ST Vid10922 Agd

This document provides supplemental guidance for administering the Ciena 6500 Packet Optical Platform in its evaluated Common Criteria configuration. It defines the evaluated Target of Evaluation (TOE) components and operational environment. The document gives instructions for secure initial acceptance, installation and configuration of the TOE. It also provides guidance on secure management functions including authentication, auditing, updates and operational modes that were included in the security evaluation.

Ciena 6500 Packet Optical Platform

Supplemental Administrative Guidance for Common Criteria
Version 1.0
August 10, 2018

Ciena Corporation
7035 Ridge Road
Hanover, MD 21076

Prepared By:

Cyber Assurance Testing Laboratory
1100 West Street
Laurel, MD 20707
Contents
1 Introduction ........................................................................................................................................... 3
2 Intended Audience ................................................................................................................................ 3
3 Terminology .......................................................................................................................................... 3
4 References ............................................................................................................................................. 4
5 Evaluated Configuration of the TOE .................................................................................................... 4
5.1 TOE Components.......................................................................................................................... 4
5.2 Supporting Environmental Components ....................................................................................... 5
5.3 Assumptions.................................................................................................................................. 5
6 Secure Acceptance, Installation, and Configuration ............................................................................. 6
6.1 Initial Configuration...................................................................................................................... 6
6.2 Power-On Self Tests ..................................................................................................................... 7
6.3 Cryptographic Configuration Notice ............................................................................................ 7
6.4 Disable Insecure Services ............................................................................................................. 8
7 Secure Management of the TOE ........................................................................................................... 9
7.1 Authenticating to the TOE ............................................................................................................ 9
7.1.1 Configuring an Authorized User with a Public Key ............................................................. 9
7.1.2 Generate SSH Public/Private Keypair ................................................................................ 12
7.1.3 Configuring a Known Host with a Public Key ................................................................... 13
7.1.4 Configuring SSH Server and Client Parameters ................................................................. 15
7.1.5 SSH/SFTP Server & Client (System) RSA Keys ............................................................... 18
7.2 Failed Authentication Lockout.................................................................................................... 19
7.3 User Accounts and User Management ........................................................................................ 20
7.4 Password Management ............................................................................................................... 21
7.5 Login Banner .............................................................................................................................. 22
7.6 Session Termination.................................................................................................................... 23
7.6.1 Admin Logout ..................................................................................................................... 23
7.6.2 Termination from Inactivity ................................................................................................ 23
7.7 System Time Configuration ........................................................................................................ 24
7.8 Secure Updates............................................................................................................................ 24
8 Auditing .............................................................................................................................................. 25
8.1 Audit Storage .............................................................................................................................. 32
8.1.1 Example Audit retrieval script ............................................................................................ 32
9 Operational Modes .............................................................................................................................. 34
10 TL1 Commands .............................................................................................................................. 34
11 Additional Support .......................................................................................................................... 36

Table of Tables
Table 1: Hardware Model Information ......................................................................................................... 5
Table 2: Evaluated Components of the Operational Environment ............................................................... 5
Table 3: Ciena 6500 Auditable Events ....................................................................................................... 32

1 Introduction
The Ciena 6500 S-Series and D-Series Packet Optical Platform, the Target of Evaluation (TOE), is a
family of standalone hardware devices that run VxWorks and provide OSI Layer 0/1/2 network traffic
management services. The collaborative Protection Profile for Network Devices, version 2.0 + Errata
20180314 [NDcPP] defines a network device as “a device composed of both hardware and software that
is connected to the network and has an infrastructure role within the network”. Additionally, the NDcPP
says that example devices that fit this definition include routers, firewalls, intrusion detection systems,
and switches.
As a Common Criteria evaluated product, this guidance serves to define the ‘evaluated configuration’ in
which the evaluation was performed and to summarize how to perform the security functions that were
tested as part of the evaluation.

