ZTE Access Systems Series ZXA10 C300 C300M C350M v1 0 PDF
Security Target
ZXA10 C300/C300M/C350M
ZTE CORPORATION
NO. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: (86) 755 26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn
Security Target ZTE Access Gateways ZXA10 Series C300/C300M/C350M 2 | 26
Document history
Content
1 ST Introduction
1.1 ST and TOE References
1.2 TOE Overview and usage
1.2.1 Major security features
1.2.2 Non-TOE Hardware/Software/Firmware
1.3 TOE Description
1.3.1 Physical scope
1.3.2 Logical scope
7 Rationales
7.1 Security Objectives Rationale
7.2 Security Functional Requirements Rationale
7.3 Dependencies
1 ST Introduction
This is version 1.0 of the Security Target for the ZTE Access System Series.
Each of these is considered a TOE. The major differences between TOEs are the
type, the physical interfaces (various types of broadband and narrowband), and the
capacity. See Appendix A of this Security Target for details.
Figure 1: The TOE (diagram; labels: EMS, RADIUS or TACACS+ (optional),
Management Network(s), Network, Platform Running SSH, TOE Environment, TOE,
Subscribers)
The subscribers can access the TOE through a wide variety of technologies, like
POTS, ISDN, xDSL, FE/GE and xPON. The exact technologies depend on the
particular TOE. See Appendix A for details on the specific network technologies
and specific subscriber access technologies that are supported by each TOE.
The TOE has the following general functionalities [1]:
o Provide access of subscribers to networks (and vice versa)
o Convert the protocols used by the subscribers to protocols suitable
for the networks (and vice versa)
o Allow management of itself through a Management Network
[1] Not all TOEs offer the same functionality. See Appendix A for details.
Note that the TOE offers access to different subscribers through a set of physical
ports. In many cases, there will be a 1:1 relation between subscribers and ports,
but it is allowed to have multiple subscribers to a single port:
o If this port is based on xPON technology, the TOE will be able to protect
subscribers from each other by:
o Encrypting data downstream so that only a specific subscriber can
read it
o Using TDM upstream, so each subscriber has his own time-slice to
send data
o If this port uses a different protocol (e.g. FE/GE), the TOE itself will not
protect subscribers on that port against each other, and, if required, they
should take care of this protection themselves (e.g. by using cryptography).
C300 V2.0.0.T2
Hardware: ZXA10 C300
Software: C300 v2.0.0T2
          ZXIAP v2.0
          ZXROS 04.08.35
          VxWorks (5.5.1)
Guidance: ZXA10 C300(V2.0) Optical Access Convergence Equipment Configuration Manual (CLI)
          ZXA10 C300(V2.0) Optical Access Convergence Equipment Configuration Manual (NetNumen)
          ZXA10 C300(V2.0) Optical Access Convergence Equipment Maintenance Manual
          ZXA10 C300(V2.0) Security Issues
C300M V3.0T2
Hardware: ZXA10 C300M
Software: C300M V3.0T2
          ZXIAP v1.2
          ZXROS 04.08.01
          VxWorks (5.5.1)
Guidance: ZXA10 C300M(V3.0) Multi-service Access Equipment Configuration Manual (CLI)
          ZXA10 C300M(V3.0) Multi-Service Access Equipment Configuration Manual (NetNumen)
          ZXA10 C300M(V3.0) Multi-service Access Equipment Maintenance Manual
          ZXA10 C300M(V3.0) Security Issues
C350M V3.0T2
Hardware: ZXA10 C350M
Software: C350M V3.0T2
          ZXIAP v1.2
          ZXROS 04.08.01
          VxWorks (5.5.1)
Guidance: ZXA10 C350M(V3.0) Multi-Service Access Equipment Configuration Manual (CLI)
          ZXA10 C350M(V3.0) Multi-Service Access Equipment Configuration Manual (NetNumen)
          ZXA10 C350M(V3.0) Multi-Service Access Equipment Routine Maintenance Manual
          ZXA10 C350M(V3.0) Security Issues
Secure management of the TOE, to ensure that only properly authorized staff can
manage the TOE.
Ensures that subscribers have only access to the services on the networks that
they are entitled to
The TOE can be configured to provide fine-grained access control: ensuring that
each subscriber has only access to the exact services that he is entitled to.
The TOE provides separation between the traffic streams of subscribers so that
unauthorized disclosure/modification is prevented.
2 Conformance Claims
None
3.2 Threats
3.2.2 Threats
The combination of assets and threats gives rise to the following threats:
T.UNAUTHORISED_ADMIN
TA.NETWORK or TA.SUBSCRIBER gains access to the management functionality
of the TOE.
T.UNAUTHORISED_ACCESS
TA.SUBSCRIBER gains access to a service on a Network that he is not authorized
to access.
T.PHYSICAL_ATTACK
TA.PHYSICAL gains physical access to the TOE and is able to perform actions on
the TOE.
T.CONFIDENTIALITY
TA.SUBSCRIBER is able to read traffic from/to another subscriber.
T.INTEGRITY
TA.SUBSCRIBER is able to modify traffic from/to another subscriber.
3.3 Assumptions
A.TRUSTED_NETWORK
It is assumed that the Network(s) (except the Management Network) are trusted,
such that they will not interfere with subscriber traffic. It is also assumed that the
EMS, RADIUS and TACACS+ servers will not be used to attack the TOE.
4 Security Objectives
These security objectives describe how the threats described in the previous
section will be addressed. They are divided into:
o The Security Objectives for the TOE, describing what the TOE will do to
address the threats
o The Security Objectives for the Operational Environment, describing
what other entities must do to address the threats
A rationale that the combination of all of these security objectives indeed
addresses the threats may be found in section 7.1 of this Security Target.
4.1 Security objectives for the TOE
O.ACCESS
The TOE shall ensure that subscribers have only access to the services on the
networks that they are entitled to.
O.MANAGE_ACCESS
The TOE shall offer administrators the possibility to modify the access that
subscribers have to networks.
O.AUTHENTICATE_ADMIN
The TOE shall identify and authenticate administrators before allowing them
access to administrative functions.
O.ENCRYPTED_MANAGEMENT
The TOE shall offer an encrypted channel for administrative actions, preventing
disclosure, insertion and/or modification of administrative commands.
O.SEPARATION_OF_PORTS
The TOE shall offer physical ports, and be able to separate traffic between different
ports, such that:
o It is not possible to listen in on traffic from one port on a different port
o It is not possible to modify traffic on one port from another port
OE.PHYSICAL_SECURITY
The operator shall ensure that the TOE shall be protected from physical attacks.
OE.MULTIPLE_SUBSCRIBERS
Where multiple subscribers are connected to a single non-xPON port, and it is
desired that the confidentiality and/or integrity of traffic from/to a subscriber shall be
protected from other subscribers, this must be arranged by the environment.
OE.TRUSTED_NETWORK
The environment shall ensure that the Network(s) are trusted (except the
Management Network), such that they will not interfere with subscriber traffic and
that the EMS, RADIUS and TACACS+ servers will not be used to attack the TOE.
5 Security Requirements
None.
5.2 Definitions
Roles:
o Administrator
Subjects/External Entities:
o Services (on a Network)
o Ports (any physical Port to a subscriber)
o xPON Port (a virtual Port to an xPON subscriber) [2]
Objects:
o Traffic
Operations:
o Receive
o Send
o Modify
[2] Note that a Port is a physical port, while an xPON port is a virtual port: one port supporting
xPON can support many xPON ports. Ports are physically separated, while xPON ports are
separated from each other cryptographically and by TDM.
The following notational conventions are used in the requirements. Operations are
indicated in bold, except refinements, which are indicated in bold italic. In general
refinements were applied to clarify requirements and/or make them more readable.
Iterations were indicated by adding three letters to the component name.
5.3.1 Management
[3] Not supported on MSG5208, ZXDSL 9806H, 9816 and 9836 TOEs
5.3.2 Separation
FDP_IFC.1 Subset information flow control
FDP_IFC.1.1 The TSF shall enforce the Traffic Policy on
o Ports, xPON Ports [5]
o Traffic
o Receive, Send, Modify.
[4] A refinement for readability.
[5] Only MSG5200, C300M and C350M support xPON Ports.
[6] Only MSG5200, C300M and C350M support xPON Ports.
Assurance Components
Assurance Class
Identifier Name
FDP_IFC.1, FDP_IFF.1
The TOE uses several mechanisms to enforce the Traffic Policy:
o Ports are physically isolated from each other, and can only talk to each
other through a switch in the TOE, which switches the communication from
Subscribers to Networks and vice versa.
o The TOE supports VLANs, to ensure that certain ports can only talk to
certain networks.
o The TOE supports L2 Isolation, preventing ports in the same VLAN from
communicating with each other directly (they can then only talk to each
other via an entity in one of the Networks).
o The TOE supports ACL rules, both on Layer 2 (Ethernet) and Layer 3 (IP),
allowing fine-grained access control on MAC address (source and
destination), IP (source and destination) and ports.
o The TOE provides MAC Source Guard, IP/MAC binding, DHCP snooping
and DHCP IP Source Guard to prevent subscribers from modifying their
own MAC and/or IP addresses to circumvent the ACL rules.
o For xPON the TOE provides downstream encryption and upstream
time-division multiplexing or encryption as per the relevant xPON standards.
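The VLAN, L2 Isolation, source-guard and ACL mechanisms above can be read as one forwarding decision per frame. The following Python model is an added illustration, not ZTE code and not part of the Security Target; the port names, addresses, ACL entries and the order in which the checks are applied are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    in_port: str    # ingress port
    out_port: str   # port the switch would forward to
    vlan: int
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int   # layer-4 destination port

# Constructed sample configuration; names and addresses are illustrative only.
UPLINKS = {"net1"}                                # ports facing a Network
VLAN_MEMBERS = {100: {"sub1", "sub2", "net1"}}    # VLAN id -> member ports
ISOLATED_VLANS = {100}                            # VLANs with L2 isolation on
BINDINGS = {"sub1": ("00:11:22:33:44:01", "10.0.0.1"),   # IP/MAC binding
            "sub2": ("00:11:22:33:44:02", "10.0.0.2")}
# ACL, first match wins: (src_ip, dst_ip, dst_port, action); None is a wildcard.
ACL = [("10.0.0.1", "192.0.2.10", 443, "permit"),
       (None, None, None, "deny")]

def decide(f: Frame) -> str:
    """Return 'forward' or 'drop:<reason>' for one frame."""
    members = VLAN_MEMBERS.get(f.vlan, set())
    if f.in_port not in members or f.out_port not in members:
        return "drop:vlan"                        # VLAN limits reachable ports
    if f.in_port in UPLINKS:
        return "forward"                          # Networks are assumed trusted
    if BINDINGS.get(f.in_port) != (f.src_mac, f.src_ip):
        return "drop:source-guard"                # spoofed MAC or IP
    if f.vlan in ISOLATED_VLANS and f.out_port not in UPLINKS:
        return "drop:l2-isolation"                # subscriber-to-subscriber
    for src, dst, port, action in ACL:
        if (src in (None, f.src_ip) and dst in (None, f.dst_ip)
                and port in (None, f.dst_port)):
            return "forward" if action == "permit" else "drop:acl"
    return "drop:acl"                             # implicit deny

def sample_results() -> dict:
    m1, m2 = BINDINGS["sub1"][0], BINDINGS["sub2"][0]
    return {
        "entitled": decide(Frame("sub1", "net1", 100, m1, "10.0.0.1", "192.0.2.10", 443)),
        "peer": decide(Frame("sub1", "sub2", 100, m1, "10.0.0.1", "10.0.0.2", 80)),
        "spoofed_ip": decide(Frame("sub2", "net1", 100, m2, "10.0.0.1", "192.0.2.10", 443)),
        "not_entitled": decide(Frame("sub2", "net1", 100, m2, "10.0.0.2", "192.0.2.10", 443)),
    }
```

The "spoofed_ip" case shows why the binding check matters: without it, the frame would match the permit entry written for sub1.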
FMT_SMF.1
The TOE allows an administrator to manage:
o The usernames/passwords of administrators
o The ACL-rules
through a command-line based interface.
[7] There are other ways, but these are not available in the evaluated configuration (see 1.3.2).
7 Rationales
Assumptions/OSPs/Threats Objectives
7.3 Dependencies
SFR          Dependencies
FIA_UID.2    -
FIA_UAU.2    FIA_UID.1: met by FIA_UID.2
FMT_SMR.1    FIA_UID.1: met by FIA_UID.2
FPT_SMF.1    -
FPT_ITC.1    -
FDP_IFC.1    FDP_IFF.1: met
FDP_IFF.1    FDP_IFC.1: met
             FMT_MSA.3: not met, as the policy does not use security attributes,
             management of these attributes is unnecessary.
SAR Dependencies
A Supported Protocols
B List of Acronyms