National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
Brocade Communications Systems, Inc. VDX Product Series
Report Number: CCEVS-VR-VID10579-2014
Dated: 11 July 2014
Version: 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6940
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940
®
TM
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
ii
ACKNOWLEDGEMENTS
Validation Team
Jerome Myers
The Aerospace Corporation
Jean Petty
The MITRE Corporation
Common Criteria Testing Laboratory
Leidos Inc. (formerly SAIC, Inc.)
Columbia, MD
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
iii
Table of Contents
1 Executive Summary....................................................................................................1
1.1 Evaluation Details.................................................................................................1
1.2 Interpretations .......................................................................................................2
1.3 Threats...................................................................................................................2
1.4 Organizational Security Policies...........................................................................3
2 Identification...............................................................................................................3
3 Security Policy............................................................................................................3
3.1 Security Audit.......................................................................................................3
3.2 Cryptographic Support..........................................................................................3
3.3 User Data Protection.............................................................................................3
3.4 Identification & Authentication............................................................................3
3.5 Security Management ...........................................................................................4
3.6 Protection of the TOE’s Security Functions .........................................................4
3.7 TOE Access ..........................................................................................................4
3.8 Trusted Path/Channels ..........................................................................................4
4 Assumptions................................................................................................................4
4.1 Clarification of Scope ...........................................................................................4
5 Architectural Information ...........................................................................................5
6 Documentation............................................................................................................6
7 Product Testing...........................................................................................................6
7.1 Developer Testing.................................................................................................6
7.2 Evaluation Team Independent Testing .................................................................7
7.3 Penetration Testing ...............................................................................................8
8 Evaluated Configuration.............................................................................................8
9 Results of the Evaluation ............................................................................................9
10 Validator Comments/Recommendations ....................................................................9
11 Annexes.....................................................................................................................10
12 Security Target..........................................................................................................10
13 Bibliography .............................................................................................................10
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
List of Tables
Table 1 – Evaluation Details.................................................................................................. 1
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
1
1 Executive Summary
The evaluation of the Brocade Communications Systems, Inc. VDX Product Series with Network OS
3.0.1a5 was performed by Leidos Inc. (formerly Science Applications International Corporation)
Common Criteria Testing Laboratory (CCTL) in Columbia, Maryland, United States of America and was
completed in July 2014. The evaluation was conducted in accordance with the requirements of the
Common Criteria and Common Methodology for IT Security Evaluation (CEM), version 3.1 and
assurance activities specified in Protection Profile for Network Devices, Version 1.1, 8 June 2012. The
evaluation was consistent with National Information Assurance Partnership (NIAP) Common Criteria
Evaluation and Validation Scheme (CCEVS) policies and practices as described on their web site
(www.niap-ccevs.org).
The Leidos evaluation team determined that the product is conformant to Protection Profile for Network
Devices, Version 1.1, 8 June 2012. The information in this Validation Report is largely derived from the
Assurance Activities Report (AAR) and associated test reports produced by the Leidos evaluation team.
This Validation Report is not an endorsement of the Target of Evaluation by any agency of the U.S.
government, and no warranty is either expressed or implied.
The VDX Product Series comprises the VDX 6710-54, VDX 6720-24, VDX 6720-60, VDX 6730-32,
VDX 6730-76, VDX 8770-4 and VDX 8770-8 switch/router devices, each running Brocade’s Network
Operating System (NOS)—v3.0.1a5 in the evaluated configuration.
The VDX switch/routers, in the context of the evaluation, are network devices that provide a secure base
(comprising auditing, cryptographic support for network communications and update integrity, user
identification and authentication, and secure management) for operational functions related to switching
and routing IP network traffic.
The products, when configured as specified in the guidance documentation, satisfy all of the security
functional requirements stated in the Brocade Communications Systems, Inc. VDX Product Series
Security Target (ST).
