HP StoreOnce Backup System Generation 3 Version Security Target

Transcription

1 HP StoreOnce Backup System Generation 3 Version Security Target Version 1.0 February 12, 2014 Prepared for: Hewlett-Packard Long Down Avenue Stoke Gifford Bristol BS34 8QZ UK Prepared By: Leidos Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive Columbia, MD USA

2 TABLE OF CONTENTS 1 SECURITY TARGET INTRODUCTION SECURITY TARGET, TOE AND CC IDENTIFICATION CONFORMANCE CLAIMS CONVENTIONS GLOSSARY TOE DESCRIPTION TOE OVERVIEW TOE ARCHITECTURE TOE Physical Boundaries TOE Logical Boundaries TOE DOCUMENTATION SECURITY PROBLEM DEFINITION ASSUMPTIONS THREATS SECURITY OBJECTIVES SECURITY OBJECTIVES FOR THE TOE SECURITY OBJECTIVES FOR THE ENVIRONMENT IT SECURITY REQUIREMENTS ETENDED COMPONENT DEFINITION Extended Family Definitions Extended Requirements Rationale: TOE SECURITY FUNCTIONAL REQUIREMENTS Security audit (FAU) Cryptographic Support User data protection (FDP) Identification and authentication (FIA) Security management (FMT) Protection of the TSF (FPT) TOE Access (FTA) Trusted path/channels (FTP) TOE SECURITY ASSURANCE REQUIREMENTS Development (ADV) Guidance documents (AGD) Life-cycle support (ALC) Tests (ATE) Vulnerability assessment (AVA) TOE SUMMARY SPECIFICATION SECURITY AUDIT CRYPTOGRAPHIC SUPPORT USER DATA PROTECTION IDENTIFICATION AND AUTHENTICATION SECURITY MANAGEMENT PROTECTION OF THE TSF TOE ACCESS TRUSTED PATH/CHANNELS PROTECTION PROFILE CLAIMS RATIONALE

3 8.1.1 Security Objectives Rationale for the TOE and Environment SECURITY REQUIREMENTS RATIONALE Security Functional Requirements Rationale SECURITY ASSURANCE REQUIREMENTS RATIONALE REQUIREMENT DEPENDENCY RATIONALE TOE SUMMARY SPECIFICATION RATIONALE LIST OF TABLES Table 1 TOE Security Functional Components Table 2 Auditable Events Table 3 EAL 2 augmented with ALC_FLR.3 Assurance Components Table 4 Objective to Requirement Correspondence Table 5 Security Functions vs. Requirements Mapping

4 1 Security Target Introduction This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is HP StoreOnce Backup System, Generation 3 Version provided by Hewlett-Packard. The HP StoreOnce Backup System is a disk-based storage appliance for backing up host network servers or PCs to target devices on the appliance. These devices are configured as either Network-Attached Storage (NAS) or Virtual Tape Library (VTL) targets or StoreOnce Catalyst for backup applications. The Security Target contains the following additional sections: TOE Description (Section 2) Security Problem Definition (Section 3) Security Objectives (Section 4) IT Security Requirements (Section 5) TOE Summary Specification (Section 6) Protection Profile Claims (Section 7) Rationale (Section 8). 1.1 Security Target, TOE and CC Identification ST Title HP StoreOnce Backup System, Generation 3 Version Security Target ST Version Version 0.7 ST Date December 24, 2013 TOE Identification HP StoreOnce Backup System, Generation 3 Version Hardware Models Single Node Appliances HP StoreOnce 2610 iscsi Backup HP StoreOnce 2620 iscsi Backup HP StoreOnce 4210 iscsi Backup HP StoreOnce 4210 FC Backup HP StoreOnce 4220 Backup HP StoreOnce 4420 Backup HP StoreOnce 4430 Backup Multi-Node Appliances HP StoreOnce B6200 Backup System TOE Developer Hewlett-Packard Evaluation Sponsor Hewlett-Packard CC Identification Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July Conformance Claims This TOE is conformant to the following CC specifications: 4

