WIXLIB

MAGNUM Security Administration ManualRevision 26: December 20, 20191.MAGNUM 19.10.1Contents1.Contents . 12.Overview . 33.Initial Setup and Configuration . 44.Logging in to Local Console . 55.Logging Out Of Local Console . 56.Logging in with SSH . 57.Logging out of SSH . 68.Logging in to Web Interface . 79.Logging out of Web Interface . 710. Configuring Date and Time . 811. Configuring IP Addresses . 912. Transfer Files Using SFTP . 1013. Transfer Files Using USB Drive . 1114. System Security Mode . 1215. Account Lockout Duration . 1516. Account Lockout Threshold . 1717. Power-On Self Test. 1818. Firmware Integrity Check . 1819. Minimum Password Length . 1920. Password Complexity . 2021. Session Timeout . 2122. Web Login Banner . 2123. Certificate Management . 2224. Show Server Certificate. 2225. Create Certificate Signing Request . 2326. Import Signed Server Certificate . 24MAGNUM Security Administration ManualPage 1 of 62

27. Export Server Certificate . 2528. Show Trusted CA Certificates . 2629. Import Trusted CA Certificate . 2730. Export Trusted CA Certificate. 2831. Remove Trusted CA Certificate . 2932. Show Certificate Revocation List. 3033. Import Certificate Revocation List . 3134. Remove Certificate Revocation List . 3235. Allowed Subject Alt Names (DNS) . 3336. Allow Subject Alt Names (IP). 3437. Connection Security Options . 3538. Change Linux User Passwords. 3639. Edit Login Banner . 3840. Expire Web User Passwords. 3941. Import Code Verification Public Key . 4042. Reset SSH Key. 4143. Reset TLS Key and Certificate . 4244. Secure Audit Servers . 4345. Unlock SSH Accounts. 4446. Unlock Web Accounts . 4547. Auditable Events . 4648. Check Version from Console . 5549. Check Version from Web Interface . 5650. Create and Remove Web Users . 5751. Change Web User Passwords. 5852. Upgrading Firmware . 6053. Export Logs . 6154. Data Purge. 62MAGNUM Security Administration ManualPage 2 of 62

2.OverviewThis manual is a supplement to the “MAGNUM-SDVN User Manual v0.1.” It is specifically intended foruse with the MAGNUM-HW-C-CC. MAGNUM is a software product produced by Evertz. MAGNUM-HWC-CC is a product consisting of MAGNUM software pre-installed on an Evertz-providedserver. MAGNUM-HW-C-CC is a product that meets the “Collaborative Protection Profile for NetworkDevices” for “Common Criteria.”MAGNUM-HW-C-CC only meets these requirements in “High Security Mode.” It is shipped with thesecurity mode turned off (“Normal Security Mode”). Customers can choose to use only a subset of the“High Security Mode” features. (Evertz does not recommend using only a subset of “High Security”features; MAGNUM is not in its evaluated configuration unless placed into “High Security Mode”.) Once“High Security Mode” is enabled it is permanent. To be clear, MAGNUM-HW-C-CC only meets the“Collaborative Protection Profile for Network Devices” for “Common Criteria” when in “High SecurityMode” and should be used in this configuration.Except where specifically stated in this manual the nature of physical network connections is outsidethe scope of the “Collaborative Protection Profile for Network Devices” for “Common Criteria,” as theavailable network elements (IP switches, IP routers, etc.) which may be used in establishing those linksare site-specific. Evertz stipulates that any connection must meet organization-specific securityrequirements for the location(s) where the equipment is deployed. MAGNUM-HW-C-CC isrecommended to be deployed in a closed networkThis diagram shows typical MAGNUM connections:Web BrowserSSH ClientVUEControl PanelsMAGNUMBackup ServerSyslog ServerMAGNUMMAGNUMFederated PeerCRL ServerVideo SwitchIPXMAGNUM Security Administration ManualVideo SwitchEXEPage 3 of 62

