS.1 None FRU_RSA.1 None FTA_SSL.3 None FTA_TSE.1 None FTP_TRP.1 None FTP_STM.1 None FRU_FLT.1 FPT_FLS.1 FPT_FLS.1 FPT_FLS.1 None Table 14: Dependencies between TOE Security Functional Requirements 6.4Security Assurance Requirements The security assurance requirements for the TOE are the Evaluation Assurance Level 3 components augmented ALC_FLR.2, as specified in [CC] Part 3. No operations are applied to the assurance components. 6.5Security Assurance Requirements Rationale The evaluation assurance level 3 augmented with ALC_FLR.2, has been chosen commensurate with the threat environment that is experienced by typical consumers of the TOE. 7 TOE Summary Specification 7.1TOE Security Functional Specification 7.1.1 Authentication The TOE can identify administrators by a unique ID and enforces their authentication before granting them access to any TSF management interfaces.Detailed functions include: 1) Support authentication via local password. This function is achieved by comparing user information input with pre-defined user information stored in memory. 2) Support authentication via remote RADIUS authentication server. This function is achieved by performing pass/fail action based on result from remote Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 51 authentication server. 3) Support authenticate user login using SSH, by password authentication, RSA authentication, or combination of both. This function is achieved by performing authentication for SSH user based on method mentioned in 1). 4) Support logout when no operation is performed on the user session within a given interval. This function is achieved by performing count-down through timing related to clock function. 5) Support max attemptsdue to authentication failure within certain period of time. This function is achieved by providing counts on authentication failure. 6) Support limiting access by IP address. This function is achieved by comparing IP address of requesting session with configured value stored in memory. 7) Support for user individual attributes in order to achieve all the enumerated features: user ID, user level, and password. (FIA_AFL.1, FIA_ATD.1, FIA_UAU.2, FIA_UID.2, FTA_TSE.1, FTA_SSL.3, FCS_CKM.1,FCS_CKM.4) 7.1.2 Access Control The TOE enforces an access control by supporting following functionalities: 1) Support 16 access levels. This function is achieved by storing number as level in memory. 2) Support assigning access level to commands. This function is achieved by associating access levelnumberwith commands registered. 3) Support assigning access level to user ID. This function is achieved by associating access level number with user ID. 4) Support limiting executing commands of which the access level is less or equal to the level of user. This function is achieved by performing an evaluation that level of commands is less or equal to level of user. This limitation of access also prevents users from accessing or deleting log files if they have insufficient rights. (FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMR.1, FMT_MOF.1, FAU_STG.1) 7.1.3 L2 Traffic Forwarding The TOE forwards network traffic, enforcing decisions about the correct forwarding interface and assembling the outgoing network packets using correct MAC addresses: 1) Support traffic isolation with VLANs 2) Support MAC address learning automatically Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 52 3) Support Layer 2 traffic forwarding based on MAC table entry 4) Support to configure MAC addressstatically 5) Support to configure black hole MAC address statically 6) Support to limit the learning number of MAC address 7) Support to convert the MAC address learnt dynamically to static MAC address 8) Support MAC address flapping protection 9) In order to configure all the enumerated settingsthe user must be an authenticated user with administrator-defined role. (FRU_PRS.1, FRU_RSA.1,FMT_MSA.3) 7.1.4L3 Traffic Forwarding The TOE forwards network traffic, enforcing decisions about the correct forwarding interface and assembling the outgoing network packets using correct MAC addresses: 1) Support ARP/BGP/OSPF protocol. This function is achieved by providing implementation of ARP/BGP/OSPF protocol. 2) Support routing information generation via OSPF protocol. This function is provided by implementation of OSPF protocol. 3) Support routing information generation via BGP protocol. This function is provided by implementation of BGP protocol. 4) Support routing information generation via manual configuration. This function is achieved by storing static routes in memory. 5) Support importing BGP/static routing information for OSPF. This function is provided by implementation of OSPF protocol. 6) Support importing OSPF/static routing information for BGP. This function is provided by implementation of BGP protocol. 7) BGP support cryptographic algorithm MD5. This function is achieved by performing verification for incoming BGP packets using MD5 algorithm. 8) OSPF support cryptographic algorithmMD5. This function is achieved by performing verification for incoming OSPF packets using MD5 algorithm. 9) Support disconnection session with neighbor network devices. This function is achieved by locating and cleaning session information. 10) OSPF support routing information aggregation. This function is achieved by manipulating routes stored in memory. 11) OSPF support routing information filtering. This function is achieved by manipulating routes stored in memory. 