1.1 Evaluation Details
Table 1 – Evaluation Details
Evaluated Product: VDX Product Series with NOS 3.0.1a5, including the following
series Hardware Platforms: VDX 6710-54, VDX 6720-24, VDX
6720-60, VDX 6730-32, VDX 6730-76, VDX 8770-4 and VDX
8770-8.
Sponsor: Brocade Communications Systems, Inc.
130 Holger Way
San Jose, CA 95134
Developer: Brocade Communications Systems, Inc.
130 Holger Way
San Jose, CA 95134
CCTL: Leidos Inc. (formerly Science Applications International
Corporation)
6841 Benjamin Franklin Drive
Columbia, MD 21046
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
2
Kickoff Date: 6 June 2014
Completion Date: 11 July 2014
CC: Common Criteria for Information Technology Security
Evaluation, Version 3.1, Revision 3, July 2009.
Interpretations: None
CEM: Common Methodology for Information Technology Security
Evaluation: Evaluation Methodology, Version 3.1, Revision 3,
July 2009.
Evaluation Class: None
Description: The TOE provides a secure base, comprising auditing,
cryptographic support for network communications and update
integrity, user identification and authentication, and secure
management, for operational functions related to switching and
routing IP network traffic.
Disclaimer: The information contained in this Validation Report is not an
endorsement of the Brocade Communications Systems, Inc. VDX
Product Series by any agency of the U.S. Government and no
warranty of the product is either expressed or implied.
PP: Protection Profile for Network Devices, Version 1.1, 8 June 2012
Evaluation Personnel: Leidos Inc.
Anthony J. Apted
Dawn Campbell
Validation Body: National Information Assurance Partnership CCEVS
1.2 Interpretations
Not applicable.
1.3 Threats
The ST identifies the following threats that the TOE and its operational environment are intended to
counter:
• An administrator may unintentionally install or configure the TOE incorrectly, resulting in
ineffective security mechanisms.
• Security mechanisms of the TOE may fail, leading to a compromise of the TSF.
• A user may gain unauthorized access to the TOE data and TOE executable code. A malicious
user, process, or external IT entity may masquerade as an authorized entity in order to gain
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
3
unauthorized access to data or TOE resources. A malicious user, process, or external IT entity
may misrepresent itself as the TOE to obtain identification and authentication data.
• A malicious party attempts to supply the end user with an update to the product that may
compromise the security features of the TOE.
• Malicious remote users or external IT entities may take actions that adversely affect the security
of the TOE. These actions may remain undetected and thus their effects cannot be effectively
mitigated.
• User data may be inadvertently sent to a destination not intended by the original sender.
1.4 Organizational Security Policies
The ST identifies the following organizational security policy that the TOE and its operational
environment are intended to fulfill:
• The TOE shall display an initial banner describing restrictions of use, legal agreements, or any
other appropriate information to which users consent by accessing the TOE.
2 Identification
The evaluated product is Brocade Communications Systems, Inc. VDX Product Series with NOS
3.0.1a5.
3 Security Policy
The TOE enforces the following security policies as described in the ST.
Note: Much of the description of the security policy has been derived from the Brocade
Communications System, Inc. VDX Product Series Security Target and Final ETR.
3.1 Security Audit
The TOE is designed to be able to generate logs for a wide range of security relevant events. The TOE
can be configured to store the logs locally so they can be accessed by an authorized TOE User and also to
send the logs to a designated log server using TLS to protect the logs on the network.
3.2 Cryptographic Support
The TOE includes a FIPS-certified cryptographic module that provides key management, random bit
generation, encryption/decryption, digital signature and secure hashing and key-hashing features in
support of higher level cryptographic protocols (SSH and TLS).
3.3 User Data Protection
The TOE performs a wide variety of network switching and routing functions, passing network traffic
among its various network connections. While implementing applicable network protocols associated
with network traffic routing, the TOE is carefully designed to ensure that it does not inadvertently reuse
data found in network traffic. This is accomplished primarily by controlling the size of all buffers, fully
overwriting buffer contents, and zero-padding of memory structures and buffers when necessary.
