Network Device S6000 and GGM 8000 with EOS Version 16.9
Common Criteria User Guide
Common Criteria Supplement - version 1.2
© 2016 Motorola Solutions, Inc. All rights reserved
Copyrights
The Motorola products described in this document may include copyrighted Motorola computer programs. Laws in the United States and other countries preserve for Motorola certain exclusive rights for copyrighted computer programs. Accordingly, any copyrighted Motorola computer programs contained in the Motorola products described in this document may not be copied or reproduced in any manner without the express written permission of Motorola.
© 2016 Motorola Solutions, Inc. All Rights Reserved
No part of this document may be reproduced, transmitted, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, without the prior written permission of Motorola Solutions, Inc.
Furthermore, the purchase of Motorola products shall not be deemed to grant either directly or by implication, estoppel or otherwise, any license under the copyrights, patents or patent applications of Motorola, except for the normal non-exclusive, royalty-free license to use that arises by operation of law in the sale of a product.
Disclaimer
Please note that certain features, facilities, and capabilities described in this document may not be applicable to or licensed for use on a particular system, or may be dependent upon the characteristics of a particular mobile subscriber unit or configuration of certain parameters. Please refer to your Motorola contact for further information.
Trademarks
MOTOROLA, MOTO, MOTOROLA SOLUTIONS, and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners.
European Union (EU) Waste of Electrical and Electronic Equipment (WEEE) directive
The European Union's WEEE directive requires that products sold into EU countries must have the crossed out trash bin label on the product (or the package in some cases).
As defined by the WEEE directive, this cross-out trash bin label means that customers and end-users in EU countries should not dispose of electronic and electrical equipment or accessories in household waste.
Customers or end-users in EU countries should contact their local equipment supplier representative or service centre for information about the waste collection system in their country.
Common Criteria Supplement - version 1.2, Copyrights, page 3
Contact Us
Motorola Solutions Support Center
The Solutions Support Center (SSC) is the primary Motorola Solutions support contact. Call:
• Before any software reload.
• To confirm troubleshooting results and analysis before removing and replacing a Field Replaceable Unit (FRU) and Field Replaceable Entity (FRE) to repair the system.
For... | Phone
United States Calls | 800-221-7144
International Calls | 302-444-9800
North America Parts Organization
For assistance in ordering replacement parts or identifying a part number, contact the Motorola Solutions Parts organization. Your first response when troubleshooting your system is to call the Motorola SSC.
For... | Phone
Phone Orders | 800-422-4210 (US and Canada Orders). For help identifying an item or part number, select choice 3 from the menu.
Phone Orders | 302-444-9842 (International Orders). Includes help for identifying an item or part number and for translation as needed.
Fax Orders | 800-622-6210 (US and Canada Orders)
Comments
Send questions and comments regarding user documentation to [email protected].
Provide the following information when reporting a documentation error:
• The document title and part number
• The page number with the error
• A description of the error
We welcome your feedback on this and other Motorola Solutions manuals. To take a short, confidential survey on Motorola Solutions Customer Documentation, go to docsurvey.motorolasolutions.com or scan the following QR code with your mobile device to access the survey.
Document History
Table 1: Document History
Document Version | Date | Author | Comments
0.1 | 06/04/10 | Kenji Yoshino | Initial Draft
0.2 | 06/16/10 | Kenji Yoshino | Updates based on Motorola input
0.3 | 7/20/10 | Kenji Yoshino | Minor updates based on Motorola's answers to specific command questions.
0.4 | 9/14/10 | Kenji Yoshino | Removed selector list caveats. Added protocol authentication.
0.5 | 2/6/11 | Kenji Yoshino | Added GGSN and delivery verification.
0.6 | 3/25/11 | Kenji Yoshino | Updated references and acceptance procedures
0.7 | 6/6/11 | Kenji Yoshino | Removed GGSN. Added SW/FW identifiers. Added verification of downloaded documentation.
0.8 | 6/21/11 | Kenji Yoshino | Removed additional GGSN references. Clarified FIA_AFL
0.9 | None | | Reverted to 0.8 due to delivery changes.
0.10 | 8/3/11 | Kenji Yoshino |
0.10.1 | 8/9/11 | Tresa Johnson | Additional Config commands
0.11 | 8/16/11 | Kenji Yoshino |
0.12 | 11/22/11 | Kenji Yoshino | Changed the delivery verification to include calling SSC and using Tanapa numbers.
0.13 | 02/16/2012 | Tresa Johnson | Added more information on the SSC call.
0.14 | 03/28/2012 | David Kiefer | Added information on the Tanapa verification for S6000.
0.15 | 04/02/2012 | Tresa Johnson | Modified Tanapa numbers
0.16 | 04/19/2012 | Tresa Johnson | Minor Edits.
1.0 | 04/19/2016 | Tomasz Rypina | Changes for compliance with NDcPPv1.0
1.0.1 | 05/30/2016 | Tomasz Rypina | Added disable of HTTP access and Firewall configuration
1.1 | 06/17/2016 | Tomasz Rypina | Minor Edits
1.2 | 07/28/2016 | Tomasz Rypina | Minor Edits.
Contents
Copyrights (page 3)
Contact Us (page 5)
Document History (page 7)
List of Figures (page 11)
List of Tables (page 13)
List of Procedures (page 15)
About this Guide (page 17)
  Conventions (page 17)
Chapter 1: Preparation (page 19)
  1.1 User Roles (page 19)
  1.2 Pre-Installation Considerations (page 20)
Chapter 2: Secure Installation (page 21)
  2.1 Verification of Components (page 21)
  2.2 Hardware Installation (page 23)
  2.3 Initial Configuration (page 23)
    2.3.1 Connecting to your Device (page 23)
    2.3.2 Verifying Hardware and Software of the Device (page 23)
    2.3.3 Setting Passwords (page 24)
    2.3.4 General Configuration (page 25)
    2.3.5 Configuring the Access Banner (page 25)
    2.3.6 Software Trusted Update (page 25)
    2.3.7 Configuring Trusted Channel (page 25)
    2.3.8 Security Policy Database Configuration (page 26)
    2.3.9 Configuring NTP Server (page 26)
    2.3.10 Configuring AuditLog (page 27)
    2.3.11 Configuring RADIUS (page 27)
    2.3.12 Enabling FIPS mode (page 28)
    2.3.13 Configuring Trusted Path and SSH Server (page 29)
    2.3.14 Disabling Services (page 30)
Chapter 3: Common Criteria Security Functions (page 31)
  3.1 Common Criteria Security Features (page 31)
    3.1.1 Local User Management (page 31)
    3.1.2 Cryptographic Keys Operations (page 31)
    3.1.3 Synchronizing NTP Time (page 32)
    3.1.4 RADIUS Authentication (page 32)
    3.1.5 Audit Logs (page 32)
    3.1.6 IKEv1 (page 32)
    3.1.7 Configuring IPsec (page 33)
    3.1.8 Generating X509 Certificate Requests (page 34)
    3.1.9 Authentication for IPsec Using X.509 Certificates (page 34)
    3.1.10 Firewall (page 34)
    3.1.11 Cryptographic Self-Tests (page 34)
  3.2 Excluded Security Features (page 35)
Chapter 4: Glossary (page 37)
List of Figures
Figure 1: Tamper Label Text (page 21)
List of Tables
Table 1: Document History (page 7)
Table 2: Conventions (page 17)
Table 3: TSF Data manipulation functions (page 19)
Table 4: Tanapa numbers for GGM 8000 (page 22)
Table 5: Tanapa numbers for S6000 (page 22)
Table 6: Acronyms Definitions (page 37)
List of Procedures
Connecting to your Device (page 23)
Verifying Hardware and Software of the Device (page 23)
Setting Passwords (page 24)
Configuring the Access Banner (page 25)
Configuring Trusted Channel (page 25)
Configuring NTP Server (page 26)
Configuring AuditLog (page 27)
Configuring RADIUS (page 27)
Enabling FIPS mode (page 28)
Configuring Trusted Path and SSH Server (page 29)
Disabling Services (page 30)
Local User Management (page 31)
Cryptographic Keys Operations (page 31)
Synchronizing NTP Time (page 32)
RADIUS Authentication (page 32)
Configuring IPsec (page 33)
Generating X509 Certificate Requests (page 34)
About this Guide
This guide is a supplement to the standard Enterprise OS (EOS) Software User Guide. This guide provides Common Criteria (CC) specific installation and administrative guidance that must be followed to operate your Motorola Network Router in the Common Criteria evaluated configuration.
Common Criteria is an Information Technology Security Evaluation program adopted by the National Information Assurance Partnership (NIAP). NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). NIAP has established the Common Criteria Evaluation Validated Scheme (CCEVS) to validate IT products. Common Criteria is also referred to as ISO 15408.
Who Should Use This Guide?
This guide is intended for personnel who:
• Have experience planning, maintaining, and troubleshooting local or wide area networks.
• Are familiar with network protocols, bridging and routing, and network management.
Supported Devices
Supported hardware devices for the CC Evaluated configuration:
• Motorola Network Router S6000
• Motorola Gateway GGM 8000
Conventions
The following table lists the command line interface symbol conventions that are used throughout this guide.
Table 2: Conventions
Symbol | Description
angle brackets < > | Evaluate the syntax provided and supply the appropriate values. Placeholders for values you must supply appear in angle brackets. Example: DELete -IP ADDRess <IP address>; you must supply a value for <IP address> when you enter the command. Do not type the angle brackets.
square brackets [ ] | Enclose an optional value or a list of optional arguments. You can specify one or more values or arguments. For example, in the syntax SET PRIvilege = [User | NetMgr] you can specify either User or NetMgr when you enter the command. Do not type the square brackets.
parentheses ( ) | Enclose a list of values that can be assigned to a single parameter. You must enter at least one of the values. If you enter more than one value, you must type the parentheses and separate the values with commas. For example, in the syntax SET CurrentPorts = ALL | (<port>, <port>) you can specify two port numbers by enclosing them in parentheses and separating them with a comma when you enter the command.
vertical bar | | Separates mutually exclusive values; you must enter one of the values. For example, in the syntax SETDefault -PIM BSRPeriod = <secs> | Default you can enter a value for <secs> or you can enter the word Default. Do not type the vertical bar.
hyphen - | Precedes service names. When you enter a service name as part of a command, you must precede the service name with a hyphen. For example, in the syntax SHow [!<port> | !*] -IP CONFiguration you must include the hyphen with the service name when you enter the command.
braces { } | Enclose a list of required values. You must enter one of the values. For example, in the syntax SETDefault -PIM BSFragLimit = {(100-1480) | Default} you must enter either a value (between 100 and 1480) or the word Default.
exclamation mark ! | Precedes a number that represents a port, virtual port, or path number. For example, in the syntax SETDefault !<port> -IP RtphcHdrExtComp = Enable | Disable you must include the exclamation point before the port number when you enter the command.
Ellipsis ... | Indicates that you may specify one or more additional arguments on the same command line. For example, in the syntax ADD !<filterid> -IP FIlters <condition> [,<condition>...] where <condition> = <%offset>:[<operator>] <%pattern>, you may specify multiple conditions when you enter the command. Do not type the ellipsis.
Chapter 1: Preparation
This chapter includes the following sections:
• User Roles on page 19
• Pre-Installation Considerations on page 20
1.1 User Roles
This section discusses the different user roles supported by EOS and the responsibilities that each role is assigned.
Human Administrators must be familiar with network protocols, bridging, routing, and network management. Ensure that users assigned to these roles have reviewed the guidance, are aware of their responsibilities, and are trusted to follow the policies of your organization.
Human Administrators can perform the following roles:
• Root Role – Full read-write access to the device. This role has a single built-in account with the username root.
• Network Manager Role – Full read-write access to the device, except enabling/disabling of audit and changing the acceptable software signature algorithm.
• User Role – Read-only access to the device. The device includes a built-in account with the username admin.
All authenticated users are considered Administrative. No administrative interfaces are available prior to successful authentication.
Table 3: TSF Data manipulation functions on page 19 maps the TSF data manipulating functions to user roles and privileges. TSF Data manipulation functions allowed for a particular role are indicated by "x".
Table 3: TSF Data manipulation functions
TSF Data manipulating function | Root Role | Network Manager Role | User Role
User management | x | x | -
Cryptographic keys operations (generation, import, zeroization) | x | x | -
Audit logging configuration | x | - | -
Audit logs deletion | x | x | -
Audit log display | x | x | -
TOE configuration (setting parameters, enabling/disabling services) | x | x | -
File system operations (copy, delete) | x | x | -
Software update | x | x | -
Change of acceptable software signature algorithm | x | - | -
1.2 Pre-Installation Considerations
Physical Location
Install the device in a place that has physical access control. The GGM 8000 gateway provides tamper evidence as required by FIPS 140-2 Level 2. However, it does not provide any protection that can prevent or mitigate a physical attack. The S6000 models do not provide any protection that can prevent or mitigate a physical attack.
Network Architecture
Make sure that all servers are able to communicate with the MNR router. Ensure that the following resources are available in the environment where you intend to deploy your router or gateway:
• RADIUS Authentication Server (optional)
NOTICE: If your organization requires authentication failure counters and account lockouts for remote accounts, ensure your RADIUS Server supports these features.
• Syslog Server
• NTP Server
• SSHv2 Client
• HTTP Server
• Serial Console
The NTP, Syslog and RADIUS servers must be installed on a host capable of terminating an IPsec tunnel.
Additional Documentation
In addition to this guide, it is recommended to obtain the following documents:
• Enterprise OS Software Version 16.9 User Guide, June 26, 2016 (EOS User Guide)
• Enterprise OS Software Version 16.9 Reference Guide, June 28, 2016 (EOS Reference Guide)
• Hardware User Guide for your device:
- Motorola Network Router (MNR) S6000 Hardware User Guide, May 30, 2016; or
- Motorola GGM 8000 Hardware User Guide, May 30, 2016
Verify that you have downloaded the latest version of these documents from https://businessonline.motorolasolutions.com/ as specified in your purchase email.
Chapter 2: Secure Installation
This chapter includes the following sections:
• Verification of Components on page 21
• Hardware Installation on page 23
• Initial Configuration on page 23
2.1 Verification of Components
Ensure that your device is packaged in a Motorola branded box. For GGM 8000 and S6000 devices, carefully inspect the tape to ensure that it has not been broken and resealed.
GGM 8000 Verification
When verifying the tamper labels, ensure that each tamper label has the Motorola Logo, as shown in Figure 1: Tamper Label Text on page 21, printed on a glittery silver background.
NOTICE: The clear plastic with the Motorola Logo can sometimes separate from the silver background. If this happens, verify that the silver background has not been broken. If you suspect that the labels were tampered with, contact the Motorola System Support Center (SSC) at 800-221-7144 or 800-323-9949. From the call menu, choose Technical Support of Infrastructure Products → technical support of Voice networks → Astro 25 Systems. While talking to the representative, refer to the site ID as “ASTRO_NIAP”. Your product planner will guide you through additional verification steps. If you cannot verify the integrity of the tamper labels, you may request a replacement unit.
Figure 1: Tamper Label Text
After unpacking the GGM 8000 device, verify that the tamper labels look as described below:
Front
• Two tamper labels hold the Base Module (right side) in place. One tamper label is near each thumbscrew and wrapped over the top cover.
• One tamper label holds the Expansion Module (left side) in place.
- If you do not have any pluggable modules installed, the tamper label is near the center of the panel and wrapped over the top cover.
- If you have pluggable modules installed, the tamper label is below ports 5A and 5B and wrapped under the bottom of the device.
Back
• One tamper label is on the top right corner of the power supply wrapped over the top cover.
Verifying Tanapa numbers
Locate the serial number on the back of your device. Contact the Motorola System Support Center (SSC) at 800-221-7144 or 800-323-9949. From the call menu, choose Technical Support of Infrastructure Products → technical support of Voice networks → Astro 25 Systems. While talking to the representative, refer to the site ID as “ASTRO_NIAP”. Provide the serial number of your device and ask for the Tanapa numbers that comprise your serial number. Use the following tables to verify that your Tanapa numbers are correct.
Table 4: Tanapa numbers for GGM 8000
Description | Tanapa Number
GGM 8000 Base Unit | CLN1841F Rev AB
FIPS 140-2 Kit | CLN8787A Rev B
AC Power Option | CLN1850A Rev G
DC Power Option | CLN1849C Rev AA
NOTICE: Either the AC or DC Power Option must be selected.
Inspect the Expansion Module (left side) and verify that the correct pluggable modules are installed. The CC configuration of the GGM 8000 supports the following pluggable modules:
• a Low Density Enhanced Conventional Gateway Module
• a High Density Enhanced Conventional Gateway Module
• a single 4 Port E&M Analog module and DSP module
• two of the following:
- 2 port T1/E1 (WAN/Telco) module
- 1 port FlexWAN Serial module
- 2 port V.24 module
Table 5: Tanapa numbers for S6000
Description | Tanapa Number
S6000 Base Unit | CLN1780L Rev FB
Encryption Module | CLN8261D Rev NA
Verify that the correct pluggable modules are installed. The CC configuration of the S6000 supports two of the following:
• 4 port T1/E1 (UltraWAN) module
• 12 port T1/E1 module
• 4 port FlexWAN Serial module
• 2 port T3/E3 module
Use your packing slip to verify that you have the correct pluggable modules that comprise the model of the TOE that you ordered. Make sure you are looking at the correct packing slip by matching the serial number of the device to the serial number on the packing slip. For more information about identifying the connectors on your device or pluggable modules, see the "Configuring Paths, Port, and Connectors" chapter of the hardware user guide for your device. Contact the person responsible for ordering your network device and verify that the packing slip matches the original order.
2.2 Hardware Installation
S6000
Follow the instructions in the following sections of the S6000 Hardware User Guide:
1 "Mounting the S6000"
2 "Cabling the Connectors"
3 "Powering the Router On and Off"
GGM 8000
Follow the instructions in the following sections of the GGM 8000 Hardware User Guide:
1 "Rack-Mounting the GGM 8000"
2 "Cabling the Connectors"
3 "Connecting the GGM 8000 to a Power Source"
2.3 Initial Configuration
Perform the following configuration steps to enter the Common Criteria evaluated configuration. These instructions assume that you are using the ‘root’ account unless otherwise specified.
NOTICE: The default password for the root and admin account is blank.
2.3.1 Connecting to your Device
Connect a PC running a terminal emulation program or a terminal to your router or gateway. Refer to the "Connecting a PC, Terminal, or Modem" section of your hardware user guide.
Procedure:
Follow the procedures from your hardware user guide:
• "Starting the System"
• "Verifying Successful Startup"
• "Logging on to the System"
2.3.2 Verifying Hardware and Software of the Device
Procedure:
1 To display the version of EOS your device is running, run the SHow -SYS VERSion command.
The values for GGM 8000 should be:
SW/GGM8000-KS-16.9.0.40
BM/GGM8000, 16.9.0.40
The values for S6000 should be:
SW/S6000-GS-16.9.0.40
FW/ S6000, 16.9.0.40
2 To verify that the hardware encryption module is installed, run the si command. Make sure the following is reported in the Cryptographic Information or Certificate Information section of the output:
The values for GGM 8000 should be:
Cryptographic Information:
Type Fsl SEC - Encryption Card
Certificate Information:
Successfully authenticated (1)
The values for S6000 should be:
Cryptographic Information:
Type HIFN-7855 Encryption Card
The presence of the hardware encryption module is mandatory for compliance with Common Criteria and FIPS. The MNR router's encryption module, together with the software implementation of cryptographic algorithms, forms the cryptographic engine. There is only one cryptographic engine on the MNR router. There are no Administrator-configurable choices related to the configuration of the cryptographic engine associated with the evaluated configuration of the MNR router.
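As an added check for this step (example code, not part of the Motorola guide or of EOS), the following Python script compares captured SHow -SYS VERSion and si console output against the expected values listed above and reports every deviation; the sample captures at the bottom are constructed, and the parsing of si output into sections by lines ending in a colon is an assumption based on the excerpts shown.

```python
"""Compare captured EOS console output with the Common Criteria evaluated
values from section 2.3.2 (SHow -SYS VERSion and si).

Added example, not part of the Motorola guide. The sample captures below are
constructed; the expected strings are the ones printed in the guide."""

# Expected identifiers per platform (values from the guide, section 2.3.2).
EXPECTED = {
    "GGM 8000": {
        "version_lines": ["SW/GGM8000-KS-16.9.0.40", "BM/GGM8000, 16.9.0.40"],
        "crypto_type": "Fsl SEC - Encryption Card",
        "needs_cert_auth": True,   # si must also show "Successfully authenticated"
    },
    "S6000": {
        "version_lines": ["SW/S6000-GS-16.9.0.40", "FW/ S6000, 16.9.0.40"],
        "crypto_type": "HIFN-7855 Encryption Card",
        "needs_cert_auth": False,
    },
}


def detect_model(version_output):
    """Derive the platform from the SW/ identifier in the version output."""
    if "SW/GGM8000" in version_output:
        return "GGM 8000"
    if "SW/S6000" in version_output:
        return "S6000"
    return None


def _sections(si_output):
    """Split si output into {section title: [lines]}; a line ending in ':'
    starts a new section (assumption based on the excerpts in the guide)."""
    sections, current = {}, None
    for raw in si_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_device(version_output, si_output):
    """Return a list of findings; an empty list means both captures match the
    evaluated configuration for the detected model."""
    model = detect_model(version_output)
    if model is None:
        return ["cannot determine model from SHow -SYS VERSion output"]
    exp = EXPECTED[model]
    findings = []

    # Every expected version line must appear verbatim in the capture.
    seen = {l.strip() for l in version_output.splitlines()}
    for want in exp["version_lines"]:
        if want not in seen:
            findings.append(f"{model}: missing or different version line {want!r}")

    # The hardware encryption card must be reported with the expected Type.
    secs = _sections(si_output)
    types = []
    for line in secs.get("Cryptographic Information", []):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "Type":
            types.append(parts[1])
    if exp["crypto_type"] not in types:
        findings.append(f"{model}: hardware encryption module not reported "
                        f"(expected Type {exp['crypto_type']})")

    # The GGM 8000 additionally reports the card's certificate check.
    if exp["needs_cert_auth"]:
        cert = secs.get("Certificate Information", [])
        if not any(l.startswith("Successfully authenticated") for l in cert):
            findings.append(f"{model}: encryption card certificate not reported as authenticated")
    return findings


# Constructed sample captures (not real device output).
GGM_VERSION = "SHow -SYS VERSion\nSW/GGM8000-KS-16.9.0.40\nBM/GGM8000, 16.9.0.40\n"
GGM_SI = ("Cryptographic Information:\n  Type Fsl SEC - Encryption Card\n"
          "Certificate Information:\n  Successfully authenticated (1)\n")
S6000_VERSION_OLD = "SW/S6000-GS-16.8.2.10\nFW/ S6000, 16.8.2.10\n"   # wrong release
S6000_SI_NOCARD = "Cryptographic Information:\n  Type none\n"          # card missing

if __name__ == "__main__":
    print(check_device(GGM_VERSION, GGM_SI))                 # []
    print(check_device(S6000_VERSION_OLD, S6000_SI_NOCARD))  # three findings
```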
2.3.3 Setting Passwords
To change all of the passwords for the built-in user accounts, follow the instructions in the "Changing the ‘root’ and ‘admin’ Passwords" section of your hardware user guide. For the root and admin accounts, the default password is blank.
Password complexity is not enforced by the MNR router by default and must be set in the configuration by running the following command: SETDefault -AC PWComplexity = Enhanced
The CC configuration requires passwords of at least 15 characters.
Procedure:
1 To set password complexity, enter the following command:
SETDefault -AC PWComplexity = Enhanced
2 To enforce passwords of at least 15 characters (CC requirement), enter the following command:
SETDefault -AC PwMinchar = 15
3 To make your password stronger, enter the following commands:
PWLowercase
PWUppercase
PWNumber
PWSpecial
The following combinations of characters are enabled:
• upper and lowercase letters
• numbers
• special characters (which include: !, %, &, *, (, ), +, :, ;, <, >, ?)
A strong password should include a combination of these characters.
For more authentication parameters, see "AC Service Parameters" in EOS Reference Guide.
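To check candidate passwords offline against the policy this section configures (added example, not part of the Motorola guide or of EOS), the script below models PWComplexity = Enhanced, PwMinchar = 15 and the four character-class settings as a policy dictionary and returns every rule a candidate violates; the mapping of those AC parameter names onto the checks is an assumption, while the special character set is the one listed above.

```python
"""Offline check of a candidate password against the CC password policy of
section 2.3.3. Added example, not EOS code: the meaning given here to the AC
parameter names is an assumption; the special character set is from the guide."""
import string

# Special characters listed in the guide.
SPECIAL = set("!%&*()+:;<>?")

# Policy knobs named after the AC parameters in the guide (assumed meaning).
CC_POLICY = {
    "PWComplexity": "Enhanced",   # class rules below only apply when Enhanced
    "PwMinchar": 15,              # minimum length (CC requirement)
    "PWLowercase": True,
    "PWUppercase": True,
    "PWNumber": True,
    "PWSpecial": True,
}

# Character-class tests keyed by the parameter that enables each one.
_CLASSES = {
    "PWLowercase": lambda c: c in string.ascii_lowercase,
    "PWUppercase": lambda c: c in string.ascii_uppercase,
    "PWNumber": lambda c: c in string.digits,
    "PWSpecial": lambda c: c in SPECIAL,
}


def check_password(candidate, policy=CC_POLICY):
    """Return the list of policy rules the candidate violates; an empty list
    means the password would be accepted under that policy."""
    failed = []
    if len(candidate) < policy["PwMinchar"]:
        failed.append(f"PwMinchar: shorter than {policy['PwMinchar']} characters")
    # Assumption: the per-class requirements are part of Enhanced complexity.
    if policy["PWComplexity"] != "Enhanced":
        return failed
    for name, in_class in _CLASSES.items():
        if policy.get(name) and not any(in_class(c) for c in candidate):
            failed.append(f"{name}: no character of this class")
    return failed


if __name__ == "__main__":
    for pw in ("Correct%Horse:Battery7", "Short1!", "alllowercaseletters"):
        print(pw, "->", check_password(pw) or "accepted")
```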
2.3.4 General Configuration
To configure the IP Address of the Ethernet (LAN) port(s), follow the instructions in the "Configuring the <device model> to Perform IP Routing Functions" section of your hardware user guide.
You may set other general system information by following the instructions in the "Setting System Information" section of your hardware user guide.
2.3.5 Configuring the Access Banner
Procedure:
To configure the access banner of your device, run the following command:
SETDefault -SYS BannerString = "<string>"
2.3.6 Software Trusted Update
To obtain a software update, contact the Motorola System Support Center (SSC) at 800-221-7144 or 800-323-9949. From the call menu, choose Technical Support of Infrastructure Products → technical support of Voice networks → Astro 25 Systems.
Software digital signature checking is enabled by default and is performed after the software has been transferred to the router. If verification fails, the software is removed from the router's file system. If verification is successful, the software is installed and can be activated.
To safely upgrade EOS software, see the "Best Practice Recommendations for Upgrading EOS Software" appendix in the EOS User Guide.
NOTICE: For FIPS and Common Criteria compliance, the administrator is not allowed to change the firmware signing algorithm to SHA1withRSA1024.
For more information about methods of transferring files to the TOE (copy, get, put commands), see the "Commands" chapter in your EOS Reference Guide.
For more information about SCP file transfers, see the "Secure Shell (SSH) Support" chapter of the EOS User Guide.
2.3.7
Configuring Trusted Channel
Set up an IPsec channel to provide trusted communication between the MNR routers and the authorized IT entities that host the audit (syslog) server, the authentication (RADIUS) server and the time (NTP) server.
Procedure:
1 To configure the router, see the "Configuring a Dynamic-Key Security Policy for IPv4" section of your EOS User Guide.
2 To enable successful trusted channel establishment, configure the IPsec peer with the same parameters (IKE profile, transform list, and pre-shared key or certificates) as the router.
3 Verify that the router checks the relationship between the Phase 1 and Phase 2 encryption algorithm strengths by running the following command:
SHow -CRYPTO IKEConstraints
NOTICE: IKEConstraints should be set to EncAlgStrength. If it is not, run the following command:
SETDefault -CRYPTO IKEConstraints = EncAlgStrength
4 To establish the IPsec tunnel, initiate traffic between the MNR router and the peer that the SPD (Security Policy Database) defines as Encrypted.
5 Verify that the trusted channel is established by running the following command:
SHow -CRYPTO IKESecAssoc
The command returns the status of the Phase 1 and Phase 2 security associations. The presence of a security association for both Phase 1 and Phase 2 indicates that the trusted channel is established.
For information about other cryptographic parameters, see the "CRYPTO Service Parameters" chapter in the EOS Reference Guide.
If the trusted channel is dropped, the tunnel is re-established automatically when the next outgoing packet that the SPD defines as encrypted is sent.
2.3.8
Security Policy Database Configuration
The SelectorLIst command is used to construct lists of IP flows that will be protected by dynamic security policies. The Action parameter defines whether the traffic is encrypted or not.
IP flows that must be sent encrypted have the action set to Include. This corresponds to an SPD entry of PROTECT.
IP packets that may be sent unencrypted have the action set to Exclude. This corresponds to an SPD entry of BYPASS.
To implement an SPD entry of DISCARD (dropping the packets), use the router firewall rule sets. For a detailed description, see the "Configuring Internet Firewalls" section of the EOS Reference Guide.
For more information on how to use other cryptographic and firewall parameters, see the "CRYPTO Service Parameters" and "FireWall Service Parameters" chapters of the EOS Reference Guide.
2.3.9
Configuring NTP Server
Set your system time by following the instructions in the "Setting the Time and Date" section of your hardware user guide.
Procedure:
To configure your device to synchronize time with an NTP server, run the following commands:
SETDefault -NTP CONTrol = Enable
SETDefault -NTP PrimarySrvr = <IP address>
To change other NTP service parameters or configure a backup NTP server, see the "NTP Service Parameters" section of the EOS Reference Guide.
2.3.10
Configuring AuditLog
Prerequisites: The AuditLog service uses the BSD syslog protocol specified in RFC 3164. To use AuditLog, configure a host running a compatible syslog server to listen on UDP port 514. Because the trusted channel to the audit server is IPsec (see Configuring Trusted Channel above), the host running the syslog server must be capable of terminating the IPsec tunnel.
Procedure:
1 To configure your device to send logs to your syslog server, run the following commands:
SETDefault -AuditLog CONTrol = (COnfig, MEssages, Security)
SETDefault -AuditLog LogServerAddr = <IP address>
SETDefault -AuditLog DefAction = Include
2 To configure your device audit logs for IPsec, run the following commands:
SETDefault -CRYPTO LogLevel = 5
SETDefault -CRYPTO LogDest = Syslog
3 To disable and verify syslog throttling mechanism, run the following commands:
SETDefault -AuditLog SysLogThrottle = Disable
SHow -AuditLog SysLogThrottle
Postrequisites: By default all audit events are sent simultaneously to the syslog server and to the local buffer.
No additional configuration is required for protected audit trail storage.
NOTICE: By default the MNR router overwrites the oldest audit records when the local storage space for audit data is full. This behavior cannot be changed.
Firewall logs are not stored in the local audit log buffer.
For more information about changing other syslog parameters or adding an additional syslog server, see the EOS Reference Guide.
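The procedure above only tells the router where to send its audit records; the collecting side still has to understand what arrives on UDP/514. The following is an added example, not part of this guide and not EOS code: a minimal RFC 3164 receiver that splits a datagram into PRI (facility and severity), TIMESTAMP, HOSTNAME, TAG and content, and flags records at warning severity or worse. The two sample datagrams are constructed for illustration; this page states only that AuditLog speaks RFC 3164 on UDP port 514, not the exact wording of the messages EOS emits, so the "AuditLog:" tag and message texts are assumptions.

```python
"""Minimal RFC 3164 (BSD syslog) parser for router AuditLog datagrams.

Added example, not part of the Common Criteria guide and not EOS code.
SAMPLE_DATAGRAMS are constructed; the AuditLog: tag and message texts are
assumptions, only the protocol (RFC 3164 over UDP/514) comes from the guide.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 3164 section 4.1.1: facility = PRI // 8, severity = PRI % 8.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG, with TIMESTAMP as "Mmm dd hh:mm:ss" (day space-padded).
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$")
# TAG: up to 32 alphanumerics, optional [pid], terminated by ':' (RFC 3164 section 4.1.3).
_TAG = re.compile(r"([A-Za-z0-9_]{1,32})(?:\[\d+\])?:\s?")

SAMPLE_DATAGRAMS = [  # constructed sample input
    b"<134>Oct  5 14:07:02 mnr-gw1 AuditLog: Security: user root login via SSH from 10.1.2.3",
    b"<11>Oct  5 14:07:09 mnr-gw1 AuditLog: software image digital signature verification failed; image deleted",
]


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    severity_code: int
    timestamp: str
    host: str
    tag: Optional[str]
    content: str


def parse_rfc3164(datagram: bytes) -> SyslogEvent:
    """Parse one UDP payload; raise ValueError if it is not RFC 3164 shaped."""
    text = datagram.decode("ascii", errors="replace").rstrip("\r\n")
    m = _RFC3164.match(text)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {text!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    msg = m["msg"]
    tag_m = _TAG.match(msg)
    tag = tag_m.group(1) if tag_m else None
    content = msg[tag_m.end():] if tag_m else msg
    return SyslogEvent(FACILITIES[facility], SEVERITIES[severity], severity,
                       m["ts"], m["host"], tag, content)


def is_alert(ev: SyslogEvent) -> bool:
    """True for warning (4) or more urgent: emerg, alert, crit, err."""
    return ev.severity_code <= 4


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Listen on UDP/514 (the port the guide requires) and print parsed events."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(2048)
            try:
                ev = parse_rfc3164(data)
            except ValueError as exc:
                print(f"{src}: {exc}")
                continue
            flag = "!" if is_alert(ev) else " "
            print(f"{flag} {ev.timestamp} {ev.host} {ev.facility}.{ev.severity} {ev.tag}: {ev.content}")


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        ev = parse_rfc3164(d)
        print(("!" if is_alert(ev) else " "), ev.facility, ev.severity, ev.tag, ev.content)
```

Binding port 514 needs root (or CAP_NET_BIND_SERVICE) on most hosts; for a quick test, call serve(port=5514) and point LogServerAddr at a forwarder. Since the syslog host terminates the IPsec tunnel, the source address seen by the receiver is the router's address inside the tunnel.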
2.3.11
Configuring RADIUS
If your environment uses a RADIUS server for authentication, you can configure your device to use it.
When and where to use: If your organization requires authentication failure counters and account lockouts for remote accounts, you must configure these settings on your RADIUS server.
Procedure:
1 Run the following commands:
SETDefault -AC PrimAUthSrvr = <IP address>
SETDefault -AC PrimACcntSrvr = <IP address>
2 To set the RADIUS UDP ports, the authentication resolution order, and the secret text string used to authenticate communication between your device and the RADIUS server, run the following commands:
SETDefault -AC ACcntUdpport = 1813
SETDefault -AC AUthUdpport = 1812
SETDefault -AC RESolutionOrder = Radius Local
SETDefault -RAS SecurityType = radius
SETDefault -RAS Secret = <"string">
For more information about changing other RADIUS parameters or adding a backup RADIUS server, see "AC Service Parameters" and "RAS Service Parameters" chapters in EOS Reference Guide.
2.3.12
Enabling FIPS mode
Use this procedure to enter FIPS mode. For details on individual commands, see the EOS User Guide and EOS Reference Guide.
Procedure:
1 To check if FIPS mode is enabled, run the following command: SHow -SYS FIPS
• If FIPS = ON, continue with the procedure.
• If FIPS = OFF, run the following command: SETDefault -SYS FIPS = ON
2 To configure the parameters for the IKE negotiations, run the following command: ADD -CRypto IKEProfile
For FIPS mode, only the following values are allowed:
• Diffie-Hellman Group (Group14, Group19 or Group20; these provide at least 112-bit key strength)
• Encryption Algorithm (AES)
• Hash Algorithm (SHA, SHA-256 or SHA-384)
• Authentication Method (PreSharedKey, RSA-Signature, ECDSA-256 or ECDSA-384)
3 If PreSharedKey is used as Authentication Method, establish the pre-shared key (PSK) to beused for the IKE protocol using the following command:
ADD -CRYPTO FipsPreSharedKey <peer_ID> <pre-shared_key> <pre-shared_key>
For FIPS mode, the minimum key length is 14 bytes (112 bits). The key is entered twice for verification.
4 Only if RSA-Signature, ECDSA-256 or ECDSA-384 is used as Authentication Method:
a To unlock PKI database, use the following command:
SETD -PKI CONTrol = Unlocked
b To generate key pair, use the following command:
ADD -PKI KeyPair [<profile>] [<RSA|ECDSA>] <256|384|2048>
c To set identity of the device, run at least one of the following commands:
• SETD -PKI DNSName = <dns-name>
• SETD -PKI IPADDress = <ip-address>
• SETD -PKI EmailADDress = <email-address>
• SETD -PKI SubjectName = <subject-name>
NOTICE: For the SubjectName format, see "Sample Configuration of X509" in the EOS User Guide.
d To generate CSR, run the following command:
ADD -PKI CertReq <certreq-profile>
e To generate certificate from CSR, use external CA.
f To install chain of certificates, run the following command:
ADD -PKI CERTificate <profile> <Self|TrustedCA|UnTrusted> InputFile <local-file-name>
g To lock PKI database, run the following command:
SETD -PKI CONTrol = Locked
5 If IPsec is used, configure IPsec transform lists by running the following command:
ADD -CRYPTO TransformLIst
NOTICE: For FIPS mode, only the following values are allowed: Encryption Transform (ESP-AES) and Authentication Transform (ESP-SHA).
6 If FRF.17 is used, configure FRF.17 transform lists by running the following command:
ADD -CRYPTO TransformLIst
NOTICE: For FIPS mode, only the following values are allowed: Encryption Transform (FRF-AES) and Authentication Transform (FRF-SHA).
7 For each port for which encryption is required, bind a dynamic policy to the ports by running thefollowing command:
ADD [!<portlist>] -CRYPTO DynamicPOLicy <policy_name> <priority> <mode> <selctrlist_name> <xfrmlist_name> [<pfs>] [<lifetime>] [<preconnect>]
To be in FIPS mode, the selector list and transform list names must be defined as in previoussteps.
8 To enable PIM authentication, configure Manual Key set by running the following command:
ADD -CRYPTO ManKeySet
For FIPS mode, minimum authentication key length is 14 bytes.
9 For each port for which encryption is required, enable encryption on that port by running thefollowing command:
SETDefault [!<portlist>] –CRYPTO CONTrol = Enabled
10 DSA keys must not be used in FIPS mode.
11 Verify that the firmware signing algorithm is set to SHA2withRSA2048 by running the following command: SHow -SYS SwSignatureAlgorithm
If it is not, change the signing algorithm by running the following command: SetDefault -SYS SwSignAlgorithm = SHA2withRSA2048
NOTICE: For FIPS and Common Criteria compliance, the administrator is not allowed to change the firmware signing algorithm to SHA1withRSA1024.
2.3.13
Configuring Trusted Path and SSH Server
Procedure:
1 To generate a SSH public key, run the following command: GenSshKey
NOTICE: DSA and RSA 1024 bits keys are not allowed by Common Criteria.
2 To configure allowed encryption algorithms for SSH, run the following command:
SETDefault -CRYPTO SshEncryptAlgs = (noAES128-CTR, noAES192-CTR, noAES256-CTR, AES128-CBC, noAES192-CBC, AES256-CBC)
3 To enable SSH for administrator access, run the following command:
SETDefault -SYS NetAccess = Ssh
4 For public key authentication, import the client's SSH public key to the MNR router using the following command:
ADD -CRypto PubliKey <user_name>@IPAddr rsa "key" "MD5-fingerprint"
5 Verify that the root user can log on to the device using SSH.
Postrequisites: The router supports only hmac-sha1 as the SSH data integrity algorithm and diffie-hellman-group14-sha1 as the key exchange method, so no additional configuration steps are needed for these.
2.3.14
Disabling Services
Use this procedure to complete your Common Criteria configuration.
Prerequisites: Verify that you can connect to your device using SSH.
Procedure:
1 Run the following command:
SETDefault -SYS NetAccess = (NoRemote, Console, NoTelnet, NoWebLink, Ssh)
SETDefault -SNMP CONTrol = NoManage
NOTICE: These commands disable SNMP, Remote, Telnet and HTTP access, leaving only SSH and the console.
Congratulations, your device is in the Common Criteria evaluated configuration.
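Sections 2.3.6 through 2.3.14 set a dozen parameters across several services, and a single one left at its default takes the device out of the evaluated configuration. The following is an added example, not part of this guide and not EOS code: a checker that reads a captured dump of the relevant settings and reports every value that differs from what the procedure sets. The "<Service> <Parameter> = <Value>" line format of SAMPLE_SHOW_OUTPUT is a constructed stand-in for what the SHow commands print; this page only shows the "FIPS = ON" form, so the exact layout is an assumption, as are the un-prefixed NetAccess tokens (Remote, Telnet, WebLink) inferred from their No-prefixed counterparts.

```python
"""Audit a settings dump against the Common Criteria evaluated configuration
assembled in sections 2.3.6 to 2.3.14.

Added example, not part of the Common Criteria guide and not EOS code. The
line format of SAMPLE_SHOW_OUTPUT is constructed (assumed SHow layout); the
expected values are the ones the procedure sets.
"""
from __future__ import annotations
import re

SAMPLE_SHOW_OUTPUT = """\
SYS FIPS = ON
SYS NetAccess = (NoRemote, Console, NoTelnet, NoWebLink, Ssh)
SYS SwSignAlgorithm = SHA2withRSA2048
SNMP CONTrol = NoManage
CRYPTO IKEConstraints = EncAlgStrength
CRYPTO SshEncryptAlgs = (noAES128-CTR, noAES192-CTR, noAES256-CTR, AES128-CBC, noAES192-CBC, AES256-CBC)
AuditLog SysLogThrottle = Disable
AuditLog CONTrol = (COnfig, MEssages, Security)
NTP CONTrol = Enable
"""

_LINE = re.compile(r"^(?P<svc>\w+)\s+(?P<param>\w+)\s*=\s*(?P<val>.+?)\s*$")


def parse_show_output(text: str) -> dict:
    """Map (service, parameter) -> string, or frozenset for "(a, b, c)" lists.
    Keys are lower-cased so the mixed-case abbreviations (CONTrol) still match."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        val = m["val"]
        if val.startswith("(") and val.endswith(")"):
            parsed = frozenset(v.strip() for v in val[1:-1].split(",") if v.strip())
        else:
            parsed = val
        settings[(m["svc"].lower(), m["param"].lower())] = parsed
    return settings


def _enabled_ciphers(algs: frozenset) -> set:
    """SshEncryptAlgs lists every cipher; disabled ones carry a 'no' prefix (2.3.13)."""
    return {a for a in algs if not a.startswith("no")}


def audit_config(text: str) -> list:
    """Return one finding per deviation from the evaluated configuration; [] if compliant."""
    s = parse_show_output(text)
    findings: list = []

    def want(svc: str, param: str, expected: str) -> None:
        key = (svc.lower(), param.lower())
        if key not in s:
            findings.append(f"{svc} {param}: not present in output")
        elif s[key] != expected:
            findings.append(f"{svc} {param}: got {s[key]!r}, expected {expected!r}")

    def want_list(svc: str, param: str, required: set, forbidden: set) -> None:
        val = s.get((svc.lower(), param.lower()))
        if not isinstance(val, frozenset):
            findings.append(f"{svc} {param}: missing or not a list")
            return
        for item in sorted(required - val):
            findings.append(f"{svc} {param}: missing {item}")
        for item in sorted(forbidden & val):
            findings.append(f"{svc} {param}: must not include {item}")

    want("SYS", "FIPS", "ON")                               # 2.3.12 step 1
    want("SYS", "SwSignAlgorithm", "SHA2withRSA2048")       # 2.3.12 step 11
    want("SNMP", "CONTrol", "NoManage")                     # 2.3.14
    want("CRYPTO", "IKEConstraints", "EncAlgStrength")      # 2.3.7 step 3
    want("AuditLog", "SysLogThrottle", "Disable")           # 2.3.10 step 3
    want("NTP", "CONTrol", "Enable")                        # 2.3.9
    # Positive tokens Remote/Telnet/WebLink are inferred from the No- forms (assumption).
    want_list("SYS", "NetAccess", {"NoRemote", "NoTelnet", "NoWebLink", "Ssh"},
              {"Remote", "Telnet", "WebLink", "NoSsh"})
    want_list("AuditLog", "CONTrol", {"COnfig", "MEssages", "Security"}, set())
    ssh = s.get(("crypto", "sshencryptalgs"))
    if isinstance(ssh, frozenset):
        for c in sorted(_enabled_ciphers(ssh) - {"AES128-CBC", "AES256-CBC"}):
            findings.append(f"CRYPTO SshEncryptAlgs: {c} enabled but not in the evaluated set")
    else:
        findings.append("CRYPTO SshEncryptAlgs: missing or not a list")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_SHOW_OUTPUT) or ["compliant"]:
        print(f)
```

Run it against a fresh capture after every software update or configuration change; a missing parameter is reported as a finding rather than silently passed, so an incomplete capture cannot look compliant.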
Chapter 3
Common Criteria Security Functions
This chapter includes the following sections:
• Common Criteria Security Features on page 31
• Excluded Security Features on page 35
3.1
Common Criteria Security Features
This section describes the use of the Common Criteria evaluated security features.
3.1.1
Local User Management
Prerequisites: For instructions on managing local user accounts, see the "AddUser", "DELeteUser", "UserManage", "EXPire", "PassWord", "PwMinchar", and "NetAccessTimer" sections of the EOS Reference Guide.
Procedure:
1 To change the password minimum length (from the default 7), run the following command:
SETDefault -AC PWMinchar = <length>
<length>: 7 - 128
NOTICE: The PWMinchar parameter takes effect only when the AC service PWComplexity parameter is set to Enhanced.
2 To change the number of failed authentication attempts allowed before a user account is locked(from the default 3), run the following command:
SETDefault -AC TotalPsTrial = <Attempts>
<Attempts>: 1 - 6
3 To change the period of time for which an account is locked when the authentication failure threshold is met (from the default 2 minutes), run the following command:
SETDefault -AC LockOutTimer = <Lockout>
<Lockout>: 2 - 1440, time in minutes
NOTICE: The number of allowed failed authentication attempts and the lockout timer apply only to locally authenticated accounts. For RADIUS-authenticated accounts, configure the equivalent limits on the RADIUS server.
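To see how PWMinchar, the character classes from section 2.3.3, TotalPsTrial and LockOutTimer interact, here is an added example, not part of this guide and not EOS code: a small model that validates a candidate password against the policy and walks an account through failed logins, lockout and automatic unlock. The ranges and defaults are the ones the text gives and the special-character set is the one listed in 2.3.3. Three behaviours the page does not state are assumptions of this model: all four character classes are required when PWComplexity is Enhanced (the page shows the PWUppercase, PWNumber and PWSpecial switches but not their defaults), the failure counter resets on a successful login, and a locked account unlocks by itself once LockOutTimer minutes have passed.

```python
"""Model of the local-account password and lockout policy (sections 2.3.3 and 3.1.1).

Added example, not part of the Common Criteria guide and not EOS code. Assumed
behaviours: all four character classes required; failure counter resets on
success; lockout expires automatically after LockOutTimer minutes.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

SPECIALS = set("!%&*()+:;<>?")  # the enabled special characters listed in 2.3.3


@dataclass
class AcPolicy:
    pw_minchar: int = 7          # PWMinchar, 7-128 (default 7)
    total_ps_trial: int = 3      # TotalPsTrial, 1-6 (default 3)
    lockout_timer_min: int = 2   # LockOutTimer in minutes, 2-1440 (default 2)

    def __post_init__(self) -> None:
        if not 7 <= self.pw_minchar <= 128:
            raise ValueError("PWMinchar must be 7-128")
        if not 1 <= self.total_ps_trial <= 6:
            raise ValueError("TotalPsTrial must be 1-6")
        if not 2 <= self.lockout_timer_min <= 1440:
            raise ValueError("LockOutTimer must be 2-1440 minutes")

    def password_problems(self, pw: str) -> list:
        """Return the reasons a password fails the Enhanced complexity policy; [] if it passes."""
        problems = []
        if len(pw) < self.pw_minchar:
            problems.append(f"shorter than PWMinchar={self.pw_minchar}")
        classes = {
            "uppercase": any(c.isupper() for c in pw),
            "lowercase": any(c.islower() for c in pw),
            "digit": any(c.isdigit() for c in pw),
            "special": any(c in SPECIALS for c in pw),
        }
        for name, present in classes.items():
            if not present:
                problems.append(f"no {name} character")   # assumption: every class required
        outside = {c for c in pw if not ((c.isascii() and c.isalnum()) or c in SPECIALS)}
        if outside:
            problems.append("characters outside the enabled set: " + "".join(sorted(outside)))
        return problems


@dataclass
class LocalAccount:
    name: str
    failures: int = 0
    locked_until_min: Optional[float] = None   # minutes on the caller's clock

    def attempt(self, policy: AcPolicy, success: bool, now_min: float) -> str:
        """Record one authentication attempt; returns 'ok', 'failed' or 'locked'."""
        if self.locked_until_min is not None:
            if now_min < self.locked_until_min:
                return "locked"            # inside LockOutTimer: even a correct password is refused
            self.locked_until_min = None   # assumption: automatic unlock when the timer expires
            self.failures = 0
        if success:
            self.failures = 0              # assumption: counter resets on success
            return "ok"
        self.failures += 1
        if self.failures >= policy.total_ps_trial:
            self.locked_until_min = now_min + policy.lockout_timer_min
            return "locked"
        return "failed"


if __name__ == "__main__":
    policy = AcPolicy()
    print(policy.password_problems("password"))
    acct = LocalAccount("admin")
    for t, ok in [(0.0, False), (0.5, False), (1.0, False), (1.5, True), (3.5, True)]:
        print(t, acct.attempt(policy, ok, t))
```

The 1.5-minute step in the usage run shows the property worth testing on the real device: during the lockout window the correct password is rejected too, so an attacker who guesses the password while the account is locked learns nothing from the response.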
3.1.2
Cryptographic Keys Operations
Procedure:
For information about cryptographic keys operations, see the following sections of EOSReference Guide :
• "KEKGenerate"
• "KEKZeroize"
• "ZEROize"
• "GenSshKey"
• "ShowSshKey"
• "CRYPTO PublicKey"
• "CRYPTO ManKeySet"
• "CRYPTO FipsPreShrdKey"
• "PKI KeyPair"
3.1.3
Synchronizing NTP Time
Procedure:
1 For information about changing other NTP service parameters or configuring a backup NTP server, see the "NTP Service Parameters" section in the EOS Reference Guide.
NOTICE: The Common Criteria evaluated configuration requires the default NTP server to be configured and a trusted channel (IPsec) established to that server.
3.1.4
RADIUS Authentication
Configure your RADIUS server to lock accounts after a number of failed authentication attempts, if you need this feature for remotely authenticated accounts.
Procedure:
To change other RADIUS parameters or add a backup RADIUS server, see the "Configuring Remote Access Services (RAS)" chapter in the EOS User Guide and "RAS Service Parameters" in the EOS Reference Guide.
3.1.5
Audit Logs
For instructions on how to review the local audit log, see the "Logging Configuration Changes via the AuditLog Service" section of the EOS User Guide.
To change other syslog parameters or add an additional syslog server, see "AuditLog Service Parameters" chapter in EOS Reference Guide.
NOTICE: The Common Criteria evaluated configuration requires the default syslog server to be configured and a trusted channel (IPsec) established to that server. No additional configuration is required for protected audit trail storage.
3.1.6
IKEv1
For instructions on configuring IKE, see "IKEProfile" section of the EOS Reference Guide.
The following parameters supersede the parameters in the EOS Reference Guide for the ADD -CRYPTO IKEProfile command:
ADD -CRYPTO IKEProfile <priority> IKEv1 [<auth_method>] [<encrypt_alg>] [<hash_alg>] <dh_group> [<lifetime>]
<priority>: 1-9999, 1 = highest
<auth_method>: PreSharedKey RSA-Signature ECDSA-256 ECDSA-384
<encrypt_alg>: AES[/<128 | 192 | 256>] | 3DES
<hash_alg>: SHA SHA-256 SHA-384
<dh_group>: Group2 | Group5 | Group14 | Group19 | Group20
<lifetime>: 5-1440 min | 1-504 hr | 1-21 dy
For Common Criteria configurations, only the following values for Diffie-Hellman group, encryption algorithm, and hash algorithm are allowed:
<dh_group>: Group14 | Group19 | Group20
<encrypt_alg>: AES [/<128|256>]
<hash_alg>: SHA SHA-256 SHA-384
Diffie-Hellman Group20 must not be used together with hash algorithm SHA.
When Group19 or Group20 is selected, an elliptic curve-based key establishment scheme that meets NIST Special Publication 800-56A is used.
Establish the pre-shared key (PSK) to be used for the IKE protocol using:
ADD -CRYPTO FipsPreShrdKey <peer_ID> <pre-shared_key> <pre-shared_key>
<peer_ID>: <ipaddr/mask> | <ip_range>
<pre-shared_key> : "<ascii-text>" | %<hex-string>
NOTICE: The <pre-shared_key> must be at least 112 bits (14 bytes) in length. The pre-shared key must be entered twice for verification.
Authentication with X509 certificates is described below in Authentication for IPsec Using X.509Certificates on page 34.
3.1.7
Configuring IPsec
For instructions on configuring selector lists for IPsec, see the "SelectorLIst" section of the EOS Reference Guide.
Procedure:
1 To configure IPsec transform lists, run the following command:
ADD -CRYPTO TransformLIst <xfrmlist_name> <priority> <enc_transform> ESP-SHA
<xfrmlist_name>: (1-15 chars)
<priority>: 1-9999, 1 = highest
<enc_transform>: ESP-3DES | ESP-AES[/<128 | 192 | 256>]
2 To configure the lifetime for the Phase 2 SA, run the following command:
SETDefault GlobalLifeTime = ([5-1440 min | 1-504 hr | 1-21 dy] | [1000-4000000 kb])
For Common Criteria configurations, only the following values are allowed: EncryptionTransform (ESP-AES [/<128|256>]) and Authentication Transform (ESP-SHA).
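The allowed-value lists in 3.1.6 and 3.1.7, the Group20/SHA exclusion, the 112-bit PSK minimum and the IKEConstraints = EncAlgStrength check from step 3 of 2.3.7 are easy to get wrong by hand when a peer's proposal is being matched to the router's. The following is an added example, not part of this guide and not EOS code: a validator that takes a proposed IKEv1 profile and IPsec transform list in the syntax shown above and lists every deviation from the Common Criteria constraints. The meaning given to EncAlgStrength, that the Phase 1 (IKE SA) cipher must be at least as strong as the Phase 2 (IPsec SA) cipher it protects, follows the NDcPP IPsec requirement and is an assumption here; this page says only that the relationship between the two is checked. Treating a bare "AES" as AES/128 is also an assumption, since the page gives no default size.

```python
"""Validate IKEv1 profile and IPsec transform choices against the Common
Criteria constraints in sections 3.1.6 and 3.1.7.

Added example, not part of the Common Criteria guide and not EOS code.
Assumptions: EncAlgStrength means Phase 1 cipher strength >= Phase 2 cipher
strength (NDcPP reading); a bare "AES" token is treated as AES/128.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

CC_DH_GROUPS = {"Group14", "Group19", "Group20"}
CC_AES_BITS = {128, 256}
CC_HASHES = {"SHA", "SHA-256", "SHA-384"}
CC_AUTH = {"PreSharedKey", "RSA-Signature", "ECDSA-256", "ECDSA-384"}
MIN_PSK_BITS = 112  # 14 bytes, sections 2.3.12 and 3.1.6


@dataclass(frozen=True)
class IkeProfile:
    priority: int          # 1-9999, 1 = highest
    auth_method: str
    encrypt_alg: str       # "AES/128", "AES/256", "3DES", ...
    hash_alg: str
    dh_group: str


@dataclass(frozen=True)
class TransformList:
    name: str              # 1-15 characters
    priority: int          # 1-9999
    enc_transform: str     # "ESP-AES/128", "ESP-AES/256", "ESP-3DES", ...
    auth_transform: str    # "ESP-SHA"


def cipher_strength_bits(alg: str) -> int:
    """Symmetric strength of an IKE or ESP cipher token; 0 for unknown tokens."""
    alg = alg[4:] if alg.startswith("ESP-") else alg
    if alg.startswith("AES"):
        return int(alg.split("/")[1]) if "/" in alg else 128   # assumption: bare AES = AES/128
    if alg == "3DES":
        return 112   # three-key TDEA security strength per NIST SP 800-57
    return 0


def check_ike_profile(p: IkeProfile) -> list:
    issues = []
    if not 1 <= p.priority <= 9999:
        issues.append("IKE priority out of range 1-9999")
    if p.auth_method not in CC_AUTH:
        issues.append(f"authentication method {p.auth_method} not permitted")
    if not p.encrypt_alg.startswith("AES") or cipher_strength_bits(p.encrypt_alg) not in CC_AES_BITS:
        issues.append(f"IKE encryption {p.encrypt_alg} not permitted (AES/128 or AES/256 only)")
    if p.hash_alg not in CC_HASHES:
        issues.append(f"hash {p.hash_alg} not permitted (SHA, SHA-256 or SHA-384)")
    if p.dh_group not in CC_DH_GROUPS:
        issues.append(f"DH {p.dh_group} not permitted (Group14, Group19 or Group20)")
    if p.dh_group == "Group20" and p.hash_alg == "SHA":
        issues.append("Group20 must not be combined with hash SHA")
    return issues


def check_transform(t: TransformList) -> list:
    issues = []
    if not 1 <= len(t.name) <= 15:
        issues.append("transform list name must be 1-15 characters")
    if not 1 <= t.priority <= 9999:
        issues.append("transform priority out of range 1-9999")
    if not t.enc_transform.startswith("ESP-AES") or cipher_strength_bits(t.enc_transform) not in CC_AES_BITS:
        issues.append(f"encryption transform {t.enc_transform} not permitted (ESP-AES/128 or /256 only)")
    if t.auth_transform != "ESP-SHA":
        issues.append(f"authentication transform {t.auth_transform} not permitted (ESP-SHA only)")
    return issues


def check_strength_relationship(p: IkeProfile, t: TransformList) -> list:
    """Assumed EncAlgStrength rule: the Phase 2 cipher may not exceed the Phase 1 cipher."""
    p1, p2 = cipher_strength_bits(p.encrypt_alg), cipher_strength_bits(t.enc_transform)
    if p1 < p2:
        return [f"Phase 1 {p.encrypt_alg} ({p1}-bit) is weaker than Phase 2 {t.enc_transform} ({p2}-bit)"]
    return []


def check_psk(psk: str) -> list:
    """PSK is given as "<ascii-text>" or %<hex-string>; it must carry at least 112 bits."""
    if psk.startswith("%"):
        try:
            bits = len(bytes.fromhex(psk[1:])) * 8
        except ValueError:
            return ["hex PSK is not valid hexadecimal"]
    else:
        bits = len(psk.encode("ascii", "ignore")) * 8
    return [] if bits >= MIN_PSK_BITS else [f"PSK is {bits} bits; minimum is {MIN_PSK_BITS}"]


def validate(p: IkeProfile, t: TransformList, psk: Optional[str] = None) -> list:
    issues = check_ike_profile(p) + check_transform(t) + check_strength_relationship(p, t)
    if p.auth_method == "PreSharedKey":
        issues += check_psk(psk or "")
    return issues


if __name__ == "__main__":
    prof = IkeProfile(10, "PreSharedKey", "AES/128", "SHA", "Group20")
    xfrm = TransformList("cc_xfrm", 10, "ESP-AES/256", "ESP-SHA")
    for issue in validate(prof, xfrm, "%0011223344") or ["compliant"]:
        print(issue)
```

The usage run deliberately fails three ways at once: Group20 with SHA, a Phase 2 cipher stronger than Phase 1, and a 40-bit hex PSK. Run the same validator over the peer's proposal before step 2 of 2.3.7, since both ends must agree on the same parameters for the trusted channel to come up.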
3.1.8
Generating X509 Certificate Requests
For instructions on generating X509 certificate requests, see the "Configuring X509 Certificates for the Router" section of the EOS User Guide.
Procedure:
To generate a certificate request, use the following command: ADD -PKI CertReq <certreq-profile>
3.1.9
Authentication for IPsec Using X.509 Certificates
For instructions on configuring and using X509 certificate authentication for IPsec, see the "Configuring Security Features" chapter of the EOS User Guide.
For instructions on configuring expected peer id for the connection, see "CRYPTO PermitCertPeer"command description in EOS Reference Guide.
NOTICE:According to RFC4945: "The CA SHOULD NOT include the ExtendedKeyUsage (EKU)extension in certificates for use with IKE (...) If a critical EKU extension appears in a certificateand EKU is not supported by the implementation, the certificate will be rejected."
3.1.10
Firewall
For instructions on configuring firewalls, see "Configuring Internet Firewalls" of the EOS User Guide. Inthe "Defining Your Firewall Stance" section, assume the Deny stance to remain in the CommonCriteria evaluated configuration.
The following template can be used to create a basic Firewall Filter:
ADD -FireWall filter <filter name>(
permit from <IP Address/subnet> to <IP Address/Subnet>
permit from <IP Address/subnet> to <IP Address/Subnet> ICMP
)
Apply Filter and Configure Firewall Settings for LAN Ports :
SETDefault !1 -FireWall InFilter = <filter name>
SETDefault !1 -FireWall OutFilter = <filter name>
SETDefault !1 -FireWall DefActionIn = (Deny, Log)
SETDefault !1 -FireWall DefActionOut = (Deny, Log)
SETDefault !1 -FireWall CONTrol = filter
3.1.11
Cryptographic Self-Tests
The MNR router cryptographic self-tests consist of tests run during power-on and conditional tests. All tests are consistent with FIPS 140-2 requirements.
Power-on tests:
• Firmware Integrity: 16-bit CRC performed over all code in Flash memory (a CRC detects accidental corruption only; the authenticity of an image is established by the digital signature check described below)
• AES - Hardware implementation KATs: Encryption, Decryption; Modes: CBC; Key sizes: 128 bits
• AES - Firmware implementation KATs: Encryption, Decryption; Modes: CBC; Key sizes: 128, 256 bits
• DRBG (KATs: Hash DRBG)
• HMAC - Hardware implementation (KATs: Generation, verification, SHA-1)
• HMAC - Firmware implementation (KATs: Generation, verification, SHA-1, SHA-256, SHA-384)
• RSA KATs: Signature Generation, Signature Verification, Key:2048 bits
• ECDSA KATs: Signature Generation, Signature Verification, NIST curves: P-256, P-384
• SHA KAT: SHA-1, SHA-256, SHA-384
Conditional tests:
• NDRNG Continuous Test
• DRBG Continuous Test
• RSA 2048 signature verification
• Pair-wise consistency test
• All DRBG health checks defined in NIST SP 800-90A, section 11.3
• Bypass Test
If any of the tests fail, the MNR router reports the error state by LEDs, reboots, and restarts all the tests. All error states and corrective actions are described in one of the following:
• GGM8000 Hardware User Guide, "Troubleshooting" Appendix, "System LEDs" section.
• S6000 Hardware User Guide, "Troubleshooting" Appendix, "Error LED Meanings" section.
The software digital signature verification runs automatically whenever a software image is copied to the MNR router's file system. If the digital signature verification fails, the software image is deleted and a syslog message is generated.
To fix this problem, obtain a new software image and load it to the MNR router. See Software Trusted Update on page 25.
Software integrity is also confirmed during the system boot process: for the S6000 through checksum verification, and for the GGM 8000 through signature verification. This ensures that the software image to be loaded has not been corrupted. If the software image is corrupted, the MNR router reboots and restarts the test.
Solutions to this issue are described in:
• GGM8000 Hardware User Guide, "Troubleshooting" Appendix, "System LEDs" section.
• S6000 Hardware User Guide, "Troubleshooting" Appendix, "Error LED Meanings" section.
3.2
Excluded Security Features
The following features are not supported in the Common Criteria configuration:
Telnet and HTTP
Initial configuration steps described in Initial Configuration on page 23 disable the Telnet and HTTPadministrative interface.
The parameters for the NetAccess command (in the Common Criteria evaluated configuration) are:
SETDefault -SYS NetAccess = (Ssh | NoSsh, Console | NoConsole)
NOTICE: The software allows you to disable NetAccess without giving any warning messages. If you set NetAccess to NoSsh and NoConsole, you can no longer access the router or gateway parameters to perform software configuration. You need to boot the router or gateway with an image that contains an enabled NetAccess parameter before you can regain access.
SNMP
SNMPv3 is disabled by default. The initial configuration steps described in Initial Configuration on page 23 disable the use of SNMP.
The parameters for the –SNMP CONTrol command (in the Common Criteria evaluatedconfiguration) is: SETDefault –SNMP CONTrol = NoManage.
Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP)
PPTP and L2TP are disabled by default. Do not run the following command in the Common Criteria evaluated configuration: SETDefault -L2T CONTrol = Enable Protocol = (PPTP | L2TP). It enables PPTP or L2TP and takes the TOE out of the evaluated configuration.
Protocol authentication
Protocol authentication for BGP, OSPF and PIM was not evaluated during Common Criteria certification.
IKEv2
The Internet Key Exchange v2 protocol was excluded from evaluation during Common Criteria certification. For Common Criteria evaluated configurations, use IKEv1.
Use of the TOE as a GGSN
GGSN functionality is not included in the Common Criteria evaluated builds of EOS software. Commands related to configuring your network device as a GGSN do not apply to the TOE.
1024-bit SSH Keys
1024-bit keys are not allowed by FIPS 140-2 and Common Criteria. The syntax of the GenSshKey command is GenSshKey [{RSA | DSA} 1024]; in the Common Criteria evaluated configuration, do not specify a 1024-bit key and, as noted in Configuring Trusted Path and SSH Server, do not use DSA.
Hardware Changes
Ignore the sections of the Hardware User Guides that describe replacing or installing hardware. Changes to the hardware were not included as part of the Common Criteria evaluation.
SSH Client functionality
SSH client functionality is disabled by default and was not evaluated during Common Criteria certification.
Non-Security Relevant Features
The remaining features described in the EOS User Guide and the EOS Reference Guide are available for use within the Common Criteria evaluated configuration; however, these features were not tested or analyzed for Common Criteria.
Chapter 4
Glossary
This glossary provides definitions of acronyms used in this guide.
Table 6: Acronyms Definitions
Acronym Definition
3DES Triple DES
AES Advanced Encryption Standard
CEN Customer Enterprise Network
CC Common Criteria
CCGW Conventional Channel Gateway
CSP Critical Security Parameter
CWR Cooperative WAN Routing
DES Data Encryption Standard
ECDSA Elliptic Curve Digital Signature Algorithm
EOS Enterprise Operating System
FIPS Federal Information Processing Standard
FQDN Fully Qualified Domain Name
GGSN Gateway GPRS Support Node
GPRS General Packet Radio Service
L2TP Layer 2 Tunneling Protocol
L2VPN Layer 2 Virtual Private Network
LAN Local Area Network
MIB Management Information Base
MIP Multicast Internet Protocol
MNR Motorola Network Router
NIST National Institute of Standards & Technology
PIM Protocol Independent Multicast
PKI Public Key Infrastructure
PPTP Point-to-Point Tunneling Protocol
RNG Random Number Generator
SNMP Simple Network Management Protocol
SPD Security Policy Database
SSC Motorola System Service Center
TOE Target of Evaluation
TSF TOE Security Functionality
UI User Interface (subsystem)
USM User Security Model
VACM View Based Access Control Model
XML Extensible Markup Language
WAN Wide Area Network