12) Support ARP strict learning. This function is achieved by regulating ARP feature to accept entry generated by own ARP requests. 13) Support IPv4 traffic forwarding via physical interface. This function is achieved by making routing decision based on routes generated by BGP/OSPF/static Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 53 configuration. 14) Support sending network traffic to VRP for central process where destination IP address is one of the interfaces’ IP addresses of the TOE. This is achieved by checking whether the traffic’s destination IP address is within the configured interfaces’ IP addresses in the TOE. If it is, the traffic will be sent to VRP in MCU for central process. (FIA_UAU.2, FTP_TRP.1, FCS_COP.1, FIA_SOS.1, FDP_DAU.1) Notes:S23XX-EI/S53XX-LI/S27XX-EI/ S57XX-LI Series Switches don’t support Layer 3 forwarding;S53XX-SI/S57XX-SI Series Switches only supports Layer 3 forwarding by static routes, don’t support routing protocol like OSPF/BGP; E6xx Series Switches only supports Layer 3 forwarding by static routes and RIP, don’t support routing protocol like OSPF/BGP. 7.1.5Auditing The TOE can provide auditing ability by receiving all types of logs and processing them according to user’s configuration: 1) Support classification based on severity level. This function is achieved where logging messages are encoded with severity level and output to log buffer. 2) Support enabling, disabling log output. This function is achieved by interpreting enable/disable commands and storing results in memory. Log output is performed based on this result. 3) Support redirecting logs to various output channels: monitor, log buffer, trap buffer, log file. This function is achieved by interpreting commands and storing results in memory or in log files in CF card. Log channelfor output is selectedprior to execution of redirecting. 4) Support log output screening, based on filename. This function is performed by providing filtering on output. 5) Support querying log buffer. This function is achieved by performing querying operation with conditions input. 6) Support cleaning log buffer. This function is achieved by cleaning log buffer in memory. 7) Support to automatically remove oldest log files if audit files exceed the sizeof store device. (FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.3, FAU_STG.3, FMT_SMF.1) 7.1.6Communication Security The TOE provides communication security by implementing SSH protocol. Two versions of SSH: SSHv1 (SSH1.5) and SSHv2 (SSH2.0) are implemented. But SSH2 is recommended for most cases by providing more secure and effectiveness in terms of functionality and performance. SFTP is provided implementing secure . Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 54 1) Support SSHv1 and SSHv2. This function is achieved by providing implementation of SSHv1 and SSHv2. 2) Support dh_group_exchange_sha1 as key exchange algorithm of SSH. This function is achieved by providing implementation of dh_group_exchange_sha1 algorithm. 3) Support AES encryption algorithm. This function is achieved by providing implementation of AES algorithm. 4) Support HMAC-SHA verification algorithm. This function is achieved by providing implementation of HMAC-SHA algorithm. 5) Support using different encryption algorithm for client-to-server encryption and server-to-client encryption. This function is achieved by interpreting related commands and storing the result in memory. 6) Support Secure-FTP. This function is achieved by providing implementation of Secure-FTP. 7) Support for RSA key destruction, overwriting it with 0. 8) The TOE names SSH as S-Telnet. (FCS_COP.1,FCS_CKM.1, FCS_CKM.4, FMT_SMF.1, FDP_DAU.1) 7.1.7 ACL The TOE supports Access Control List (ACL) to filter trafficdestined to TOE to prevent internal traffic overload and service interruption.And the TOE also use ACL to deny unwanted network traffic to pass through itself. The TOE also uses the ACL to identify flows and perform flow control to prevent the CPU and related services from being attacked. 1) Support enabling ACLs by associating ACLs to blacklist. This function is achieved by interpreting ACL configurations then storing interpreted value in memory. 2) Support screening,filteringtraffic destined to CPU. This function is achieved by downloading blacklist ACL configurations into hardware. 3) Support rate limiting traffic based on screened traffic. This function is achieved by downloading configuration of rate into hardware. ( FRU_PRS.1, FRU_RSA.1, FDP_IFC.1, FDP_IFF.1) 7.1.8Security Management The TOE offers management functionality for its security functions, where appropriate. This is partially already addressed in more detail in the previous sections of the TSS, but includes: • User management, including user name, passwords, etc. Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 55 • Access control management, including the association of users and corresponding privileged functionalities. • Enabling/disabling of SSH for the communication between LMT clients and the TOE. • Defining IP addresses and address ranges for clients that are allowed to connect to the TOE. All of these management options are typically available via the LMT GUI. Detailed function specification include following: 1) Support Local configuration through console port. Parameters include console port baudrate, data bit, parity, etc; 2) Support configuration for authentication and authorization on user logging in via console port; 3) Support configuration for authentication mode and authorization mode on user logging in via console port; 4) Support remotely managing the TOE using SSH. 5) Support enabling, disabling S-FTP; 6) Support configuration on service port for SSH; 7) Support configuration on RSA key for SSH; 8) Support configuration on authentication type, encryption algorithm for SSH; 9) Support authenticate user logged in using SSH, by password authentication, RSA authentication, or combination of both; 10) Support configuration on logout when no operation is performed on the user session within a given interval; 11) Support configuration on max attempts due to authentication failure within certain period of time; 12) Support configuration on limiting access by IP address; 13) Support configuration on commands’ access level; 14) Support management on OSPF by enabling, disabling OSPF; 15) Support configuration on area, IP address range, authentication type of OSPF; 16) Support managementon BGP by enabling, disabling BGP; 17) Support configuration on peer address, authentication type of BGP; 18) Support management on ARP by specifying static ARP entry, aging time and frequency of dynamical ARP entry. This function is achieved by interpreting commands input and storing value in memory. 19) Support management on log by enabling, disabling log output; 20) Support configuration on log output channel, output host; 21) Support configuration ACLs based on IP protocol number, source and/or destination IP address, source and/or destination port number if TCP/UDP; 22) Support enabling, disabling SNMP Agent and Trap message sending function; Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 56 23) Support enabling, disabling the switch to Send an Alarm Message of a Specified Feature to the NM Station; 24) Support setting the Source Interface, Queue Length and Lifetime of Trap message; 25) Support enabling, disabling STP function. Above functions are achieved by providing interpreting input commands and storing result of interpreting in memory. Some results like routes generated, ACLs will be downloaded into hardware to assist forwarding and other TSF functions. (FMT_SMF.1, FTP_TRP.1) 7.1.9 Cryptographic functions Cryptographic functions are required by security features as dependencies. The following cryptographic algorithms are supported: 1) Support AES256/RSA algorithms. This is achieved by providing implementations of AES256/RSA algorithms. 2) Support HMAC-SHA algorithms. This is achieved by providing implementations of HMAC-SHA algorithms. 3) Support for RSA key destruction overwriting it with 0 (FCS_COP.1, FCS_CKM.4) 7.1.10Time The TOE supports its own clock, to support logging and timed log-outs. (FPT_STM.1, FTA_SSL.3) 7.1.11 SNMP Trap The TOE uses SNMP traps to notify a fault occurs or the system does not operate properly. 1) Support management on trap by enabling, disabling trap output; 2) Support configuration on trap output interface, output host; 3) Support configuration on trap based on fault categories, fault functionality, or modules where the faults occur. 4) Support SNMPv3 which provides: a) Encrypted communication using AES algorithm. b) Packet authentication using MD5 algorithms Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 57 (FPT_STM.1, FDP_DAU.1) 7.1.12 STP The TOE supports Spanning Tree Protocol(STP) to cut offthe potential loops on the network and provide Link redundancy. 1) Support blocking a certain interface to prevent replication and circular propagation of packets on the network. 2) Support sending configuration BPDUs and Hello packets to detect link faults with a certain time. 3) Support delay for interface status transition to prevent transient loops. 4) Support configuration on max aging time to specifies the aging time of BPDUs, (FRU_FLT.1, FPT_FLS.1) 8 Abbreviations, Terminology and References 8.1 Abbreviations ACL Access Control List CC Common Criteria CLI Command Line Interface GUI Graphical User Interface LMT Local Maintenance Terminal LPU Line Process Unit MCU Main Control Unit NTP Network Time Protocol PP Protection Profile RMT Remote Maintenance Terminal SFR Security Functional Requirement SFU Switching Fabric Unit SNMP Simple Network Management Protocol SPU Service Process Unit SRU Switch Router Unit Huawei SSeries Ethernet SwitchesV200R008 Security Target Huawei Technologies Co., Ltd. Page 58 ST Security Target STP Spanning-Tree Protocol TOE Target of Evaluation TSF TOE Security Functions VP Virtual Path VRP Versatile Routing Platform 8.2 Terminology This section contains definitions of technical terms that are used with a meaning specific to this document. Terms defined in the [CC] are not reiterated here, unless stated otherwise. Administrator: An administrator is a user of the TOE who may have been assigned specific administrative privileges within the TOE. This ST may use the term administrator occasionally in an informal context, and not in order to refer to a specific role definition – from the TOE’s point of view, an administrator is simply a user who is authorized to perform certain administrative actions on the TOE and the objects managed by the TOE. User: A user is a human or a product/application using the TOE. 8.3 References [CC] Common Criteria for Information Technology Security Evaluation. Part 1-3. September 2012. Version 3.1 Revision 4. [CEM] Common Methodology for Information Technology Security Evaluation. September 2012. Version 3.1 Revision 4.