3.4 Identification & Authentication
The TOE requires users to be identified and authenticated before they can use functions mediated by the
TOE, with the exception of passing network traffic in accordance with its configured switching/routing
rules.
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
4
3.5 Security Management
The TOE provides a Command Line Interface (CLI) to access the security management functions used to
configure and manage its security functionality. Security management commands are limited to
authorized users and available only after they have provided acceptable user identification and
authentication data to the TOE.
3.6 Protection of the TOE’s Security Functions
The TOE implements a number of features designed to protect itself to ensure the reliability and integrity
of its security features.
It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not
accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable
time information is available (e.g., for log accountability).
The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes
mechanisms (i.e., verification of the digital signature of each new image) so that the TOE itself can be
updated while ensuring that the updates will not introduce malicious or other unexpected changes in the
TOE.
3.7 TOE Access
The TOE can be configured to display an informative banner when an administrator establishes an
interactive session and subsequently will enforce an administrator-defined inactivity timeout value after
which the inactive session (local or remote) will be terminated.
3.8 Trusted Path/Channels
The TOE protects interactive communication with administrators using SSHv2 for CLI access, ensuring
both integrity and disclosure protection. If the negotiation of an encrypted session fails or if the user does
not have authorization for remote administration, an attempted connection will not be established.
The TOE protects communication with external audit servers using TLS connections to prevent
unintended disclosure or modification of logs. SSH v2 is used to support SCP which the TOE uses for
secure download of TOE updates.
4 Assumptions
The ST identifies the following assumptions about the use of the product:
• It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user
applications) available on the TOE, other than those services necessary for the operation,
administration and support of the TOE.
• Physical security, commensurate with the value of the TOE and the data it contains, is assumed to
be provided by the environment.
• TOE Administrators are trusted to follow and apply all administrator guidance in a trusted
manner.
4.1 Clarification of Scope
All evaluations (and all products) have limitations, as well as potential misconceptions that need
clarifying. This text covers some of the more important limitations and clarifications of this evaluation.
Note that:
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
5
1. As with any evaluation, this evaluation only shows that the evaluated configuration meets the
security claims made, with a certain level of assurance (the assurance activities specified in
Protection Profile for Network Devices and performed by the evaluation team).
2. This evaluation covers only the specific device models and software version identified in this
document, and not any earlier or later versions released or in process.
3. This evaluation did not specifically search for, nor attempt to exploit, vulnerabilities that were not
“obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an “obvious”
vulnerability as one that is easily exploited with a minimum of understanding of the TOE,
technical sophistication and resources.
5 Architectural Information
This section provides a high level description of the TOE and its components as described in the Security
Target and guidance documentation.
The TOE consists of a hardware appliance with embedded software installed on a management processor.
The embedded software is a version of Brocade’s proprietary Multiservice Network Operating System
(NOS). The NOS controls the switching and routing of network frames and packets among the
connections available on the hardware appliance.
All TOE appliances are configured at the factory with default parameters and an admin and user account
with default passwords. Users must login to access the system’s basic features through its Command
Line Interface (CLI). However, the product should be configured in accordance with the evaluated
configuration prior to being placed into operation. The CLI is a text based interface which is accessible
from a directly connected terminal or via a remote terminal using SSH.
The VDX 6710 switch is a fixed port switch with 48 1-Gigabit Ethernet copper interfaces and six 10
Gigabit Ethernet SFP+ interfaces. The VDX 6720 switches are also fixed port switches with either 24 10-
Gigabit LAN ports or 60 10-Gigabit LAN ports, depending on the model. The VDX 6730 switch is a 10-
Gigabit Ethernet fixed port switch with LAN and native Fibre Channel ports. Depending on the model, it
either provides 24 10-Gigabit Ethernet LAN ports and eight 8-Gbps native Fibre Channel ports, or 60 10-
Gigabit Ethernet LAN ports and 16 8-Gbps native Fibre Channel ports. The 6710, 6720 and 6730
hardware platforms that support the TOE have a number of common hardware characteristics:
• A system motherboard that features a Reduced Instruction Set Computer (RISC) CPU running at
1.3 GHz with integrated peripherals
• Extensive diagnostics and system-monitoring capabilities for enhanced high Reliability,
Availability, and Serviceability (RAS)
• A USB port for firmware upgrades and system log downloads
• Support for long-range and short-range SFP+ 10-Gigabit Ethernet transceivers
The VDX 8770-4 switch provides up to 192 10-Gigabit Ethernet or 1 Gigabit Ethernet external ports or
48 40-Gigabit Ethernet external ports, while the VDX 8770-8 switch provides up to 384 10-Gigabit
Ethernet or 1 Gigabit external ports or 96 40-Gigabit Ethernet external ports. The 8770 hardware
platforms that support the TOE have a number of common hardware characteristics:
• Dual, redundant management modules
• Serial (console), Ethernet, and USB connections for management modules (though only Brocade-
branded USB devices are supported)
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
6
• Support for short-range and long-range 1 Gbps SFP transceivers
• Support for short-range and long range 10 Gbps SFP+ transceivers
• Support for 40 Gbps QSFP transceivers
During normal operation, IP packets are sent to the management IP address or through the appliance over
one or more of its physical network interfaces, which processes them according to the system’s
configuration and state information dynamically maintained by the appliance. This processing typically
results in the frames or packets being forwarded out of the device over another interface, or dropped in
accordance with a configured policy.
6 Documentation
6.1 Product Guidance
The guidance documentation examined during the course of the evaluation and delivered with the TOE is
as follows:
• Network OS Administrator’s Guide—Supporting Network OS v3.0.1a5, 28 March 2013
• Network OS Command Reference—Supporting Network OS v3.0.1a5, 28 March 2013
• Network OS Message Reference—Supporting Network OS v3.0.1a5, 17 December 2012
• Brocade VDX 6710-54 Hardware Reference Manual, 10 August 2012
• Brocade VDX 6710-54 QuickStart Guide, 10 August 2012
• Brocade VDX 6720 Hardware Reference Manual, 16 May 2012
• Brocade VDX 6720 QuickStart Guide, 15 December 2011
• Brocade VDX 6730 Hardware Reference Manual, 16 May 2012
• Brocade VDX 6730 QuickStart Guide, 30 September 2011
• Brocade VDX 8770-4 Hardware Reference Manual, 21 September 2012
• Brocade VDX 8770-4 QuickStart Guide, 22 August 2012
• Brocade VDX 8770-8 Hardware Reference Manual, 21 September 2012
• Brocade VDX 8770-8 Hardware Reference Manual, 22 August 2012.
7 Product Testing
This section describes the testing efforts of the Evaluation Team. It is derived from information contained
in the following:
• Evaluation Team Test Report for Brocade Communications Systems, Inc. VDX 6730
• Evaluation Team Test Report for Brocade Communications Systems, Inc. VDX 8770.
7.1 Developer Testing
The assurance activities in the Protection Profile for Network Devices do not specify any requirement for
developer testing of the TOE.
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
7
7.2 Evaluation Team Independent Testing
The evaluation team devised a Test Plan based on the Testing Assurance Activities specified in the
Protection Profile for Network Devices. The Test Plan described how each test activity was to be
instantiated within the TOE test environment. The evaluation team executed the tests specified in the Test
Plan and documented the results in the Team Test Report for Brocade Communications Systems,
Inc.VDX 6730 and Team Test Report for Brocade Communications Systems, Inc. VDX 8770. Tests were
executed on the following sample of platforms claimed in the ST:
• VDX 6730-76—the other VDX 67xx platforms included in the TOE are functionally equivalent.
