Pure Storage FlashArray Security Target


Pure Storage FlashArray Security Target
15-3312-R-0015
Version: 1.1
March 4, 2016

Prepared For: Pure Storage, Inc., 650 Castro Street, Suite #260, Mountain View, CA 94041
Prepared By: 709 Fiero Lane, Suite 25, San Luis Obispo, CA 93401

Notices: © 2016 Pure Storage, Inc. All rights reserved. All other brand names are trademarks, registered trademarks, or service marks of their respective companies or organizations. It is prohibited to copy, reproduce or retransmit the information contained within this documentation without the express written permission of Pure Storage, Inc. 650 Castro Street, Suite #260, Mountain View, CA 94041.

Table of Contents

1. Security Target (ST) Introduction . 6
1.1 Security Target Reference . 6
1.2 Target of Evaluation Reference . 6
1.3 Target of Evaluation Overview . 7
1.3.1 TOE Product Type . 7
1.3.2 TOE Usage . 7
1.3.3 TOE Major Security Features Summary . 7
1.3.4 TOE IT environment hardware/software/firmware requirements . 7
1.4 Target of Evaluation Description . 9
1.4.1 Target of Evaluation Physical Boundaries . 9
1.4.2 Target of Evaluation Description . 10
1.5 Notation, formatting, and conventions . 11
2. Conformance Claims . 13
2.1 Common Criteria Conformance Claims . 13
2.2 Conformance to Protection Profiles . 13
2.3 Conformance to Security Packages . 13
2.4 Conformance Claims Rationale . 13
3. Security Problem Definition . 15
3.1 Threats . 15
3.2 Organizational Security Policies . 15
3.3 Assumptions . 15
4. Security Objectives . 17
4.1 Security Objectives for the TOE . 17
4.2 Security Objectives for the Operational Environment . 17
5. Extended Components Definition . 18
5.1 Extended Security Functional Requirements Definitions . 18
5.2 Extended Security Assurance Requirement Definitions . 18
6. Security Requirements . 19
6.1 Security Function Requirements . 19
6.1.1 Security Audit (FAU) . 20
6.1.2 Cryptographic Support (FCS) . 24
6.1.3 User Data Protection (FDP) . 34
6.1.4 Identification and Authentication (FIA) . 34
6.1.5 Security Management (FMT) . 37
6.1.6 Protection of the TSF (FPT) . 38
6.1.7 TOE Access (FTA) . 41
6.1.8 Trusted Path/Channels (FTP) . 42
6.2 Security Assurance Requirements . 44
6.2.1 Extended Security Assurance Requirements . 45
6.3 Security Requirements Rationale . 47
6.3.1 Security Function Requirement to Security Objective Rationale . 47
6.3.2 Security Functional Requirement Dependency Rationale . 49
6.3.3 Security Assurance Requirements Rationale . 50
7. TOE Summary Specification . 51
7.1 Security Audit . 51
7.1.1 Audit Generation . 51
7.1.2 Audit Storage . 51
7.2 Cryptographic Operations . 52
7.2.1 Cryptographic Key Generation . 52
7.2.2 Zeroization . 52
7.2.3 Random Bit Generation . 53
7.2.4 TLS . 54
7.2.5 SSH . 54
7.2.6 HTTPs . 55
7.3 User Data Protection . 55
7.4 Identification and Authentication . 55
7.5 Security Management . 56
7.6 Protection of the TSF . 56
7.7 TOE Access . 57
7.8 Trusted Path/Channels . 57
8. Terms and Definitions . 59
9. References . 61

Tables

Table 1: Threats . 15
Table 2: Organizational Security Policies . 15
Table 3: Assumptions . 15
Table 4: Security Objectives for the TOE . 17
Table 5: Security Objectives for the Operational Environment . 17
Table 6: Security Functional Requirements . 19
Table 7: Auditable Events . 20
Table 8: Assurance Requirements . 44
Table 9: SAR Component Dependency Mapping . 50
Table 10: TOE Abbreviations and Acronyms . 59
Table 11: CC Abbreviations and Acronyms . 59
Table 12: TOE Guidance Documentation . 61
Table 13: Common Criteria v3.1 References . 61
Table 14: Supporting Documentation . 61

1. Security Target (ST) Introduction

The ST introduction shall contain an ST reference, a TOE reference, a TOE overview and a TOE description. The ST reference shall uniquely identify the ST. The TOE reference shall identify the TOE.

The structure of this document is defined by CC v3.1r3 Part 1 Annex A.2, “Mandatory contents of an ST”:

- Section 1 contains the ST Introduction, including the ST reference, Target of Evaluation (TOE) reference, TOE overview, and TOE description.
- Section 2 contains conformance claims to the Common Criteria (CC) version, Protection Profile (PP) and package claims, as well as rationale for these conformance claims.
- Section 3 contains the security problem definition, which includes threats, Organizational Security Policies (OSP), and assumptions that must be countered, enforced, and upheld by the TOE and its operational environment.
- Section 4 contains statements of security objectives for the TOE, and the TOE operational environment as well as rationale for these security objectives.
- Section 5 contains definitions of any extended security requirements claimed in the ST.
- Section 6 contains the security function requirements (SFR), the security assurance requirements (SAR), as well as the rationale for the claimed SFR and SAR.
- Section 7 contains the TOE summary specification, which includes the detailed specification of the IT security functions.

1.1 Security Target Reference

The Security Target reference shall uniquely identify the Security Target.

ST Title: Pure Storage FlashArray Security Target
ST Version Number: Version 1.1
ST Author(s): InfoGard Laboratories, Inc.
ST Publication Date: 3/4/2016
Keywords: Network Device

1.2 Target of Evaluation Reference

The Target of Evaluation reference shall identify the Target of Evaluation.

TOE Developer: Pure Storage, Inc., 650 Castro Street, Suite #260, Mountain View, CA 94041
TOE Name: Pure Storage FA-405, FA-450, FlashArray//m20, FlashArray//m50, and FlashArray//m70 Series Appliances

1.3 Target of Evaluation Overview

1.3.1 TOE Product Type

The TOE is classified as a Network Device (a generic infrastructure device that can be connected to a network).

1.3.2 TOE Usage

Pure Storage's FlashArray (TOE) is an enterprise Network Attached Storage solution that includes a Linux-based operating system, SAN protocols and interfaces (iSCSI, Fiber Channel, SAS), and custom software to provide network storage with high performance, reliability, usability, and efficiency. The TOE comes with the following unevaluated SAN features:

- 5-10x Data Reduction (FlashReduce)
- Non-Disruptive Expansion and High Availability (FlashProtect)
- Backup & Disaster Recovery (FlashRecover)
- Real-world Optimized Performance (100K - 200K 32K IOPS @ 1ms average latency)
- Data at rest encryption with AES-256

The Pure Storage FlashArray is designed to act as a data storage endpoint for a SAN (Storage Area Network). The TOE supports remote administration over HTTPS/TLS (Hypertext Transfer Protocol Secure/Transport Layer Security) with cryptographic encryption and authentication using FIPS-certified algorithms. The TOE also supports use of external authentication and audit servers, protected using TLS.

1.3.3 TOE Major Security Features Summary

- Audit
- Cryptography
- User Data Protection
- Identification and Authentication
- Security Management
- Protection of the TSF
- TOE Access
- Trusted Path/Channels

1.3.4 TOE IT environment hardware/software/firmware requirements

1.3.4.1 Network/Software Requirements

- Syslog Server: RFC 3164
- TLS Transport Mapping - RFC 5425
  o Required TLS ciphersuites match those required for HTTPS below
- NTP Server: NTPv4 - RFC 5905

The TOE is known to be compatible with Chrome 47.0 – 48.0 and Firefox 41.0 – 42.0. The TOE requires a Web Browser (Remote Console) supporting:

- Protocol versions (at least one of):
  o HTTPs/TLSv1.1 (RFC 2818 & 3246)
  o HTTPs/TLSv1.2 (RFCs 2818 & 5246)
- Ciphersuites (at least one of):
  o TLS_RSA_WITH_AES_128_CBC_SHA
  o TLS_RSA_WITH_AES_256_CBC_SHA
  o TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  o TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  o TLS_RSA_WITH_AES_128_CBC_SHA256
  o TLS_RSA_WITH_AES_256_CBC_SHA256
  o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The TOE is known to be compatible with OpenSSH 6.6p1-2ubuntu2. The TOE requires an SSH client (Remote Console) supporting:

- Protocol versions (at least one of):
  o SSHv2 (RFCs 4251-4254, 5656 and 6668)
- Data Encryption (at least one of):
  o AES-CBC-128
  o AES-CBC-256
  o AEAD_AES_128_GCM
  o AEAD_AES_256_GCM
- Data Integrity (at least one of):
  o hmac-sha1
  o hmac-sha1-96
  o hmac-sha2-256
  o hmac-sha2-512
- Key Exchange:
  o diffie-hellman-group14-sha1
  o ecdh-sha2-nistp256
  o ecdh-sha2-nistp384
  o ecdh-sha2-nistp521
- Active Directory authentication server communicating via LDAP over TLS

The TOE's IT environment must support incoming TCP connections from the PureStorage support staff for trusted updates.

1.3.4.2 Hardware Requirements

- Local Console: VGA
- USB Mouse and Keyboard (HID-compliant)
- 1 Gigabit Ethernet for Trusted Paths and Trusted Channels
- SAS-connected SSD Storage Array from PureStorage
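The client-side requirement lists in 1.3.4.1 are easiest to apply as an explicit configuration check. The following Python is an added example, not code from the ST or from Purity: it compares a management client's offered protocol versions and algorithms against the ST's lists, using the ST's own spellings for algorithm names; the client offers it evaluates are constructed samples.

```python
# Added example (not from the ST or from Purity): check a management client's
# offered protocol versions and algorithms against the TOE environment
# requirements of ST section 1.3.4.1. Names are the ST's own spellings
# (TLS suite underscores restored); the sample client offers are constructed.
TLS_REQUIRED = {
    "versions": {"TLSv1.1", "TLSv1.2"},
    "ciphersuites": {
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    },
}
SSH_REQUIRED = {
    "versions": {"SSHv2"},
    "ciphers": {"AES-CBC-128", "AES-CBC-256", "AEAD_AES_128_GCM", "AEAD_AES_256_GCM"},
    "macs": {"hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512"},
    "kex": {"diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
}

def check_offer(required, offered):
    """Per ST category: does the client offer at least one listed algorithm
    ("ok"), and which offered names fall outside the list (never negotiable
    with the TOE, and worth pruning from the client's configuration)."""
    report = {}
    for category, allowed in required.items():
        names = set(offered.get(category, ()))
        report[category] = {
            "ok": bool(names & allowed),
            "matched": sorted(names & allowed),
            "outside_toe_list": sorted(names - allowed),
        }
    return report

def compliant(report):
    """True only when every category has at least one listed algorithm."""
    return all(entry["ok"] for entry in report.values())

# Constructed sample: an SSH client that still enables some legacy algorithms.
SAMPLE_SSH_OFFER = {
    "versions": {"SSHv2"},
    "ciphers": {"AES-CBC-256", "AEAD_AES_256_GCM", "3des-cbc"},
    "macs": {"hmac-sha2-256", "hmac-md5"},
    "kex": {"ecdh-sha2-nistp256", "diffie-hellman-group1-sha1"},
}
# Constructed sample: a TLS client whose only suite is absent from the ST list.
SAMPLE_TLS_OFFER = {"versions": {"TLSv1.2"}, "ciphersuites": {"TLS_RSA_WITH_RC4_128_SHA"}}
```

A category missing from the client's offer counts as not satisfied, so `check_offer(SSH_REQUIRED, {})` fails every category.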

1.4 Target of Evaluation Description

The TOE is a Network Attached Storage device designed for high speed storage with enterprise level protocols and management features.

The TOE consists of one or two physical PCs that are connected together via InfiniBand [1] for high availability purposes. The PCs (TOE) are grouped and sold as five possible models: FA-405, FA-450, //m20, //m50, and //m70. The TOE acts as a SAN storage endpoint over the Fibre Channel and 10GbE (10 Gigabit Ethernet) interfaces, and allows TLS connections to its 1Gb Ethernet management interface. The TOE operating system, Purity 4.7, is built on the Ubuntu Linux kernel and an Intel Xeon x64 CPU.

1.4.1 Target of Evaluation Physical Boundaries

The TOE consists of the following hardware:

- FA-405
  o PCs: 1x OEM PowerEdge R620
  o CPU: Intel Xeon E5-2640 v2, 8 cores, 2.0 GHz, 30MB Cache
  o RAM: 128 GB DDR3 1600MHz
- FA-450
  o PCs: 2x OEM PowerEdge R720
  o CPU: Intel Xeon E5-2697 v2, 12 cores, 2.7 GHz, 30MB Cache
  o RAM: 512 GB DDR3 1600MHz
- //m20
  o PCs: 1x Custom-built PC
  o CPU: Intel Xeon E5-2630 v3, 8 cores, 2.6 GHz, 20MB Cache
  o RAM: 192 GB DDR4-1866
- //m50
  o PCs: 2x Custom-built PC
  o CPU: Intel Xeon E5-2670 v3, 12 cores, 2.3 GHz, 25MB Cache
  o RAM: 256 GB DDR4-2133
- //m70
  o PCs: 2x Custom-built PC
  o CPU: Intel Xeon E5-2698 v3, 16 cores, 2.3 GHz, 30MB Cache
  o RAM: 512 GB DDR4-2133
- Running: Purity SW v4.7

The guidance documentation that is part of the TOE is listed in Section 9, “References,” within Table 15: TOE Guidance Documentation.

The TOE has the following types of physical connections:

- Host IO Cards
  o 10GbE iSCSI
  o 8GB FC
- Management Ports
  o 4x 1GbE
- Replication Ports
  o 4x 10GbE SFP
- SAS Ports
  o 8x SAS3 (12Gb/s) Mini-SAS HD
- USB Ports
  o 4x USB 3.0 Rear
  o 2x USB 2.0 Front

[1] InfiniBand is a brand of fiber optic interconnectivity solutions. It is a direct connection between the two controllers, allowing them to operate in sync. It exposes no security-relevant interfaces and is not available over the network.

1.4.2 Target of Evaluation Description

The logical boundary of the TOE includes those security functions implemented exclusively by the TOE. These security functions are summarized in Section 1.3.3 above and are further described in the following subsections. A more detailed description of the implementation of these security functions is provided in Section 7, “TOE Summary Specification.”

1.4.2.1 Audit

The TOE audits all events and information defined by the Network Device Protection Profile v1.1. Audit logs include the identity of the user that caused the event (if applicable), date and time of the event, type of event, and the outcome of the event. Audit events are transmitted to an external IT entity using the TLS protocol. The TOE also protects storage of audit information from unauthorized deletion and modification.

1.4.2.2 Cryptographic Operations

The TOE implements CAVP validated cryptographic algorithms for random bit generation, encryption/decryption, authentication, and integrity protection/verification. These algorithms are used to provide security for the SSH and TLS protocols.

The TOE zeroizes all plaintext secret and private cryptographic keys and CSPs once they are no longer required.

1.4.2.3 User Data Protection

The TOE ensures that any previous information content of network packets is not re-used in subsequent network packets by leveraging the Linux kernel's network packet processing mechanisms. All network