3.Initial Setup and ConfigurationThe following steps are required after first boot to put MAGNUM into the Common Criteria evaluatedconfiguration:1)2)3)4)5)6)7)Observer Power-On Self Test passageConfigure IP addressesConfigure Date, Time, Time ZoneEnable high security modeRemove the Evertz default CRL and CAImport the organization’s CAs and CRLsConfigure Secure Audit ServersDetails of all functions that are configured in High Security Mode can be found in Section 14. HighSecurity Mode sets all cryptographic configurations for the TOE, including limiting cryptographicparameters to only the following: Ciphersuites allowed for TLS:o TLS RSA WITH AES 128 CBC SHA as defined in RFC 3268o TLS RSA WITH AES 256 CBC SHA as defined in RFC 3268o TLS RSA WITH AES 128 CBC SHA256 as defined in RFC 5246o TLS RSA WITH AES 256 CBC SHA256 as defined in RFC 5246o TLS ECDHE RSA WITH AES 128 GCM SHA256 as defined in RFC 5289o TLS ECDHE RSA WITH AES 256 GCM SHA384 as defined in RFC 5289SSH cryptographic configurations:o AES CTR with 128-bit or 256-bit keys for encryptiono SSH-RSA, RSA-SHA2-256, and RSA-SHA2-512 for authenticationo ECDH-SHA2-NISTP256, ECDH-SHA2-NISTP384, ECDH-SHA2-NISTP512 for key exchangeo HMAC-SHA2-256 and HMAC-SHA2-512 for SSH transport MAC algorithmsTLS Key establishment is performed with either RSA or ECDHE. The selection between keyestablishment schemes is determined by the TLS ciphersuite selection.SSH supports key exchange using ecdh-sha2-nistp256, ecdh-sha2-nistp521, or ecdh-sha2nistp384 as selected by the SSH client.The TOE does not allow any configuration of cryptographic parameters other than entering and exitinghigh security mode. All other cryptographic parameters are set and cannot be changed including: Random number generation using AES-256 CTR DRBG with SHA-256 hashKey generation of RSA 4096-bit keys to support digital signaturesECDSA keys with NIST curves P256 or P-384 to support ECDHE key agreementSHA-512 used to verify file checksums and hash stored passwordsHMAC-SHA-1/256/384/512 used for TLS sessions and verification of firmware imageSSH rekey thresholds of 1 hour or 1 GB of dataReject any SSL connection or TLS v1.0 or v1.1 connectionsMAGNUM Security Administration ManualPage 4 of 62

4.Logging in to Local ConsoleMost administrative actions are accomplished through the console menu. Failed login attempts on thelocal console do not trigger account lockouts. Only administrative users have access to the consolemenu, either locally or remotely. No unprivileged users are permitted access to the console menu.1) Connect a VGA monitor and a USB keyboard2) Switch console sessions by pressing CTRL ALT F1 through CTRL ALT F6 .3) Log in with username admin and default password admin to access a structured menu4) Changing any settings requires entering admin’s password each time, and that step is assumedin all instructions. Security-sensitive changes are further protected by user prompts andwarnings.5) There also exists users etservice and etdev that access an open shell with limited permissions5.Logging Out Of Local Console1) Select logout at the bottom of the menu list2) This will close the current administration session6.Logging in with SSHThe console menu is available over SSH for remote administration. Too many failed login attempts overSSH will trigger account lockouts.1) Use Putty or a similar SSH client from a PC2) Enter MAGNUM’s IP address (use default port 22)3) Log in with username admin and default password admin to access a structured menuMAGNUM Security Administration ManualPage 5 of 62

4) Changing any settings requires entering admin’s password each time, and that step is assumedin all instructions. Security-sensitive changes are further protected by user prompts andwarnings.5) There also exists users etservice and etdev that access an open shell with limited permissions7.Logging out of SSH1) Select logout at the bottom of the menu list2) This will close the current SSH sessionMAGNUM Security Administration ManualPage 6 of 62