They share a common underlying processor architecture and run the same firmware image. The
only differences are related to the number and type of external network connectors.
• VDX 8770-8—the VDX 8770-4 device included in the TOE is functionally equivalent. The same
firmware image is executed on both platforms and the only differences are in the number of ports.
Testing was conducted the week of May 20, 2013 at the vendor’s facility in San Jose, CA. The developer
assisted during the testing phase. The testing demonstrated the TOE satisfies the security functional
requirements specified in the Protection Profile for Network Devices.
The testing performed by the evaluation team is summarized as follows:
• The evaluation team confirmed the TOE’s ability to generate the audit events specified in the ST
• The evaluation team confirmed the TOE’s ability to establish a trusted channel with an external
audit server and transfer audit records to the audit server via the trusted channel
• The evaluation team confirmed the TOE supports RSA for public key authentication and
password-based authentication over SSH
• The evaluation confirmed the TOE drops an SSH connection if it receives a packet over 256K
bytes in length
• The evaluation team confirmed the TOE supports SSH connections using AES-CBC-128 and
AES-CBC-256
• The evaluation team confirmed the TOE does not support DH Group 1 and that it does support
DH Group 14
• The evaluation team confirmed the TOE supports each of the TLSv1.0 ciphersuites specified in
the ST
• The evaluation team confirmed the TOE supports the specified password composition
requirements, including the specified minimum length
• The evaluation team confirmed the TOE provides only obscured feedback when authentication
information is entered at the local console
• The evaluation team confirmed, for all supported methods of administrator access, the TOE
allows access to the CLI when the correct authentication credentials are provided, and denies
access when incorrect credentials are provided, and that the services available without
authentication are as specified in the ST
• The evaluation team confirmed the time could be set by the administrator and synchronized using
an external NTP server. Note, the ST does not make any claims about using cryptographic
protocols to protect the connection to the NTP server, so testing with the NTP server occurred
only over TCP/IP
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
8
• The evaluation team confirmed a legitimate update could be installed successfully on the TOE
and that an illegitimate update was rejected
• The evaluation team confirmed the TOE terminated a remote interactive session after the
configured period of inactivity had elapsed. The evaluation team used values of 2, 5, and 8
minutes
• The evaluation team confirmed the user was able to terminate both an interactive local session at
the TOE console and a remote interactive session over the SSH-provided trusted path
• The evaluation team confirmed the TOE terminated a local interactive session after the
configured period of inactivity had elapsed. The evaluation team used values of 2, 5, and 8
minutes. Note that the TOE terminates a local interactive session after the inactivity time period
has elapsed, rather than locking the session. This is consistent with the selection made in
FTA_SSL_EXT.1.1 in the ST
• The evaluation team confirmed the TOE displayed a configured notice and consent warning
message for each method of access supported by the TOE, i.e., local interactive console, remote
interactive SSH using password authentication, and remote interactive SSH using public-key
authentication
• The evaluation team confirmed the TOE was able to establish a trusted channel with an external
syslog server using TLSv1.0. Testing additionally demonstrated the trusted channel was
established with the appropriate cryptographic protocol and algorithms to ensure channel data
was not sent in plaintext and modification of channel data would be detected by the TOE. A test
was also performed to physically interrupt the connection between the TOE and the external
syslog server and to verify that communications remained protected when connectivity was
restored
• The evaluation team confirmed the only method of remote administration for the TOE is via
SSH—the evaluation team did not identify any interface that could be used to establish a remote
administrative session without invoking the trusted path. Testing additionally demonstrated the
trusted path was established with the appropriate cryptographic protocol and algorithms to ensure
channel data was not sent in plaintext and modification of channel data would be detected by the
TOE.
