Brocade Communications Systems, Inc. Directors And Switches Security Target


Brocade Directors and Switches Security Target
Version Number: 3.1
Publication Date: 11/26/2013

Copyright 2001 - 2013 Brocade Communications Systems, Inc. All Rights Reserved.

Brocade, FabricOS, File Lifecycle Manager, MyView, and StorageX are registered trademarks and the Brocade B-wing symbol, DCX, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.

Notice: The information in this document is provided “AS IS,” without warranty of any kind, including, without limitation, any implied warranty of merchantability, noninfringement or fitness for a particular purpose. Disclosure of information in this material in no way grants a recipient any rights under Brocade's patents, copyrights, trade secrets or other intellectual property rights. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use.

The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.

Notice: The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.

Export of technical data contained in this document may require an export license from the United States Government.

Brocade Communications Systems, Inc. Page 2 of 48

Table of Contents

1. SECURITY TARGET INTRODUCTION ... 5
1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION ... 5
1.2 CONFORMANCE CLAIMS ... 6
1.3 CONVENTIONS ... 6
1.4 ACRONYMS AND TERMINOLOGY ... 6
2. TOE DESCRIPTION ... 8
2.1 TOE OVERVIEW ... 9
2.2 TOE ARCHITECTURE ... 10
2.2.1 Physical Boundaries ... 11
2.2.2 Logical Boundaries ... 12
2.3 TOE DOCUMENTATION ... 14
3. SECURITY ENVIRONMENT ... 15
3.1 THREATS ... 15
3.2 ASSUMPTIONS ... 15
4. SECURITY OBJECTIVES ... 16
4.1 SECURITY OBJECTIVES FOR THE TOE ... 16
4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT ... 16
5. IT SECURITY REQUIREMENTS ... 17
5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS ... 17
5.1.1 Security audit (FAU) ... 17
5.1.2 Cryptographic Support ... 18
5.1.3 User data protection (FDP) ... 19
5.1.4 Identification and authentication (FIA) ... 20
5.1.5 Security management (FMT) ... 21
5.1.6 Protection of the TSF (FPT) ... 22
5.1.7 TOE access (FTA) ... 22
5.1.8 Trusted Path (FTP) ... 23
5.2 TOE SECURITY ASSURANCE REQUIREMENTS ... 23
5.2.1 Development (ADV) ... 23
5.2.2 Guidance documents (AGD) ... 25
5.2.3 Life-cycle support (ALC) ... 25
5.2.4 Tests (ATE) ... 27
5.2.5 Vulnerability assessment (AVA) ... 28
6. TOE SUMMARY SPECIFICATION ... 29
6.1 TOE SECURITY FUNCTIONS ... 29
6.1.1 Audit ... 29
6.1.2 User data protection ... 30
6.1.2.1 User Data Encryption ... 32
6.1.2.1.1 Key Management System ... 33
6.1.2.1.2 CryptoTarget Container ... 34
6.1.3 Identification and authentication ... 35
6.1.4 Security management ... 36
6.1.5 Protection of the TSF ... 37
6.1.6 TOE Access ... 38
6.1.7 Trusted Path ... 39
7. PROTECTION PROFILE CLAIMS ... 40
8. RATIONALE ... 41
8.1 SECURITY OBJECTIVES RATIONALE ... 41
8.1.1 Security Objectives Rationale for the TOE and Environment ... 41
8.2 SECURITY REQUIREMENTS RATIONALE ... 43
8.2.1 Security Functional Requirements Rationale ... 43
8.3 SECURITY ASSURANCE REQUIREMENTS RATIONALE ... 46
8.4 REQUIREMENT DEPENDENCY RATIONALE ... 46
8.5 EXTENDED REQUIREMENTS RATIONALE ... 47
8.6 TOE SUMMARY SPECIFICATION RATIONALE ... 47
8.7 PP CLAIMS RATIONALE ... 48

LIST OF TABLES

Table 1 TOE Security Functional Components ... 17
Table 2 EAL-4 Assurance Components ... 23
Table 3 Trusted Path Algorithms, Key Sizes, Standards and Certificate Numbers ... 39
Table 4 Environment to Objective Correspondence ... 41
Table 5 Objective to Requirement Correspondence ... 44
Table 6 CC Dependencies vs. ST Dependencies ... 47
Table 7 Security Functions vs. Requirements Mapping ... 48

LIST OF FIGURES

Figure 1: Host bus adapters can only access storage devices that are members of the same zone. ... 8
Figure 2: Administrators can access the TOE using a serial terminal or across a network. Audit records are sent to a syslog server. ... 10
Figure 3: TOE and environment components. ... 11
Figure 4: TOE and environment audit record components. ... 30
Figure 5: User Data Encryption ... 33
Figure 6: User Data Flow for User Data Encryption SFP ... 34
Figure 7: CryptoTarget Container ... 35

1. Security Target Introduction

This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is the Brocade Directors and Switches provided by Brocade Communications Systems, Inc. Brocade Directors and Switches are hardware appliances that implement what is called a “Storage Area Network” or “SAN”. SANs provide physical connections between servers that are located in the environment and storage devices such as disk storage systems and tape libraries that are also located in the environment.

The Security Target contains the following additional sections:

Section 2 – Target of Evaluation (TOE) Description
This section gives an overview of the TOE, describes the TOE in terms of its physical and logical boundaries, and states the scope of the TOE.

Section 3 – TOE Security Environment
This section details the expectations of the environment, the threats that are countered by the TOE and the environment, and the organizational policy that the TOE must fulfill.

Section 4 – TOE Security Objectives
This section details the security objectives of the TOE and environment.

Section 5 – IT Security Requirements
This section presents the security functional requirements (SFR) for the TOE and the environment that supports the TOE, and details the assurance requirements.

Section 6 – TOE Summary Specification
This section describes the security functions represented in the TOE that satisfy the security requirements.

Section 7 – Protection Profile Claims
This section presents any protection profile claims.

Section 8 – Rationale
This section closes the ST with the justifications of the security objectives, requirements and TOE summary specifications as to their consistency, completeness, and suitability.

1.1 Security Target, TOE and CC Identification

Security Target Title – Brocade Directors and Switches Security Target
Security Target Version – Version 3.1
Security Target Date – November 26, 2013
TOE Identification –
  Director Blade [1] Models: FC8-16, FC8-32, FC8-48, FC8-64, FC16-32, FC16-48, CP8, CR8, CR4S-8, CR16-4, CR16-8, FCOE10-24, FS8-18, FX8-24
  Director Models: DCX, DCX-4S, DCX 8510-4, DCX 8510-8
  Switch Appliance Models: 300, 5100, 5300, 6510, 6520, 7800, 8000, BES
  Embedded Blades [2]: 5410, 5424, 5450, 5460, 5470, 5480, 5431, 6547 and M6505
  Software: FabricOS version 7.2.0a
Models FS8-18 and BES switch appliance support the user data encryption function.
TOE Guidance Documents –
  Brocade – FabricOS Administrator's Guide – Publication #53-1002920-01, 26 July 2013

[1] A blade refers to a purpose-built component that is installed in a Brocade director.
[2] An embedded blade is a Brocade switch in a blade form factor that may be installed in any blade server product.

  Brocade – FabricOS Command Reference – Publication #53-1002921-01, 26 July 2013
  Brocade – FabricOS Message Reference – Publication #53-1002929-01, 26 July 2013
TOE Developer – Brocade Communications Systems, Inc.
Evaluation Sponsor – Brocade Communications Systems, Inc.
CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012

1.2 Conformance Claims

This TOE is conformant to the following CC specifications:

- Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Requirements, Version 3.1, Revision 4, September 2012. Part 2 Conformant
- Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Version 3.1, Revision 4, September 2012. Part 3 Conformant
- Assurance Level: EAL-4 augmented with ALC_FLR.2

1.3 Conventions

The following conventions have been applied in this document:

- Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement.
  o Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a letter placed at the end of the component. For example FDP_ACC.1(1) and FDP_ACC.1(2) indicate that the ST includes two iterations of the FDP_ACC.1 requirement, (1) and (2).
  o Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g., [[selected assignment]]).
  o Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]).
  o Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., “all objects” or “some big things”).
- Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions.

1.4 Acronyms and Terminology

This section defines the acronyms and terms used throughout this document.

DEK    Data Encryption Key
FC     Fibre Channel
FCIP   Fibre Channel over IP
HBA    Host Bus Adapter
JBOD   Stands for "Just a Bunch of Disks", and is a way of connecting together a series of hard drives, combining multiple drives and capacities, into one drive
LUN    Logical Unit Number, used to refer to a logical device within a chain.
SAN    Storage Area Network

2. TOE Description

The Target of Evaluation (TOE) is the Brocade Directors and Switches hardware appliances running FabricOS version 7.2.0a. The various models of the TOE mentioned in Section 1.1 differ in performance, form factor and number of ports, but all run the same FabricOS version 7.2.0a software. The TOE is available in three form factors: a rack-mount Director chassis with a variable number of blades, a self-contained switch appliance device and embedded blades acting as a switch.

Director models are composed of blades of several types. A ‘director blade model’ is either a control blade (CP4 or CP8), a core switch blade (CR8, CR4S-8, CR16-4, CR16-8), a port blade (FC4-16, FC4-32, FC4-48, FC8-16, FC8-32, FC8-48, FC8-64, FC16-32, FC16-48) or an application blade (FC4-16IP, FX8-24, FCOE10-24, FS8-18). Control blades contain the control plane for the chassis. A core switch blade contains the ASICs for switching between port blades. Port blades support various numbers of ports and speeds. Application blades provide additional capabilities such as FC over Ethernet or encryption. The DCX, DCX-4S, DCX 8510-4 and DCX 8510-8 require at least one control blade and one core blade to make the director operational.

Director Model   Blades
DCX              CP8, CR8, FC8-16, FC8-32, FC8-48, FC8-64, FX8-24, FCOE10-24, FS8-18
DCX-4S           CP8, CR4S-8, FC8-16, FC8-32, FC8-48, FC8-64, FC10-6, FX8-24, FCOE10-24, FS8-18
DCX 8510-4       CP8, CR16-4, FC8-64, FC16-32, FC16-48, FX8-24, FS8-18
DCX 8510-8       CP8, CR16-8, FC8-64, FC16-32, FC16-48, FX8-24, FS8-18

Brocade Directors and Switches are hardware appliances that implement what is called a “Storage Area Network” or “SAN”. SANs provide physical connections between machines in the environment containing a type of network card called a Host Bus Adapter (HBA) and storage devices such as disk storage systems and tape libraries that are also located in the environment. The network connections between the storage devices in the environment, the TOE, and HBAs in the environment use high-speed network hardware. SANs are optimized to transfer large blocks of data between HBAs and storage devices. SANs can be used to replace or supplement server-attached storage solutions, for example.

The basic concept of operations from a user's perspective is depicted below. Actual implementations may interconnect multiple instances of TOE models.

Figure 1: Host bus adapters can only access storage devices that are members of the same zone.
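The zoning rule that Figure 1 illustrates (an HBA reaches only the storage ports that share a zone with it; every other pairing is denied), as an added illustration that is not Brocade or FabricOS code. It assumes the fabric holds one active zone set, modelled as a mapping of zone name to member WWPNs; all WWPNs and zone names are constructed sample values.

```python
"""Zone-membership access check modelled on the SAN zoning rule shown in Figure 1.

Added illustration, not Brocade or FabricOS code. It assumes the fabric holds
one active zone set (a mapping of zone name to member WWPNs) and that an HBA
may reach a storage port only if both are members of at least one common zone;
everything else is denied by default. All WWPNs below are constructed samples.
"""
import re
from typing import Dict, FrozenSet, List

# A 64-bit World Wide Port Name written as eight colon-separated hex octets.
_WWPN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")

ZoneSet = Dict[str, FrozenSet[str]]


def is_valid_wwpn(wwpn: str) -> bool:
    """True when the value parses as a WWPN after trimming and lower-casing."""
    return bool(_WWPN_RE.match(wwpn.strip().lower()))


def normalize_wwpn(wwpn: str) -> str:
    """Canonicalise a WWPN so that case or whitespace differences cannot
    silently turn a legitimately zoned pair into a denied path."""
    if not is_valid_wwpn(wwpn):
        raise ValueError(f"malformed WWPN: {wwpn!r}")
    return wwpn.strip().lower()


def load_zone_set(raw: Dict[str, List[str]]) -> ZoneSet:
    """Build the active zone set, normalising every member up front."""
    return {name: frozenset(normalize_wwpn(m) for m in members)
            for name, members in raw.items()}


def shared_zones(zone_set: ZoneSet, initiator: str, target: str) -> List[str]:
    """Names of the zones containing both endpoints; an empty list means no path."""
    i, t = normalize_wwpn(initiator), normalize_wwpn(target)
    return sorted(name for name, members in zone_set.items()
                  if i in members and t in members)


def can_access(zone_set: ZoneSet, initiator: str, target: str) -> bool:
    """Default-deny decision: a path exists only through a shared zone."""
    return bool(shared_zones(zone_set, initiator, target))


def reachable_targets(zone_set: ZoneSet, initiator: str, targets: List[str]) -> List[str]:
    """The storage ports an HBA can see, i.e. the subset it shares a zone with."""
    return sorted(t for t in targets if can_access(zone_set, initiator, t))


# Constructed sample fabric: two HBAs and two storage ports.
HBA_A = "10:00:00:00:c9:aa:00:01"
HBA_B = "10:00:00:00:c9:aa:00:02"
DISK_1 = "50:06:01:60:12:00:00:01"
TAPE_1 = "50:06:01:60:12:00:00:02"

SAMPLE_ZONE_SET = load_zone_set({
    "zone_db":     [HBA_A, DISK_1],          # HBA A may use the disk array only
    "zone_backup": [HBA_B, DISK_1, TAPE_1],  # HBA B may use disk and tape
})

if __name__ == "__main__":
    for hba in (HBA_A, HBA_B):
        print(hba, "->", reachable_targets(SAMPLE_ZONE_SET, hba, [DISK_1, TAPE_1]))
```

Note that the two HBAs are never placed in a common zone, so host-to-host traffic is denied even though both share zones with DISK_1.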

HBAs communicate with the TOE using Fibre Channel (FC) or FC over IP (FCIP) protocols. Storage devices in turn are physically connected to the TOE using FC/FCIP interfaces. When more than one instance of the TOE is interconnected (i.e. installed and configured to work together), they are referred to collectively as a “SAN fabric”. A zone is a specified group of fabric-connected devices (called zone members) that have access to one another.

The remainder of this section summarizes the TOE architecture.

2.1 TOE Overview

The TOE provides the ability to centralize the location of storage devices in a network in the environment. Instead of attaching disks or tapes to individual hosts in the environment, or for example attaching a disk or tape directly to the network, storage devices can be physically attached to the TOE, which can then be physically attached to host bus adapters in the environment. Host bus adapters that are connected to the TOE can then read from and write to storage devices that are attached to the TOE according to TOE configuration. Storage devices in the environment appear to the operating system running on the machine that the host bus adapter is installed in as local (i.e. directly attached) devices.

More than one host bus adapter can share one or more storage devices that are attached to the TOE according to TOE configuration. Scalability is achieved by interconnecting multiple instances of TOE directors and switches to form a fabric that supports different numbers of host bus adapters and storage devices.

Directors and switches can both be used by host bus adapters to access storage devices using the TOE. Switch appliances provide a fixed number of physical interfaces to hosts and storage devices in the environment. Directors provide a configurable number of physical interfaces using a chassis architecture that supports the use of blades that can be installed in and removed from the director chassis according to administrator configuration.

There are administrative interfaces to manage TOE services that can be accessed using an Ethernet network, as well as interfaces that can be accessed using a directly-attached console, as follows:

- Ethernet network-based web-based administrator console interfaces – Provides web-based administrator console interfaces called the “Brocade Advanced Web Tools.”
- Ethernet network-based command-line administrator console interfaces – Provides command-line administrator console interfaces called the “FabricOS Command Line Interface.”
- Serial terminal-based command-line administrator console interfaces – Provides command-line administrator console interfaces called the “FabricOS Command Line Interface.”

There also exist administrative Ethernet network-based programmatic API interfaces that can be protected using SSL. The API interface is not supported in the evaluated configuration. Similarly, there exists an optional modem hardware component that can be used in a similar manner as a serial console port, but in the evaluated configuration it is disabled by virtue of not being physically installed during initial installation and configuration.

The TOE can operate in either “Native Mode” or “Access Gateway Mode”. Only Native mode is supported in the evaluated configuration. Access Gateway mode makes the switch function more like a “port aggregator”, and in Access Gateway mode the product does not support the primary access control security functions (mainly zoning) claimed when operating in Native mode.

The basic concept of operations from an administrator's perspective is depicted below. While actual implementations may interconnect multiple instances of TOE models, each TOE device (i.e., instance of the TOE) is administered individually.

Figure 2: Administrators can access the TOE using a serial terminal or across a network. Audit records are sent to a syslog server.

Separate appliance ports are relied on to physically separate connected HBAs. The appliance's physical location between HBAs and storage devices is relied on to ensure TOE interfaces cannot be bypassed. The TOE encrypts commands sent from terminal applications by administrators using SSH for the command line interface and HTTPS for the Advanced Web Tools GUI interface. The TOE requires administrators to log in after an SSH or HTTPS connection has been established.

2.2 TOE Architecture

The TOE can be described in terms of the following components:

- Brocade Switch and Director appliances – One or more of each type are supported in the evaluated configuration. The evaluated configuration also supports one or more blades per director, depending on the number supported by a given director model.
- Brocade FabricOS operating system – Linux-based operating system that runs on Brocade switches and directors. FabricOS is comprised of user-space programs, kernel daemons and kernel modules loaded as proprietary components into LINUX. The base features of LINUX provide the file system, memory management, and processor and I/O support infrastructure for FOS user-space programs, daemons, and kernel modules. Interprocess communication is handled through commonly mapped memory or shared PCI memory and semaphores as well as IOCTL parameter passing. LINUX provides access to memory and the means to make a standard IOCTL call, and all the contents of the buffers and IOCTL message blocks or other message blocks are proprietary to the FOS user-space programs, kernel modules and daemons. The FabricOS operating system is considered to include the OpenSSL crypto engine as internal functionality supporting TOE operation.

In its most basic form, the TOE in its intended environment is depicted in the figure below.

Figure 3: TOE and environment components.

The intended environment of the TOE can be described in terms of the following components:

- Host – A system in the environment that uses TOE SAN services.
- Host Bus Adapters (HBAs) – Provide physical network interfaces from host machines in the environment to the TOE. HBA drivers provide operating system interfaces on host machines in the environment to storage devices in the environment. Storage devices in the environment appear to the host operating system as local (i.e. directly-attached) devices.
- Storage device – A device used to store data (e.g. a disk or tape) that is connected to the TOE using a FC/FCIP connection and is accessed by a host using the TOE.
- Terminal application – Provides a runtime environment for console-based (i.e. SSH) client administrator console interfaces.
- Web browser – Provides a runtime environment for web-based (i.e. HTTPS) client administrator console interfaces.
- Syslog server – Provides logging to record auditable event information generated by the TOE. The syslog server is expected to protect audit information sent to it by the TOE and make that data available to administrators of the TOE.
- RADIUS/LDAP Server – An optional component that can perform authentication based on user credentials passed to it by the TOE. The TOE then enforces the authentication result returned by the RADIUS or LDAP Server.
- Certificate Authority (CA) – Provides digital certificates for SSH and HTTPS-based interfaces that are installed during initial TOE configuration. After installation, the CA no longer needs to be on the network for operation.
- Key management systems – Provide life cycle management for all DEKs created by the encryption engine. Key management systems are provided by third party vendors.

2.2.1 Physical Boundaries

The components that make up the TOE are identified in Section 1.1 above.

The TOE relies on a syslog server in the environment to store and protect audit records that are generated by the TOE. The TOE can be configured to use a RADIUS or LDAP Server for authentication. The TOE does not rely on any other components in the environment to provide security-related services. The TOE is interoperable with any adapter or device that is interoperable with one or more of the following standards:

- FC-AL-2 INCITS 332: 1999
- FC-GS-5 ANSI INCITS 427:2006 (includes the following)
  o FC-GS-4 ANSI INCITS 387: 2004
- FC-IFR revision 1
- FC-SW-4 INCITS 418:2006 (includes the following)
  o FC-SW-3 INCITS 384: 2004
- FC-VI INCITS 357: 2002
- FC-TAPE INCITS TR-24: 1999
- FC-DA INCITS TR-36: 2004 (includes the following)
  o FC-FLA INCITS TR-20: 1998
  o FC-PLDA INCITS TR-19: 1998
- FC-MI-2 ANSI/INCITS TR-39-2005
- FC-PI INCITS 352: 2002
- FC-PI-2 INCITS 404: 2005
- FC-FS-2 ANSI/INCITS 424:2006 (includes the following)
  o FC-FS INCITS 373: 2003
- FC-LS revision 1.51 (under development)
- FC-BB-3 INCITS 414: 2006 (includes the following)
  o FC-BB-2 INCITS 372: 2003
- FC-SB-3 INCITS 374: 2003 (replaces FC-SB ANSI X3.271: 1996; FC-SB-2 INCITS 374: 2001)
- RFC 2625 IP and ARP Over FC
- RFC 2837 Fabric Element MIB
- MIB-FA INCITS TR-32: 2003
- FCP-2 INCITS 350: 2003 (replaces FCP ANSI X3.269: 1996)
- SNIA Storage Management Initiative Specification (SMI-S) Version 1.2 (includes the following)
  o SNIA Storage Management Initiative Specification (SMI-S) Version 1.02 (ANSI INCITS 388:2004)
  o SNIA Storage Management Initiative Specification (SMI-S) Version 1.1.0

2.2.2 Logical Boundaries

This section summarizes the security functions provided by the TOE:

- Security audit
- User data protection
- Identification and authentication
- Security management
- Protection of the TSF