5 Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 3.1 Revision 3, July Part 2 Extended Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 3, July Conventions Part 3 Conformant Assurance Level: EAL 2 augmented with ALC_FLR.3 The following conventions have been applied in this document: Security Functional Requirements Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement. Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a letter placed at the end of the component. For example FDP_ACC.1a and FDP_ACC.1b indicate that the ST includes two iterations of the FDP_ACC.1 requirement, a and b. Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Selection: allows the specification of one or more elements from a list. Selections are indicated using bold and are surrounded by brackets (e.g., [selection]). Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strikethrough, for deletions (e.g., all objects or some big things ). Other sections of the ST Other sections of the ST use bolding to highlight text of special interest, such as captions. 1.4 Glossary Acronym AD CC CHAP CIFS FC HP HTTP HTTPS iscsi IQN LAN LDAP NAS NFS NTP SAN SNMP SSH ST TLS TOE TSF Description Active Directory Common Criteria Challenge-Handshake Authentication Protocol Common Internet File System Fibre Channel Hewlett-Packard Hypertext Transfer Protocol Hypertext Transfer Protocol Secure Internet Small Computer System Interface iscsi Qualified Name Local Area Network Lightweight Directory Access Protocol Network Attached Storage Network File System Network Time Protocol Storage Area Network Simple Network Management Protocol Secure Shell Security Target Transport Layer Security Target of Evaluation TOE Security Function 5

6 VTL Virtual Tape Library 6

7 2 TOE Description The Target of Evaluation (TOE) is an HP StoreOnce Backup System system with one or more hardware appliances. The TOE models that offer either a single-node or multi-node system and are running Generation 3 Version software are the target of evaluation. The following appliances allow the TOE to provide varying types of faulttolerance and are the hardware platform for the TOE. HP StoreOnce B6200 HP StoreOnce 2610 iscsi Backup HP StoreOnce 2620 iscsi Backup HP StoreOnce 4210 iscsi Backup HP StoreOnce 4210 FC Backup HP StoreOnce 4220 Backup HP StoreOnce 4420 Backup HP StoreOnce Single-node appliances operate as standalone devices and do not operate as part of a cluster. Multi-node appliances operate as a cluster. A cluster is composed of from 1 to 4 couplets each couplet having two nodes. A cluster is the scope of administrative control, with the configuration of the cluster defining the behavior of all nodes within the cluster. The B6200 appliance is a multi-node appliance. The number of nodes in a model B6200 is determined by the customer. The B6200 can be ordered as a single couplet (2 nodes), a 2 couplet (4 node) cluster, a 3 couplet (6 node) cluster or a 4 couplet (8 node) cluster. A customer can buy a cluster of one couplet and then buy additional couplets to expand the cluster up to a maximum of 4 couplets. 2.1 TOE Overview The HP StoreOnce Backup System is a disk-based storage appliance for backing up host network servers or PCs to target devices on the appliance. These devices are configured as either Network-Attached Storage (NAS) or Virtual Tape Library (VTL) or StoreOnce Catalyst stores for backup applications. The total number of backup targets offered by an HP StoreOnce Backup System is split between VTL, NAS and StoreOnce Catalyst devices. The number of supported backup targets varies according to model (for single-node appliances) or number of nodes (for clusters). Each node in a cluster is capable of supporting 48 target devices. So as examples, a couplet can support 96 backup targets, while an 8 node (4 couplet) B6200 can support 384 (i.e., 48 x 8) backup targets. These devices may be all VTL, all NAS, or any combination of StoreOnce Catalyst, NAS and VTL devices. The HP StoreOnce Backup System supports both Common Internet File System(CIFS) and Network File System (NFS) protocols for connectivity to TOE provided NAS. This allows the TOE to provide backup targets for both Windows and UNI/Linux hosts. All devices (i.e., VTL, NAS and StoreOnce Catalyst) automatically include the TOE s data Deduplication functionality. Data Deduplication is a process in which the TOE compares blocks of data being written to a backup device with data blocks previously stored on the device. If duplicate data is found, a pointer is established to the original data, rather than storing the duplicate data. The TOE performs data deduplication at the block level and not at the file level, which reduces the amount of data actually stored on physical disks. The HP StoreOnce Backup System products are hardware appliances that offer network accessible administration interfaces in the form of an HTTPS based Graphical User Interface or SSH protected Command Line Interface. A single node appliance or a couplet provides network access using a number of network distinct ports. There are four (4) physical 1GB ports and two (2) physical 10GB ports for Ethernet connections. Another two (2) 10GB network connections are used for the internal network (internal to the cluster only) and not accessible to client-hosts. 7