7.3 Penetration Testing
The evaluation team conducted an open source search for vulnerabilities in the product. The open source
search did not identify any vulnerabilities applicable to the TOE in its evaluated configuration, but did
identify a vulnerability related to another Brocade product (BigIron). The evaluation team outlined a test
for determining if the TOE was susceptible, but analysis of the vulnerability (bypassing ACL rules by
using 179 as the source port of a packet) determined it was not relevant as it represents a vulnerability in a
TOE capability (packet filtering) that was not subject to evaluation.
8 Evaluated Configuration
The evaluated version of the TOE is Brocade Communication Systems, Inc. VDX Product Series with
NOS 3.0.1a5, including the following series Hardware Platforms:
• VDX 6710-54
• VDX 6720-24
• VDX 6720-60
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
9
• VDX 6730-32
• VDX 6730-76
• VDX 8770-4
• VDX 8770-8.
9 Results of the Evaluation
The evaluation was conducted based upon the assurance activities specified in Protection Profile for
Network Devices, Version 1.1, 8 June 2012 (NDPP), in conjunction with version 3.1, revision 3 of the CC
and the CEM. A verdict for an assurance component is determined by the resulting verdicts assigned to
the corresponding evaluator action elements. The evaluation team assigned a Pass, Fail, or Inconclusive
verdict to each work unit of each assurance component. For Fail or Inconclusive work unit verdicts, the
evaluation team advised the developer of issues requiring resolution or clarification within the evaluation
evidence. In this way, the evaluation team assigned an overall Pass verdict to the assurance component
only when all of the work units for that component had been assigned a Pass verdict.
The validation team’s assessment of the evidence provided by the evaluation team is that it demonstrates
that the evaluation team performed the assurance activities in the NDPP, and correctly verified that the
product meets the claims in the ST.
The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled
by the Leidos CCTL. The security assurance requirements are listed in the following table.
TOE Security Assurance Requirements
Assurance Component ID Assurance Component Name
ADV_FSP.1 Basic functional specification
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ALC_CMC.1 Labeling of the TOE
ALC_CMS.1 TOE CM coverage
ATE_IND.1 Independent testing - conformance
AVA_VAN.1 Vulnerability survey
10 Validator Comments/Recommendations
The validators suggest that the consumer pay particular attention to the evaluated configuration of the
device(s). In order to remain CC compliant, the device(s) must first be configured into FIPS mode, then
into Common Criteria mode as specified in the Brocade FIPS Configuration Manual. Note that the
product includes FIPS validated cryptographic algorithms.
Please note that the functionality evaluated is scoped exclusively to the security functional requirements
specified in the Security Target. Other functionality included in the product was not assessed as part of
this evaluation. Please note further that certain network related functionality is excluded from the
VALIDATION REPORT
Brocade Communications Systems, Inc. VDX Product Series
10
approved configuration and that some networking functions relative to the devices were not tested, nor are
any claims made relative to their security.
The product contains more functionality than was covered by the evaluation. Only the functionality
implemented by the SFR’s within the Security Target was evaluated. All other functionality provided by
the devices needs to be assessed separately and no further conclusions can be drawn about their
effectiveness.
11 Annexes
Not applicable.
12 Security Target
The ST for this product’s evaluation is Brocade Communications Systems, Inc. VDX Product Series
Security Target, Version 1.0, 3 April 2014.
13 Bibliography
1. Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and
general model, Version 3.1, Revision 4, September 2012, CCMB-2012-09-001.
2. Common Criteria for Information Technology Security Evaluation – Part 2: Security functional
requirements, Version 3.1, Revision 4, September 2012, CCMB-2012-09-002.
3. Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance
requirements, Version 3.1, Revision 4, September 2012, CCMB-2012-09-003.
4. Common Methodology for Information Technology Security: Evaluation Methodology, Version
3.1, Revision 4, September 2012, CCMB-2012-09-004.
5. Protection Profile for Network Devices, Version 1.1, 8 June 2012.
6. Brocade Communications Systems, Inc. VDX Product Series Security Target, Version 1.0, 3
April 2014.