Phone / +1 408.579.2800
Toll-free / +1 888.257.3000
www.extremenetworks.com
P/N 122042-00
Extreme Networks Summit Series Switches Common Criteria Admin Guide
1 Contents
2 Introduction  4
3 Intended Audience  4
4 About Common Criteria  4
5 Related Documents  4
6 Evaluated Configuration  4
7 Assumptions and Operational Environment  5
8 How to Access Your System  7
8.1 Local Command Line Interface (CLI)  7
8.1.1 Connecting to the Serial Console Port  7
8.1.2 Configuring Remote Administrative Management Interface  7
2 Introduction
This guide provides the information an administrator would need to set up and administer the Extreme
Networks Summit Series switches in compliance with the Common Criteria evaluated configuration.
Follow this guide in its entirety to ensure that the settings of each parameter match the specific
configuration that was evaluated and certified as secure by the Common Criteria certification. Please refer
to the Security Target document for details on what has been evaluated in the Common Criteria
configuration.
3 Intended Audience
This document is intended for use by administrators who are responsible for installing, configuring, and
operating network security for their organization. To use this guide you must have knowledge of your
organization’s network infrastructure and standard networking technologies. For more detailed information
on specific commands used in this document, refer to other user guidance provided by Extreme Networks
Inc.
5 Related Documents
For more information about Extreme Summit Series Switches, see the following documents:
Table 1. Guidance Documentation
Identifier Edition Title
Security Target v2.4 Extreme Networks Summit Series Switches v2.4
6 Evaluated Configuration
The TOE is the Extreme Networks Summit series switches running EXOS v22.3.1.4-patch1CC-2 and
includes the following appliances.
Summit X870 series
Summit X690 series
Summit X620 series
Summit X440-G2 series
Summit X450-G2 series
Summit X460-G2 series
Summit X670-G2 series
The Common Criteria certification does not guarantee the product is secure in all circumstances and
possible modes of operation. It is assumed that the system administrators install, manage, and use the
Extreme ExtremeSwitching and Summit series switches in accordance with the instructions in this
document.
Note
The use of other cryptographic engines was not evaluated or tested during the CC
evaluation of the TOE.
To configure this interface manually, statically assign an IP address to the management VLAN (Mgmt)
and add a static route:
1. Specify the VLAN Mgmt IP address.
2. Reboot the TOE by running reboot, then entering yes at the prompt.
3. Verify that FIPS mode is set by running the following command:
# show security fips mode
9.3 Configuring cryptographic primitives
9.3.1 Configuring Diffie-Hellman Group 14
Disable Diffie-Hellman group 1 by issuing the following command:
# configure ssh2 dh-group minimum 14
Diffie-Hellman groups below group 14 are now disabled.
9.3.2 Configuring Data Encryption Algorithms and HMAC Algorithms
SSH operates in one of three security modes: default mode, FIPS mode, and secure mode. In each mode
you can configure the required ciphers and MACs from a list using the CLI; each mode supports a different
list of ciphers. By default, all ciphers and MACs available in a mode are enabled.
1. Disable all unsupported algorithms by entering the following commands:
# configure ssh2 disable cipher 3des
# configure ssh2 disable cipher aes128-ctr
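The commands in 9.3.1 and 9.3.2 change what the switch's SSH server offers, and the way to confirm that from outside the switch is to look at the server's SSH_MSG_KEXINIT. The following is an added example, not code from this guide or from Extreme Networks: it parses a KEXINIT payload as laid out in RFC 4253 section 7.1 and reports every algorithm that appears on a deny list. It expects a payload you have already captured (for example from a packet capture of a connection to the switch, with the SSH binary-packet framing removed); the two payloads in the block are constructed, and the deny list is an assumption that contains the three algorithms this procedure disables (group 1, 3des, aes128-ctr) plus others widely regarded as weak.

```python
"""
Audit the algorithms an SSH server offers by parsing its SSH_MSG_KEXINIT
(RFC 4253, section 7.1) and checking every name-list against a deny policy.
Added example, not code from the Extreme Networks guide. The deny policy is an
assumption: group 1, 3des and aes128-ctr are what the guide's procedure disables,
the remaining names are added as widely considered weak. Payloads are constructed.
"""
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of a KEXINIT, in wire order.
NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

WEAK_CIPHERS = {"3des-cbc", "aes128-ctr", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "none"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "none"}
DENY = {
    "kex_algorithms": {"diffie-hellman-group1-sha1"},
    "encryption_algorithms_client_to_server": WEAK_CIPHERS,
    "encryption_algorithms_server_to_client": WEAK_CIPHERS,
    "mac_algorithms_client_to_server": WEAK_MACS,
    "mac_algorithms_server_to_client": WEAK_MACS,
}


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload (binary-packet framing already removed) into
    {name-list: [algorithm, ...]} plus the first_kex_packet_follows flag."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16                      # message byte, then the 16-byte random cookie
    fields = {}
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT before %s" % name)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list %s" % name)
        pos += length
        fields[name] = [n for n in raw.decode("ascii").split(",") if n]
    if pos >= len(payload):
        raise ValueError("missing first_kex_packet_follows")
    fields["first_kex_packet_follows"] = payload[pos] != 0
    return fields


def audit_kexinit(payload: bytes, deny=DENY) -> dict:
    """Return {name-list: [denied algorithms offered]} for each list that violates
    the policy. An empty dict means the server's offer is clean."""
    offered = parse_kexinit(payload)
    findings = {}
    for field, banned in deny.items():
        hits = sorted(set(offered[field]) & banned)
        if hits:
            findings[field] = hits
    return findings


def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT payload; used here only to construct offline sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16      # an all-zero cookie is fine for a sample
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)         # first_kex_packet_follows, reserved


# Constructed: a switch that still offers group 1, 3des and aes128-ctr.
WEAK_SERVER = build_kexinit(
    kex_algorithms=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    server_host_key_algorithms=["ssh-rsa"],
    encryption_algorithms_client_to_server=["aes256-ctr", "aes128-ctr", "3des-cbc"],
    encryption_algorithms_server_to_client=["aes256-ctr", "aes128-ctr", "3des-cbc"],
    mac_algorithms_client_to_server=["hmac-sha2-256", "hmac-sha1"],
    mac_algorithms_server_to_client=["hmac-sha2-256", "hmac-sha1"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

# Constructed: the same switch after "dh-group minimum 14" and the two "disable cipher" commands.
HARDENED_SERVER = build_kexinit(
    kex_algorithms=["diffie-hellman-group14-sha1"],
    server_host_key_algorithms=["ssh-rsa"],
    encryption_algorithms_client_to_server=["aes256-ctr"],
    encryption_algorithms_server_to_client=["aes256-ctr"],
    mac_algorithms_client_to_server=["hmac-sha2-256", "hmac-sha1"],
    mac_algorithms_server_to_client=["hmac-sha2-256", "hmac-sha1"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

if __name__ == "__main__":
    print("weak server findings:", audit_kexinit(WEAK_SERVER))
    print("hardened server findings:", audit_kexinit(HARDENED_SERVER))
```

The parser reads the offered lists rather than the negotiated choice on purpose: a server that still lists group 1 or 3des anywhere in its offer will fall back to them for a client that prefers them, which is exactly the condition the two CLI commands are meant to remove.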
Before upgrading the image on the switch, the administrator needs the following information:
the IP address of the TFTP server on which the new software package resides
the full file name (case sensitive) of the software package
the Virtual Router (VR) through which the TFTP server is reachable
TFTP provides neither authentication nor integrity protection for the transfer, so the TFTP server should
be reachable only over a management network the administrator trusts.
To upgrade the switch software, use the command:
# download image <ipaddress> <filename> vr <vr-name>
The following prompt appears: "Do you want to install image after downloading? (y - yes, n - no, <cr> -
cancel)".
Configure the time zone for the TOE by entering the following command:
# config timezone name <unique name> <offset in minutes> autodst begins <every|on> <first|fourth|last|second|third> <weekday> <month> <at|ends|name> <begin hour> <begin minute> ends <on|every> <first|second|third|last> <weekday> <month> <at|name> <end hour> <end minute> name <unique name>
Confirm the change to the system date/time by running the following command:
# show switch | grep "Current Time"
Note
Although the TOE supports multiple accounts, the only accounts that were tested
and evaluated were the following: admin (Security Administrator) and user.
Note
If the prompt is to contain spaces, enclose it in quotes. Example: "Extreme x460"
Lockout-on-login-failures On or Off
1 The IP address indicated is an example only. Use one appropriate for your organization’s network.
2 CLI logging is disabled by default.
© 2017 Extreme Networks, Inc. All rights reserved. 16
Sign the CSR with the intermediate CA's certificate using the following OpenSSL command:
# openssl ca -config openssl.intCA1.cnf -in csr/cert.csr.pem -out certs/cert.pem -extensions toe-a
Once the certificate is signed, it must be imported back into the TOE.
Note
For Common Criteria, the RSA key length is configurable, supporting both 2048-bit
and 3072-bit keys. The key size is enforced in both private key/self-signed
certificate pairs and private key/CSR pairs.
10 Appendix—Auditable Events
Each entry below lists the requirement, its auditable events, the additional audit record contents, and a
sample audit record from the TOE.

FAU_GEN.1
    Auditable events: None. Additional audit record contents: None.
FAU_GEN.2
    Auditable events: None. Additional audit record contents: None.
FAU_STG_EXT.1
    Auditable events: None. Additional audit record contents: None.
FCS_CKM.1
    Auditable events: None. Additional audit record contents: None.
FCS_CKM.2
    Auditable events: None. Additional audit record contents: None.
FCS_CKM.4
    Auditable events: None. Additional audit record contents: None.
FCS_CKM_EXT.4
    Auditable events: None. Additional audit record contents: None.
FCS_COP.1/DataEncryption
    Auditable events: None. Additional audit record contents: None.
FCS_COP.1/SigGen
    Auditable events: None. Additional audit record contents: None.
FCS_COP.1/Hash
    Auditable events: None. Additional audit record contents: None.
FCS_COP.1/KeyedHash
    Auditable events: None. Additional audit record contents: None.
FCS_RBG_EXT.1
    Auditable events: None. Additional audit record contents: None.
FCS_SSHS_EXT.1
    Auditable events: Failure to establish an SSH session.
    Additional audit record contents: Reason for failure.
    Sample audit record:
        06/20/2017 13:39:00.59 <Warn:exsshd.KeyAuthFail> Key authentication failed for user ccadmin from 10.120.89.91. Key invalid/not configured to the user.
FCS_TLSC_EXT.2
    Auditable events: Failure to establish a TLS session.
    Additional audit record contents: Reason for failure.
    Sample audit record:
        08/01/2017 10:51:06.60 <Erro:log.SyslogSSLCnctFail> Syslog SSL connection(192.168.0.205:9011) failed: Can't connect to syslog server. connect() returned "Connection refused".
FIA_AFL.1
    Auditable events: Unsuccessful login attempts limit is met or exceeded.
    Additional audit record contents: Origin of the attempt (e.g., IP address).
    Sample audit record:
        06/20/2017 13:44:19.17 <Warn:AAA.accountLockedOut> Account for user 'ccadmin' locked out!
FIA_PMG_EXT.1
    Auditable events: None. Additional audit record contents: None.
FIA_UIA_EXT.1
    Auditable events: All use of the identification and authentication mechanism.
    Additional audit record contents: Provided user identity, origin of the attempt (e.g., IP address).
    Sample audit record:
        Login Success: 17:55:08.54 <Info:AAA.authPass> Login passed for user admin through ssh (10.120.89.91)
        Logout: 0/20/2017 17:55:57.93 <Info:AAA.logout> Administrative account (admin) logout from ssh (10.120.89.91)
FIA_UAU_EXT.2
    Auditable events: All use of the identification and authentication mechanism.
    Additional audit record contents: Origin of the attempt (e.g., IP address).
    Sample audit record:
        17:55:08.54 <Info:AAA.authPass> Login passed for user admin through ssh (10.120.89.91)
FIA_UAU.7
    Auditable events: None. Additional audit record contents: None.
FIA_X509_EXT.1/Rev
    Auditable events: Unsuccessful attempt to validate a certificate.
    Additional audit record contents: Reason for failure.
    Sample audit record:
        08/29/2017 21:33:39.42 <Erro:log.SyslogSSLCnctFail> Syslog SSL connection(10.68.6.3:6529) failed: Can't connect to syslog server with SSL. SSL_connect() returned "error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed".
FIA_X509_EXT.2
    Auditable events: None. Additional audit record contents: None.
FIA_X509_EXT.3
    Auditable events: None. Additional audit record contents: None.
FMT_MOF.1/ManualUpdate
    Auditable events: Any attempt to initiate a manual update.
    Additional audit record contents: None.
    Sample audit record:
        06/20/2017 13:48:01.58 <Noti:cli.CmdNotPmt> User user: This user does not have permissions for this command: download image 10.120.89.79 onie-22.5.0.12.xos
FMT_MTD.1/CoreData
    Auditable events: All management activities of TSF data.
    Additional audit record contents: None.
    Sample audit record:
        06/20/2017 13:50:13.11 <Noti:EPM.install_status> User admin: Image installation finished with status success.
        06/20/2017 13:49:57.87 <Noti:EPM.Upgrade.Strt> User admin: Image upgrade has started.
        09/04/2017 13:30:33.24 <Noti:EPM.install_status> User admin: Image installation finished with status success.
FPT_STM_EXT.1
    Auditable events: Discontinuous changes to time – either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1.)
    Additional audit record contents: For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address).
    Sample audit record:
        18:05:22.35 <Noti:DM.Notice> Setting time to Mon Nov 20 12:12:12 2017
FTA_SSL_EXT.1 (if "lock the session" is selected)
    Auditable events: Any attempts at unlocking of an interactive session.
    Additional audit record contents: None.
    Sample audit record:
        06/20/2017 13:12:12.21 <Info:AAA.authPass> Login passed for user admin through serial
        06/20/2017 13:12:08.80 <Info:AAA.logout> Administrative account (admin) logout from serial
FTA_SSL_EXT.1 (if "terminate the session" is selected)
    Auditable events: The termination of a remote session by the session locking mechanism.
    Additional audit record contents: None.
    Sample audit record:
        06/20/2017 13:15:40.90 <Info:AAA.logout> Administrative account (admin) logout from telnet (10.120.89.91)
FTA_SSL.4
    Auditable events: The termination of an interactive session.
    Additional audit record contents: None.
    Sample audit record:
        06/20/2017 13:22:14.52 <Info:AAA.logout> Administrative account (admin) logout from ssh (10.120.89.91)
FTA_TAB.1
    Auditable events: None. Additional audit record contents: None.
FTP_ITC.1
    Auditable events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
    Additional audit record contents: Identification of the initiator and target of failed trusted channels establishment attempt.
    Sample audit record:
        08/30/2017 10:20:59.42 <Noti:log.SyslogSSLCnctEstb> Syslog SSL connection(192.168.0.204:6514) established.
        08/01/2017 10:51:43.57 <Noti:log.SyslogSSLCnctTerm> Syslog SSL connection(192.168.0.204:6514) terminated.
        08/30/2017 09:33:37.90 <Erro:log.SyslogSSLOCSPFail> Syslog SSL connection(192.168.0.204:6514) failed: OCSP revocation check failed at depth 0. OCSP_RevocationCheck() returned "No response from all available OCSP responders".
        03/23/2017 16:46:41.73 <Info:AAA.LogSsh> Msg from Master : Did key authentication for user ccadmin (10.127.8.86)
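A Security Administrator who forwards these records to a syslog server still has to pick out the ones that matter. The following is an added example, not Extreme Networks code: it parses the EXOS record format used in the table above (optional date, time, a <Severity:Component.Condition> tag, then the message), maps the conditions that appear in the table to the requirement each one evidences, and returns the locked-out accounts and the per-source SSH authentication failures. The sample records are copied from the table and joined onto single lines, with one constructed non-record line appended to show that unparsable input is reported rather than dropped; the condition-to-requirement mapping is our own reading of the table, not a list published by Extreme Networks.

```python
"""
Parse EXOS audit records in the format shown in the appendix and pull out the
events a Security Administrator should review. Added example, not Extreme
Networks code. The condition-to-requirement mapping is our own reading of the
table; the last sample line is constructed to exercise the unparsed path.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Record layout: optional MM/DD/YYYY date, HH:MM:SS.cc time, <Severity:Component.Condition>, message.
RECORD_RE = re.compile(
    r"^(?:(?P<date>\d{2}/\d{2}/\d{4}) )?(?P<time>\d{2}:\d{2}:\d{2}\.\d{2}) "
    r"<(?P<severity>[A-Za-z]+):(?P<component>[A-Za-z0-9_]+)\.(?P<condition>[A-Za-z0-9_.]+)> "
    r"(?P<message>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# The user name appears as "for user X", "for user 'X'", "User X:" or "account (X)".
USER_RE = re.compile(r"(?:for user|User|account \() ?'?([A-Za-z0-9_-]+)")

# Conditions seen in the appendix samples and the requirement each one evidences (our mapping).
ALERT_CONDITIONS = {
    "exsshd.KeyAuthFail": "FCS_SSHS_EXT.1: SSH session establishment failed",
    "log.SyslogSSLCnctFail": "FCS_TLSC_EXT.2 / FIA_X509_EXT.1: TLS session to syslog failed",
    "log.SyslogSSLOCSPFail": "FTP_ITC.1: trusted channel failed (OCSP)",
    "AAA.accountLockedOut": "FIA_AFL.1: login failure limit reached",
    "cli.CmdNotPmt": "FMT_MOF.1/ManualUpdate: unauthorised command attempt",
    "DM.Notice": "FPT_STM_EXT.1: discontinuous time change",
}


@dataclass
class Record:
    date: Optional[str]
    time: str
    severity: str
    condition: str      # "Component.Condition", e.g. "AAA.accountLockedOut"
    message: str
    user: Optional[str]
    ip: Optional[str]


def parse_record(line: str) -> Optional[Record]:
    """Return a Record for an EXOS log line, or None if the line is not one."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    user = USER_RE.search(m["message"])
    ip = IPV4_RE.search(m["message"])
    return Record(
        date=m["date"], time=m["time"], severity=m["severity"],
        condition="%s.%s" % (m["component"], m["condition"]),
        message=m["message"],
        user=user.group(1) if user else None,
        ip=ip.group(1) if ip else None,
    )


def triage(lines) -> Tuple[List[Tuple[str, Record]], List[str]]:
    """Split input into (alerts, unparsed). Alerts pair a requirement with its record;
    unparsed keeps every rejected line so nothing is silently dropped."""
    alerts, unparsed = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            unparsed.append(line)
        elif rec.condition in ALERT_CONDITIONS:
            alerts.append((ALERT_CONDITIONS[rec.condition], rec))
    return alerts, unparsed


def locked_out_users(lines) -> List[str]:
    """Accounts that hit the FIA_AFL.1 lockout, for the administrator to unlock or investigate."""
    return sorted({rec.user for _, rec in triage(lines)[0]
                   if rec.condition == "AAA.accountLockedOut" and rec.user})


def auth_failures_by_source(lines) -> Counter:
    """Count SSH authentication failures per source IP, the pivot for follow-up."""
    counts = Counter()
    for _, rec in triage(lines)[0]:
        if rec.condition == "exsshd.KeyAuthFail" and rec.ip:
            counts[rec.ip] += 1
    return counts


# Sample records copied from the appendix (each joined onto one line); the last line is constructed.
SAMPLE_LOG = [
    "06/20/2017 13:39:00.59 <Warn:exsshd.KeyAuthFail> Key authentication failed for user ccadmin from 10.120.89.91. Key invalid/not configured to the user.",
    "08/01/2017 10:51:06.60 <Erro:log.SyslogSSLCnctFail> Syslog SSL connection(192.168.0.205:9011) failed: Can't connect to syslog server. connect() returned \"Connection refused\".",
    "06/20/2017 13:44:19.17 <Warn:AAA.accountLockedOut> Account for user 'ccadmin' locked out!",
    "17:55:08.54 <Info:AAA.authPass> Login passed for user admin through ssh (10.120.89.91)",
    "06/20/2017 13:48:01.58 <Noti:cli.CmdNotPmt> User user: This user does not have permissions for this command: download image 10.120.89.79 onie-22.5.0.12.xos",
    "06/20/2017 13:50:13.11 <Noti:EPM.install_status> User admin: Image installation finished with status success.",
    "18:05:22.35 <Noti:DM.Notice> Setting time to Mon Nov 20 12:12:12 2017",
    "08/30/2017 09:33:37.90 <Erro:log.SyslogSSLOCSPFail> Syslog SSL connection(192.168.0.204:6514) failed: OCSP revocation check failed at depth 0. OCSP_RevocationCheck() returned \"No response from all available OCSP responders\".",
    "03/23/2017 16:46:41.73 <Info:AAA.LogSsh> Msg from Master : Did key authentication for user ccadmin (10.127.8.86)",
    "this line is not an EXOS record",
]

if __name__ == "__main__":
    alerts, unparsed = triage(SAMPLE_LOG)
    for requirement, rec in alerts:
        print(requirement, "|", rec.time, rec.user, rec.ip)
    print("unparsed:", unparsed)
```

Note that the successful-login and image-installation records are parsed but not alerted on; they are the FIA_UIA_EXT.1 and FMT_MTD.1 evidence the table requires and belong in the retained log, but they are not what an administrator needs to be paged for.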