8 Fibre Channel connections (available on some appliances) are only used to present VTL devices that have been configured on the nodes in a couplet. Figure 1 Supported Network Separation Figure 1 presents a high level depiction of one possible network topology supported by the HP StoreOnce Generation 3 product. Shown in Figure 1 are 3 distinct networks: a management network, a data network and an internal network. The management network would connect the product to any devices associated with managing the product such as an administration workstation, NTP server or LDAP server. The Data Network provides client hosts a communication path with the product. Finally, the internal network is used for communication between nodes of a multi-node system and storage devices (e.g., a SAN storage device). Remote administration sessions occurring through the management network are protected using cryptography (SH and HTTPS). Network traffic between the product and NTP or LDAP servers occurs utilizing only protections inherent in the NTP and LDAP protocols. The HP StoreOnce Backup System allows a site to choose to combine the data and management networks. In single-node configurations, the data and management network must be combined. Both single-node and multi-node configurations utilize an Internal network for communication with storage devices. The configuration shown in Figure 1 represents a multi-node configuration. The HP StoreOnce Backup Systems provides Ethernet network connections for use as a management network (i.e., used for all management traffic). All Ethernet-based networks support only IPv4 networking functionality. IPSec and IPv6 security features are not available, though some protection is supported for administrator network communications (e.g., SSH and HTTPS). The data network can be either Ethernet or Fibre Channel. The internal network will be Ethernet. The HP StoreOnce Backup Systems include hardware-based RAID 5 or RAID 6 to reduce the risk of user data loss due to disk failure within a couplet. 2.2 TOE Architecture The HP StoreOnce Backup System product line is available in single-node or multi-node configurations. The Gen 3 architecture of a multi-node configuration is depicted in Figure 2. A single-node configuration would be identical to the architecture of a single node as shown in Figure 2. The multi-node architecture provides mechanisms for high availability support by offering the ability to continue operation in the event of the failure of one node within each couplet as well as by offering support of RAID levels to protect user and TSF data. Single-node configurations support availability of data through the support of RAID levels to protect user and TSF data store within the control of the TOE. Figure 2 depicts a cluster composed of two couplets. Each couplet includes two nodes. This is an example of a multinode StoreOnce configuration. 8

9 From the perspective of shared configuration data (i.e., TOE Data), there are two significant types of data depicted in Figure 2. The storage of TOE Security Function data is depicted by the box labeled Fusion Manager Store. This store of data is accessible to all of the nodes in the cluster. The second type of configuration data is labeled as Ibrix FS with N sets of node configuration data. This data is available within a couplet even after one node of that couplet fails. The multi-node architecture includes distinct physical network ports that are used to isolate node-to-node communications from client-data backup operations. The ability to isolate internal TOE communications (which is not encrypted) to a dedicated network strengthens protection of TSF data. Administrative communication is cryptographically protected using SSHv2 and HTTPS/TLSv1.0. While the administrative communication would occur on the same network as client-data backup operations, they are protected cryptographically. The middle and lower end model single-node configuration, there would be no need for node-to-node communications, so no dedicated network would be employed. In a high end single node product, there is an internal network between the node and the storage devices. The multi-node architecture supports up to four couplets of nodes in a cluster. Each cluster portrays a single management interface and one data interface per node. When a node in a couplet fails, the lost physical data interface is virtualized by the other node. Virtualization can occur for either an Ethernet or Fibre Channel interface. When both nodes of a couplet fail, the data within that couplet is unavailable to users. Each time the active management node fails, reboots or is put in to a maintenance mode for repairs, a negotiation occurs between all remaining nodes in the cluster to elect a new active management node. The single-node architecture makes use of RAID to provide availability of data stored by a node. In multi-node configurations, RAID of physical storage occurs inside a couplet with both nodes accessing the same RAID arrays. There is no RAID or other redundancy between couplets in a cluster. Deduplication (a.k.a., deduping), allows data to be stored only once. When the same data occurs multiple times (as in the backup of data that has not changed) it is handled by reference as opposed to storing multiple copies. Remote copy (i.e., site replication) basically allows all the data to be copied to another cluster and makes use of the same deduping technology. Remote administrator sessions are encrypted using SSHv2 or HTTPS/TLS. SNMPv2 is also supported. Internal cluster and client-host connections are not encrypted by the TOE. A cluster can be configured to use NTP to synchronize time with an external server. When so configured, one node in the cluster becomes an NTP server. This NTP server node connects (as a client) to an external NTP server to obtain a time value from that external entity. The NTP server node then acts as a server to each of the other nodes within the cluster which are acting as NTP clients to the one node designated as the NTP server within the cluster. 9