2 Intended Audience
This document is intended for administrators responsible for installing, configuring, and/or operating
Ciena 6500. Guidance provided in this document allows the reader to deploy the product in an
environment that is consistent with the configuration that was evaluated as part of the product’s Common
Criteria (CC) testing process. It also provides the reader with instructions on how to exercise the security
functions that were claimed as part of the CC evaluation. The reader is also expected to be familiar with
the general operation of the Ciena 6500 product. This supplemental guidance includes references to
Ciena’s standard documentation set for the product and does not explicitly reproduce materials located
there.
The reader is also expected to be familiar with the Ciena 6500 Packet Optical Platform Security Target
and the general CC terminology that is referenced in it. This document references the Security Functional
Requirements (SFRs) that are defined in the Security Target document and provides instructions for how
to perform the security functions that are defined by these SFRs. The Ciena 6500 product as a whole
provides a great deal of security functionality but only those functions that were in the scope of the
claimed PP are discussed here. Any functionality that is not described here or in the Ciena 6500 Packet
Optical Platform Security Target was not evaluated and should be exercised at the user’s risk.

3 Terminology
In reviewing this document, the reader should be aware of the terms listed below. These terms are also
described in the Ciena 6500 Packet Optical Platform Security Target.
CC: stands for Common Criteria. Common Criteria provides assurance that the process of specification,
implementation and evaluation of a computer security product has been conducted in a rigorous and
standard and repeatable manner at a level that is commensurate with the target environment for use.
SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part
of the CC process.

TOE: stands for Target of Evaluation. This refers to the aspects of the Ciena 6500 product that contain
the security functions that were tested as part of the CC evaluation process.

4 References
The following security-relevant documents are included with the TOE. This is part of the standard
documentation set that is provided with the product. Documentation that is not related to the functionality
tested as part of the CC evaluation is not listed here.
[1] Ciena 6500 Packet-Optical Platform Administration and Security Release 12.3
[2] Ciena 6500 Packet-Optical Platform TL1 Command Definition Release 12.3
[3] Site Manager for Ciena 6500 Packet-Optical Platform Fundamentals Release 12.3
[4] Suite of Hardware Installation Manuals Release 12.3:
a) General Information
b) 2, 7, 14, & 32 Slot Shelves (individual documents)
The following document was created in support of the Ciena 6500 CC evaluation:
[5] Ciena 6500 Packet Optical Platform Security Target

5 Evaluated Configuration of the TOE


This section lists the components that have been included in the TOE’s evaluated configuration, whether
they are part of the TOE itself, environmental components that support the security behavior of the TOE,
or non-interfering environmental components that were present during testing but are not associated with
any security claims:

5.1 TOE Components


The TOE is Ciena 6500 Packet Optical Platform, running software version Release 12.3. Ciena 6500 devices are
standalone hardware network appliances that run VxWorks. This is a family of products that contains the
following hardware models:

Model Type      Model Part #   SP2 Service Card                SPAP2 Service Card
                               (PowerQUICC II Processor        (PowerQUICC II Processor
                               with VxWorks 6.3: NTK555CA,     with VxWorks 6.1: NTK555NA,
                               NTK555EA, NTK555FA)             NTK555NB)
2-slot Type 2   NTK503LA       No                              Yes
7-slot          NTK503PA       Yes                             No
7-slot Type 2   NTK503KA       No                              Yes
6500-7          NTK503RA       Yes                             No
14-slot         NTK503BA       Yes                             No
                NTK503CA
                NTK503CC
                NTK503GA
                NTK503AD
                NTK503BD
                NTK503CD
                NTK503SA
32-slot         NTK603AA       Yes                             No
                NTK603AB
Table 1: Hardware Model Information

