
Ciena Carrier Ethernet Solutions 3900/5100 Series

Supplemental Administrative Guidance Version 1.0

December 18, 2015

Ciena Corporation

7035 Ridge Road

Hanover, MD 21076

Prepared By:

Cyber Assurance Testing Laboratory

900 Elkridge Landing Road, Suite 100

Linthicum, MD 21090


Contents

1 Introduction
2 Intended Audience
3 Terminology
4 References
5 Evaluated Configuration of the TOE
  5.1 TOE Components
  5.2 Supporting Environmental Components
  5.3 Assumptions
  5.4 Communications Protocols and Services
6 Secure Acceptance, Installation, and Configuration
  6.1 Enable Logging
  6.2 Set up the SSH Server
  6.3 Set up the SFTP Client
  6.4 Set up the SFTP Server
  6.5 Enable FIPS Mode
  6.6 Configuring SSH Algorithms
  6.7 In-Band Management Configuration
7 Secure Management of the TOE
  7.1 Authenticating to the TOE
  7.2 User Lockout
  7.3 Managing Users
  7.4 Password Management
  7.5 Login Banner
  7.6 Session Termination
    7.6.1 Admin Logout
    7.6.2 Termination from Inactivity
  7.7 System Time Configuration
  7.8 Secure Updates
8 Auditing
  8.1 Audit Storage
9 SFR Assurance Activities
10 Operational Modes
11 Additional Support

Table of Tables

Table 5-1: TOE Models
Table 5-2: Supporting Environmental Components
Table 8-1: NDPP Auditable Events


1 Introduction

Ciena Carrier Ethernet Solutions 3900/5100 Series is a network switch that receives data from an external source and forwards that data to one or many ports. Carrier Ethernet provides a way to deliver Ethernet services across many networks while providing bandwidth management. CES operates on quality-of-service (QoS) capabilities and virtual switching functions to deliver different amounts of data to various ports. CES also contains next-generation Ethernet features that transport different Ethernet services through fiber or copper connections. The Target of Evaluation (TOE) is the general network device functionality (I&A, auditing, security management, trusted communications, etc.) of the switch, consistent with the claimed Protection Profile.

2 Intended Audience

This document is intended for administrators responsible for installing, configuring, and/or operating CES devices. Guidance provided in this document allows the reader to deploy the product in an environment that is consistent with the configuration that was evaluated as part of the product’s Common Criteria (CC) testing process. It also provides the reader with instructions on how to exercise the security functions that were claimed as part of the CC evaluation.

The reader is expected to be familiar with the Security Target for Ciena Carrier Ethernet Solutions 3900/5100 Series version 6.14 and the general CC terminology that is referenced in it. This document references the Security Functional Requirements (SFRs) that are defined in the Security Target document and provides instructions for how to perform the security functions that are defined by these SFRs. The CES product as a whole provides a great deal of security functionality but only those functions that were in the scope of the claimed PP are discussed here. Any functionality that is not described here or in the Ciena Carrier Ethernet Solutions 3900/5100 Series Security Target was not evaluated and should be exercised at the user’s risk.

3 Terminology

In reviewing this document, the reader should be aware of the terms listed below. These terms are also described in the Ciena Carrier Ethernet Solutions 3900/5100 Series Security Target.

CC: stands for Common Criteria. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that is commensurate with the target environment for use.

SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part of the CC process.

TOE: stands for Target of Evaluation. This refers to the aspects of the Ciena Carrier Ethernet Solutions 3900/5100 Series products that contain the security functions that were tested as part of the CC evaluation process.


4 References

The following security-relevant documents are included with the TOE. This is part of the standard documentation set that is provided with the product. Documentation that is not related to the functionality tested as part of the CC evaluation is not listed here.

[1] 39XX/51XX SAOS 6.14 Product Fundamentals - 009-3257-006
[2] 39XX/51XX SAOS 6.14 Administration and Security - 009-3257-006
[3] 39XX/51XX SAOS 6.14 Configuration - 009-3257-008
[4] 39XX/51XX SAOS 6.14 Command Reference - 009-3257-010
[5] Hardware Installation and Start-up Manuals – names vary based on individual hardware models, reference [1] for the full list
[6] 39XX/51XX SAOS 6.14 System Event Reference - 009-3257-024
[7] 39XX/51XX SAOS 6.14 Advanced Ethernet Configuration - 009-3257-040
[8] 39XX/51XX SAOS 6.14 Fault, Logging, and Performance Management - 009-3257-009
[9] 39XX/51XX SAOS 6.14 Advanced OAM Configuration - 009-3257-044
[10] 39XX/51XX SAOS 6.14 Software Management and Licensing - 009-3257-018
[11] 39XX/51XX SAOS 6.x Planning, Engineering, and Ordering Guide - 009-3299-029

The following document was created in support of the Ciena Carrier Ethernet Solutions 3900/5100 Series CC evaluation:

[12] Ciena Carrier Ethernet Solutions 3900/5100 Series Common Criteria Security Target

5 Evaluated Configuration of the TOE

This section lists the components that have been included in the TOE’s evaluated configuration, whether they are part of the TOE itself, environmental components that support the security behavior of the TOE, or non-interfering environmental components that were present during testing but are not associated with any security claims:

5.1 TOE Components

The TOE is a family of standalone network appliances. Each model of the TOE can run independently and all models have the same SAOS 6.14 software. The only security-relevant differences between the models are the processor type used and the presence or absence of a local Ethernet management port. There is no functional difference in the behavior of each model based on the processor type; this only affects how the SAOS 6.14 software image was built and is transparent to an administrator of the TOE. The presence or absence of a dedicated Ethernet management port similarly does not affect the ability to administer the TOE, but it does require remote administration to be performed in-band through a data plane interface if no dedicated interface exists.


| Platform | 3903 / 3904 / 3905 | 3916 | 3930-900/910 | 3931-900/910 | 3932 / 3930-930 | 3938 (Smart NID) | 3942 | 5142 | CN 5150 | 5160 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1G/10G RJ-45 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 0 |
| 1G/10G SFP+ | 0 | 0 | 2 | 2 | 2 | 2 | 4 | 4 | 0 | 24 |
| 10/100/1000M RJ-45 | 0 | 0 | 0 | 4 | 0 | 8 | 0 | 0 | 0 | 0 |
| 100M/1G SFP | 2 | 4 | 4 | 4 | 4 | 8 | 0 | 20 | 48 | 0 |
| XFP | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 |
| Combo RJ-45/SFP | 3903 - 1, 3904 - 2, 3905 - 2 | 2 | 4 | 0 | 4 | 0 | 20 | 0 | 0 | 0 |
| CPU | 2x800 MHz ARM Cortex A9 | 2x500 MHz Cavium 5220 | 4x600 MHz Cavium 5230 | 2x600 MHz Cavium 5220 | 4x600 MHz Cavium 5230 | 6x1 GHz Cavium 6335 | 4x1 GHz Cavium 6230 | 6x1 GHz Cavium 6335 | 4x600 MHz Cavium 5230 | 6x1 GHz Cavium 6335 |
| Ethernet Management Port | N | N | Y | N | Y | Y | Y | Y | Y | Y |
| Power Options | AC, DC | AC, DC | AC, DC (modular) | AC, DC (modular) | AC, DC (modular) | AC | AC, DC | AC, DC (modular) | AC, DC (modular) | AC, DC (modular) |

Table 5-1: TOE Models

Note that a more extensive description of each model is provided in [1] and in each individual manual referenced in [5].

5.2 Supporting Environmental Components

| Component | Definition |
|---|---|
| Audit Server | A file server running the secure file transfer protocol (SFTP) that is used by the TOE to securely transmit audit data to a remote storage location. |
| Management Workstation | Any general-purpose computer that is used by an administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client, or locally, in which case the management workstation must be physically connected to the TOE using the serial port and must use a terminal emulator that is compatible with serial communications. |
| NTP Server | A system that provides an authoritative and reliable source of time using network time protocol (NTP). |
| Update Server | A server running the secure file transfer protocol (SFTP) that is used as a location for storing product updates that can be transferred to the TOE. |

Table 5-2: Supporting Environmental Components

Note that switched traffic is not addressed by the security requirements of the claimed Protection Profile so the only use of data plane interfaces was to perform in-band management of the TOE.


5.3 Assumptions

In order to ensure the product is capable of meeting its security requirements when deployed in its evaluated configuration, the following conditions must be satisfied by the organization, as defined in the claimed Protection Profile:

No general purpose computing capabilities: The Ciena CES product must only be used for its intended purpose. General purpose computing applications, especially those with network-visible interfaces, may compromise the security of the product if introduced.

Physical security: The Ciena CES product does not claim any sort of physical tamper-evident or tamper-resistant security mechanisms. Therefore, it is necessary to deploy the product in a locked or otherwise physically secured environment so that it is not subject to untrusted physical modification.

Trusted administration: The Ciena CES product does not provide a mechanism to protect against the threat of a rogue or otherwise malicious administrator. Therefore, it is the responsibility of the organization to perform appropriate vetting and training for security administrators prior to granting them the ability to manage the product.

5.4 Communications Protocols and Services

In the evaluated configuration, the SSH protocol was tested for remote administration and secure transfer of audit data (which uses SSH as part of SFTP). The Telnet protocol is excluded from the evaluated configuration of the CES product because it does not provide security for data in transit. The product supports numerous communications protocols that were not considered to be part of the Target of Evaluation because they provide functionality that was outside the scope of the Security Target. These protocols are facilitated by processes on the CES device that support their implementation and include the following:

ARP
BFD
CFM
DHCP
DHCPv6
802.1X
GMPLS
ISIS
LDP
LLDP
MPLS
MSTP
NDP
NETCONF
NTP
OSPF
PBB-TE
PBT
RADIUS
RSTP
RSVP-TE
SNMP
TACACS

Information about the configuration and usage of these protocols can be found in the standard Ciena documentation for the product.

6 Secure Acceptance, Installation, and Configuration

Documentation for how to order and acquire the TOE is described in section 8 of [11]. This section also lists the physical part numbers that are associated with each model. When receiving delivery of a TOE model, this documentation should be checked as part of the acceptance procedures so that the correctness of the hardware can be verified. Additionally, [11] can be referenced for physical requirements such as power and environmental operating conditions in order to minimize the risk of compromise of TOE functionality due to an improper physical environment. The TOE comes with the SAOS operating system installed on it by default, but if additional validation is necessary, an administrator may acquire the software image separately from Ciena and perform a software upgrade to the known version.

Physical installation and first-time setup of the TOE can be accomplished by following the steps outlined in [5]. Regardless of the specific device being installed, the SAOS software is functionally identical so secure management for each device is described in the remainder of this document. Note that these steps can be performed using the initial default user account.

Upon the startup of the TOE, multiple Power-On Self Tests (POSTs) are run. The POSTs provide environmental monitoring of the TOE’s components, so that early warnings can prevent whole component failure. The following self-tests are performed:

Software integrity: the software is hashed and validated against a known SHA-256 value, which is in storage that can only be modified when a software update is performed.

Cryptographic module integrity: the cryptographic algorithm implementations are run through known answer tests to ensure they are operating properly.

Hardware integrity: the field-programmable gate arrays (FPGAs) and data plane hardware are tested for correct operation.

In the event that a self-test fails, the TOE will automatically reboot. If the TSF has been corrupted or the hardware has failed such that rebooting will not resolve the issue, an administrator (Admin or Super) will need to factory reset the TOE and/or replace the failed hardware component.

Once the TOE has fully booted, follow the steps in section 7.3 to change the password of the default user account. Now verify the version of software operating on the TOE by issuing a “system show” command and compare the displayed version to the expected version. If the version is not what is expected then follow the instructions in Section 7.8 to obtain and install the correct software image from Ciena.


Note that the syntax ‘config save’ and ‘configuration save’ are used interchangeably in the reference documentation. These are parsed by the TOE as identical and equivalent commands.

6.1 Enable Logging

In the evaluated configuration, all auditable events are logged by entering the following commands. Note that there is logging to flash and logging to RAM. The following shows the commands for flash.

1. Turn on logging to flash to the default filter:
2. log flash add filter default all-mgrs
3. log flash set filter default severity critical, major, minor, warning, config, info

6.2 Set up the SSH Server

To enable the SSH server for secure remote administration, enter the following commands:

1. ssh server key generate
2. ssh server enable
3. ssh server show
4. configuration save

6.3 Set up the SFTP Client

The TOE includes an SFTP client that must be set up in order to transfer audit data to a remote file server via SFTP. It is enabled using the following commands:

1. system security log transfer set sftp-server <IP address> login-id <username> echoless-password
2. Enter password for the desired username when prompted
3. system security log transfer set dest-path <desired destination path to transfer files>
4. system security log transfer show
5. system security log transfer now
6. system security log show
7. config save

The command ‘system security log transfer now’ can be used to initiate a transfer of all log files. If the connection is interrupted during a log transfer, the TOE will automatically continue the secure log transfer over SSH once the connection is re-established.

Note that this requires that the other end of the connection be a network-accessible SFTP server running on port 22 and that it is configured to support the SSH configuration.

6.4 Set up the SFTP Server

The SFTP server allows the TOE to securely accept software updates via SFTP. It is enabled using the following commands:

1. system server sftp enable
2. system server sftp show
3. configuration save


If the connection is interrupted during a software update download, the TOE will automatically continue the software update download over SSH once the connection is re-established.

6.5 Enable FIPS Mode

Enabling FIPS mode allows the TOE to use only approved cipher suites for SSH communications and to perform cryptographic self-tests on system startup. Note that when this mode is enabled, if any self-test fails during system startup, the system will not become operational. If this happens, the system is unusable and will have to be recovered and reloaded.

FIPS mode is enabled using the following commands:

1. system security set security-mode normal encryption-mode fips-140-2 software-signing-mode on
2. configuration save
3. chassis restart

Note: The TOE must be run in the FIPS mode of operation. The use of the cryptographic engine in any other mode was not evaluated nor tested during the CC evaluation of the TOE.

6.6 Configuring SSH Algorithms

The specific algorithms allowed by SSH in the evaluated configuration need to be enabled and the others disabled; otherwise users can log in with the wrong algorithms. The following SSH algorithms are supported in the evaluated configuration:

Key Exchange: diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
Encryption: aes128-cbc, aes256-cbc
MAC: hmac-sha1, hmac-sha2-256
Public Key Authentication: ssh-rsa

While the CES product supports several other cryptographic algorithms in support of SSH communications, these were not within the scope of the Security Target so they were not evaluated or tested during the CC testing for the product.

Disabling Algorithms for SSH:

The following show command provides information on the various algorithms supported for SSH. They include key-exchange, encryption, MAC and public key authentication algorithms.

3904> ssh server algorithm show
+------------------- SSH SERVER KEX ALGORITHM CONFIGURATION -------------------+
| Algorithm Name                         | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| [email protected]                      | 1        | Disabled    | Disabled   |
| ecdh-sha2-nistp256                     | 2        | Enabled     | Enabled    |
| ecdh-sha2-nistp384                     | 3        | Enabled     | Enabled    |
| ecdh-sha2-nistp521                     | 4        | Enabled     | Enabled    |
| diffie-hellman-group-exchange-sha256   | 5        | Disabled    | Disabled   |
| diffie-hellman-group-exchange-sha1     | 6        | Disabled    | Disabled   |
| diffie-hellman-group14-sha1            | 7        | Enabled     | Enabled    |
| diffie-hellman-group1-sha1             | 8        | Disabled    | Disabled   |
+----------------------------------------+----------+-------------+------------+
+--------------- SSH SERVER ENCRYPTION ALGORITHM CONFIGURATION ----------------+
| Algorithm Name                         | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| aes128-ctr                             | 1        | Disabled    | Disabled   |
| aes192-ctr                             | 2        | Disabled    | Disabled   |
| aes256-ctr                             | 3        | Disabled    | Disabled   |
| arcfour256                             | 4        | Disabled    | Disabled   |
| arcfour128                             | 5        | Disabled    | Disabled   |
| [email protected]                      | 6        | Disabled    | Disabled   |
| [email protected]                      | 7        | Disabled    | Disabled   |
| [email protected]                      | 8        | Disabled    | Disabled   |
| aes128-cbc                             | 9        | Enabled     | Enabled    |
| 3des-cbc                               | 10       | Disabled    | Disabled   |
| blowfish-cbc                           | 11       | Disabled    | Disabled   |
| cast128-cbc                            | 12       | Disabled    | Disabled   |
| aes192-cbc                             | 13       | Disabled    | Disabled   |
| aes256-cbc                             | 14       | Enabled     | Enabled    |
| arcfour                                | 15       | Disabled    | Disabled   |
| [email protected]                      | 16       | Disabled    | Disabled   |
+----------------------------------------+----------+-------------+------------+
+------------------- SSH SERVER MAC ALGORITHM CONFIGURATION -------------------+
| Algorithm Name                         | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| [email protected]                      | 1        | Disabled    | Disabled   |
| [email protected]                      | 2        | Disabled    | Disabled   |
| [email protected]                      | 3        | Disabled    | Disabled   |
| [email protected]                      | 4        | Disabled    | Disabled   |
| [email protected]                      | 5        | Disabled    | Disabled   |
| [email protected]                      | 6        | Disabled    | Disabled   |
| [email protected]                      | 7        | Disabled    | Disabled   |
| [email protected]                      | 8        | Disabled    | Disabled   |
| [email protected]                      | 9        | Disabled    | Disabled   |
| hmac-md5                               | 10       | Disabled    | Disabled   |
| hmac-sha1                              | 11       | Enabled     | Enabled    |
| [email protected]                      | 12       | Disabled    | Disabled   |
| [email protected]                      | 13       | Disabled    | Disabled   |
| hmac-sha2-256                          | 14       | Enabled     | Enabled    |
| hmac-sha2-512                          | 15       | Disabled    | Disabled   |
| hmac-ripemd160                         | 16       | Disabled    | Disabled   |
| [email protected]                      | 17       | Disabled    | Disabled   |
| hmac-sha1-96                           | 18       | Disabled    | Disabled   |
| hmac-md5-96                            | 19       | Disabled    | Disabled   |
+----------------------------------------+----------+-------------+------------+
+-------- SSH SERVER PUBLIC-KEY-AUTHENTICATION ALGORITHM CONFIGURATION --------+
| Algorithm Name                                    | Admin State | Oper State |
+---------------------------------------------------+-------------+------------+
| ssh-dss                                           | Disabled    | Disabled   |
| ssh-rsa                                           | Enabled     | Enabled    |
| ssh-ed25519                                       | Disabled    | Disabled   |
| ecdsa-sha2-nistp256                               | Disabled    | Disabled   |
| ecdsa-sha2-nistp384                               | Disabled    | Disabled   |
| ecdsa-sha2-nistp521                               | Disabled    | Disabled   |
+---------------------------------------------------+-------------+------------+

When FIPS mode is enabled, some of these are automatically disabled. Others need to be enabled or disabled manually in order to conform to the evaluated configuration defined in [12].

To enable/disable selected algorithms for the SSH server, the commands below can be used. Configuration of the SSH client uses the same syntax except that ‘client’ is used instead of ‘server’ in all cases.

Note that these commands represent sample syntax used to enable/disable arbitrarily chosen ciphers; consult [12] and any site-specific security policies you may have to use these commands to configure the product in a manner that is appropriate for your environment.

Enable/Disable Key Exchange Algorithms

Disabling Key-Exchange Algorithms

3942> ssh server algorithm kex disable algorithm <TAB>
[email protected]
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
3942> ssh server algorithm kex disable algorithm <algorithm>

Enabling Key-Exchange Algorithms

3942> ssh server algorithm kex enable algorithm <TAB>
[email protected]
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
3942> ssh server algorithm kex enable algorithm <algorithm>

Enable/Disable Encryption Algorithms

3942> ssh server algorithm encryption disable algorithm <TAB>
3des-cbc                [email protected]
aes128-cbc              arcfour
aes128-ctr              arcfour128
[email protected]       arcfour256
aes192-cbc              blowfish-cbc
aes192-ctr              cast128-cbc
aes256-cbc              [email protected]
aes256-ctr              [email protected]
3942> ssh server algorithm encryption disable algorithm 3des-cbc,aes128-cbc

3942> ssh server algorithm encryption enable algorithm <TAB>
3des-cbc                [email protected]
aes128-cbc              arcfour
aes128-ctr              arcfour128
[email protected]       arcfour256
aes192-cbc              blowfish-cbc
aes192-ctr              cast128-cbc
aes256-cbc              [email protected]
aes256-ctr              [email protected]
3942> ssh server algorithm encryption enable algorithm 3des-cbc,aes128-cbc

Enable/Disable MAC Algorithms

3942*> ssh server algorithm mac enable algorithm <TAB>
hmac-md5                [email protected]
hmac-md5-96             hmac-sha2-256
[email protected]       [email protected]
[email protected]       hmac-sha2-512
hmac-ripemd160          [email protected]
[email protected]       [email protected]
[email protected]       [email protected]
hmac-sha1               [email protected]
hmac-sha1-96            [email protected]
[email protected]
3942*> ssh server algorithm mac enable algorithm hmac-md5

3942*> ssh server algorithm mac disable algorithm <TAB>
hmac-md5                [email protected]
hmac-md5-96             hmac-sha2-256
[email protected]       [email protected]
[email protected]       hmac-sha2-512
hmac-ripemd160          [email protected]
[email protected]       [email protected]
[email protected]       [email protected]
hmac-sha1               [email protected]
hmac-sha1-96            [email protected]
[email protected]
3942*> ssh server algorithm mac disable algorithm hmac-md5

Enable/Disable Public Key Authentication Algorithms

3942*> ssh server algorithm public-key-authentication enable algorithm <TAB>
ecdsa-sha2-nistp256     ecdsa-sha2-nistp521     ssh-ed25519
ecdsa-sha2-nistp384     ssh-dss                 ssh-rsa
3942*> ssh server algorithm public-key-authentication enable algorithm ssh-dss

3942*> ssh server algorithm public-key-authentication disable algorithm <TAB>
ecdsa-sha2-nistp256     ecdsa-sha2-nistp521     ssh-ed25519
ecdsa-sha2-nistp384     ssh-dss                 ssh-rsa
3942*> ssh server algorithm public-key-authentication disable algorithm ssh-dss
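
The following is an added example, not part of Ciena's documentation: a Python check that parses captured ‘ssh server algorithm show’ output, compares the enabled algorithms with the evaluated list given in section 6.6, and produces the enable/disable commands in the syntax shown above. The function names and the sample output are constructed for illustration, and the MAC list uses hmac-sha2-256, the name that appears in the show output.

```python
import re

# Evaluated SSH algorithm set, copied from the list in section 6.6.
EVALUATED = {
    "kex": {"diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "encryption": {"aes128-cbc", "aes256-cbc"},
    "mac": {"hmac-sha1", "hmac-sha2-256"},
    "public-key-authentication": {"ssh-rsa"},
}

# Banner such as "+--- SSH SERVER KEX ALGORITHM CONFIGURATION ---+".
BANNER = re.compile(r"SSH SERVER (\S+) ALGORITHM CONFIGURATION")
# Data row: name, optional priority column, admin state, oper state.
ROW = re.compile(r"^\|\s*(\S+)\s*\|(?:\s*\d+\s*\|)?"
                 r"\s*(Enabled|Disabled)\s*\|\s*(Enabled|Disabled)\s*\|")

# Constructed sample (not captured from a device): a unit that has drifted
# from the evaluated configuration in four places.
SAMPLE_OUTPUT = """\
+------------------- SSH SERVER KEX ALGORITHM CONFIGURATION -------------------+
| Algorithm Name | Priority | Admin State | Oper State |
+----------------------------------------+----------+-------------+------------+
| ecdh-sha2-nistp256 | 2 | Enabled | Enabled |
| ecdh-sha2-nistp384 | 3 | Enabled | Enabled |
| ecdh-sha2-nistp521 | 4 | Enabled | Enabled |
| diffie-hellman-group14-sha1 | 7 | Enabled | Enabled |
| diffie-hellman-group1-sha1 | 8 | Enabled | Enabled |
--------------- SSH SERVER ENCRYPTION ALGORITHM CONFIGURATION ----------------+
| Algorithm Name | Priority | Admin State | Oper State |
| aes128-ctr | 1 | Disabled | Disabled |
| aes128-cbc | 9 | Enabled | Enabled |
| 3des-cbc | 10 | Enabled | Enabled |
| aes256-cbc | 14 | Disabled | Disabled |
+------------------- SSH SERVER MAC ALGORITHM CONFIGURATION -------------------+
| Algorithm Name | Priority | Admin State | Oper State |
| hmac-md5 | 10 | Disabled | Disabled |
| hmac-sha1 | 11 | Enabled | Enabled |
| hmac-sha2-256 | 14 | Enabled | Enabled |
+-------- SSH SERVER PUBLIC-KEY-AUTHENTICATION ALGORITHM CONFIGURATION --------+
| Algorithm Name | Admin State | Oper State |
| ssh-dss | Enabled | Disabled |
| ssh-rsa | Enabled | Enabled |
"""


def parse_show(text):
    """Return {category: {algorithm: (admin_state, oper_state)}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        banner = BANNER.search(line)
        if banner:
            current = banner.group(1).lower()
            tables[current] = {}
            continue
        row = ROW.match(line)
        if row and current is not None:
            tables[current][row.group(1)] = (row.group(2), row.group(3))
    return tables


def audit(text):
    """Compare parsed output with EVALUATED and build remediation commands."""
    tables = parse_show(text)
    report = {"missing_sections": [], "findings": {}, "commands": []}
    for category, allowed in EVALUATED.items():
        if category not in tables:
            # Fail closed: a section we could not read is never "compliant".
            report["missing_sections"].append(category)
            continue
        # Count an algorithm as active if either state column says Enabled,
        # so an admin-enabled entry is flagged even while oper-disabled.
        active = {name for name, states in tables[category].items()
                  if "Enabled" in states}
        extra = sorted(active - allowed)
        absent = sorted(allowed - active)
        if extra or absent:
            report["findings"][category] = {"disable": extra, "enable": absent}
        if extra:
            report["commands"].append(
                f"ssh server algorithm {category} disable algorithm "
                + ",".join(extra))
        if absent:
            report["commands"].append(
                f"ssh server algorithm {category} enable algorithm "
                + ",".join(absent))
    report["compliant"] = not (report["missing_sections"] or report["findings"])
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    print("compliant:", result["compliant"])
    for command in result["commands"]:
        print(command)
```

Review the generated commands against [12] and site policy before entering them, then follow with ‘configuration save’.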


6.7 In-Band Management Configuration

In order to perform remote administration of systems that lack a dedicated Management Ethernet Port, it is necessary to configure one or more data plane interfaces to direct traffic to the management plane of the TOE. This is known as in-band management. This section describes the steps required to enable remote administration on these systems, using a representative example that makes the following assumptions:

- DHCP is not used to obtain an IP address for the remote interface.

- The factory default IP address and subnet for the remote interface is 0.0.0.0:0.0.0.0. These values will be entered if the system is reset to factory defaults.

- The priority for the remote management interface defaults to 7 and is not configurable.

Ensure DHCP is disabled.

3942> dhcp client disable

Modify the remote management interface configuration.

3942> interface remote set {[ip], [vlan], [gateway]}

Note that you can change the IPv4 gateway in the same command line as the IP address to avoid loss of

connectivity due to mismatch between IP and gateway. If you specified a gateway IP address in the

previous command, skip to the last step.

Configure a default gateway.

3942> interface set gateway <IpAddress>

Validate that your changes were made.

3942> interface remote show

Save and complete the process.

3942> configuration save

7 Secure Management of the TOE

The following sections provide information on managing TOE functionality that is relevant to the claimed

Protection Profile. Note that this information is largely derived from [3] and [4], minus the specific

actions that are required as part of the ‘evaluated configuration’. The administrator is encouraged to

reference these documents in full in order to have in-depth awareness of the security functionality of the

CES product family, including functions that may be beyond the scope of this evaluation.

7.1 Authenticating to the TOE

Users must authenticate to the TOE in order to perform any management functions. Section 8.4 of the ST discusses the process by which the TOE authenticates users via the CLI. Section 8.8.2 of the ST also discusses the trusted channels that are invoked in order to send the data securely.

Local users log in to the Command line interface (CLI) using username and password defined locally to

the TOE, while remote users can log in via the CLI using username and either password or SSH public

key. User authentication information that is sent remotely via the CLI is protected using SSHv2.

Procedure 5.2 of [2] provides instructions for connecting to the TOE using Telnet. In the evaluated

configuration, telnet for remote access must be disabled in favor of SSH. To connect to the TOE over

SSH, the administrator must make sure the SSH server is configured as per section 6.2. The administrator

can connect using a valid username/password or can connect using public key-based authentication by

performing the following steps:

1. On the SSH client system, generate a new client key pair.

2. Export the public key into a file called <user>.pk2.

3. Place this file in the system’s SFTP server under the root directory.

4. On the TOE, run the following command to transfer and install the key for <user>: ‘ssh server key install user <user> sftp-server <ip address> login-id <sftp user> echoless-password’

Note that the TOE has role based authentication. Only a user with Super level privileges can manage

other users. The following are the three roles supported by the TOE:

- Super: Accounts in this group have access to all ports on the TOE regardless of the lock-level and can perform all configuration commands. They are used to manage secure access to the switch through the creation, deletion and modification of user accounts. Although users in this group can also make significant system state changes, and modify the configuration, the primary purpose of this group is user account maintenance. This is the only operational group with access to all user administration commands.

- Admin: Accounts in this group are used to make significant system state changes and modify the system configuration.

- Limited: Accounts in this group are used primarily in system monitoring and in the gathering of information about the configuration and performance of the system. A restricted command set protects user accounts in this group from changing the state of the system in a significant way or changing the system configuration.

7.2 User Lockout

By default, the TOE does not lock out a user for an idle interactive session unless configured to do so. In

the evaluated configuration, this is enabled and set to the desired length of time by using the following

commands (Admin or Super level privileges required):

system shell set global-inactivity-timer on

system shell set global-inactivity-timeout <number of minutes>

7.3 Managing Users

Users can be created with the following command:

user create user <username> access-level <limited|admin|super> echoless-password

The CLI will collect the password in an interactive prompt after this command is entered. This prevents

password data from being displayed in the command log.

A user can be edited using the ‘user set’ command, which uses the same syntax as the ‘user create’

command described above. A user can be displayed or deleted using the commands ‘user show user

<username>’ and ‘user delete user <username>’, respectively.

Note that manipulation of user data requires the Super level privilege, but any user with Limited, Admin,

or Super privilege can view the attributes of another user (minus password-related data).

7.4 Password Management

Passwords can be composed using any combination of upper case and lower case letters, numbers and

special characters. The special characters that are supported include the following: “!”, “@”, “#”, “$”,

“%”, “^”, “&”, “*”, “(”, and “)”.

The password policy includes a configurable minimum length, which can be configured by an

administrator with Super level privileges to any value between 15 and 128 and in the evaluated

configuration. The minimum password length can be set using the command ‘user password-policy set

min-length <value>’. 128 characters is the maximum length for any password. In order to minimize the

risk of account compromise, it is recommended to use a password that includes a mixture of uppercase,

lowercase, numeric, and special characters and is not a common word or phrase, but is not so complex

that it must be written down in order to be remembered.

7.5 Login Banner

The login banner is created by using the banner command:

system shell banner create banner login <banner text>

The banner text can be deleted or edited using the same command as above with ‘delete banner’ and ‘edit

banner’, respectively, substituted for ‘create banner’. Note that if the ‘edit banner’ command is used, the

banner will only be edited for the specific interface from which the command was initiated. This can be

used if, for example, it is desired to use separate banners for local versus remote access. If synchronized

changes are desired, it is recommended to delete and then re-create the banner. Super level privileges are

required to perform these operations.

7.6 Session Termination

7.6.1 Admin Logout

An administrator can manually log out at any time by entering the ‘exit’ command. Note that if the

administrator is currently navigating a sub-menu, the ‘quit’ command will bring them up one level to the

previous menu. It may therefore be necessary to issue the ‘quit’ command multiple times before issuing

the ‘exit’ command to close the session.

7.6.2 Termination from Inactivity

Refer to section 7.2 above.

7.7 System Time Configuration

In the evaluated configuration of the TOE, the system time can either be set manually or by synchronizing

with an NTP server in the TOE’s Operational Environment. Admin or Super level privileges are required

to perform these operations. To set the time manually, the following command is used:

system set [date <yyyy-mm-dd>|<yy-mm-dd>|<mm-dd>] [time <hh:mm:ss>|<hh:mm>] [time-offset <SECONDS: -43200..50400>] [timestamp <local|UTC>]

This allows the date and time to be set as well as the UTC offset (in seconds) and whether or not the

offset should be applied in audit log timestamps.

To configure NTP, there are several steps that must be performed, summarized below:

1. Configure the NTP client to use broadcast, multicast, or polling mode.

2. Define one or more NTP servers for the client to connect to using the selected mode.

3. Add the defined NTP servers to the NTP client’s server list.

4. Configure NTP authentication, if required.

In order to maintain an accurate system time, [2] also includes procedures for clearing the drift file and

displaying the current NTP status.

These procedures are described in detail from Procedure 3-17 through Procedure 3-22 of [2].

7.8 Secure Updates

To maintain security throughout the lifecycle of the CES product, the TOE provides a mechanism to

apply software upgrades. The current version of the software can be displayed at any time using the

‘software show’ command. To upgrade the software, the new software image must be acquired from

Ciena and placed on an SFTP server in the environment. An administrator with Admin or Super level

privileges can then use the ‘software upgrade’ command to retrieve the software image from the server.

Configuration of the SFTP server is described in section 6.4 of this document and the process for

upgrading the TOE software is described in Procedure 4-6 of [10]. The TOE ensures the integrity of

Ciena updates through the use of a 2048-bit RSA certificate that is traceable back to Entrust root CA. An

update will not be applied until the TOE checks the validity of the update’s digital signature. If this

validation fails, the update is aborted and the software update is discarded automatically.

8 Auditing

In order to be compliant with Common Criteria, the TOE must audit the events in the table below. The

audit records that the TOE creates include the date and time, outcome of the event, event type, subject

identity and the source of the event. The show log or show logs command displays audit information. It is

possible to use regular expressions in the show log command to restrict the search.

Component Event Additional Information Audit Examples

FAU_GEN.1

su user logged out, system shutdown, rebooted and becomes active, su user logged back in

21: Sat Jan 1 00:03:04.428 2000 [local]

Sev:8 chassis(1): Local RS-232 User

su:User 'su' logged out from ttyS0 due to

shutdown

22: Sat Jan 1 00:03:05.000 2000 [local]

Sev:8 1 Shutdown

25: Sat Jan 1 00:01:06.000 2000 [local]

Sev:8 1 Active, MAC 00:23:8A:0B:D1:5E,

Chassis MAC 00:23:8A:0B:D1:40

26: Sat Jan 1 00:01:28.895 2000 [local]

Sev:8 chassis(1): Local RS-232 User

su:User 'su' successfully logged in from

ttyS0

FCS_SSH_EXT.1

Failure to establish an SSH session

Establishment/Termination of an SSH session

Reason for failure

Reason for failure

Non-TOE endpoint of connection (IP address) for both successes and failures.

SSH Initial Configuration Audit Records:

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 1144 | Wed Jan 20 15:58:43 2016 |

su(super) ttyS0

|

| ssh server key generate

| | Wed Jan 20 15:58:44 2016 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 1145 | Wed Jan 20 15:58:47 2016 |

su(super) ttyS0

|

| ssh server enable

| | Wed Jan 20 15:58:47 2016 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 1146 | Wed Jan 20 15:59:07 2016 |

su(super) /ssh_shell_10.25.42.15:60059

|

| ! login su on /dev/pts/0

| | Wed Jan 20 15:59:07 2016 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 1147 | Wed Jan 20 15:59:13 2016 |

su(super) /ssh_shell_10.25.42.15:60059

|

| ssh server show

| | Wed Jan 20 15:59:15 2016 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

Failure to establish an SSH session using

Triple-DES

- IP address of remote host

- Reason for failure

900: Sat Jan 1 00:04:41.570 2000 [local] Sev:8 chassis(1): :SSHD sshd[1643]: fatal: Unable to negotiate with 192.168.100.2: no matching cipher found. Their offer: 3des-cbc [preauth]

Successful SSH login

Audit Record of successful logon

148: January 1, 2000 22:56:35.205 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User su:User 'su' successfully logged in

from 192.168.100.2

Successful SSH logout:

301: Wed Jan 20 15:53:40.054 2016 [local]

Sev:8 chassis(1): SSH IP 10.25.42.15 User

su:User 'su' logged out from 10.25.42.15

SSH Termination:

302: Wed Jan 20 15:56:20.981 2016 [local]

Sev:8 chassis(1): SSH IP 10.25.42.15 User

su:User 'su' successfully logged in from

10.25.42.15

303: Wed Jan 20 15:56:27.676 2016 [local]

Sev:8 chassis(1): SSH IP 10.25.42.15 User

su:User 'su' logged out from 10.25.42.15

unexpectedly

FIA_UIA_EXT.1

All use of the identification and authentication mechanism.

Provided user identity, origin of the attempt (e.g., IP address).

CLI: Audit records showing 4 login attempts

good user good password

348: January 1, 2000 21:26:06.283 [UTC]

Sev:8 chassis(1): Local RS-232 User

su:User 'su' successfully logged in from

ttyS0

349: January 1, 2000 21:27:31.717 [UTC]

Sev:8 chassis(1): Local RS-232 User

su:User 'su' logged out from ttyS0

good user bad password

350: January 1, 2000 21:28:20.242 [UTC]

Sev:6 chassis(1): :User authentication failed

from IP ttyS0 user name 'su'

bad user good password

351: January 1, 2000 21:30:07.169 [UTC]

Sev:6 chassis(1): :User authentication failed

from IP ttyS0 user name 'xxxxx'

bad user bad password

352: January 1, 2000 21:31:34.309 [UTC]

Sev:6 chassis(1): :User authentication failed

from IP ttyS0 user name 'yyyyy'

Remote SSH audit records showing 4

login attempts:

good user good password

357: January 1, 2000 21:44:18.356 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User su:User 'su' successfully logged in

from 192.168.100.2

358: January 1, 2000 21:45:38.204 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User su:User 'su' logged out from

192.168.100.2

good user bad password

359: January 1, 2000 21:45:54.061 [UTC]

Sev:6 chassis(1): :User authentication failed

from IP shell user name 'su'

bad user good password

360: January 1, 2000 21:47:48.264 [UTC]

Sev:6 chassis(1): :User authentication failed from

IP shell user name 'xxxxx'

bad user bad password

361: January 1, 2000 21:49:02.442 [UTC]

Sev:6 chassis(1): :User authentication failed

from IP shell user name 'yyyyy'

FIA_UAU_EXT.2

All use of the authentication mechanism.

Origin of the attempt (e.g., IP address).

See FIA_UIA_EXT.1

FPT_STM.1

Changes to the time.

The old and new values for the time.

Origin of the attempt (e.g., IP address).

The audit logs show the time was changed manually back and then forward by the NTP server

389: November 12, 2015 10:00:07.560

[UTC] Sev:6 chassis(1): :System time

changed backward by 1h56m11s

390: November 12, 2015 16:59:10.120

[UTC] Sev:6 chassis(1): :System time

changed forward by 6h56m53s

command-log file shows the commands

that were issued

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 327 | Thu Nov 12 11:56:11 2015 |

su(super) /ssh_shell_192.168.100.2:60708

|

| system set time 10:00:00

| | Thu Nov 12 10:00:00 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 328 | Thu Nov 12 10:00:06 2015 |

su(super) /ssh_shell_192.168.100.2:60708

|

| system show date time

| | Thu Nov 12 10:00:06 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 329 | Thu Nov 12 10:02:15 2015 |

su(super) /ssh_shell_192.168.100.2:60708

|

| ntp client add server 192.168.100.9

| | Thu Nov 12 10:02:18 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 330 | Thu Nov 12 16:59:18 2015 |

su(super) /ssh_shell_192.168.100.2:60708

|

| ntp client enable server 192.168.100.9

| | Thu Nov 12 16:59:18 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

FPT_TUD_EXT.1

Initiation of update.

No additional information

Installation of a new software package followed by a reboot

67: Tue Nov 17 14:02:13.522 2015 [local]

Sev:7 chassis(1): :Commencing with

software signature checking

68: Tue Nov 17 14:02:27.165 2015 [local]

Sev:7 chassis(1): :Software signature

checking passed

69: Tue Nov 17 14:09:59.426 2015 [local]

Sev:7 chassis(1): :Sw Xgrade Complete

operation: install result: Success

70: Tue Nov 17 14:09:59.427 2015 [local]

Sev:7 chassis(1): SSH IP 192.168.200.2

User su:Software manager package install

slot: 1, package: saos-06-14-00-0265

71: Tue Nov 17 14:11:51.724 2015 [local]

Sev:8 chassis(1): SSH IP 192.168.200.2

User su:User 'su' logged out from

192.168.200.2 due to shutdown

72: Tue Nov 17 14:11:52.000 2015 [local]

Sev:8 1 Shutdown

Commands that were executed:

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 133 | Tue Nov 17 14:01:29 2015 |

su(super) /ssh_shell_192.168.200.2:59690

|

| software install package-path /tftpboot/CCTest/saos-06-14-00-0265.signed package saos-06-14-00-0265 sftp-server 192.168.100.9 login-id ocadmin echoless-password

| | Tue Nov 17 14:09:59 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 134 | Tue Nov 17 14:11:41 2015 |

su(super) /ssh_shell_192.168.200.2:59690

|

| chassis reboot

| | Tue Nov 17 14:11:51 2015 |

|

+-------+--------------------------+-

FTA_SSL_EXT.1

Any attempts at unlocking of an interactive session.

No additional information.

See FIA_UIA_EXT.1 for local and remote login attempts.

Locking of the local connection after a configured timeout period of 3, 5 and 7 minutes

3 minute inactivity timeout

419: November 12, 2015 18:15:08.169

[UTC] Sev:8 chassis(1): Local RS-232 User

test1:User 'test1' successfully logged in

from ttyS0

420: November 12, 2015 18:18:11.924

[UTC] Sev:8 chassis(1): Local RS-232 User

test1:User 'test1' logged out from ttyS0 due

to inactivity

5 minute inactivity timeout

424: November 12, 2015 18:24:55.761

[UTC] Sev:8 chassis(1): Local RS-232 User

test1:User 'test1' successfully logged in

from ttyS0

425: November 12, 2015 18:29:57.804

[UTC] Sev:8 chassis(1): Local RS-232 User

test1:User 'test1' logged out from ttyS0 due

to inactivity

7 minute inactivity timeout

429: November 12, 2015 18:32:41.283

[UTC] Sev:8 chassis(1): Local RS-232 User

test1:User 'test1' successfully logged in

from ttyS0

430: November 12, 2015 18:39:44.364

[UTC] Sev:8 chassis(1): Local RS-232 User

test1:User 'test1' logged out from ttyS0 due

to inactivity

Commands that were issued:

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 365 | Thu Nov 12 18:09:11 2015 |

su(super) ttyS0

|

| system shell set global-inactivity-timer on

| | Thu Nov 12 18:09:11 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 366 | Thu Nov 12 18:09:24 2015 |

su(super) ttyS0

|

| system shell set global-inactivity-timeout 3

| | Thu Nov 12 18:09:24 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 378 | Thu Nov 12 18:24:33 2015 |

su(super) ttyS0

|

| system shell set global-inactivity-timeout 5

| | Thu Nov 12 18:24:33 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

---------------------------------------------------+

| 385 | Thu Nov 12 18:32:31 2015 |

su(super) ttyS0

|

| system shell set global-inactivity-timeout 7

| | Thu Nov 12 18:32:31 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

FTA_SSL.3

The termination of a remote session by the session locking mechanism.

No additional information.

Locking on a remote session after 3, 5, 7 minutes

472: January 1, 2000 00:03:03.909 [UTC]

Sev:7 chassis(1): SSH IP 192.168.100.2

User su:System Global Inactivity Timer

Enable

473: January 1, 2000 00:03:11.703 [UTC]

Sev:7 chassis(1): SSH IP 192.168.100.2

User su:System Global Inactivity Timeout

Set 3

487: January 1, 2000 00:27:38.086 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User test1:User 'test1' successfully logged in

from 192.168.100.2

488: January 1, 2000 00:30:49.324 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User test1:User 'test1' logged out from

192.168.100.2 due to inactivity

490: January 1, 2000 00:32:44.252 [UTC]

Sev:7 chassis(1): SSH IP 192.168.100.2

User su:System Global Inactivity Timeout

Set 5

491: January 1, 2000 00:32:46.032 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User su:User 'su' logged out from

192.168.100.2

492: January 1, 2000 00:32:58.343 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User test1:User 'test1' successfully logged in

from 192.168.100.2

493: January 1, 2000 00:38:06.485 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User test1:User 'test1' logged out from

192.168.100.2 due to inactivity

495: January 1, 2000 00:41:25.887 [UTC]

Sev:7 chassis(1): SSH IP 192.168.100.2

User su:System Global Inactivity Timeout

Set 7

496: January 1, 2000 00:41:29.435 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User su:User 'su' logged out from

192.168.100.2

497: January 1, 2000 00:41:35.381 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User su:User 'su' successfully logged in

from 192.168.100.2

498: January 1, 2000 00:48:37.164 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User su:User 'su' logged out from

192.168.100.2 due to inactivity

Commands that were executed:

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 433 | Sat Jan 1 00:03:03 2000 | su(super)

/ssh_shell_192.168.100.2:62766

|

| system shell set global-inactivity-timer on

| | Sat Jan 1 00:03:03 2000 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 434 | Sat Jan 1 00:03:11 2000 | su(super)

/ssh_shell_192.168.100.2:62766

|

| system shell set global-inactivity-timeout 3

| | Sat Jan 1 00:03:11 2000 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 465 | Sat Jan 1 00:32:44 2000 | su(super)

/ssh_shell_192.168.100.2:63114

|

| system shell set global-inactivity-timeout 5

| | Sat Jan 1 00:32:44 2000 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 469 | Sat Jan 1 00:41:25 2000 | su(super)

/ssh_shell_192.168.100.2:63202

|

| system shell set global-inactivity-timeout 7

| | Sat Jan 1 00:41:25 2000 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

FTA_SSL.4

The termination of an interactive session.

No additional information.

Login and exit for a local session

501: January 1, 2000 01:04:53.733 [UTC]

Sev:8 chassis(1): Local RS-232 User

test1:User 'test1' successfully logged in

from ttyS0

502: January 1, 2000 01:04:58.426 [UTC]

Sev:8 chassis(1): Local RS-232 User

test1:User 'test1' logged out from ttyS0

Login and exit for a remote SSH session

506: January 1, 2000 01:08:51.446 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User test1:User 'test1' successfully logged in

from 192.168.100.2

507: January 1, 2000 01:09:44.274 [UTC]

Sev:8 chassis(1): SSH IP 192.168.100.2

User test1:User 'test1' logged out from

192.168.100.2

FTP_ITC.1

Initiation of the trusted channel.

Termination of the trusted channel.

Failure of the trusted channel functions.

Identification of the initiator and target of failed trusted channels establishment attempt.

See FCS_SSH_EXT.1 to see failure of trusted channel attempt.

Trusted Channel: TOE to Update Server (SFTP Server) software package upgrade

118: November 16, 2015 19:45:45.250

[UTC] Sev:8 chassis(1): Local RS-232 User

su:User 'su' successfully logged in from

ttyS0

119: November 16, 2015 19:47:43.059

[UTC] Sev:7 chassis(1): :Sw Xgrade

Complete operation: protect result:

Unknown error

120: November 16, 2015 19:52:05.343

[UTC] Sev:7 chassis(1): :Commencing with

software signature checking

121: November 16, 2015 19:52:22.475

[UTC] Sev:7 chassis(1): :Software signature

checking passed

122: November 16, 2015 19:53:57.469

[UTC] Sev:7 chassis(1): :Sw Xgrade

Complete operation: other result: Success

123: November 16, 2015 19:53:57.471

[UTC] Sev:7 chassis(1): Local RS-232 User

su:Software manager package install slot: 1,

package: saos-06-14-00-0265

Software package upgrade command

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

| 577 | Mon Nov 16 19:51:54 2015 |

su(super) ttyS0

|

| software install defer-activation package-path /tftpboot/CCTest/saos-06-14-00-0265.signed package saos-06-14-00-0265 sftp-server 192.168.100.9 login-id ocadmin echoless-password

| | Mon Nov 16 19:53:57 2015 |

|

+-------+--------------------------+---------------

----------------------------------

Audit Server data transfer via SFTP

448: Tue Nov 17 19:53:43.000 2015 [local] Sev:8 SFTP upload /mnt/sysfs/seclog/secLog.1447062878 to 192.168.100.9 as /tftpboot/CCTest/5142/2C-39-C1-94-A2-80.1447062878: Success

Audit server commands:

----------------------+

| 624 | Tue Nov 17 19:33:06 2015 |

su(super) /ssh_shell_192.168.100.2:60987

|

| system security log transfer set sftp-server 192.168.100.9 login-id ocadmin echoless-password

| | Tue Nov 17 19:33:14 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

---------------------------+

----------------------+

| 631 | Tue Nov 17 19:53:36 2015 |

su(super) /ssh_shell_192.168.100.2:60987

|

| system security log transfer now

| | Tue Nov 17 19:53:36 2015 |

|

+-------+--------------------------+---------------

-----------------------------------------------------

Successful file transfer to SFTP server:

January 20, 2016 15:43:45.284 [local]

Sev:7 chassis(1): SSH IP 10.25.42.15 User

su:Beginning upload of file /tmp/test1.txt to

SFTP server 10.33.22.79

January 20, 2016 15:43:46.331 [local]

Sev:7 chassis(1): SSH IP 10.25.42.15 User

su:Successfully uploaded file /tmp/test1.txt

to SFTP server 10.33.22.79, remote file

test1.txt

January 20, 2016 15:43:46.331 [local]

Sev:8 chassis(1): SSH IP 10.25.42.15 User

su:File transfer result: DownloadManager:

File /tmp/test1.txt transferred successfully to

ip 10.33.22.79

Termination of SFTP file transfer to SFTP server due to failure:

January 20, 2016 15:48:39.437 [local] Sev:7 chassis(1): SSH IP 10.25.42.15 User su:Beginning upload of file /tmp/test1.txt to SFTP server 10.33.22.79

January 20, 2016 15:48:47.891 [local] Sev:6 chassis(1): SSH IP 10.25.42.15 User su:Unable to upload file /tmp/test1.txt to SFTP server 10.33.22.79: Remote access denied

January 20, 2016 15:48:47.892 [local] Sev:8 chassis(1): SSH IP 10.25.42.15 User su:File transfer result: DownloadManager: Could not transfer /tmp/test1.txt to host 10.33.22.79


FTP_TRP.1 | Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions. | Identification of the claimed user identity. | See FTP_ITC.1

Table 8-1: NDPP Auditable Events

The following is an example of an audit record that CES produces.

366: January 1, 2000 22:03:53.585 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' successfully logged in from 192.168.100.2

It can be seen from the example record that this includes a timestamp value (January 1, 2000 22:03:53.585 [UTC]), the process causing the log to be generated (SSH), the IP address of the event (192.168.100.2), the user causing the event to occur (su), the action (logged in), and the result of the event (successful[ly]). It also includes non-security relevant data of a sequence number (366), severity level (8), and number of the chassis on which the event occurred (1).
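The field breakdown above can be applied mechanically when reviewing transferred logs. The following is an added example, not Ciena code: the regular expressions are inferred from the sample records on this page (an assumption, not a published grammar), and the function names `parse_record` and `transfer_outcomes` are the example's own. It parses records into fields and pairs each SFTP upload start with its result so that failed audit transfers stand out.

```python
import re
from datetime import datetime

# Field layout inferred from the sample records on this page (an assumption,
# not a vendor grammar): [seq:] timestamp [zone] Sev:n chassis(n): process
# IP addr User name:message
RECORD_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?P<ts>[A-Z][a-z]+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<zone>[^\]]+)\] Sev:(?P<sev>\d+) chassis\((?P<chassis>\d+)\): "
    r"(?P<process>\S+) IP (?P<ip>\S+) User (?P<user>[^:]+):(?P<msg>.*)$")
BEGIN_RE = re.compile(r"Beginning upload of file (\S+) to SFTP server (\S+)")
OK_RE = re.compile(r"Successfully uploaded file (\S+) to SFTP server ([^,\s]+)")
FAIL_RE = re.compile(r"Unable to upload file (\S+) to SFTP server ([^:\s]+): (.*)")

def parse_record(line):
    """Split one audit record into typed fields; None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"]) if rec["seq"] else None  # absent in some samples
    rec["sev"], rec["chassis"] = int(rec["sev"]), int(rec["chassis"])
    rec["ts"] = datetime.strptime(rec["ts"], "%B %d, %Y %H:%M:%S.%f")
    return rec

def transfer_outcomes(lines):
    """Pair each 'Beginning upload' with its result; unresolved stay 'pending'."""
    pending, done = {}, []
    for rec in filter(None, map(parse_record, lines)):
        if (m := BEGIN_RE.search(rec["msg"])):
            pending[m.groups()] = {"file": m[1], "server": m[2], "user": rec["user"],
                                   "started": rec["ts"], "status": "pending", "reason": None}
        elif (m := OK_RE.search(rec["msg"])) and m.groups() in pending:
            done.append({**pending.pop(m.groups()), "status": "success"})
        elif (m := FAIL_RE.search(rec["msg"])) and m.groups()[:2] in pending:
            done.append({**pending.pop(m.groups()[:2]), "status": "failed", "reason": m[3]})
    return done + list(pending.values())

# Records copied from this page, rejoined onto single lines.
SAMPLE = [
    "366: January 1, 2000 22:03:53.585 [UTC] Sev:8 chassis(1): SSH IP 192.168.100.2 User su:User 'su' successfully logged in from 192.168.100.2",
    "January 20, 2016 15:43:45.284 [local] Sev:7 chassis(1): SSH IP 10.25.42.15 User su:Beginning upload of file /tmp/test1.txt to SFTP server 10.33.22.79",
    "January 20, 2016 15:43:46.331 [local] Sev:7 chassis(1): SSH IP 10.25.42.15 User su:Successfully uploaded file /tmp/test1.txt to SFTP server 10.33.22.79, remote file test1.txt",
    "January 20, 2016 15:48:39.437 [local] Sev:7 chassis(1): SSH IP 10.25.42.15 User su:Beginning upload of file /tmp/test1.txt to SFTP server 10.33.22.79",
    "January 20, 2016 15:48:47.891 [local] Sev:6 chassis(1): SSH IP 10.25.42.15 User su:Unable to upload file /tmp/test1.txt to SFTP server 10.33.22.79: Remote access denied",
]

if __name__ == "__main__":
    for o in transfer_outcomes(SAMPLE):
        print(o["status"], o["file"], o["server"], o["reason"])
```

An upload that stays `pending` or ends `failed` means audit data has not reached the remote server and the transfer should be repeated.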

8.1 Audit Storage

Once enabled (see section 6.1), log records are stored locally by default. Section 6.3 provides instructions on how to set up and verify an SFTP client connection to a remote file server that can be used to transfer audit data. An administrator with Super level privilege can transfer audit data using the ‘system security log transfer now’ command. Administrators are encouraged to back up audit data regularly so that there is organizational visibility into the behavior of the CES device.

9 SFR Assurance Activities

In this section we identify the SFR assurance activities and specify where in the Ciena documentation this information can be found.

FAU_GEN.1 – Section 8 of this document lists the security-relevant auditable events for the TOE and provides sample audit data for each event. Additionally, a comprehensive list of the ‘system events’ that are considered to be auditable events for the CES product is provided in [6]. This includes both security-relevant and non-security-relevant events. [8] provides a general overview of the log format under ‘Event logging configuration’.

The instructions for configuring logging are described in section 11 of [8]. The actions in Ciena’s documentation that are considered to be security-relevant are those that are directly applicable to satisfying the functionality described in the Security Target [12]. Other product functionality such as configuration of networks and Quality of Service (QoS) for traffic that is traveling through the TOE’s data plane interface is considered to be non-interfering with respect to the secure operation of the TSF.

FAU_STG_EXT.1 – In the evaluated configuration, collected audit data is stored persistently in local memory. See section 6.1 of this document for configuration instructions. The steps in section 6.3 indicate how to enable a remote audit server and securely transfer audit data to it using SSH. Command log data is stored in /flash1/log/CmdLog.[0-4]. It can be transmitted to the remote audit server using SSH via the ‘system xftp putfile’ command.

The procedures for establishing a trusted channel to the audit server are described in section 6 of this document.

FCS_SSH_EXT.1.4 – Section 6.6 of this document provides instructions for how to configure the TOE to implement SSH in a manner that is consistent with the Security Target.

FCS_SSH_EXT.1.6 – See FCS_SSH_EXT.1.4

FCS_SSH_EXT.1.7 – See FCS_SSH_EXT.1.4

FIA_PMG_EXT.1 – Password management is described in section 7.4 of this document.

FIA_UIA_EXT.1 – Creating usernames and passwords is described in section 7.3 of this document. SSH server configuration is described in section 6.2 of this document. Authenticating to the TOE for both password-based and public key-based authentication is described in section 7.1 of this document.

Section 7.5 of this document provides instructions on how to configure the pre-authentication login banner. There is no other method by which a user or administrator can view or interact with TSF data prior to authentication.

FMT_MTD.1 – The TOE has a fixed set of administrative roles with a fixed set of privileges which is summarized in section 7.1 of this document. [4] also provides a comprehensive listing of administrative commands and the minimum level of privilege required to execute each of them.

FMT_SMR.2 – Configuration of the TOE can occur locally via the serial console or remotely over the dedicated Management Ethernet Port (if available) or data plane interface via in-band management. Section 6.7 of this document provides instructions on how to set up in-band management. Section 6.2 of this document provides instructions on how to set up the SSH server for remote administration. Section 7.1 of this document provides instructions for how to log in to the TOE once an appropriate connection has been set up.

FPT_STM.1 – Procedure 4-2 of [2] provides instructions on how to manually set the system time. Procedures 3-17 through 3-22 of [2] provide instructions on how to set up and administer NTP. These activities are also summarized in section 7.7 of this document.

FPT_TST_EXT.1 – Section 6.5 of this document references procedures for enabling FIPS mode, which also enables the use of self-tests by the TOE during boot. In the event that a self-test fails, the TOE will automatically reboot. If the TSF has been corrupted or the hardware has failed such that rebooting will not resolve the issue, an administrator will need to factory reset the TOE and/or replace the failed hardware component.

FPT_TUD_EXT.1 – Section 7.8 of this document summarizes the method by which software upgrades are applied and verified. The ‘software upgrade’ command in [4] describes the syntax for performing a system upgrade. The general instructions for acquiring, verifying, and performing trusted updates are described in detail in [10].

FTA_SSL_EXT.1, FTA_SSL.3, FTA_SSL.4 – There is no specific assurance activity. However, the assurance activity for testing requires the tester to follow the operational guidance to configure the system inactivity period. Section 7.6 of this document provides information on manual and automatic session termination activities.

FTA_TAB.1 – There is no specific assurance activity. However, the assurance activity for testing requires the tester to follow the operational guidance to configure the banner. Section 7.5 of this document provides instructions on how to configure the login banner.

FTP_ITC.1 – Section 10 of [2] provides information on all of the trusted communications used by the TOE. Sections 6.3 and 6.4 of this document provide instructions for configuring the TOE and remote SFTP server for trusted communications.

FTP_TRP.1 – Section 10 of [2] provides information on all of the trusted communications used by the TOE. Section 6.2 of this document includes instructions for how to configure the TOE’s SSH server to allow for secure remote administration.

10 Operational Modes

The device has two configurable settings for its operational modes: security mode and encryption mode. In order to enable the secure configuration for each of these modes, the following commands are issued:

system security set security-mode enhanced

system security set encryption-mode fips

Note that enabling enhanced security mode also performs a factory reset on the device. There is no separate error mode or other degraded mode of operation in the event that a cryptographic self-test fails; instead, the device will reboot and attempt to automatically repair the error state. If this fails to correct the error state, it may be necessary to perform a factory reset on the device or to load a new software image.

11 Additional Support

Ciena provides technical support for its products if needed. Customers can register for a support account at www.ciena.com/support. Additionally, direct support can be reached toll-free in North America at 1-800-243-6224.