10 2.2.1 TOE Physical Boundaries Figure 2 StoreOnce MultiNode Service Architecture The physical boundary of a HP StoreOnce Backup System is the physical boundary of the hardware of the cluster. Interfaces to this hardware include the following: a per-node serial port which provides limited administrative access, Fibre Channel ports for Fibre Channel host access to the data network, Four (4) Ethernet connections for iscsi host access to the data network, Two (2) Ethernet connections for administrative device access to the management network, and two (2) Ethernet connections used for an internal network. The TOE can be configured to rely on and utilize a number of other components in its operational environment. Active Directory servers The HP StoreOnce Backup System can be configured to utilize Active Directory as an external authentication server. Network Time Protocol (NTP) server The HP StoreOnce Backup System can be configured to act as an NTP client to synchronize the internal clock of the active node with an external source. The product can also be configured to offer NTP server functionality to each individual node in a cluster, to synchronize the clocks within the cluster. 10

11 iscsi and Fibre Channel client hosts The HP StoreOnce Backup System attaches to applicable ports which access available storage resources (SANs and VTLs). Network Storage Devices The HP StoreOnce Backup System is typically connected to a storage controller that manages the actual physical storage. Figure 1 depicts three networks to which the HP StoreOnce Backup System nodes (couplets) may be attached. The TOE nodes, storage devices, and internal network must have physical protections that are consistent with the data being stored and transmitted. This internal network is expected to be dedicated such that communication between the TOE and either another TOE node or a storage device is not modified or disclosed. The management network is expected to provide connectivity for the TOE, administrative devices, and NTP servers. Active directory servers are accessed from the data network to manage NAS share permissions. Active Directory servers can be deployed with or without cryptographic protections depending on the needs of the operational environment. While physical security of this network is appropriate, TOE remote administrative sessions are protected from disclosure and modification using SSH and HTTPS/TLS, The data network is used by clients to send data to the TOE for backup purposes. The data network is also expected to provide physical protections that are consistent with the data being stored and transmitted. Network devices on the Ethernet SAN are expected not to intercept, impersonate or otherwise modify communications on the SAN TOE Logical Boundaries The HP StoreOnce Backup System includes a number of security features with claims in the security functional requirements of this Security Target (Section 5.2). The HP StoreOnce Backup system also includes features such as deduplication and replication which can be used but for which this Security Target contains no claims (i.e., no security functional requirements). The following sections summarize security functionality of the product Security Audit The HP StoreOnce Backup System includes its own logging of management events and also user authentication. Administrators can also review the audit data collected by the product. Finally, the product protects audit data, and overwrites the storage space used for audit data once the available storage space becomes full Cryptographic Support The HP StoreOnce Backup System currently includes cryptographic functions to support SSHv2 and HTTPS (using TLS) protection for communication with remote administrative sessions. Connections to the HP StoreOnce Backup System can be made through SSHv2 to support a Command Line Interface for an administrator. Connections to the HP StoreOnce Backup System utilize HTTPS/TLS to support a graphical user interface for an administrator User data protection The HP StoreOnce Backup System is designed to offer reliable disk-based backup storage services. Access to TOE resources Network-Attached Storage (NAS), StoreOnce Catalyst or Virtual Tape Library (VTL) is provided either through iscsi, CIFS or NFS, Ethernet and Fibre Channel. iscsi VTL The product permits access based upon assigned hosts using its iscsi Qualified Name (IQN). CIFS-based NAS The product permits access based upon a list of users with read-write or read-only permissions. Alternately, the product can use AD user accounts and AD defined access permissions. NFS-based NAS The product permits access based upon a list of hosts defined as permitted for the NFS share. Fibre Channel VTL The product permits Fibre Channel resources to be assigned to specific Fibre Channel ports. Note that the SAN can be zoned to restrict access to specific devices, but that is out of scope of the TOE. The TOE implements RAID on physical disks. The single-node architecture makes use of RAID 5 or RAID 6 to provide availability of user data stored by a node. Multi-node configurations support only RAID 6, however, RAID of physical storage occurs inside a couplet with both nodes accessing the same RAID arrays. There is no RAID or other redundancy between couplets in a cluster. 11

