
Ciena 5400 Series Packet Optical Platform

Supplemental Administrative Guidance Version 1.0

December 18, 2015

Ciena Corporation

7035 Ridge Road

Hanover, MD 21076

Prepared By:

Cyber Assurance Testing Laboratory

900 Elkridge Landing Road, Suite 100

Linthicum, MD 21090


1 | Page

Booz Allen Hamilton – CATL / Ciena Proprietary

Contents

1 Introduction ........................................................................................................................................... 3

2 Intended Audience ................................................................................................................................ 3

3 Terminology .......................................................................................................................................... 3

4 References ............................................................................................................................................. 4

5 Evaluated Configuration of the TOE .................................................................................................... 4

5.1 TOE Components .......................................................................................................................... 4

5.2 Supporting Environmental Components ....................................................................................... 4

5.3 Assumptions .................................................................................................................................. 5

5.4 Communication Protocols and Services ....................................................................................... 5

6 Secure Installation and Configuration ................................................................................................... 6

6.1 Enable CC Mode ........................................................................................................................... 7

6.2 Enable Enhanced Security Profile from Commissioning CLI (CCLI) ......................................... 7

6.3 Configure the TOE Minimum Password Length to 15 Characters ............................................... 7

6.4 Configure the Syslog Server (MCLI) ............................................................................................ 7

6.5 Configure the Time ....................................................................................................................... 8

6.6 Performing a Secure Software Upgrade (MCLI) .......................................................................... 8

6.7 Configure the TOE for SSH Public/Private Key Authentication .................................................. 9

6.8 Configure Login Banner with the MCLI .................................................................................... 10

6.9 Lock All Insecure Ports............................................................................................................... 10

7 Secure Management of the TOE ......................................................................................................... 10

7.1 Administrative Roles .................................................................................................................. 10

7.2 Authenticating to the TOE .......................................................................................................... 11

7.3 User Lockout ............................................................................................................................... 11

7.4 Managing Users .......................................................................................................................... 11

7.5 Password Management ............................................................................................................... 12

7.6 Login Banner .............................................................................................................................. 12

7.7 Admin Logout ............................................................................................................................. 12

7.8 Self-Tests .................................................................................................................................... 12

8 Auditing .............................................................................................................................................. 13

8.1 Audit Storage .............................................................................................................................. 17


9 SFR Assurance Activities ................................................................................................................... 17

10 Operational Modes .......................................................................................................................... 21

11 Additional Support .......................................................................................................................... 21

Table of Tables

Table 5-1: TOE Models ................................................................................................................................ 4

Table 5-2: Supporting Environmental Components ..................................................................................... 5

Table 7-1: NDPP Auditable Events ............................................................................................................ 16


1 Introduction

The Ciena 5400 Series Packet Optical Platform (hereafter referred to as the 5400 Series or the TOE) is a family of hardware devices that provides OSI Layer 2 network traffic management services. It is a packet-optical switching platform that enables users to direct traffic to designated ports, giving them control of network availability for specific services. The system features an agnostic switch fabric that is capable of switching SONET/SDH, OTN, and Ethernet/MPLS networks. The 5400 Series contains two models: the Ciena 5430 and Ciena 5410. Each of these devices runs Linux kernel version 3.4.36 and provides identical security functionality to one another. The Target of Evaluation (TOE) is the general network device functionality (I&A, auditing, security management, trusted communications, etc.) of the switch, consistent with the claimed Protection Profile.

2 Intended Audience

This document is intended for administrators responsible for installing, configuring, and/or operating 5400 Series devices. Guidance provided in this document allows the reader to deploy the product in an environment that is consistent with the configuration that was evaluated as part of the product’s Common Criteria (CC) testing process. It also provides the reader with instructions on how to exercise the security functions that were claimed as part of the CC evaluation.

The reader is expected to be familiar with the Security Target for Ciena 5400 Series Packet Optical Platform version 1.0 and the general CC terminology that is referenced in it. This document references the Security Functional Requirements (SFRs) that are defined in the Security Target document and provides instructions for how to perform the security functions that are defined by these SFRs. The Ciena 5400 Series Packet Optical Platform product as a whole provides a great deal of security functionality, but only those functions that were in the scope of the claimed PP are discussed here. Any functionality that is not described here or in the Ciena 5400 Series Packet Optical Platform Security Target was not evaluated and should be exercised at the user’s risk.

3 Terminology

In reviewing this document, the reader should be aware of the terms listed below. These terms are also described in the Ciena 5400 Series Packet Optical Platform Security Target.

CC: stands for Common Criteria. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that is commensurate with the target environment for use.

SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part of the CC process.

TOE: stands for Target of Evaluation. This refers to the aspects of the Ciena 5400 Series products that contain the security functions that were tested as part of the CC evaluation process.


4 References

The following security-relevant documents are included with the TOE. This is part of the standard documentation set that is provided with the product. Documentation that is not related to the functionality tested as part of the CC evaluation is not listed here.

[1] Turn-up and Test – 009-3251-002
[2] Alarm and Trouble Clearing Procedures Manual – 009-3251-003
[3] Service Manual – 009-3251-004
[4] Node Manager User Guide – 009-3251-005
[5] System Description – 009-3251-006
[6] 5430 Switch Hardware Installation – 009-3251-001
[7] 5410 Switch Hardware Installation – 009-3251-019
[8] TL1 Interface Manual – 009-2009-086

The following document was created in support of the Ciena Carrier Ethernet Solutions 3900/5100 Series CC evaluation:

[9] Ciena 5400 Series Packet Optical Platform Security Target

5 Evaluated Configuration of the TOE

This section lists the components that have been included in the TOE’s evaluated configuration, whether they are part of the TOE itself, environmental components that support the security behavior of the TOE, or non-interfering environmental components that were present during testing but are not associated with any security claims.

5.1 TOE Components

The TOE is a family of standalone network appliances. Each model of the TOE can run independently and all models have the Linux operating system, kernel version 3.4.36. There is no functional difference in the behavior of each model based on the processor type. The TOE includes a Freescale MPC8572 processor which is used to provide entropy to the software deterministic random bit generation function.

Model
Ciena 5410 Packet Optical Platform
Ciena 5430 Packet Optical Platform

Table 5-1: TOE Models

5.2 Supporting Environmental Components

Component – Definition

Management Workstation – Any general-purpose computer that is used by an administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client, or locally, in which case the management workstation must be physically connected to the TOE using the serial port and must use a terminal emulator that is compatible with serial communications.

NTP Server – A system that provides an authoritative and reliable source of time using network time protocol (NTP).

Syslog Server – A general-purpose computer that is running a syslog server, which is used to store audit data generated by the TOE.

Update Server – An FTP server where software updates for the TOE can be made available.

Table 5-2: Supporting Environmental Components

Note that switched traffic is not addressed by the security requirements of the claimed Protection Profile, so the data plane interfaces were used only to perform in-band management of the TOE.

5.3 Assumptions

In order to ensure the product is capable of meeting its security requirements when deployed in its evaluated configuration, the following conditions must be satisfied by the organization, as defined in the claimed Protection Profile:

- No general purpose computing capabilities: The Ciena 5400 Series product must only be used for its intended purpose. General purpose computing applications, especially those with network-visible interfaces, may compromise the security of the product if introduced.

- Physical security: The Ciena 5400 Series product does not claim any sort of physical tamper-evident or tamper-resistant security mechanisms. Therefore, it is necessary to deploy the product in a locked or otherwise physically secured environment so that it is not subject to untrusted physical modification.

- Trusted administration: The Ciena 5400 Series product does not provide a mechanism to protect against the threat of a rogue or otherwise malicious administrator. Therefore, it is the responsibility of the organization to perform appropriate vetting and training for security administrators prior to granting them the ability to manage the product.

5.4 Communication Protocols and Services

In the evaluated configuration, the SSH protocol was tested for remote administration. The TLS and SSH protocols were tested for secure transfer of audit data. SSH was tested for transferring audit data to an external SFTP server as well as pulling updates from the SFTP server. The TLS protocol was tested for the secure transfer of audit data to the external syslog server. The Telnet protocol is excluded from the evaluated configuration because it does not provide security for data in transit. The product supports numerous communications protocols that were not considered to be part of the Target of Evaluation because they provide functionality that was outside the scope of the Security Target. These protocols are facilitated by processes on the 5400 Packet-Optical Switch device that support their implementation and include the following:

ARP, BFD, CFM, CORBA, DHCP, DHCPv6, FTP, 802.1X, GMPLS, HTTP, HTTPS, ISIS, LDP, LLDP, MPLS, MSTP, NDP, NETCONF, NTP, OSPF, PBB-TE, PBT, RADIUS, RSTP, RSVP-TE, SNMP, TELNET_TLS, ORP, OSP, OSRP

6 Secure Installation and Configuration

Physical installation can be accomplished by following the steps outlined in the hardware-specific installation instructions; see 5430 Switch Hardware Installation [6] and 5410 Switch Hardware Installation [7]. First-time setup of the TOE can be accomplished by following the steps outlined in Turn-up and Test [1]. This document also describes how to verify the correct version of software running during the initial startup and the steps the installer should take if the version is not the expected version.

Regardless of the specific device being installed, the menu-driven command-line interface (MCLI) and Transaction Language 1 (TL1) interface are used to securely manage the devices via a local console or SSH. These steps can be performed using the initial default user account. Once the TOE is fully set up, follow the steps in Section 7.5 to change the password of the default user account.

NOTE: In the evaluated configuration, the CORBA interface will be disabled following initial setup so that all remote administrative communications use SSH.


6.1 Enable CC Mode

The cryptographic algorithms used in SSH and TLS are restricted by placing the TOE into “CC mode”. The algorithms are set to only those identified in Section 8.2.8 of the ST which meet the PP requirements. All other algorithms are disabled.

CC mode is enabled using the following commands:

1. Authenticate to the TOE as superuser via the MCLI.
2. Choose Option 7 – Modify system configuration.
3. Choose Option 20 – Set Common Criteria Mode.
4. Enable Set Common Criteria Mode.

6.2 Enable Enhanced Security Profile from Commissioning CLI (CCLI)

1. Authenticate to the TOE as superuser via the MCLI using the local console (serial).
2. Choose Option 6 – Perform system operations.
3. Choose Option 5 – Control Plane Reset the Secondary CTM.
4. Choose Option 4 – Control Plane Reset the Primary CTM.
5. During the boot, interrupt the startup from the Primary CTM by pressing “ENTER” at the countdown menu.
6. Log in as superuser.
7. At the CTM Config Menu, choose Option 19 – Enhanced Security Profile.
8. Enable “Enhanced Security Profile”.
9. Choose Option 29 to commit settings.
10. After the TOE has finished rebooting, authenticate to the TOE as superuser via the MCLI.

6.3 Configure the TOE Minimum Password Length to 15 Characters

The minimum password length can be specified by performing the following steps:

1. Enable the CORBA interface.
2. Launch Ciena Node Manager and populate the following fields:
   Node Url: <NODE_NAME>:<TOE_IP_ADDRESS>
   User Name: administrator
   Password: admin1!
3. Click “NE Defaults” tab > “Account Defaults” tab.
4. In the Password Character Minimum Length field enter “15”.
5. Click on “Accept” and then exit the Ciena Node Manager.

6.4 Configure the Syslog Server (MCLI)

Configure the syslog server using the following instructions:

1. Authenticate to the TOE.
2. Choose Option 7 – Modify system configuration.
3. Choose Option 18 – Security Log Settings Menu.
4. Choose Option 2 – Enable/Disable External Security Log Support (enable).
5. Choose Option 3 – Set Security Log Remote Destination IP (input syslog IP address and port at prompt).
6. Choose Option 4 – Set Security Log Connection Mode (tls).
7. Choose Option 6 – Commit pending Security Log configuration.

NOTE: If the connection from the TOE to the external syslog is disconnected, reconnection will take place automatically without any additional administrative action.

6.5 Configure the Time

Configure the NTP server using the following instructions:

1. Authenticate to the TOE through the MCLI.
2. Use the following menu options to configure the TOE to sync with the NTP server:
   a) Option 7 – Modify System Configuration
   b) Option 16 – NTP Settings Menu
      a. Option 2 – Enable
      b. Option 3 – Client mode
      c. Option 4 – Enable/Disable Authentication Support
      d. Option 7 – NTP Server Settings Menu
         i. Option 4 – Set IP address for NTP = <NTP_SERVER_IP_ADDRESS>
         ii. Option 5 – Set Server Authentication Key ID = 0
         iii. Option 6 – Enable/Disable iburst mode = enable (default)
         iv. Option 7 – Set Minimum Polling Interval = 64 (default)
         v. Option 8 – Set Maximum Polling Interval = 1024 (default)
         vi. Option 10 – Commit NTP Server

To set the time manually via the TL1 interface, the administrator must enter the command:

ED-DAT:::abc::DATE=<DATE>,TIME=<TIME>;

To verify that the time has been set, the administrator must enter the command:

rtrv-TOD:::abc;

6.6 Performing a Secure Software Upgrade (MCLI)

Updates are both digitally signed and hashed, but the hash information is used only for internal verification and is not made public. The digital signature is a 2048-bit RSA signature that is provided by Entrust. Prior to performing a secure software upgrade, the device will download the software release as well as the hash for the release. It will then compare the downloaded hash with the hash of the software release. If the hashes do not match, the upgrade process will stop and the downloaded software release will be flushed from the device’s temporary memory. In addition, the digital signature of the software upgrade is verified once the update is downloaded. If the digital signature verification fails, the upgrade process will stop and the downloaded software release will be flushed from the device’s temporary memory. In the event of a failure of the upgrade mechanism, please see Section 11 for contacting Ciena Customer Support. Otherwise, perform a secure software upgrade using the following instructions:

1. Authenticate to the TOE via the MCLI.
2. Option 3 – Upgrade or revert software release.
3. Option 3 – Download a new release.
4. Option 1 – List available software releases and scroll up to view the RELEASE that is “good in-use” for the current version.
5. Option 3 – Enter URL for software release file transfer – guided entry.
   a) Enter the protocol (SFTP)
   b) Enter the IP address (<TOE_IP_ADDRESS>)
   c) (Optional) Enter port number
   d) (Optional) Enter path of the file
6. Option 4 – Enter user name for file server access.
7. Option 5 – Enter password for file server access.
8. Option 7 – Transfer software release from the file server.
9. After the transfer is finished, choose Option 8 – Return to previous menu.
10. Option 5 – Upgrade to new software release.
11. Specify the name of the release to upgrade to from the list of available updates.
12. After the update has finished installing and a login prompt is returned, authenticate to the TOE.
13. Query the TOE for its current version and verify that the version number has increased.

To display the Software Release Signing Certificate information and verify that it is correct, choose Option 7 before performing step 10.

NOTE: If the SFTP server becomes disconnected from the TOE at any point in the download process, the administrator must restart the download.

6.7 Configure the TOE for SSH Public/Private Key Authentication

Configure the TOE to accept user authentication using a public/private key pair:

1. Generate a key pair on the Bitvise client and upload the key to the SFTP Server.
2. Upload the key generated from Bitvise:
   a) Authenticate to the MCLI as Superuser.
   b) Option 7 – Modify system configuration
   c) Option 17 – SSH Key Management Menu
   d) Option 4 – Download New Host Key Pair to Node
   e) Option 2 – Enter URL for SSH host key file transfer – Guided entry <URL of SFTP Server and file path to keys>
   f) Option 3 – Enter user name for file server access <username from SFTP Server>
   g) Option 4 – Enter password for file server access <password for user of SFTP Server>
   h) Option 6 – Transfer SSH host key from the file server


6.8 Configure Login Banner with the MCLI

The login banner is created by following these instructions:

1. Enable the CORBA interface.
2. Log in to the Ciena Node Manager.
3. Click “NE Defaults” tab > “Account Defaults” tab.
4. In the “Pre Authentication Login Banner” field enter the desired banner text.

The banner text can be edited by following the same instructions as above.

Instructions for configuring the login banner on the TL1 interface can be found in Section 7.6.

6.9 Lock All Insecure Ports

All insecure ports can be locked by performing the following steps:

1. Authenticate to the TOE as superuser via the MCLI.
2. Choose Option 6 – Perform system operations.
3. Choose Option 15 – Service and Port Lock Config Menu.
4. Choose Option 1 – Display Lock Configuration.
5. Choose Option 2 – Lock a Service or Port.
6. Follow the prompts to lock the following interfaces: FTP, HTTP, TELNET, TELNET_TLS, SNMP, CORBA.

7 Secure Management of the TOE

The following sections provide information on managing TOE functionality that is relevant to the claimed Protection Profile. Note that this information is largely derived from [5] and [8], minus the specific actions that are required as part of the ‘evaluated configuration’. The administrator is encouraged to reference these documents in full in order to have in-depth awareness of the security functionality of the 5400 Series product family, including functions that may be beyond the scope of this evaluation.

7.1 Administrative Roles

The product provides five administrative roles on its TL1 interface: Account Administrator (AA), Termination Point Provisioner (TP), Connection Provisioner (CP), Troubleshooter (TS), and Operator (O). Each administrative role is given a fixed set of privileges. Of these five roles, only the AA role has the ability to manage functions that are relevant to the TOE as defined by the NDPP. As such, the manipulation of user data requires AA role privileges. For the MCLI interface there exists a separate superuser role that is used for managing the TOE via the CLI. Both the superuser and AA roles are analogous to the role of Security Administrator as defined by the NDPP.

7.2 Authenticating to the TOE

Local users log in to the Maintenance Command Line Interface (MCLI) using a username and password defined locally to the TOE, while remote users can log in via the MCLI using a username and password or certificates. User authentication information that is sent remotely via the MCLI is protected using SSHv2. The TOE requires the use of locally-defined authentication credentials. Users are not allowed to perform any functions on the TOE without first being successfully identified and authenticated by the TOE’s authentication method. At initial login, the TOE will display a login banner and prompt the administrative user to provide a username. After the user provides the username, the user is prompted to provide the administrative password associated with the user account. The TOE then either grants administrative access (if the combination of username and password is correct) or indicates that the login was unsuccessful. The MCLI requires a separate superuser account that cannot be the same as an account that is used to access the TL1 interface.

When authenticating via the MCLI using port 22 over SSH, the user is prompted for an SSH username followed by an SSH password. This behaves like a regular SSH username/password authentication process. Alternatively, if configured to do so, the user can use public-key authentication to log in to the MCLI remotely using SSH.

When authenticating via TL1 using port 10220 over SSH, the user is prompted for an SSH username. At this prompt, the user can enter any string for the username and is then presented with a TL1 prompt; there is no “SSH password.” At this point, the TL1 prompt is listening for commands. Any commands that require TL1 authentication will not work until a user is authenticated via TL1. A TL1 username and password need to be entered using the TL1 command syntax:

act-user::<username>:abc::<password>;

At this point, if the TL1 username/password is accepted, then the user is permitted to perform authorized TL1 commands. If the trusted path for remote administration becomes disconnected, the administrator/superuser will be required to perform the authentication process again in order to reconnect to the TOE.

7.3 User Lockout

By default, the TOE locks out a user whose interactive session has been idle for the duration specified during account creation. This is enabled and set to the desired length of time by using the following command via the TL1 interface:

ed-user-secu::<username>:abc:::TMOUT=<number of minutes>;

Note: This command is available only via the TL1 interface, but the setting applies to users that access the TOE via the local serial console, TL1 and MCLI interfaces.

7.4 Managing Users

Users can be created with the following command via the TL1 interface:

ent-user-secu::<username>:abc::<password>,TL1,AA:TMOUT=<number of minutes>;

The TL1 interface will collect the password in an interactive prompt after this command is entered. This prevents password data from being displayed in the command log.

7.5 Password Management

Passwords must be 6 to 16 characters long and must include the following:

- Two alphabetical characters
- One numerical character
- One special character

In addition, only the following special characters are acceptable:

! % ^ , + - [ ] ` ~ { } | _

In order to change the password for a user account following the account’s creation, use the following command in the TL1 interface:

ed-pid::<username>:abc::<old_password>:<new_password>;

See Section 6.3 for instructions on configuring the minimum acceptable password length.

Note: This command can be used to change the MCLI’s superuser password. This should be completed after initial configuration is complete.
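As an added illustration (not part of this guidance or of Ciena's software), the following Python checker encodes the rules above together with the 15-character minimum from Section 6.3, so that a candidate password can be screened before it is entered with ed-pid. Reading "alphabetical" and "numerical" as ASCII letters and digits is an assumption, and the sample passwords are constructed.

```python
"""Checker for the password rules in Sections 6.3 and 7.5 of this guidance.

Added example, not Ciena code. Rules taken from the text:
  - 6 to 16 characters (product limits, Section 7.5)
  - at least two alphabetical characters
  - at least one numerical character
  - at least one special character, and only from the listed set
  - minimum length raised to 15 in the evaluated configuration (Section 6.3)
Alphabetical and numerical are read as ASCII letters and digits (assumption: the
guidance does not say whether non-ASCII letters count).
"""
import string
from typing import List

# The only special characters Section 7.5 lists as acceptable.
ALLOWED_SPECIALS = frozenset("!%^,+-[]`~{}|_")
LETTERS = frozenset(string.ascii_letters)
DIGITS = frozenset(string.digits)
PERMITTED = LETTERS | DIGITS | ALLOWED_SPECIALS

PRODUCT_MIN_LENGTH = 6    # Section 7.5
PRODUCT_MAX_LENGTH = 16   # Section 7.5
CC_MIN_LENGTH = 15        # Section 6.3, evaluated configuration


def check_password(password: str, min_length: int = CC_MIN_LENGTH) -> List[str]:
    """Return every rule the password violates; an empty list means it is acceptable.

    min_length models the "Password Character Minimum Length" field set in Node
    Manager (Section 6.3); it must stay inside the product's 6..16 range.
    """
    if not PRODUCT_MIN_LENGTH <= min_length <= PRODUCT_MAX_LENGTH:
        raise ValueError("minimum length must be between 6 and 16")

    problems = []
    if not min_length <= len(password) <= PRODUCT_MAX_LENGTH:
        problems.append(
            f"length {len(password)} is outside {min_length}..{PRODUCT_MAX_LENGTH}"
        )

    letters = sum(c in LETTERS for c in password)
    digits = sum(c in DIGITS for c in password)
    specials = sum(c in ALLOWED_SPECIALS for c in password)
    # Anything that is not a letter, a digit or a listed special (spaces, '@', '#',
    # non-ASCII, ...) is rejected rather than silently counted as "special".
    forbidden = sorted({c for c in password if c not in PERMITTED})

    if letters < 2:
        problems.append(f"needs two alphabetical characters, found {letters}")
    if digits < 1:
        problems.append("needs one numerical character")
    if specials < 1:
        problems.append("needs one special character from " + "".join(sorted(ALLOWED_SPECIALS)))
    if forbidden:
        problems.append("characters not permitted: " + " ".join(repr(c) for c in forbidden))
    return problems


def is_acceptable(password: str, min_length: int = CC_MIN_LENGTH) -> bool:
    return not check_password(password, min_length)


if __name__ == "__main__":
    # Constructed samples. "admin1!" is the Node Manager default quoted in Section 6.3:
    # it meets the product's base rules but not the 15-character CC minimum.
    for candidate in ("admin1!", "Switch-Fabric01!", "Switch Fabric01@", "1234567890!!!!!"):
        issues = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```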

7.6 Login Banner

On the TL1 interface, the login banner can be configured using the following command:

ED-ECFG::CUSTOMERSETTINGS:MYSTAG::PREBANNER=<Message>;

7.7 Admin Logout

An administrator can manually log out at any time by entering the following command via the TL1 interface:

canc-user::<username>:abc;

On the MCLI interface, enter the “10” command to terminate the current session.

7.8 Self-Tests

At initial start-up, the OpenSSL cryptographic module performs a series of known answer tests to verify the correct functionality of its cryptographic functions, and checks fingerprint and SHA file checksums to validate its own integrity. In addition, the software image itself is validated against a known hash to ensure its integrity. In the event of a failure of the self-tests or an operational error, the device will reboot itself and initiate a new run of self-tests.


8 Auditing

In order to be compliant with Common Criteria, the TOE must audit the events in the table below. The audit records that the TOE creates include the date and time, outcome of the event, event type, subject identity and the source of the event.

Component: FAU_GEN.1
Event: Startup and shutdown of audit functions.
Additional Information: No additional information
Sample Log:
Shutdown of the TOE:
2016-01-07T12:03:04.000+00:00 <local3.notice> 1-A-CTM (9476) exec EXEC: Shutdown : ss 6
Startup of the TOE:
2016-01-07T12:04:05.000+00:00 <local1.info> (none) (initramfs 773) boot_exec In initialization of CTM HAL.

Component: FCS_SSH_EXT.1
Event: Failure to establish an SSH session; Establishment/Termination of an SSH session
Additional Information: Reason for failure; Non-TOE endpoint of connection (IP address) for both successes and failures.
Sample Log:
Termination of SSH Session
2015-11-10T15:32:46.000+00:00 <auth.info> 1-A-CM1 (2) sshd Disconnected from 10.41.71.100
Establishment of SSH Session
2015-11-10T15:32:51.000+00:00 <authpriv.info> 1-A-CM1 (10) sshd libpam_user_access_process(login:session): TL1 over SSH session detected. Return success.
Failure of SSH Session
2015-11-13T19:21:55.000+00:00 <auth.crit> 1-A-CM1 (3) sshd fatal: Unable to negotiate with 10.41.71.210: no matching cipher found. Their offer: 3des-cbc [preauth]

Component: FIA_UIA_EXT.1
Event: All use of the identification and authentication mechanism.
Additional Information: Provided user identity, origin of the attempt (e.g., IP address).
Sample Log:
Successful authentication via Console:
2015-11-13T20:38:22.000+00:00 <authpriv.debug> 1-A-CM1 (585) login libpam_user_access_process(logintty:auth): pam_sm_authenticate...success - user:superuser
2015-11-13T20:38:22.000+00:00 <local0.info> 1-A-CM1 (597) Ciena CreateTheUserSession- userName:superuser sessionId:1014510046 clientInterface:SERIAL @
Failed authentication via Console:
2015-11-09T23:19:06.000+00:00 <auth.info> 1-A-CM1 (438) usracc Authentication failed user:superuser authMethodUsed:Local configAuthMethod:Local @ src/software/centaur/apps/user_acc/UAP_LoginTask.cpp:106
Successful authentication via TL1:
2015-11-13T16:36:48.000+00:00 <authpriv.debug> 1-A-CM1 (107) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:administrator interface:SSH rHost:10.41.71.210
Failed authentication via TL1:
2015-11-13T20:11:16.000+00:00 <authpriv.debug> 1-A-CM1 (257) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:baduser interface:SSH rHost:10.41.71.210
2015-11-13T20:11:19.000+00:00 <local0.info> 1-A-CM1 (266) Ciena UserAccountManager::IsPriviledgeExists- Account:baduser does not exist @ src/software/centaur/apps/core/txn/Management/Managers/UserAccountManager.cpp:783
2015-11-13T20:11:19.000+00:00 <local0.info> 1-A-CM1 (267) Ciena Wrong password @ src/software/centaur/apps/core/txn/Management/Managers/ManagementServices.cpp:1148
Successful authentication via MCLI:
2015-11-13T20:11:26.000+00:00 <auth.info> 1-A-CM1 (284) sshd Connection from 10.41.71.210 port 58048 on 10.41.73.31 port 22
2015-11-13T20:11:34.000+00:00 <authpriv.debug> 1-A-CM1 (285) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:superuser interface:SSH rHost:10.41.71.210
Failed authentication via MCLI:
2015-11-13T20:11:43.000+00:00 <auth.info> 1-A-CM1 (310) sshd Connection from 10.41.71.210 port 58051 on 10.41.73.31 port 22
2015-11-13T20:11:47.000+00:00 <authpriv.debug> 1-A-CM1 (311) sshd libpam_user_access_process(login:auth): pam_sm_authenticate user:baduser2 interface:SSH rHost:10.41.71.210
2015-11-13T20:11:49.000+00:00 <authpriv.info> 1-A-CM1 (328) sshd libpam_user_access_process(login:auth): HandleLogonResponse: User failed authentication

Component: FIA_UAU_EXT.2
Event: All use of the authentication mechanism.
Additional Information: Origin of the attempt (e.g., IP address).
Sample Log: See FIA_UIA_EXT.1 records

Component: FPT_STM.1
Event: Changes to the time.
Additional Information: The old and new values for the time. Origin of the attempt (e.g., IP address).
Sample Log:
Manually changing time via TL1:
/*EventType=AuditTrail,Category=Security,OpResult=OK,MoName=/NE=txn543/T=EQUIPMENT/N=txn543,NETimeMilliSec=0,LogId=2000115,ClientHostName=10.40.32.135,ClientInterface=TL1,NETime=01/07/2016 13:56:00,OpName=Configure,ProbableCause=ResponseFromService,UserAccount=/NE=txn543/T=ACCOUNT/N=administrator,oldSecond=30,oldMinute=54,oldMonth=1,oldHour=13,oldDay=7,oldYear=2016,Hour=13,Second=0,Month=1,Year=2016,Day=7,Minute=56*/
Change of time using NTP Server:
2016-01-07T12:03:26.000+00:00 <local1.info> 1-CTM1 (15576) secexec NTP Server add:10.41.88.5, keyid=0, iburst
2016-01-07T12:03:26.000+00:00 <local1.notice> 1-CTM1 (15577) MCLI 1266: Commit NTP Server: NTP server committed successfully - '10.41.88.5', '0', 'enable', '64', '1024'
2016-01-07T19:32:11.000+00:00 <user.debug> 1-CTM1 (1) Ciena cad_client_fetch_status: Client started with slot = 0

Component: FPT_TUD_EXT.1
Event: Initiation of update.
Additional Information: No additional information
Sample Log:
2016-01-07T17:32:46.000+00:00 <local3.info> 1-CTM2 (68) exec INSTALLEVENT: 3 rel_cn5410_4.0.2.1_cl688569 Release rel_cn5410_4.0.2.1_cl688569 synced to all slots.

Component: FTA_SSL_EXT.1
Event: Any attempts at unlocking of an interactive session.
Additional Information: No additional information.
Sample Log:
Termination of a local session by the locking mechanism:
2015-11-19T14:48:10.806-05:00 10.41.73.34 220 <86>1 2015-11-20T18:59:00.081+00:00 1-A-CM1 usracc 4053 - [meta sequenceId="84"] SecurityLog - Category=Security, OpName=CloseSession, SessionID=297273786, UserAccount=superuser, Interface=SERIAL, LogonHost=HOST_UNKNOWN

Component: FTA_SSL.3
Event: The termination of a remote session by the session locking mechanism.
Additional Information: No additional information.
Sample Log:
2015-11-19T13:35:14.079-05:00 10.41.73.31 217 <86>1 2015-11-19T18:33:40.342+00:00 1-C-CM2 usracc 4161 - [meta sequenceId="75"] SecurityLog - Category=Security, OpName=CloseSession, SessionID=854797633, UserAccount=superuser, Interface=SSH, LogonHost=10.41.71.210

Component: FTA_SSL.4
Event: The termination of an interactive session.
Additional Information: No additional information.
Sample Log:
User termination of a local session:
2015-11-09T20:01:08.000+00:00 <auth.info> 1-A-CM1 (43) usracc LogOff sessID:82307218, pam_tty:SERIAL @ src/software/centaur/apps/user_acc/UAP_LoginTask.cpp:1656
User termination of a remote session (MCLI):
2015-11-17T21:30:34.000+00:00 <local1.notice> 1-A-CM1 (303) MCLI 6642: menu choice 10 - Log off
2015-11-17T21:30:34.000+00:00 <local1.notice> 1-A-CM1 (304) MCLI 6642: CLI session 6642 ended.
User termination of a remote session (TL1):
2015-11-14T21:06:28.692+00:00 <authpriv.info> 1-A-CM1 (4) usracc SecurityLog - Category=Security, OpName=CloseSession, SessionID=1326102656, UserAccount=administrator, Interface=TL1, LogonHost=127.0.0.1

Component: FTP_ITC.1
Event: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Additional Information: Identification of the initiator and target of failed trusted channels establishment attempt.
Sample Log:
Failure of a Connection:
2016-01-08T14:40:22.000+00:00 <local1.info> 1-CTM2 (22576) x secsyslog ip:10.41.88.17, port:2999, mode:tls, cipher:AES256-SHA256
2016-01-08T14:40:22.356+00:00 <syslog.notice> 1-CTM2 (22589) 1-C-CM2 syslog-ng[3426]: Syslog connection established; fd='13', server='AF_INET(10.41.88.17:2999)', local='AF_INET(0.0.0.0:0)'
2016-01-08T14:40:22.359+00:00 <syslog.err> 1-CTM2 (22590) 1-C-CM2 syslog-ng[3426]: SSL error while writing stream; tls_error='SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
2016-01-08T14:40:22.359+00:00 <syslog.err> 1-CTM2 (22591) 1-C-CM2 syslog-ng[3426]: I/O error occurred while writing; fd='13', error='Broken pipe (32)
Initiation of a trusted channel:
2016-01-08T14:42:09.000+00:00 <local1.info> 1-CTM2 (22825) secsyslog_config.sh 7139: Invoked with 'syslog true 10.41.88.17 2999 tls AES256-SHA', restarting syslog-ng-sec.
2016-01-08T14:42:10.000+00:00 <user.notice> 1-CTM2 (22826) logger Enforcing reset rate limit. Will resume in 3 seconds.
2016-01-08T14:42:13.000+00:00 <local1.notice> 1-CTM2 (22827) MCLI 6668: menu choice 1 - Display current Security Log configuration
2016-01-08T14:42:13.058+00:00 <syslog.notice> 1-CTM2 (22828) 1-C-CM2 syslog-ng[3426]: Configuration reload request received, reloading configuration;
2016-01-08T14:42:13.058+00:00 <syslog.notice> 1-CTM2 (22829) 1-C-CM2 syslog-ng[3426]: Syslog connection established; fd='14', server='AF_INET(10.41.88.17:2999)', local='AF_INET(0.0.0.0:0)'
Termination of a trusted channel:
2015-11-18T21:42:13.034+00:00 <syslog.err> 1-C-CTM (233714) 1-C-CM2 syslog-ng[3225]: SSL error while writing stream; tls_error='SSL routines:SSL23_WRITE:ssl handshake failure'
2015-11-18T21:42:13.034+00:00 <syslog.err> 1-C-CTM (233715) 1-C-CM2 syslog-ng[3225]: I/O error occurred while writing; fd='13', error='Broken pipe (32)'
2015-11-18T21:42:13.034+00:00 <syslog.notice> 1-C-CTM (233716) 1-C-CM2 syslog-ng[3225]: Syslog connection broken; fd='13', server='AF_INET(10.41.73.110:2999)', time_reopen='10

Component: FTP_TRP.1
Event: Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions.
Additional Information: Identification of the claimed user identity.
Sample Log: See FCS_SSH_EXT.1 and FIA_UIA_EXT.1.

Table 8-1: NDPP Auditable Events

The following is an example of a security audit record that the 5400 series produces.

/*EventType=AuditTrail,Category=Security,OpResult=OK,MoName=/NE=TXN542A/T=EQUIPMENT/N=TXN542A,NETimeMilliSec=0,LogId=4005456,ClientHostName=127.0.0.1,ClientInterface=TL1,NETime=11/11/2015 09:40:22,OpName=Configure,ProbableCause=ResponseFromService,UserAccount=/NE=TXN542A/T=ACCOUNT/N=administrator,Hour=9,Second=22,Month=11,Year=2015,Day=11,Minute=40*/"AuditTrail"


The example record includes a timestamp value (November 11, 2015 09:40:22 [UTC]), the client interface (TL1), the IP address of the event (127.0.0.1), the user causing the event to occur (administrator), and the trigger (response from a service).
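A parser for the AuditTrail record format shown above, as an added Python example that is not part of this guide or of Ciena's software. It takes the Section 8 record and the FPT_STM.1 time-change record from Table 8-1 as inputs; the function names are constructed, and the field names it relies on are only those the records themselves carry.

```python
import re
from datetime import datetime

# The Section 8 example record (TXN542A) and the FPT_STM.1 time-change
# record from Table 8-1, copied from this guide as parser inputs.
CONFIGURE_RECORD = (
    '/*EventType=AuditTrail,Category=Security,OpResult=OK,'
    'MoName=/NE=TXN542A/T=EQUIPMENT/N=TXN542A,NETimeMilliSec=0,LogId=4005456,'
    'ClientHostName=127.0.0.1,ClientInterface=TL1,NETime=11/11/2015 09:40:22,'
    'OpName=Configure,ProbableCause=ResponseFromService,'
    'UserAccount=/NE=TXN542A/T=ACCOUNT/N=administrator,'
    'Hour=9,Second=22,Month=11,Year=2015,Day=11,Minute=40*/"AuditTrail"'
)
TIME_CHANGE_RECORD = (
    '/*EventType=AuditTrail,Category=Security,OpResult=OK,'
    'MoName=/NE=txn543/T=EQUIPMENT/N=txn543,NETimeMilliSec=0,LogId=2000115,'
    'ClientHostName=10.40.32.135,ClientInterface=TL1,NETime=01/07/2016 13:56:00,'
    'OpName=Configure,ProbableCause=ResponseFromService,'
    'UserAccount=/NE=txn543/T=ACCOUNT/N=administrator,'
    'oldSecond=30,oldMinute=54,oldMonth=1,oldHour=13,oldDay=7,oldYear=2016,'
    'Hour=13,Second=0,Month=1,Year=2016,Day=7,Minute=56*/'
)

# Body between /* and */, optionally followed by a quoted label ("AuditTrail").
RECORD_RE = re.compile(r'/\*(?P<body>.*?)\*/(?:"(?P<label>[^"]*)")?', re.S)


def parse_fields(record):
    """Split a record into its key=value fields.

    Fields are comma separated; splitting each one at the FIRST '=' keeps
    values that themselves contain '=' (MoName, UserAccount) intact.
    """
    match = RECORD_RE.search(record)
    if match is None:
        raise ValueError("no /*...*/ AuditTrail record found")
    fields = {}
    for pair in match.group("body").split(","):
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed field: {pair!r}")
        fields[key.strip()] = value.strip()
    if match.group("label") is not None:
        fields["_label"] = match.group("label")
    return fields


def _timestamp(fields, prefix=""):
    """datetime from the Year/Month/Day/Hour/Minute/Second fields; with
    prefix="old" it reads the oldYear... fields of a time-change record."""
    def part(name):
        return int(fields[prefix + name])
    return datetime(part("Year"), part("Month"), part("Day"),
                    part("Hour"), part("Minute"), part("Second"))


def summarize(record):
    """Reduce a record to the fields an analyst needs: who, what, from
    where, over which interface, when, and the outcome."""
    fields = parse_fields(record)
    when = _timestamp(fields)
    # NETime carries the same instant; a mismatch means a damaged record.
    netime = datetime.strptime(fields["NETime"], "%m/%d/%Y %H:%M:%S")
    if netime != when:
        raise ValueError(f"NETime {netime} disagrees with field time {when}")
    summary = {
        "timestamp": when.isoformat(),
        "user": fields["UserAccount"].rsplit("/N=", 1)[-1],
        "client_host": fields["ClientHostName"],
        "interface": fields["ClientInterface"],
        "operation": fields["OpName"],
        "result": fields["OpResult"],
        "trigger": fields["ProbableCause"],
        "log_id": int(fields["LogId"]),
    }
    if "oldYear" in fields:
        # FPT_STM.1 record: report the previous clock value and the shift.
        old = _timestamp(fields, "old")
        summary["old_time"] = old.isoformat()
        summary["clock_shift_seconds"] = (when - old).total_seconds()
    return summary


if __name__ == "__main__":
    for rec in (CONFIGURE_RECORD, TIME_CHANGE_RECORD):
        print(summarize(rec))
```

The clock_shift_seconds value is what a reviewer would watch for in the FPT_STM.1 records: a large manual shift on a node that also has NTP configured is worth a follow-up.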

8.1 Audit Storage

In the evaluated configuration, the TOE is configured to transmit its collected audit data to a syslog server in the Operational Environment. The TOE uses syslog-ng to transmit audit data remotely to an audit server using TCP. This channel is protected using TLS. SFTP is used for pushing logs manually to a configured destination server.

Locally, the TOE maintains the security-relevant audit data in two locations on the filesystem, summarized below:

/rel/<rel-name>/ctm30/<core>/ps/data/AuditTrail: audit log, records all authentication events and management activities performed on the MCLI and TL1 interfaces

/var/log/secmessages: security syslog, records all events related to user account management

The audit data is stored in up to four files for each audit storage location. Each audit log file stores up to 1,000 records and each security syslog file stores up to 10 MB of data. When storage space is exhausted for either audit storage location, the oldest log file is overwritten. The TOE does not provide a mechanism to delete the locally-stored audit data. See Section 6.4 of this document for instructions on configuring the Syslog Server interface.

To manually push audit data to an external SFTP server for storage, use the following steps:

1. Authenticate to the TOE.

2. Option 6 – Perform system operations

3. Option 23 – Support menu

4. Option 5 – Upload logs, no crash dump files

5. Option 1 – Create log archive

6. For the module, type: “all”.

7. Option 3 – Enter URL for logs archive file transfer – guided entry

8. For the transfer protocol, type “sftp”.

9. Specify the SFTP server IP address and port, destination path, username (Option 4), and password (Option 5).

10. Option 7 to initiate the transfer

NOTE: If the connection to the SFTP server is disconnected during the transfer, the administrator must restart the transfer process.

9 SFR Assurance Activities

In this section we identify the SFR assurance activities and specify where in the Ciena documentation this information can be found.

FAU_GEN.1 –


“The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN1.2, and the additional information specified in Table 1.”

The AGD does not contain examples of audit data outside of this document. Additionally, [8] provides an overview of the log format under ‘Retrieve Audit Security Log Information’.

“The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP. The evaluator shall examine the administrative guide and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to this PP. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.”

Auditing is always functional and thus cannot be disabled or enabled. As a result, the starting up and shutting down of audit functions is synonymous with the startup and shutdown of the TOE.

FAU_STG_EXT.1 –

“The evaluator shall also examine the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server (for TOEs that are not acting as an audit log server).”

In the evaluated configuration, the TOE is configured to transmit its collected audit data to a syslog server in the Operational Environment. The steps in Section 6.4 indicate how to enable a remote audit server and securely transfer audit data to it using TCP.

“The evaluator shall also examine the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server.”

The procedures for establishing a trusted channel to the audit server are described in Section 6 of this document.

FCS_SSH_EXT.1.4 –

“The evaluator shall also check the operational guidance to ensure that it contains instructions on configuring the TOE so that SSH conforms to the description in the TSS (for instance, the set of algorithms advertised by the TOE may have to be restricted to meet the requirements).”

Configuration of the SSH server and SSH client cryptographic algorithms is not under administrator control. The algorithms are restricted by placing the TOE into “CC mode” to those identified in Section 8.2.8 of the ST, which meets the PP requirements. All other algorithms are disabled. Refer to Section 6.1 for enabling CC Mode.

FCS_SSH_EXT.1.6 –


“The evaluator shall also check the operational guidance to ensure that it contains instructions to the administrator on how to ensure that only the allowed data integrity algorithms are used in SSH connections with the TOE (specifically, that the “none” MAC algorithm is not allowed).”

See FCS_SSH_EXT.1.4

FCS_SSH_EXT.1.7 –

“The evaluator shall ensure that operational guidance contains configuration information that will allow the security administrator to configure the TOE so that all key exchanges for SSH are performed using DH group 14 and any groups specified from the selection in the ST.”

See FCS_SSH_EXT.1.4

FIA_PMG_EXT.1 –

“The evaluator shall examine the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length.”

Password management is described in Section 7.5 of this document.

FIA_UIA_EXT.1 –

“The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described.”

Creating usernames and passwords is described in Sections 7.4 and 7.5 of this document. Configuring the TOE for SSH Public/Private key authentication is described in Section 6.7. Authenticating to the TOE is described in Section 7.2 of this document.

“For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on.”

See above.

“If configuration is necessary to ensure the services provided before login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.”

Sections 6.8 and 7.6 of this document provide instructions on how to configure the pre-authentication login banner. There is no other method by which a user or administrator can view or interact with TSF data prior to authentication.

FMT_MTD.1 –

“The evaluator shall review the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions.”

The TOE has a fixed set of administrative roles with a fixed set of privileges. Document [5] provides a listing of administrative access levels and the privileges allowed for each. Only the AA role has the ability to manage functions that are relevant to the TOE as defined by the NDPP. The remaining functions pertain to the management of switching functions that are outside the scope of the NDPP. The TOE also provides a CLI (referred to as the MCLI) for many security-relevant features, typically those that are not managed frequently (such as configuring communications with remote audit and NTP servers). The MCLI defines a superuser role that is separate from the roles defined for the TL1 interface, and is the only role that is defined for the MCLI.

The user and interface required to execute functionality as defined by the PP are outlined throughout the AGD; in particular, Sections 6 and 7 cover the configuration and management procedures.

FMT_SMR.2 –

“The evaluator shall review the operational guidance to ensure that it contains instructions for administering the TOE both locally and remotely, including any configuration that needs to be performed on the client for remote administration.”

Configuration of the TOE can occur locally via the serial console or remotely over the dedicated management Ethernet port via SSH. Section 7.2 of this document provides instructions for how to log in to the TOE once the appropriate encryption settings are configured as described in Section 6.1. Additionally, if SSH public/private key authentication will be used, refer to Section 6.7 for its configuration.

FPT_STM.1 –

“The evaluator examines the operational guidance to ensure it instructs the administrator how to set the time. If the TOE supports the use of an NTP server, the operational guidance instructs how a communication path is established between the TOE and the NTP server, and any configuration of the NTP client on the TOE to support this communication.”

The “System Maintenance” section of [8] provides instructions on how to manually set the system time. Section 6.5 provides instructions on how to set up and administer NTP.

FPT_TST_EXT.1 –

“The evaluator shall also ensure that the operational guidance describes the possible errors that may result from such tests, and actions the administrator should take in response; these possible errors shall correspond to those described in the TSS.”

Section 6.1 of this document references procedures for enabling CC mode. The TOE uses a cryptographic module (which cannot be claimed as FIPS validated); however, the algorithms the TOE uses have been put through CAVP testing. Section 7.8 explains how the TOE performs self-tests and the actions taken in the event of self-test failure. Also see [2] for instructions on troubleshooting and clearing problems with the TOE.

FPT_TUD_EXT.1 –

“The evaluator also ensures that the TSS (or the operational guidance) describes how the candidate updates are obtained; the processing associated with verifying the digital signature or calculating the hash of the updates; and the actions that take place for successful (hash or signature was verified) and unsuccessful (hash or signature could not be verified) cases.”

Section 6.6 of this document describes the process for performing a system upgrade. The general instructions for acquiring, verifying, and performing trusted updates are described in detail in [1].


FTA_SSL_EXT.1, FTA_SSL.3, FTA_SSL.4 – There is no specific guidance assurance activity. However, the assurance activity for testing requires the tester to follow the operational guidance to configure the system inactivity period. Section 7.3 of this document provides information on manual and automatic session termination activities.

FTA_TAB.1 – There is no specific guidance assurance activity. However, the assurance activity for testing requires the tester to follow the operational guidance to configure the banner. Section 6.8 of this document provides instructions on how to configure the login banner.

FTP_ITC.1 –

“The evaluator shall confirm that the operational guidance contains instructions for establishing the allowed protocols with each authorized IT entity, and that it contains recovery instructions should a connection be unintentionally broken.”

Section 6.4 discusses that in the case of a disconnected channel between the TOE and the syslog server, the connection will automatically re-establish with no further input from the administrator. Section 6.6 discusses that if the channel between the TOE and the SFTP server becomes disconnected during a software download, the administrator is required to perform the listed steps again in order to download the full update. Similarly, Section 8.1 states that the administrator must repeat all of the listed steps if communication is disconnected during the manual push of audit data to the SFTP server.

FTP_TRP.1 –

“The evaluator shall confirm that the operational guidance contains instructions for establishing the remote administrative sessions for each supported method.”

Section 7.2 states that in the event the administrator/superuser gets disconnected while remotely administering the TOE, they must re-authenticate in order to resume management activities.

10 Operational Modes

The device has two configurable settings for its operational modes: normal mode and CC mode. Refer to Section 6.1 for instructions on enabling CC mode. When not in CC mode, the device can be considered as operating in normal mode.

11 Additional Support

Ciena provides technical support for its products if needed. Customers can register for a support account at www.ciena.com/support. Additionally, direct support can be reached toll-free in North America at 1-800-243-6224.