5.2 Supporting Environmental Components


The following table lists components and applications in the environment that the TOE relies upon in
order to function properly:
Component                Definition
Management Workstation   Any general-purpose computer that is used by an administrator to manage the TOE.
                         The TOE can be managed remotely, in which case the management workstation
                         requires an SSH client, or locally, in which case the management workstation must
                         be physically connected to the TOE using the serial port and must use a terminal
                         emulator that is compatible with serial communications. Alternatively, the
                         workstation can physically connect to the TOE using the craft port, which is an
                         Ethernet port through which the TOE can be managed locally using a SSH Client.
Audit Server             A general-purpose computer that runs a script to pull audit records from the TOE
                         automatically, using the TL1 interface over SSH.
Update Server            A server running the secure file transfer protocol (SFTP) server that is used as a
                         location for storing product updates that can be transferred to the TOE.
Site Manager             The Site Manager software provides a graphical interface to the TL1 interface for
                         managing the TOE. The Site Manager software is installed on the Management
                         workstation and uses an SSH channel to connect to the TOE.
Table 2: Evaluated Components of the Operational Environment

5.3 Assumptions
In order to ensure the product is capable of meeting its security requirements when deployed in its
evaluated configuration, the following conditions must be satisfied by the organization, as defined in the
claimed Protection Profile:
• Physical security: The Ciena 6500 product does not claim any sort of physical tamper-evident or
tamper-resistant security mechanisms. Therefore, it is necessary to deploy the product in a locked
or otherwise physically secured environment so that it is not subject to untrusted physical
modification.
• Limited functionality: The Ciena 6500 product must only be used for its intended networking
purpose. General purpose computing applications, especially those with network-visible
interfaces, may compromise the security of the product if introduced.
• No through traffic protection: The security boundary of the Common Criteria evaluation is
limited to traffic flowing to or from the TOE. The intent is for Ciena 6500 to protect data that
originates on or is destined to the device itself, to include administrative data and audit data.
Traffic that is traversing the network device, destined for another network entity, is not covered
by the NDcPP. It is assumed that this protection will be covered by cPPs for particular types of
network devices (e.g., firewall).
• Trusted administration: The Ciena 6500 product does not provide a mechanism to protect
against the threat of a rogue or otherwise malicious administrator. Therefore, it is the
responsibility of the organization to perform appropriate vetting and training for security
administrators prior to granting them the ability to manage the product.
• Regular updates: Ciena provides regular product updates for the Ciena 6500 product that
include bug fixes as well as functionality and security enhancements. It is expected that
administrators are reasonably diligent in ensuring that software patches are applied regularly as
they are made available.
• Secure admin credentials: Ciena 6500 protects the administrator’s credentials stored on Ciena
6500 that are used to access it. Additionally, it is assumed that any administrative credentials
maintained by an environmental SFTP Server are secured in order to mitigate the risk of
impersonation.
• Residual information: It is the responsibility of the administrator to ensure that there is no
unauthorized access possible for sensitive residual information (e.g. cryptographic keys, keying
material, PINs, passwords etc.) on networking equipment when the equipment is discarded or
removed from its operational environment.

6 Secure Acceptance, Installation, and Configuration


Documentation for how to order and acquire the TOE is described under the Support and Next Steps link
on the Ciena website https://www.ciena.com/. Section 5.1 of this document lists the properties that are
associated with the TOE. When receiving delivery of the TOE, this documentation should be checked as
part of the acceptance procedures so that the correctness of the hardware can be verified.

6.1 Initial Configuration


Physical installation and first-time setup of the TOE can be accomplished by the steps outlined in [1].
Additionally, the following steps are needed to provide the initial out-of-the-box configuration:

1. Authenticate to the TOE via TELNET using the Site Manager client on the management workstation.
2. Specify the IP address of the TOE.
3. Authenticate using the default credentials (case sensitive):
Username: ADMIN
Password: ADMIN
4. Execute the following command to enable cryptographic key zeroization capability:
ED-SECU:::CTAG:::ZEROIZEMODE=ENABLED;

Once the TOE is physically installed, it is recommended that an administrator acquire the software image
for the current version from Ciena and perform a software upgrade to the current version. Depending on
when the device was manufactured, Ciena 6500 may have a different software version initially installed
on it. The TOE will need to be booted and the procedures in [1] must be followed to complete the
installation of Ciena 6500 software.