12 TSF data stored by a single-node appliance is protected only using the RAID array within the appliance. TSF data is stored by a multi-node appliance (i.e., a couplet) as a mirrored set in a stripped set (i.e., RAID 1+0). Any disk failure causes the TOE to generate an alert via SNMP or SMTP. Failures of one node within a couplet also generate an alert via SNMP or SMTP Identification & Authentication The HP StoreOnce Backup System requires that administrators must login with username and password prior to being able to access functions associated with their defined role. The HP StoreOnce Backup System uses only locally defined accounts to define the Administrator and Operator accounts. The HP StoreOnce Backup System can be configured to use an Active Directory (LDAP) server for user identification and authentication associated with CIFS-based NAS access. Fibre Channel (FC), iscsi, and NFS hosts are always identified when they access backup targets, but are not usually authenticated. Fibre Channel hosts are identified using a Fibre Channel port prior to the TOE granting access to a backup target over a FC network (i.e., part of the Data network shown in Figure 1). An iscsi host is identified using an iscsi qualified name (IQN). Since the TOE supports CHAP authentication for iscsi, a site can choose to use CHAP to authenticate iscsi hosts. Use of CHAP for authentication is suggested but not required to satisfy the claims in this Security Target NFS hosts are identified solely using their IP address. Security Management The HP StoreOnce Backup System is responsible for enabling the management of available storage resources and access by client-hosts. Users manage the product with either a graphical user interface or command line interface. Both interfaces enforce the same administrative constraints which limit the operations available to the user. Each user is assigned a role which is currently limited to administrator (read and write functionality) or operator (read-only functionality). The HP StoreOnce Backup System also supports a read-only SNMPv2 interface to allow network monitoring of a running system Protection of the TSF The HP StoreOnce Backup System includes a real-time clock. It also protects especially sensitive security data such as password and cryptographic keys TOE Access The HP StoreOnce Backup System can terminate an inactive remote administrative session after an administratordefined period of inactivity Trusted Paths/Channels As mentioned above, the HP StoreOnce Backup System currently provides cryptographic functions that are used to protect administrator sessions. These cryptographic functions include SSHv2 and HTTPS (TLS). 2.3 TOE Documentation The HP StoreOnce Backup System offers a series of documents that describe the installation of the product as well as guidance for subsequent use and administration of the applicable security features. These documents include 2 : 1) HP StoreOnce Backup System Concepts Guide, September ) HP StoreOnce Backup System User Guide, November Since single-node appliances are not part of a couplet or cluster, such failures do not generate alarms. 2 The documents listed here are those available with the version of the product shipping today. 12

