Broadcom Brocade Fabric OS BSI 8.2.0x User guide

Type
User guide
Supporting FOS 8.2.0a2
Draft: Broadcom Confidential
USER GUIDE
Brocade Fabric OS BSI User Guide, 8.2.0x
FOS-820X-BSI-UG100
18 January 2019
Copyright
© 2019 Broadcom. All Rights Reserved. Broadcom, the pulse logo, Brocade, and the stylized B logo are among the trademarks of Broadcom in the United States, the EU, and/or other countries. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information
furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of
this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the
rights of others.
The product described by this document may contain open source software covered by the GNU General Public License or other open source license
agreements. To find out which open source software is included in Broadcom products, view the licensing terms applicable to the open source software,
and obtain a copy of the programming source code, please visit https://www.broadcom.com/.
Contents
Introduction (page 4)
  BSI Overview (page 4)
  Acronyms and Terminology (page 5)
  Brocade Switch and Software Support (page 5)
  FOS Documentation (page 6)
  Excluded Features (page 6)
Acceptance Procedure and Installation (page 8)
  Installation and Setup of Hardware Appliance (page 8)
  Software Download on the TOE (page 9)
Prerequisites and Preparation for Configuration (page 10)
  Assumptions (page 10)
  Prerequisites (page 10)
Configuring TOE for BSI (page 13)
Maintaining Compliance (page 18)
Appendix A: Predefined TOE Accounts and Roles (page 21)
Appendix B: Password Space Analysis (page 22)
Appendix C: User Roles and Privileges for CLI Commands (page 23)
Introduction
BSI Overview (page 4)
Acronyms and Terminology (page 5)
Brocade Switch and Software Support (page 5)
FOS Documentation (page 6)
Excluded Features (page 6)
BSI Overview
This user guide describes the security measures and procedures required to use the Brocade switch products (running Fabric OS version 8.2.0a2) in accordance with the BSI EAL2 certified configuration. Where appropriate, this document also makes references to the Brocade official guides to provide additional information to prepare and configure the product.
Brocade Fabric OS (FOS) version 8.2.0a2 is provided by Brocade Communications Systems LLC. The FOS software runs on Brocade storage area network (SAN) switches, which include directors and switches. FOS 8.2.0a2 was evaluated for Common Criteria compliance with the German Common Criteria evaluation scheme (BSI). This version of FOS received an evaluation with an EAL2 rating. A detailed description of the security functionality included in the evaluation can be found in Section 7, TOE Summary Specification, of the Security Target document.
A switch is considered to be in a certified configuration when it satisfies all the security functional requirements during the evaluation as defined in the Security Target document.
The official Brocade Fabric OS Administration Guide and Brocade Fabric OS Command Reference define all commands supported by FOS. The set of commands supported by FOS includes those commands necessary to configure and operate the self-protection and security features that were evaluated. However, the majority of commands described by these documents are available to support the FOS configuration and operations capabilities that form the primary storage area network switching features. Because the BSI evaluation focuses on FOS security, the majority of commands (those that pertain to the operation of the SAN switching features) are not considered security relevant from the evaluation's perspective.
The commands associated with configuration of an excluded feature (see Excluded Features on page 6) should not be used, beyond disabling the feature as instructed by this document (see Prerequisites and Preparation for Configuration on page 10). All other commands and guidance provided by the official Brocade Fabric OS Administration Guide and Brocade Fabric OS Command Reference must be used in a manner consistent with the guidance provided by this user guide and the description of the FOS security features provided by the Security Target document. The Security Target document can be found on the Common Criteria Portal website's Certified Product List at https://www.commoncriteriaportal.org/products.
NOTE
To operate FOS in a manner consistent with the BSI evaluation, read and apply the instructions in this document in the correct order. Follow all the chapters and prerequisites as mentioned in each chapter before moving on to the configuration steps. Other suggested and officially published Brocade documents can be used as supporting material with this document. All warnings, cautions, and recommendations in those documents apply as stated, except where they directly conflict with statements in this document. In case of a discrepancy or conflict in the procedures mentioned in other Brocade documentation, the guidance in this guide takes precedence when configuring the product to satisfy the BSI Common Criteria EAL-2 security evaluation configuration.
Acronyms and Terminology
The following acronyms and terms are used throughout this document.
Acronyms Meaning
BSI Bundesamt für Sicherheit in der Informationstechnik (Federal Office of Information Security in Germany)
EAL Evaluation Assurance Level
FOS Fabric Operating System
FC Fibre Channel
FCIP Fibre Channel over IP
FCOE Fibre Channel over Ethernet
RBAC Role-Based Access Control
SAN Storage Area Network
SSH Secure Shell Protocol
TOE Target of Evaluation
TLS Transport Layer Security protocol
Brocade Switch and Software Support
FOS version 8.2.0a2 is certified for the following Brocade products:
NOTE
A blade refers to a purpose-built component that is installed in a Brocade director.
Gen 5 hardware
Director Blade Models: FC16-32, FC16-48, FC16-64, CP8, CR16-4, CR16-8, and FX8-24
Director Models: DCX 8510-4, and DCX 8510-8
Switch Models: 6510, 6520, and 7840
Gen 6 hardware
Director Blade Models: FC32-48, CPX6, CR32-4, CR32-8, and SX6
Director Models: X6-4 and X6-8
Switch Models: G620 and G630
NOTE
The FOS software is pre-installed on these products. The evaluated version of the FOS software may also be obtained by customers through a private, customer-only download facility. Because the evaluation performed by the German evaluation scheme did not include the use of the download facility to obtain the evaluated version of the Target of Evaluation (TOE), using that approach does not result in a BSI EAL2 certified configuration.
FOS Documentation
The following documents describe the configuration process of the FOS software and provide guidance for subsequent use and administration of the applicable security features:
Brocade Fabric OS Administration Guide, 8.2.0a - Publication #53-1005237-05, 10 May 2018
Brocade Fabric OS Command Reference, 8.2.0a - Publication #53-1005241-04, 10 April 2018
Brocade Fabric OS Message Reference, 8.2.0a - Publication #53-1005249-04, 10 April 2018
Brocade Fabric OS BSI User Guide, 8.2.0x - Publication #FOS-820X-BSI-UG100, 31 October 2018
Excluded Features
BSI EAL2 compliance does not apply to all software features. Some features were excluded to facilitate the evaluation. To be compliant, ensure that excluded features are not in use during switch operation.
The following features are excluded from the evaluation and must be disabled or left unconfigured in the TOE configuration. Some features are disabled by virtue of not being configured for use by TOE administrators. For the applicable commands, see Prerequisites and Preparation for Configuration on page 10.
Redundancy or encryption provided by processing of user data by ASICs was not evaluated.
Some ASICs supported by the Brocade products support additional ASIC-specic functionality. The functionality provided by
these ASICs occurs after SAN data has been processed by the TOE, and occurs outside the scope of control of the TOE. Any
processing performed by such ASICs is out of scope for the evaluation.
Fibre Channel over Ethernet (FCOE) and Fibre Channel over IP (FCIP) are not supported.
The TOE must be configured to exclude the use of Elliptic-Curve cryptographic algorithms with SSH.
Use SSHv2 clients configured to use RSA 2048-bit keys for host authentication, AES-CBC for encryption and decryption, and HMAC_SHA for integrity verification.
The TOE cannot be configured to prevent the use of Elliptic-Curve cryptographic algorithms supporting TLS. These algorithms have not been evaluated.
Define connections to remote network peers over the management network using cryptographic algorithms other than Elliptic Curve (AES or RSA).
Brocade Web Tools, a web-based administrator console interface, cannot be used for administration of the TOE.
The SNMP administrative interface cannot be used and must be disabled.
The basic functionality provided through the SNMP protocols (versions 1 and 3) and the cryptographic aspects of the SNMP protocol are not relevant to this evaluation because SNMP is not permitted.
The REST API interface must not be used to access the TOE.
Optional modem hardware for simulating a serial administration interface is not installed.
By default, this hardware is not part of the evaluated platforms identified by the Security Target. Do not add this hardware.
The TOE cannot be operated in Access Gateway Mode.
The TOE can operate in either Native Mode or Access Gateway Mode. Only Native Mode is supported in the evaluated configuration. Access Gateway Mode makes a switch function more like a "port aggregator", and in Access Gateway Mode the product does not support the primary access control security functions (mainly zoning) claimed when operating in Native Mode.
By default, the TOE comes up in Native Mode, and the administrator can confirm that Access Gateway Mode is disabled by using the ag --show CLI command.
Dynamic RBAC was not configured for use by administrators.
The TOE does not add any Dynamic RBAC role by default. For the feature to be used, administrators must explicitly define new roles and add users to those roles. Since Dynamic RBAC roles were not evaluated, they must not be configured. Confirm that no Dynamic RBAC role has been added using the roleconfig --show -all CLI command.
Inflight encryption must be disabled.
Only the PEAP-MSCHAPv2 extension authentication protocol is to be configured for RADIUS authentication.
Acceptance Procedure and Installation
Installation and Setup of Hardware Appliance (page 8)
Software Download on the TOE (page 9)
The following assumptions are made of the site on delivery of Brocade switches:
The operating environment is physically secure.
The administration station used to access the serial configuration (initial setup) is operated in a secure environment.
Before connecting the switch to a network, FOS must be configured to the BSI EAL2 evaluated configuration to ensure that the fingerprint for SSH is securely accepted.
SSHv2 hosts are authenticated using host keys. To ensure that the public host key of the switch (TOE) is not provided by a man-in-the-middle, the host key has to be manually verified during the first SSHv2 session establishment with the switch. This is achieved by connecting the client to the serial port or through the network.
Ensure that saved fingerprints are not changed except by explicit action of the administrator using the SSH client, or "the workstation shall ensure that the private keys used by an administrator are protected from corruption by other users."
When the TOE acts as an SSH client, the fingerprint must be verified manually after the initial connection.
NOTE
The TOE implementation of SSHv2 must be configured to use Diffie-Hellman-group14-SHA1 or Diffie-Hellman-group-exchange-sha256 for key exchange and the generation of session keys.
The crypto officer should only import certificates that are strong and meet the criteria of their environment.
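The manual host key check above depends on the administrator being able to compute a fingerprint from a key read on the serial console and compare it with what the SSH client presents. The following is an added example, not Brocade code and not part of this guide: it builds an ssh-rsa public key blob, computes the OpenSSH-style SHA256 and legacy MD5 fingerprints with the standard library, and compares a presented key against a fingerprint recorded out of band. The sample key is constructed (a synthetic modulus), not a switch key.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """One SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """SSH mpint encoding of a positive integer (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_blob(e, n):
    """ssh-rsa public key blob as in RFC 4253: "ssh-rsa", e, n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_public_key_line(line):
    """Split a '<type> <base64> [comment]' line into (key type, decoded blob)
    and check that the blob really starts with the declared key type."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    declared_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + declared_len] != key_type.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    return key_type, blob


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 fingerprint, as shown by older SSH clients."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def matches_trusted(blob, trusted):
    """Compare a presented host key with the fingerprint recorded out of band
    (for example read from the serial console); either format is accepted."""
    trusted = trusted.strip()
    if trusted.startswith("SHA256:"):
        return fingerprint_sha256(blob) == trusted.rstrip("=")
    if trusted.startswith("MD5:"):
        return fingerprint_md5(blob).lower() == trusted.lower()
    return False


# CONSTRUCTED sample: public exponent 65537 and a made-up 2048-bit odd modulus.
SAMPLE_N = (1 << 2047) | int.from_bytes(b"constructed-not-a-real-modulus" * 8, "big") | 1
SAMPLE_LINE = ("ssh-rsa "
               + base64.b64encode(build_rsa_public_blob(65537, SAMPLE_N)).decode()
               + " sw0-constructed")

if __name__ == "__main__":
    key_type, key_blob = parse_public_key_line(SAMPLE_LINE)
    print(key_type, fingerprint_sha256(key_blob), fingerprint_md5(key_blob))
```

In practice the trusted fingerprint is obtained over the serial connection (or from the switch's own sshutil output) before the first network session, and matches_trusted is what the administrator does by eye when the client asks whether to accept a new host key.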
On delivery of Brocade switches, the package must be inspected to ensure the security and integrity of the shipped product. The customer must strictly follow these security precautions on receipt of the package:
1. Every product is sealed with tamper-evident security tape. Check the seal for damage. If the seal is missing or appears to have been tampered with, contact the carrier/supplier.
2. Verify that the dispatcher of the TOE is an authorised entity.
3. Verify that the hardware components match the details in the packing slips and that no damage has occurred during shipping.
4. After physical installation of the hardware (refer to Installation and Setup of Hardware Appliance on page 8), verify that the switch prompts the admin user to change the password, to ensure there were no prior configurations.
Installation and Setup of Hardware Appliance
FOS (8.2.0a2) runs on Brocade switch products.
The various models of the hardware supporting the software are listed in Brocade Switch and Software Support on page 5. These models differ in performance, form factor, and number of ports. However, all models run the same FOS version 8.2.0a2 software. The Brocade switch products are available in one of the following two form factors.
A rack-mount director chassis with a variable number of blades
A self-contained switch device
On delivery, a preinstalled Brocade switch requires physical setup and initial software configuration (using a serial connection) before it can be made operational. On boot up, verify and confirm that the approved FOS (8.2.0a2) is preinstalled using the firmwareshow CLI command. Detailed procedures for each hardware model are described in the respective hardware manuals, which can be referenced to set up the switch.
Software Download on the TOE
Because the evaluation performed by the German evaluation scheme did not include the use of the download facility to obtain the evaluated version of the Target of Evaluation (TOE), using that approach does not result in a BSI EAL2 certified configuration.
Prerequisites and Preparation for Configuration
This chapter presents how the operational environment is to be prepared.
Assumptions
The operational environment must meet the following requirements:
All prerequisites and preparation steps that require command execution must be done as an admin user.
The Brocade switch and fabric are located within controlled access facilities, which prevent unauthorized physical access.
The environment will protect network connections to and from the TOE from unauthorized disclosure or modification.
The administration station used to access the serial configuration for initial setup is operated in a secure environment.
Before connecting the switch to the physical network, FOS must be configured to use the BSI EAL2 evaluated configuration.
FOS will be installed, configured, managed, and maintained in accordance with guidance documentation.
The environment will provide a Syslog server and a means to present a readable view of the audit data.
FOS is running on the models of Brocade products that are listed in Brocade Switch and Software Support on page 5.
All external services for AAA, Syslog, NTP, and Certificate Authority (CA) are operated in a secure environment.
Passwords for the user accounts are configured to adhere to the password recommendations. See Appendix B: Password Space Analysis on page 22 for details of the password space analysis.
All administrators should be trustworthy and qualified, with sufficient administration skills, to work on Brocade products.
Administrators shall only install certificates created entirely with RSA 2048-bit key sizes and SHA256 hashing. The same algorithm, hash, and key size should be used for the certificate and for any CA key that signs the certificate.
Prerequisites
The following preparatory steps need to be completed by an admin user before proceeding with the installation.
Disable Fibre Channel over Ethernet (FCOE) and Fibre Channel over IP (FCIP).
Do not set up any ports for FCIP or FCoE connections. As part of normal installation and operation, the SAN data ports are recognized by the device I/O feature, which creates logical device files representing each SAN data port. The only way a SAN data port device file is configured is by explicit administrative action through the FOS subsystem's admin functionality.
Do not configure or use elliptic curve based cryptography for any protocol.
Ensure that the TOE does not connect to SSH servers that support EC-based host key authentication for SSH.
The TOE cannot be configured to prevent the use of Elliptic-Curve cryptographic algorithms supporting TLS. These algorithms have not been evaluated.
Brocade Web Tools, a web-based administrator console interface, must not be used for administration of the TOE.
The Web Tools interface is offered by an internal HTTP server, which listens on the well-known HTTP and HTTPS ports. Disable the Web Tools interface by configuring IP filter rules. Refer to the instructions in the chapter Configuring TOE for BSI on page 13; see the step for excluding Telnet, SNMP, HTTP, and HTTPS.
The SNMP administrative interface must not be used and must be disabled by setting the secLevel to 'NoAccess' and blocking port 161. For more information, see Configuring TOE for BSI on page 13. Execute the following command and enter 3 at both prompts to set the security level; port 161 is blocked by the IP filter policy configured in that chapter:
snmpconfig --set secLevel
Select SNMP GET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3)
[0] 3
Select SNMP SET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (3..3)
[3] 3
To display the currently configured SNMP level, execute the following command:
sw0:FID128:admin> snmpconfig --show secLevel
GET security level = 3, SET level = 3
SNMP GET Security Level: No Access
SNMP SET Security Level: No Access
Make sure the TOE is not operating in Access Gateway Mode. By default, the switch boots up in Native Mode and requires explicit configuration to operate in Access Gateway Mode. Use the following command to verify the mode:
ag --modeshow
Access Gateway mode is NOT enabled
Configure the default zone to no access using the following command:
sw0:FID128:admin> defzone --noaccess
You are about to set the Default Zone access mode to No Access
Do you want to set the Default Zone access mode to No Access ? (yes, y, no, n): [no] yes
2018/10/30-13:07:44, [ZONE-1043], 41813, FID128, INFO, sw0 , The Default Zone access mode is set to
No Access.
NOTE
A default zone controls device access when zoning is not enabled. When a user-specified zoning configuration is not enabled, the default zone is in effect, allowing access to all devices. Default zone configuration is not supported in the evaluated configuration.
Ensure that only the zone members that are allowed to connect with one another are specified in each zone. Ensure that soft zoning is disabled by verifying that the Default Zone Access Mode is set to "No Access":
sw0:FID128:admin> defzone --show
Default Zone Access Mode
committed - No Access
transaction - No Transaction
Hard zoning can be verified by confirming that only the WWN or Domain,Index entries to which you wish to be connected are specified in each zone.
Make sure Dynamic RBAC is not configured for use by administrators. Verify that there are no user-defined roles using the following CLI:
roleconfig --show -a
There are no user-defined roles on the switch
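The two zoning checks above (default zone set to No Access, and every zone member given as a WWN or Domain,Index rather than an alias or anything else) can be applied mechanically to saved zoneshow output. The following is an added example, not Brocade code and not a command the switch provides: a small parser for zone definitions in the style of zoneshow output, plus an audit that reports members of any other form. The zone listing it parses is constructed for the example; the zone names, WWNs and the 1..239 domain ID range check are the example's own assumptions.

```python
import re

# 8 colon-separated hex bytes, e.g. 10:00:00:05:1e:aa:bb:01 (case-insensitive).
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
# Domain,Index form, e.g. 1,5.
DOMAIN_INDEX_RE = re.compile(r"^(\d{1,3}),(\d{1,3})$")


def classify_member(member):
    """Return 'wwn', 'domain,index' or 'other' (alias name, malformed entry)."""
    member = member.strip()
    if WWN_RE.match(member):
        return "wwn"
    m = DOMAIN_INDEX_RE.match(member)
    if m and 1 <= int(m.group(1)) <= 239:   # assumption: FC domain IDs are 1..239
        return "domain,index"
    return "other"


def parse_zoneshow(text):
    """Parse 'zone: NAME members' blocks (members ';'-separated, continuation
    lines indented) into {zone name: [members]}; cfg:/alias: lines are skipped."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.endswith("configuration:")
                or line.startswith("cfg:") or line.startswith("alias:")):
            continue
        m = re.match(r"^zone:\s*(\S+)\s*(.*)$", line)
        if m:
            current, rest = m.group(1), m.group(2)
            zones[current] = []
        elif current is None:
            raise ValueError(f"member line before any zone: {line!r}")
        else:
            rest = line                      # continuation line of the current zone
        zones[current].extend(x.strip() for x in rest.split(";") if x.strip())
    return zones


def audit_zones(zoneshow_text, default_zone_mode):
    """Findings for the two checks this guide requires; empty list means both pass."""
    findings = []
    if default_zone_mode.strip().lower() != "no access":
        findings.append(f"default zone access mode is {default_zone_mode!r}, expected 'No Access'")
    for name, members in parse_zoneshow(zoneshow_text).items():
        if not members:
            findings.append(f"zone {name}: has no members")
        for member in members:
            if classify_member(member) == "other":
                findings.append(f"zone {name}: member {member!r} is not a WWN or Domain,Index")
    return findings


# CONSTRUCTED zone listing in the shape of zoneshow output; not from a real switch.
SAMPLE_ZONESHOW = """Defined configuration:
 cfg:   bsi_cfg zone_hosts; zone_ports; zone_mixed
 zone:  zone_hosts
                10:00:00:05:1e:aa:bb:01; 10:00:00:05:1e:aa:bb:02
 zone:  zone_ports
                1,5; 1,6
 zone:  zone_mixed
                10:00:00:05:1e:aa:bb:03; host_alias; 300,1
"""

if __name__ == "__main__":
    for finding in audit_zones(SAMPLE_ZONESHOW, "No Access"):
        print(finding)
```

The audit is deliberately strict: an alias name is reported even though the switch would resolve it, because the verification step above asks the administrator to confirm that only WWN or Domain,Index entries appear in each zone.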
The TOE must be configured not to use the REST API interface. For instructions on how to disable the REST interface, see Configuring TOE for BSI on page 13.
The TOE must be configured to use one of the cipher suites listed below for RADIUS, LDAP, and Syslog.
RADIUS:
TLS_RSA_WITH_AES_128_CBC_SHA256 (number 003C)
TLS_RSA_WITH_AES_256_CBC_SHA256 (number 003D)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (number 009F)
LDAP and Syslog:
TLS_RSA_WITH_AES_128_CBC_SHA (number 002F)
TLS_RSA_WITH_AES_256_CBC_SHA (number 0035)
TLS_RSA_WITH_AES_128_CBC_SHA256 (number 003C)
TLS_RSA_WITH_AES_256_CBC_SHA256 (number 003D)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (number 009F)
With the prerequisites addressed and preparatory steps completed, the switch is ready to be set up for the BSI evaluated configuration.
Configuring TOE for BSI
The TOE is in a certified configuration when it satisfies all of the security functional requirements defined during the evaluation. This section details the steps that must be performed to configure the TOE in accordance with the certified and evaluated state. Details and other options for the commands used in this section are found in Brocade Fabric OS Command Reference, 8.2.0a.
Review all prior sections of this document and complete all of the steps detailed in Prerequisites and Preparation for Configuration on page 10 before proceeding. See Appendix C: User Roles and Privileges for CLI Commands on page 23 for the user roles and access privileges required for the CLI commands used in the configuration.
1. Log in as admin.
2. On chassis-based products, the TOE configuration is synced between the main and redundant CPs using the High Availability (HA) feature. Verify the state of HA using the following command:
hashow
Local CP (Slot 4, CP0): Active, Cold Recovered
Remote CP (Slot 4, CP1): Standby, Healthy
HA enabled, Heartbeat Up, HA State synchronized
3. Ensure that FTP mode of transfer is not selected for firmware download by choosing scp or sftp for the firmwaredownload command:
firmwaredownload
Server Name or IP Address: 10.10.10.10
User Name: admin
File Name: /server/home/file.txt
Network Protocol(1-auto-select, 2-FTP, 3-SCP, 4-SFTP) [1]: scp
NOTE
The SCP command used in the Brocade TOE is not a standalone command and cannot be directly invoked.
4. To ensure there are no residual values for the cryptographic keys, algorithm state machines, or critical security parameters,
zeroize the system using the following command to erase the sensitive parameters:
fipscfg --zeroize
You are zeroizing FIPS.
Do you want to continue? (yes, y, no, n) [no]:y
5. Power cycle the switch to erase all the contents in the random access memory (RAM).
6. Log in as admin to continue with the rest of the configuration. In EAL2 configured mode, management sessions and communications need to be secure. Employ approved cryptographic parameters.
7. Set the internal hardware clock using the following command:
date
date “MMDDhhmmYY”
8. Enable secure upload and download, and enforce the signature verification check using the configurechassis command:
configurechassis
Configure...
cfgload attributes (yes, y, no, n): [no] y
Enforce secure config Upload/Download (yes, y, no, n): [no] y
9. Disable the Elliptic Curve-based host key using the following command:
sshutil delhostkey -ecdsa
10. Configure SSHv2 to use approved crypto parameters:
a) Export a template file using the following command:
seccryptocfg --export default_strong -server <server-ip> -name <username> -proto scp -file <remote path>/default_bsi_cc
b) Edit the contents of the exported template file to reflect the crypto configuration shown below. You can add notes in the comment area of the file:
[Ver] 0.1
/*
* Group : SSH
* Rules : Comma Separated
* Example : aes128-ctr,aes192-ctr -> Note, no space before and after comma.
* Valid options: Kex, Mac, Enc
*/
[SSH]
Enc:aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc
Kex:diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
Mac:hmac-sha2-256,hmac-sha2-512
/*
* Group : AAA
* Rules : Textual openssl cipherlist (colon,comma and space separated)
* Example: ALL:-MD5:!PSK
* Valid options: RAD_Ciphers, LDAP_Ciphers
*/
[AAA]
RAD_Ciphers:!ECDH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!3DES:-AESGCM:-DH:!SHA:DHE-RSA-AES256-GCM-SHA384
LDAP_Ciphers:!ECDH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!3DES:-AESGCM:-DH:DHE-RSA-AES256-GCM-SHA384
RAD_Protocol:TLSv1.2
LDAP_Protocol:TLSv1.2
/*
* Group : LOG
* Rules : Textual openssl cipherlist (colon,comma and space separated)
* Example: ALL:-MD5:!PSK
* Valid options: Ciphers
*/
[LOG]
Syslog_Ciphers:!ECDH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!3DES:-AESGCM:-DH:DHE-RSA-AES256-GCM-SHA384
Syslog_Protocol:TLSv1.2
/*
* Group : HTTPS
* Rules : Textual openssl cipherlist (colon,comma and space separated)
* Example: ALL:-MD5:!PSK
* Valid options: Ciphers
*/
[HTTPS]
Ciphers:!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3
Protocol:TLSv1.2
/*
* Group : X509v3
* Rules : Textual X509v3 validation options
* Example: Validation:Strict
* Valid options: Ciphers
*/
[X509v3]
Validation:Basic
c) Import the edited template file with the following command:
seccryptocfg --import default_bsi_cc -server <ipaddr> -name <user> -proto scp -file <remote path>/default_bsi_cc
d) Apply the imported template with the command:
seccryptocfg --apply default_bsi_cc
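Before importing an edited template, it is worth checking it offline against the rules this guide states: DH-only key exchange and no elliptic-curve algorithms for SSH, TLSv1.2 for RADIUS, LDAP and Syslog, and only the cipher suites listed in the prerequisites (003C, 003D, 009F for RADIUS; 002F, 0035, 003C, 003D, 009F for LDAP and Syslog). The following is an added example, not Brocade code and not a substitute for the switch's own seccryptocfg --verify: it parses the template format shown in step 10b (C-style comment blocks, [Section] headers, Key:Value lines) and reports deviations. The allow-lists are read from this guide and mapped to OpenSSL suite names; the SSH algorithm sets are assumed to be exactly those in the template; the weak template is constructed for the example.

```python
import re

# Allowed TLS cipher suites from the prerequisites (IANA number -> OpenSSL name).
ALLOWED_SUITES = {
    "RADIUS": {"003C": "AES128-SHA256", "003D": "AES256-SHA256",
               "009F": "DHE-RSA-AES256-GCM-SHA384"},
    "LDAP": {"002F": "AES128-SHA", "0035": "AES256-SHA", "003C": "AES128-SHA256",
             "003D": "AES256-SHA256", "009F": "DHE-RSA-AES256-GCM-SHA384"},
}
ALLOWED_SUITES["SYSLOG"] = ALLOWED_SUITES["LDAP"]   # same list for LDAP and Syslog
# SSH algorithm sets as written in the step 10 template (assumption: nothing beyond these).
ALLOWED_KEX = {"diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"}
ALLOWED_ENC = {"aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"}
ALLOWED_MAC = {"hmac-sha2-256", "hmac-sha2-512"}
PROTOCOL_KEYS = [("AAA", "RAD_Protocol"), ("AAA", "LDAP_Protocol"),
                 ("LOG", "Syslog_Protocol"), ("HTTPS", "Protocol")]
CIPHER_KEYS = [("AAA", "RAD_Ciphers", "RADIUS"), ("AAA", "LDAP_Ciphers", "LDAP"),
               ("LOG", "Syslog_Ciphers", "SYSLOG")]


def parse_template(text):
    """Parse the template: /* */ comments dropped, [Section] headers, Key:Value lines."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]\s*(.*)$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            if m.group(2):                      # "[Ver] 0.1" carries its value inline
                sections[current]["_value"] = m.group(2)
            continue
        if current is None or ":" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        key, value = line.split(":", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def _check_ssh_list(sections, key, allowed, findings):
    values = [v for v in sections.get("SSH", {}).get(key, "").split(",") if v]
    if not values:
        findings.append(f"SSH {key}: missing")
    for alg in values:
        if alg not in allowed:
            findings.append(f"SSH {key}: {alg} is outside the evaluated set")


def check_template(text):
    """Return a list of findings; an empty list means the template follows the guide."""
    s = parse_template(text)
    findings = []
    _check_ssh_list(s, "Kex", ALLOWED_KEX, findings)
    _check_ssh_list(s, "Enc", ALLOWED_ENC, findings)
    _check_ssh_list(s, "Mac", ALLOWED_MAC, findings)
    for section, key in PROTOCOL_KEYS:
        if s.get(section, {}).get(key) != "TLSv1.2":
            findings.append(f"{section} {key}: must be TLSv1.2")
    for section, key, service in CIPHER_KEYS:
        tokens = [t for t in re.split(r"[:, ]+", s.get(section, {}).get(key, "")) if t]
        if "!ECDH" not in tokens:
            findings.append(f"{section} {key}: elliptic-curve suites not excluded (!ECDH)")
        allowed_names = set(ALLOWED_SUITES[service].values())
        for t in tokens:
            # A token with no !/-/+ prefix that contains '-' names a suite explicitly;
            # bare keywords such as HIGH are left for the switch to expand.
            if t[0] not in "!-+" and "-" in t and t not in allowed_names:
                findings.append(f"{section} {key}: suite {t} is not allowed for {service}")
    if "Validation" not in s.get("X509v3", {}):
        findings.append("X509v3: Validation option missing")
    return findings


# The step 10b template, with one comment block kept to exercise comment stripping.
PAGE_TEMPLATE = """[Ver] 0.1
/*
 * Group : SSH
 * Valid options: Kex, Mac, Enc
 */
[SSH]
Enc:aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc
Kex:diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
Mac:hmac-sha2-256,hmac-sha2-512
[AAA]
RAD_Ciphers:!ECDH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!3DES:-AESGCM:-DH:!SHA:DHE-RSA-AES256-GCM-SHA384
LDAP_Ciphers:!ECDH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!3DES:-AESGCM:-DH:DHE-RSA-AES256-GCM-SHA384
RAD_Protocol:TLSv1.2
LDAP_Protocol:TLSv1.2
[LOG]
Syslog_Ciphers:!ECDH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!3DES:-AESGCM:-DH:DHE-RSA-AES256-GCM-SHA384
Syslog_Protocol:TLSv1.2
[HTTPS]
Ciphers:!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3
Protocol:TLSv1.2
[X509v3]
Validation:Basic
"""
# CONSTRUCTED weak variant: EC key exchange, TLSv1.1 and an ECDHE suite for RADIUS.
WEAK_TEMPLATE = (PAGE_TEMPLATE
                 .replace("Kex:diffie-hellman-group14-sha1",
                          "Kex:ecdh-sha2-nistp256,diffie-hellman-group14-sha1")
                 .replace("RAD_Protocol:TLSv1.2", "RAD_Protocol:TLSv1.1")
                 .replace("RAD_Ciphers:!ECDH:", "RAD_Ciphers:ECDHE-RSA-AES128-SHA:"))

if __name__ == "__main__":
    print("page template:", check_template(PAGE_TEMPLATE) or "compliant")
    print("weak template:", check_template(WEAK_TEMPLATE))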
11. Verify that the template is compliant with the running configuration:
admin> seccryptocfg --verify default_bsi_cc
Validating ....
Verifying ....
Passed: System configuration is compliant with the input template
12. On the director products, reboot the standby CP after applying the template to ensure that the crypto configuration is applied on both CPs.
a) Log into the standby CP.
b) Reboot the CP using the reboot command:
reboot
Warning: This command would cause the switch to reboot
and result in traffic disruption.
Are you sure you want to reboot the switch [y/n]? y
Broadcast message from root (pts/0) Sun Feb 28 19:49:45 2018...
The system is going down for reboot NOW !!
c) Wait for the standby CP to come up.
13. Verify if FCoE is disabled:
fosconfig --show
FC Routing service: disabled
Virtual Fabric: enabled
Ethernet Switch Service: disabled
If the Ethernet switch service is enabled, disable it with the fosconfig --disable ethsw command.
14. Verify if any FCIP tunnels are connected:
portshow fciptunnel
No FCIP tunnels found.
If the output lists any FCIP port, delete the tunnels using the portcfg fciptunnel tunnel delete command.
15. Exclude Telnet, SNMP, HTTP, and HTTPS:
a) Clone the default_ipv4 policy:
ipfilter --clone BSI_v4 -from default_ipv4
b) Delete the rules that permit the HTTP, HTTPS, SNMP, and Telnet services:
ipfilter --delrule BSI_v4 -rule 2 (Port 23, TELNET)
ipfilter --delrule BSI_v4 -rule 2 (Port 80, HTTP)
ipfilter --delrule BSI_v4 -rule 2 (Port 443, HTTPS)
ipfilter --delrule BSI_v4 -rule 2 (Port 161, SNMP)
ipfilter --delrule BSI_v4 -rule 3 (Port 600-1023, TCP)
ipfilter --delrule BSI_v4 -rule 3 (Port 600-1023, UDP)
c) Activate the new policy:
ipfilter --activate BSI_v4
d) Repeat steps a to c for the default_ipv6 rules to ensure that the rules are applied for both IPv4 and IPv6.
16. Disable the EZ-Server using the configure command:
configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
Fabric parameters (yes, y, no, n): [no]
D-Port Parameters (yes, y, no, n): [no]
RDP Polling Cycle(hours)[0 = Disable Polling]: (0..24) [1]
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no] y
Basic User Enabled (yes, y, no, n): [no]
Perform License Checking and Warning (yes, y, no, n): [yes]
Allow Fabric Event Collection (yes, y, no, n): [yes]
Login Session Timeout (in secs): (60..432000) [7200]
EZserver Enabled (yes, y, no, n): [yes] no
17. Disable IP security for the management interface using the ipsecconfig --disable command.
18. Disable in-flight encryption using the portcfgencrypt --disable <portnumber> command.
19. Congure the PEAP MS-CHAPv2 extension authentication protocol on the RADIUS server and obfuscate the RADIUS shared
secret using the following command:
aaaconfig –-add 10.10.10.1 –conf radius –s sharedsecret –e aes256 –a peap-mschapv2
NOTE
Use of either a RADIUS or an LDAP authentication server is allowed, but neither is required in the evaluated configuration.
If an LDAP server is used for authentication, it can be configured using the following CLI command:
aaaconfig --add padl12r2.la12security.brocade.com -conf ldap -d la12security.brocade.com
20. If an LDAP server or a RADIUS server is used for authentication and authorization, it is desirable to import a CA certificate that has a 2048-bit key and is signed with SHA256 for the complete chain of CA certificates:
seccertmgmt import -ca -server ldap -protocol scp -ipaddr <remote-ip> -remotedir <remote path> -login <remote username> -certname <LDAP CA cert filename>
seccertmgmt import -ca -server radius -protocol scp -ipaddr <remote-ip> -remotedir <remote-path> -login <remote-username> -certname <RADIUS CA cert filename>
NOTE
For all TLS connections, RSA certificates with 2048-bit keys and signed with SHA256 must be used on both the server and the TOE.
Certificates imported into the TOE should be from trustworthy sources.
Certificates and keys based on elliptic-curve cryptography must not be configured or used for TLS or SSH sessions.
Draft: Broadcom Condential
Brocade Fabric OS BSI User Guide, 8.2.0x
16 FOS-820X-BSI-UG100
21. Congure secure transport for audit log using the following procedure:
a) Import a CA certicate with 2048 bits signed with 256 for the Syslog client.
seccertmgmt import -ca -server syslog -protocol scp -ipaddr <remote-ip> -remotedir
<remote path> -login <remote username> -certname <syslog server CA cert filename>
syslogadmin --set -ip <ipaddr> -secure -port 6514
b) Generate the Syslog client CSR using the seccertmgmt generate command:
seccertmgmt generate -csr syslog -type rsa -keysize 2048 -hash sha256 -years 5
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):Colorado
Locality Name (eg, city name):Broomfield
Organization Name (eg, company name):Brocade
Organizational Unit Name (eg, department name):SQA
Common Name (Fully qualified Domain Name, or IP address): pizzabox12.englab.brocade.com
(switchname of default switch)
c) Export the client CSR using the seccertmgmt export command:
seccertmgmt export -csr syslog -protocol scp -ipaddr <remote-ip> -remotedir <remote path>/share/certs -login <remote username>
d) Get the Syslog client CSR signed by a CA.
e) Import the root CA certificate of the CA used in step d using the seccertmgmt import command:
seccertmgmt import -ca -client syslog -protocol scp -ipaddr <remote-ip> -remotedir <remote path> -login <remote username> -certname <syslog client CA cert filename>
f) Import the Syslog client certificate that was signed in step d using the seccertmgmt import command:
seccertmgmt import -cert syslog -protocol scp -ipaddr <remote-ip> -remotedir <remote path>
g) Add the Syslog server using the following command:
syslogadmin --set -ip kali-3dot0.englab.brocade.com -secure -port 6514
h) Enable auditing of security events using the following commands:
auditcfg --class 1,2,3,4,5,7,8,9
auditcfg --enable
22. The root account is disabled by default in this release. Access to this account must be disabled on all interfaces. To confirm that root is disabled, follow the steps below:
a) Display the root account settings with the userconfig --show root command.
b) Check for “Enabled:” in the output. If it is set to “No”, the root account is already disabled. If “Enabled:” is set to “Yes”, execute the userconfig --change root -e no command to disable the root account.
c) To disable access to the root account on all interfaces, issue the rootaccess --set none command.
For more information on accounts and roles, see Appendix A: Predefined TOE Accounts and Roles on page 21.
23. Disable the REST API interface by entering the following command:
mgmtapp --disable rest
The FOS device is now configured for the BSI-evaluated Common Criteria compliance mode.
Maintaining Compliance
After the switch has been configured to use the BSI evaluated configuration, follow these requirements to maintain compliance:
1. Use the admin account for all administrative operations.
2. Verify that the TOE has the BSI evaluated version.
3. Ensure the root account remains disabled.
4. Ensure that the FTP mode of transfer is not selected for the following operations during runtime:
a) Uploading the system configuration.
b) Downloading the system configuration.
c) Downloading the firmware.
d) Uploading the RASLOG, TRACE, supportshow, corefile, FFDC data, and other support information.
Draft: Broadcom Condential
Brocade Fabric OS BSI User Guide, 8.2.0x
18 FOS-820X-BSI-UG100
5. Execute the following commands as an administrator and verify the results are as shown:
a) Conrm that the root account is disabled using the following command:
userconfig --show root
b) Verify that the SSH ciphers are congured as follows:
SSH Cipher List : aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc
SSH Kex Algorithms List: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
SSH MACs List : hmac-sha2-256,hmac-sha2-512
c) Verify that FCoE is disabled.
fosconfig --show
FC Routing service: disabled
Virtual Fabric: enabled
Ethernet Switch Service: disabled
d) Verify that no FCIP tunnels are connected.
portshow fciptunnel
No FCIP tunnels found.
e) Verify that IPsec is disabled. If there is no output for the following command, then IPsec is disabled.
ipsecconfig --show config all
f) Conrm that PEAP-MSCHAPv2 is the authentication protocol used if RADIUS is congured.
aaaconfig --show
RADIUS CONFIGURATIONS
=====================
Position : 1
Server : 10.38.37.188
Port : 1812
Secret : Yf0BKEhsc83gp+kIoGMQ/g==
Timeout(s) : 3
Auth-Protocol : PEAP-MSCHAPv2
Encryption level : 1
NOTE
PEAP-MSCHAPv2 is a secure authentication method that uses TLS as the tunnel for authentication.
g) Conrm that IP lter rules are applied.
ipfilter --show
Name: restrict_v4, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any udp 123 permit
Name: restrict_v6, Type: ipv6, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any udp 123 permit
h) Verify that all the necessary auditcfg classes are configured.
auditcfg --show
Audit filter is enabled.
1-ZONE
2-SECURITY
3-CONFIGURATION
4-FIRMWARE
5-FABRIC
7-LS
8-CLI
9-MAPS
Severity level: INFO
6. Verify that the Syslog server is still present and is using the secure mode port.
admin> syslogadmin --show -ip
syslog.1 kali-3dot0.englab.brocade.com secure: port 6514
7. In the event of a system failure, follow the steps in the Brocade Fabric OS Troubleshooting and Diagnostics Guide, 8.2.0, Publication #53-1005252-03, 10 April 2018.
The commands used in that guide can be executed with the admin role. Make sure to use SCP to transfer debug logs.
8. Do not use Telnet for any remote management operations.
9. Do not use SNMP for monitoring or data collection.
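The checks in steps 5g, 5h and 6 can be automated by parsing the command output. The following script is an added example and not Brocade's code: paste the real output of ipfilter --show, auditcfg --show and syslogadmin --show -ip into the three functions; the sample outputs embedded below are constructed after the formats shown in this guide, and the syslog host name is a placeholder.

```python
import re
# Values from the checklist in this guide: audit classes 1-5 and 7-9, only
# SSH (tcp/22) and NTP (udp/123) permitted, secure syslog on port 6514.
REQUIRED_AUDIT_CLASSES = {1, 2, 3, 4, 5, 7, 8, 9}
ALLOWED_PORTS = {("tcp", "22"), ("udp", "123")}
SYSLOG_PORT = "6514"
POLICY_RE = re.compile(r"^Name:\s*(\S+),\s*Type:\s*\S+,\s*State:\s*(\S+)")
RULE_RE = re.compile(r"^\s*\d+\s+\S+\s+(\w+)\s+(\S+)\s+(\w+)\s*$")

def check_ipfilter(text):
    """Flag any active IP filter policy that permits more than SSH and NTP."""
    findings, policy, state = [], None, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy, state = m.groups()
            continue
        m = RULE_RE.match(line)
        if m and state == "active":
            proto, port, action = m.groups()
            if action == "permit" and (proto, port) not in ALLOWED_PORTS:
                findings.append(f"{policy}: permits {proto}/{port}")
    return findings

def check_auditcfg(text):
    """Flag a disabled audit filter or any missing required audit class."""
    findings = [] if "Audit filter is enabled." in text else ["audit filter is not enabled"]
    present = {int(n) for n in re.findall(r"^(\d+)-[A-Z]+", text, re.M)}
    if REQUIRED_AUDIT_CLASSES - present:
        findings.append(f"audit classes missing: {sorted(REQUIRED_AUDIT_CLASSES - present)}")
    return findings

def check_syslog(text):
    """Flag any syslog server entry that is not in secure mode on port 6514."""
    findings = []
    for host, rest in re.findall(r"^syslog\.\d+\s+(\S+)(.*)$", text, re.M):
        if not re.search(rf"secure:\s*port\s+{SYSLOG_PORT}\b", rest):
            findings.append(f"syslog server {host} not secure on port {SYSLOG_PORT}")
    return findings

def check_all(ipfilter_out, auditcfg_out, syslog_out):
    """Run all three checks; an empty list means the pasted outputs comply."""
    return check_ipfilter(ipfilter_out) + check_auditcfg(auditcfg_out) + check_syslog(syslog_out)

# Constructed samples in the guide's output format; the inactive default_v4 policy is ignored.
IPFILTER_OK = ("Name: restrict_v4, Type: ipv4, State: active\n1 any tcp 22 permit\n2 any udp 123 permit\n"
               "Name: default_v4, Type: ipv4, State: defined\n1 any tcp 23 permit\n")
AUDITCFG_OK = ("Audit filter is enabled.\n1-ZONE\n2-SECURITY\n3-CONFIGURATION\n4-FIRMWARE\n"
               "5-FABRIC\n7-LS\n8-CLI\n9-MAPS\nSeverity level: INFO\n")
SYSLOG_OK = "syslog.1 syslog.example.test secure: port 6514\n"  # placeholder host
```

check_all(IPFILTER_OK, AUDITCFG_OK, SYSLOG_OK) returns an empty list for the compliant samples; each string it returns otherwise names the policy, audit class or syslog entry that deviates from the checklist.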
Draft: Broadcom Condential
Brocade Fabric OS BSI User Guide, 8.2.0x
20 FOS-820X-BSI-UG100
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25

Broadcom Brocade Fabric OS BSI 8.2.0x User guide

Type
User guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI