ZXR10 M6000&T8000&8900E Series Routers and Switches Running the ZXROSNG Operating System Security Target ZTE CORPORATION NO. 55, Hi-tech Road South, ShenZhen, P.R.China Postcode: 518057 Tel: +86-755-26771900 Fax: +86-755-26770801 URL: http://ensupport.zte.com.cn E-mail: support@zte.com.cn Version: R1.6...
ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by contractual confidentiality obligations. All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE CORPORATION or of their respective owners.
Contents
Chapter 1 ST INTRODUCTION 1-1
1.1 ST IDENTIFICATION 1-1
1.1.1 ST Title 1-1
1.1.2 References 1-1
1.2 TOE IDENTIFICATION 1-2
1.3 TOE OVERVIEW 1-4
1.3.1 Intended usage and security features of the TOE 1-4
1.3.2 Non-TOE components 1-4
1.4 TOE DESCRIPTION...
6.1.2 Identification & Authentication 6-3
6.1.3 Security Management 6-4
6.1.4 TOE Access 6-7
6.1.5 User data protection 6-7
6.1.6 Trusted Channel 6-9
Chapter 7 RATIONALE 7-1
7.1 RATIONALE FOR SECURITY OBJECTIVES 7-1
7.1.1 Rationale for Security Objectives for the TOE 7-1
7.1.2 Rationale for Security Objectives for the Environment...
1.1 ST IDENTIFICATION
1.1.1 ST Title
V1.6 of the Security Target for the ZXR10 M6000&T8000&8900E Series Routers and Switches running the ZXROSNG Operating System.
1.1.2 References
The following documentation was used to prepare this ST.
ZXR10 M6000&T8000&8900E Security Target
1.2 TOE IDENTIFICATION
This Security Target describes the M6000&T8000&8900E Series of Routers and Switches running the ZXROSNG Operating System v1.00.20. The M6000&T8000&8900E series consists of the following:
Table 1-1 M6000&T8000&8900E Series Models (columns: Series, Model, Interface Description)...
8900E Series: 1 x Ethernet Management Interface; 1 x RS232 Console; LIC supported interfaces: 8-port 10GE Optical Ethernet, 12-port 10GE Optical interface, 48-port Gigabit Electrical interface, 48-port Gigabit Optical interface.
SJ-20110815105844-030|2011/08/19(R1.6) ZTE CORPORATION...
1.3 TOE OVERVIEW
1.3.1 Intended usage and security features of the TOE
The TOE is the ZXR10 M6000&T8000&8900E series of routers and switches running ZXROSNG 1.00.20. The TOE enables the delivery of metro Ethernet services and high-density service-aware Ethernet aggregation over IP/MPLS-based networks.
SNMP/SYSLOG server, the NTP server and the RADIUS/TACACS+ server to the TOE.
1.4 TOE DESCRIPTION
The TOE is the ZXR10 M6000&T8000&8900E series of routers and switches running ZXROSNG. The M6000&T8000 router is a device that determines the next network point to which a packet should be forwarded toward its destination.
Control Plane
The control plane receives configuration commands, protocol information and keep-alive packets from other planes to implement the following functions: configuration of command parameters, displaying statistics and status information; local authentication, RADIUS authentication and TACACS+ authentication...
addresses only the client-side support of RADIUS and TACACS+: the servers themselves are out of scope.
Profiles: Administrator profiles are configured to permit or deny access to a hierarchical branch or to specific commands.
Audit: The TOE provides an audit feature for actions related to authentication attempts...
Feature table (columns: Feature, Description, Evaluated, Permitted, Not evaluated)
VLAN: Not evaluated. Virtual LAN.
Mitigate DoS: Denial of service attack.
URPF: Unicast Reverse Path Forwarding.
Not permitted in the evaluated configuration: WebVPN, IPSec, IKE, L2TP (Layer 2 Tunneling Protocol).
Feature table (columns: Feature, Description, Evaluated, Permitted, Not evaluated)
IPSEC: Not evaluated. IPSec provides confidentiality, authenticity and integrity for IP data transmitted between trusted (private) networks or remote clients over untrusted (public) links or networks.
CC, version 3.1R3, as defined by [CCp1], [CCp2], [CCp3] and [CEM].
CC Part 2: CC Part 2 conformant
CC Part 3: CC Part 3 conformant
This ST conforms to no Protection Profile.
This ST conforms to EAL 3+ALC_FLR.2, and to no other packages.
Actions performed by users may not be known to the administrators because the actions are not recorded, because the audit records are not reviewed before the machine shuts down, or because an unauthorized administrator modifies or destroys audit data.
THREAT / DESCRIPTION
T.NO_PRIVILEGE: An unauthorized user may gain access to inappropriately view, tamper with, modify, or delete TOE Security Functionality data.
T.MEDIATE: An unauthorized entity may send impermissible information through the TOE which results in the exploitation of resources on the network.
TOE. All administrators are "vetted" to help ensure their trustworthiness, and administrator connectivity to the TOE is restricted.
P.ROUTE: The TOE must be able to accept routing data from trusted routers
The TOE will provide mechanisms that control an administrator's logical access to the TOE and deny unattended sessions the ability to configure the TOE.
O.ROUTE: The TOE shall be able to accept routing data from trusted routers according to BGPv4/OSPFv2/IS-IS/RIPv2.
4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT
The following IT security objectives for the environment are to be addressed by the operational environment via technical means.
Table 4-2 Security Objectives for the environment (OBJECTIVES / DESCRIPTION)
OE.TIMES: An NTP server must be available to provide accurate/synchronized time services to the TOE.
5.1.1 Overview
The security functional requirements for this ST consist of the following components from Part 2 of the CC.
Table 5-1 TOE Security Functional Requirements (CC Part 2 Security Functional Components: Identifier / Name)
FAU_GEN.1 Audit data generation
FAU_GEN.2 User identity association
FAU_SAR.1 Audit review
FAU_STG.1 Protected audit trail storage
FAU_STG.4 Prevention of audit data loss
FDP_IFC.1(1) Subset information flow control (unauthenticated policy)
FDP_IFF.1(1) Simple security attributes (unauthenticated policy)
FDP_IFC.1(2) Subset information flow control (export policy)
FDP_IFF.1(2)
1. Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
2. For each audit event type, based on the auditable event definitions of the functional components included in the ST: [none].
Application Note: There is no success/failure concept for the alarm log. Therefore there is no outcome (success or failure) for alarm log events.
5.1.2.2 FAU_GEN.2 User identity association
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.
2. when the outgoing interface toward the source address of a packet is different from the interface the packet arrived on, the packet will be dropped (URPF);
3. when the half-open (semi-connection) statistics for TCP SYN flood exceed the configured threshold, the TOE suppresses these attacks.]
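A reference model of rules 2 and 3 above, added here as an illustration and not taken from the ZTE Security Target or ZXROSNG: strict uRPF over a longest-prefix-match routing table, and a per-destination half-open counter with a configured threshold. The routing table, interface names and addresses are constructed for the example.

```python
# Added example, not ZTE code: models FDP_IFF.1.3 rule 2 (strict uRPF) and
# rule 3 (half-open TCP threshold) over constructed data.
import ipaddress
from collections import Counter

# Constructed routing table: destination prefix -> outgoing interface.
ROUTES = {
    "10.0.0.0/8": "xgei-1/1",
    "10.1.0.0/16": "xgei-1/2",
    "192.0.2.0/24": "xgei-1/3",
}

def lookup_egress(addr):
    """Longest-prefix match; returns the outgoing interface, or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_permits(src, ingress):
    """Strict uRPF (rule 2): permit only when the route back to the source
    address leaves on the interface the packet arrived on. An unrouted source
    never matches, so it is dropped as well."""
    return lookup_egress(src) == ingress

class SynFloodGuard:
    """Rule 3: count half-open connections (SYN seen, handshake not completed)
    per destination and report suppression once the threshold is exceeded."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.half_open = Counter()

    def on_syn(self, dst):
        """Returns True if the SYN is accepted, False if it is suppressed."""
        self.half_open[dst] += 1
        return self.half_open[dst] <= self.threshold

    def on_established(self, dst):
        """Handshake completed: the connection is no longer half-open."""
        if self.half_open[dst] > 0:
            self.half_open[dst] -= 1
```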
FDP_IFF.1.4 The TSF shall explicitly authorize an information flow based on the following rules: [none].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules:
1. [the TOE shall reject requests for access or services where the source identity of the information received by the TOE is not included in the set of source identifiers for the source subject;...
4. Either the administrator must change his password at the first login, or the administrator is not forced to change his password at the first login, as configured by the administrator.]
Application Note: the TOE cannot enforce this SFR when performing remote authentication with a RADIUS/TACACS+ server.
5.1.2.13 FIA_UAU.2 User authentication before any action
FIA_UAU.2.1 The TSF shall require each administrator to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that administrator.
5.1.2.14 FIA_UAU.5 Multiple authentication mechanisms
FIA_UAU.5.1 The TSF shall provide [client RADIUS, TACACS+, and local authentication mechanisms] to support user authentication.
The TSF shall be able to associate users with roles.
Application Note: Although there is only one administrator role, each administrator account has its own privilege level and corresponding management scope. The management scope of each privilege level is configurable. All commands are assigned a required privilege level. An administrator can execute commands whose required privilege level is lower than or equal to his own privilege level.
5.1.2.24 FPT_STM.1 Reliable time stamps
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
1. I&A authentication success
2. I&A authentication failure
User management alarm:
1. user account is locked
2. user account is unlocked
3. user account is enabled
4. user account is disabled
RADIUS alarm log:
1. RADIUS authentication group is unreachable
2. RADIUS accounting server group is unreachable
3. RADIUS buffer queue exceeds the threshold
NTP alarm log:
1. The clock of the NTP server and client are not synchronized
ACL alarm:
1.
TOE. So this SFR is only enforced when performing local authentication.
FIA_UAU.2 User authentication before any action
The TOE is configured to use RADIUS, TACACS+, and local/remote authentication to validate administrators requesting access to the network. Password authentication is processed by RADIUS and local, or by TACACS+ and local, as specifically configured. The order of TACACS+ and local can be configured. The allowed authentication models are listed below:
1. Local only
2. RADIUS only
3.
3. transport layer protocol and their flags and attributes (UDP, TCP);
4. network layer protocol (IP, ICMP);
5. interface on which traffic arrives and departs; and
6. routing protocols and their configuration and state.
Simple security attributes (export policy)
The event log is configured to send events to one SYSLOG destination. SYSLOG destinations have the following properties:
1. SYSLOG server IP address.
2. The UDP port used to send the SYSLOG message.
3. The SYSLOG Facility Code (0 - 23): default 16 (local0).
The TOE also provides export of logs to SYSLOG and SNMP servers.
FDP_IFC.1(1) Subset information flow control (unauthenticated policy)
The TOE enforces an UNAUTHENTICATED SFP on network packets sent and/or received through the TOE to and from IT entities.
FDP_IFC.1(2) Subset information flow control (export policy)
The TOE enforces an EXPORT SFP whereby information events are sent from the TOE to SNMP trap and SYSLOG destinations. The TOE will only send audit and management data to properly configured destinations.
FDP_IFF.1(1) Simple security attributes (unauthenticated policy)
The TOE supports routing of the traffic that is permitted by the information flow policies.
TOE.
FTP_ITC.1 The TSF shall provide a communication channel between itself and a remote administration client. Secure remote administration is provided by SSH. The communication between the TOE and the RADIUS/TACACS+/NTP server is protected by the trusted channel.
This section provides a mapping of environment security objectives to the assumptions that must be met. Since the Security Objectives for the Operational Environment were derived directly from the Assumptions, there is a one-to-one mapping between them. It is also clear, since the Security Objectives for the Operational Environment are simply a restatement of the applicable assumption, that each objective is suitable to meet its corresponding assumption.
Table 7-2 Mapping of Assumptions to Security Objectives for the Operational Environment
OE.NO_EVIL&TR-...
FAU_STG.4 requires that unauthorised deletion of audit records does not occur, and thus helps to maintain accountability for actions
OBJECTIVES / SFR Rationale
FPT_STM.1 ensures that reliable time stamps are provided for audit records. FTP_ITC.1(3) requires that the timestamp is protected by trusted channels.
O.MANAGE: The TOE must provide services that allow ... This objective is met by: FMT_MOF.1 allows the authorized users...
O.ROUTE: The TOE shall be able to accept routing data from trusted routers according to BGPv4/OSPFv2/IS-IS/RIPv2.
This objective is met by: FDP_UIT.1 transmits and receives routing data to/from trusted routers in a manner protected from modification, insertion and replay errors.
7.2.2 Rationale for Security Assurance Requirements
The ST requires EAL3 augmented with ALC_FLR.2 assurance. EAL3 augmented with ALC_FLR.2 was chosen because it is based upon good commercial development practices with thorough functional testing. EAL3 provides developers and users a moderate level of independently assured security in conventional commercial TOEs.
FMT_MTD.1(2): FMT_SMR.1, FMT_SMF.1
FMT_MTD.1(3): FMT_SMR.1, FMT_SMF.1
FMT_MTD.1(4): FMT_SMR.1, FMT_SMF.1
FMT_SMF.1: No dependencies
FMT_SMR.1: FIA_UID.1
FPT_STM.1: No dependencies
FTA_SSL.3: No dependencies
FTA_TSE.1: No dependencies
FTP_ITC(1): No dependencies
FTP_ITC(2): No dependencies
FTP_ITC(3): No dependencies
There are no unsatisfied dependencies.
Multi-Protocol Label Switching: MPLS technology implements the delivery of highly scalable, differentiated, end-to-end IP and VPN services. The technology allows core network routers to operate at higher speeds without examining each packet in detail, and allows differentiated services.
Management Process Unit: The MPU of the ZXR10 M6000&T8000 has two processor systems. One is the Route Process Module (RPM), and the other is the Management Process Module (MPM). The ZXR10 M6000&T8000 can connect to the maintenance background through the 10/100/1000M Ethernet electrical port and the Console port on the MPU for the maintenance and management of the system.
Appendix A Document Terminology
Switch Fabric Unit: The SFU of the ZXR10 M6000-8 adopts 2+1 redundancy backup. The SFU of the ZXR10 M6000-16&T8000 adopts 3+1 redundancy backup. Several SFUs can work at the same time. When an SFU fails or is unplugged, interface access and processing capacity are not affected.