13 3) HP StoreOnce Backup System Installation and Configuration Guide, December

14 3 Security Problem Definition This section describes the security environment in which the TOE operates. The security environment is defined in terms of assumptions made by the TOE and threats to the TOE. 3.1 Assumptions The following conditions are assumed to exist in the operational environment. Assumption A.NO_GENERAL_PURPOSE A.PHYSICAL A.TRUSTED_ADMIN A.HOST_IDENTITY A.MGMT_NET A.DATA_NET A.INTERNAL_NET A.ETHERNET Definition It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment. TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. It is assumed that iscsi and Fiber Channel host identities properly reflect the adapters and hence the hosts to which they are associated such that authentication is not necessary. It is assumed that a dedicated and protect Management Network exists between nodes of the TOE and hosts providing supporting services (e.g., AD and NTP). Clients on the Data Network do not have direct access to the Internal or Management networks that are used for managing, accessing, and supporting the TOE operations. It is assumed that a dedicated and protected Internal Network exists that connects nodes of the TOE with network storage devices. It is assumed that network devices on the Internal Network do not intercept, impersonate or otherwise modify communications on the Internal network. 3.2 Threats Threat T.ADMIN_ERROR T.DATA_AVAILABILITY T.DATA_DISCLOSURE T.UNAUTHORIZED_ACCESS Definition An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms that may go undetected. User data may become unavailable due to isolated storage resource failures, node failures or due to resource exhaustion. A connected host might obtain access to user data for which they have no authorization. A user may gain unauthorized access to the TSF data and TSF executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to TSF data or TSF resources. A malicious user, process, or external IT entity may misrepresent itself as the TSF to obtain identification and authentication data. 14

15 T.UNDETECTED_ACTIONS Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated. 15

16 4 Security Objectives This chapter identifies the security objectives of the TOE and its environment. Security objectives identify the responsibilities of the TOE and the support need by the TOE from its environment. 4.1 Security Objectives for the TOE Objective O.AVAILABILITY O.LIMIT_ACCESS O.PROTECTED_COMMUNICATIONS Definition The TOE will ensure that data can be stored in a manner that is protected from underlying resource failure and exhaustion. The TOE will ensure that connected hosts can access only data resources for which they are authorized. The TOE will provide protected communication channels for administrators. O.SYSTEM_MONITORING O.TOE_ADMINISTRATION The TOE will provide the capability to generate audit data and provide the means to store and review those data. The TOE will provide mechanisms to ensure that only administrators are able to log in and configure the TOE, and restrict logged-in administrators to authorized functions and TSF data. 4.2 Security Objectives for the Environment Objective OE.NO_GENERAL_PURPOSE OE.PHYSICAL OE.TRUSTED_ADMIN OE.HOST_IDENTITY OE.MGMT_NET OE.DATA_NET OE.INTERNAL_NET OE.ETHERNET Definition There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment. TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. iscsi hosts correctly reflect the iscsi identifier associated with their Host Bus Adapters (HBAs). A dedicated Management network provides reliable ad secured communication between the TOE, hosts supporting remote administrative sessions and peer hosts providing supporting services such as Active Directory or NTP. Clients on the Data Network do not have direct access to the Internal or Management networks that are used for managing, accessing, and supporting the TOE operations. A dedicated and protected Internal Network exists that connects nodes of the TOE with one another and with network storage devices. Hosts on the Internal Network do not intercept communications on the Internal Network, do not modify communications on the Internal Network, and do not impersonate endpoints on the Internal Network. 16

17 17

18 5 IT Security Requirements The security requirements for the TOE have been drawn from Parts 2 and 3 of the Common Criteria. The security functional requirements have been selected to correspond to the actual security functions implemented by the TOE while the assurance requirements have been selected to offer a low to moderate degree of assurance that those security functions are properly realized. 5.1 Extended Component Definition This Security Target includes Security Functional Requirements (SFR) that are not drawn from CC Part 2. These Extended SFRs are identified by having a label _ET after the requirement name for TOE SFRs. The structure of the extended SFRs is modeled after the SFRs included in CC Part 2. The structure is as follows: A. Class The extended SFRs included in this ST are part of the identified classes of requirements. B. Family The extended SFRs included in this ST are part of several SFR families including the new families defined below. C. Component The extended SFRs are not hierarchical to any other components, though they may have identifiers terminating on other than 1. The dependencies for each extended component are identified in the TOE SFR Dependencies section of this ST (Section 8.4, Requirement Dependency Rationale) Extended Family Definitions FCS_COMM_PROT_ET Family Behavior This family identifies the protocols used to protection remote administrative sessions. Management: FCS_COMM_PROT_ET.1 There are no management activities foreseen. Audit: FCS_COMM_PROT_ET.1 There are no auditable events foreseen FCS_COMM_PROT_ET.1 Remote Administrative Session Communication Protection Hierarchical to: No other components. Dependencies: FCS_COMM_PROT_ET FCS_HTTPS_ET Family Behavior None The TSF shall protect remote administrative session communications using [selection: IPsec, SSH] and [selection: TLS/HTTPS, no other protocol]. This family identifies the behavior of the TOE when the HTTPS protocol is implemented. Management: FCS_HTTPS_ET.1 There are no management activities foreseen. Audit: FCS_SSH_ET.1 Basic Level: Failure to establish an HTTPS Session Establishment/Termination of an HTTPS session 18