8.Logging in to Web InterfaceMAGNUM’s application features are accessed with a web browser. Chrome and Safari are supported.Too many failed login attempts over the web interface will trigger account lockouts.1) Launch a web browser session2) Enter the IP address of MAGNUM3) Log in with username admin and default password admin (other users can be created as well)9.Logging out of Web Interface1) Select the person icon on the top right of the web page2) Select logoutMAGNUM Security Administration ManualPage 7 of 62

10.Configuring Date and TimeUnderstanding logged audit events requires accurate time keeping. Reboot is required after changingthe date or time.1) Log in to the console as admin and select System2) Select and configure Time Zone3) Select and configure Date4) Select and configure Time5) RebootMAGNUM Security Administration ManualPage 8 of 62

11.Configuring IP AddressesMAGNUM is usually given static IP addresses. There are multiple network ports, configured differentlydepending on each organization’s requirements.1) These are the port names on the MAGNUM device:2) Log in to the console as admin and select Network3) Assign IP Addresses (and Gateways if needed) to the appropriate network ports4) If the organization requires redundant network links, team ports by creating a “bond”5) Select Save and Apply at the bottom6) When prompted, select Yes to tolerate the service interruptionMAGNUM Security Administration ManualPage 9 of 62

12.Transfer Files Using SFTPMany menu options require transferring files to or from the device. The admin user requires SFTP.1) Use WinSCP or a similar SFTP client from a PC2) Enter MAGNUM’s IP address and login credentials for admin3) Use the client’s interface to transfer files4) When exporting files, select /home/admin as the destination5) When importing files, select /home/admin as the sourceMAGNUM Security Administration ManualPage 10 of 62

13.Transfer Files Using USB DriveMany menu options require transferring files to or from the device. USB drives formatted with NTFS andFAT are supported.1) USB ports are on the back of the device:2) When exporting files, select USB Device as the destination3) When importing files, select USB Device as the sourceMAGNUM Security Administration ManualPage 11 of 62

14.System Security ModeThe device should not be considered online, and should not be connected to the network, unless it is inhigh security mode. Putting the device in High Security Mode configures the TLS ciphers and all othercryptographic engine requirements needed in the evaluated configuration. No other configuration ofcryptography is permitted on the TOE. The TOE was evaluated in High Security Mode, with thecryptographic configurations permitted within this mode. The use of other cryptographic engines wasnot tested or evaluated and therefore should not be used.These are the changes when entering high security mode:1)2)3)4)Set new passwords for console users (admin, etdev, etservice)Expire all web user passwords (set new password at each user's next successful login)Securely erase and regenerate all keys (SSH and TLS)Set security options according to this table (changing any puts MAGNUM into Custom securitymode):Security OptionAbility for etdev to sudoAccount Lockout DurationAccount Lockout ThresholdFirmware Integrity CheckMinimum Password LengthPassword ComplexitySession TimeoutWeb Login BannerNormal Security ModeEnabled15 min10 minDisabled4Disabled60 minDisabledHigh Security ModeDisabled15 min10 minEnabled8Enabled15 minEnabled5) Set connection security options according to this table (changing any puts MAGNUM intoCustom security mode):Connection TypeSSH ServerSSH ClientSNMP Agent GetsSNMP Agent TrapsLDAP AuthenticationWeb ServerRsync ReplicationRsync ReplicationQuartz InterfacesRemote SyslogRPC DevicesAuthentication ServiceIPX/EXE DevicesJSON-RPC DevicesVIP DevicesVUE/vScribePort and Direction22 in22 out161 in162 out389 out443 in873 in873 out4000-4009 in6514 out6577 out8210 in9672 out9677 out9700 out9720 outMAGNUM Security Administration ManualNormal Security dunencryptedHigh Security cert-and-crlPage 12 of 62