19 FCS_HTTPS_ET.1 Secure Shell Protocol Hierarchical to: Dependencies: No other components. FCS_TLS_ET.1 FCS_HTTPS_ET.1.1 The TSF shall implement the HTTPS protocol that complies with RFC FCS_HTTPS_ET FCS_SSH_ET Family Behavior The TSF shall implement HTTPS using TLS as specified in FCS_TLS_ET.1. This family identifies the behavior of the TOE when the Secure Shell (SSH) protocol is implemented. Management: FCS_SSH_ET.1 There are no management activities foreseen. Audit: FCS_SSH_ET.1 Basic Level: Failure to establish an SSH Session Establishment/Termination of an SSH session FCS_SSH_ET.1 Secure Shell Protocol Hierarchical to: Dependencies: FCS_SSH_ET.1.1 FCS_SSH_ET.1.2 FCS_SSH_ET.1.3 FCS_SSH_ET.1.4 FCS_SSH_ET.1.5 FCS_SSH_ET.1.6 FCS_SSH_ET.1.7 FCS_SSH_ET.1.8 FCS_SSH_ET FCS_TLS_ET Family Behavior No other components. FCS_COP.1 The TSF shall implement the SSH protocol that complies with RFCs 4251, 4252, 4253, and The TSF shall ensure that the SSH connection be rekeyed after no more than 228 packets have been transmitted using that key. The TSF shall ensure that the SSH protocol implements a timeout period for authentication as defined in RFC 4252 of [assignment: timeout period], and provide a limit to the number of failed authentication attempts a client may perform in a single session to [assignment: maximum number of attempts] attempts. The TSF shall ensure that the SSH protocol implementation supports the following authentication methods as described in RFC 4252: public key-based, password-based. The TSF shall ensure that, as described in RFC 4253, packets greater than [assignment: number of bytes] bytes in an SSH transport connection are dropped. The TSF shall ensure that the SSH transport implementation uses the following encryption algorithms: AES-CBC-128, AES-CBC-256, [selection: AEAD_AES_128_GCM, AEAD_AES_256_GCM, no other algorithms]. The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [selection: PGP-SIGN-RSA, PGP-SIGN-DSS, no other public key algorithms,] as its public key algorithm(s). The TSF shall ensure that data integrity algorithms used in SSH transport connection is [selection: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96]. The TSF shall ensure that diffie-hellman-group14-sha1 is the only allowed key exchange method used for the SSH protocol. 19

20 This family identifies the behavior of the TOE when the Transport Layer Transport Layer Security (TLS) protocol is implemented. Management: FCS_TLS_ET.1 There are no management activities foreseen. Audit: FCS_TLS_ET.1 Basic Level: Failure to establish an TLS Session Establishment/Termination of an TLS session FCS_TLS_ET.1 Transport Layer Security Protocol Hierarchical to: Dependencies: FCS_TLS_ET FPT_PTD_ET Family Behavior No other components. FCS_COP.1 The TSF shall implement one or more of the following protocols [selection: TLS 1.0 (RFC 2346), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] supporting the following ciphersuites: Mandatory Ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA Optional Ciphersuites: [selection: None TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_ SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_ SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ]. This family defines the protections required for critical security parameters used by the TOE for authentication or cryptography. Management: FPT_PTD_ET.1 There are no management activities foreseen. Audit: FPT_PTD_ET.1 There are no auditable events foreseen FPT_PTD_ET.1 Protection of TSF Data Hierarchical to: No other components. Dependencies: FPT_PTD_ET.1.1 None The TSF shall prevent reading of [assignment: critical security parameters]. 20