The Security Administrator must also perform the actions defined in [1] to prepare to access the TOE
remotely and change the passwords for the default Security Administrator account using the Site
Manager.

6.2 Power-On Self Tests


The TOE runs a series of self-tests during initial start-up to verify its correct operation. As part of the
startup of the TOE, the TOE will perform a series of known answer tests, pair-wise consistency tests,
continuous random number generator tests, and SP 800-90B health tests to verify the correct functionality of
the cryptographic functions. Additionally, the TOE performs a software integrity check (SHA-384). In the
event that a POST fails, the TOE will create a log to indicate which self-test failed. The TOE will attempt
to reboot to resolve the issue. If the TOE has been corrupted or the hardware has failed such that
rebooting will not resolve the issue, an Administrator will need to contact Ciena support per the guidance
in Section 11.
These tests and the responses to failures are sufficient to ensure that the TSF is functioning in the manner
that is described in the Security Target because they will detect unauthorized modification of the TOE
software image and detect improperly functioning cryptography which could lead to insecure trusted
channels.

6.3 Cryptographic Configuration Notice


The administrator installing the TOE is expected to perform all of the operations in Sections 6.1 and 6.2
of this document. This will result in the TOE’s cryptographic operations being limited to the claims made
within the Common Criteria evaluation. There is no further configuration required on the TOE’s
cryptographic engine, as the TOE comes pre-configured to meet many of the Common Criteria
requirements. The TOE is preconfigured to enforce the use of the selected DRBG, key generation and key
establishment schemes, key sizes, hash sizes, and ciphersuites as defined in the Security Target.
The Diffie-Hellman shared secret, Diffie-Hellman private exponent, and SSH session key are generated
by the TOE and stored in volatile memory (RAM). These keys are destroyed by a single direct overwrite
consisting of zeroes, which is read back to verify the success of the zeroization before the memory is
released with free(). These keys are zeroized immediately after they are no longer needed (i.e. connection
terminated or re-key), when the TOE is shut down, and when power is lost.
The SSH private key is encrypted with a 256-bit AES key before being stored in non-volatile storage.
This symmetric key is stored as two halves. One half is stored in flash on the shelf processor, the other
half is stored in another device on the backplane, separate from the shelf processor. If the INIT-
ZEROIZE TL1 command is invoked by the Security Administrator, the AES encryption key is destroyed
by a single direct overwrite consisting of zeroes, which is read back to verify the success of the zeroization.
This effectively destroys the SSH keys, as the encrypted SSH private key is then not recoverable. Alternatively,
the existing SSH keys are destroyed if the Security Administrator generates new SSH keys using the
CRTE-SSH-KEYS command, which overwrites the old key with the newly generated one. There is only one
instance of the SSH keypair on the system at any time. There are no known instances where key
destruction does not happen as defined.

Section 6.4 has the administrator manually configure the remaining items (i.e., disabling protocols and
blocking ports). No other configuration requires further administrative action.
NOTE: The use of other cryptographic engines and cryptographic settings was not evaluated or tested
during the Common Criteria evaluation of the TOE.

6.4 Disable Insecure Services


In the evaluated configuration, certain services will need to be configured off on the TOE. The Security
Administrator will need to disable these services by performing the following steps:

Using the TL1 command:

1. Disable Telnet:
ED-TELNET:::CTAG:::SERVER=DISABLED;
2. Disable HTTP, HTTPS, REST, GRPC:
ED-HTTP::SHELF-1:1:::HTTP=OFF,HTTPS=OFF,REST=OFF,GRPC=OFF;
3. Disable SSH on port 20002:
ENT-PORTFILTER-GNE::PORTFILTER-1-1:ctag:::PROTO=TCP,DROPPORT=20002,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
4. Disable SSH on port 20003:
ENT-PORTFILTER-GNE::PORTFILTER-1-2:ctag:::PROTO=TCP,DROPPORT=20003,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
5. Disable SSH on port 20040:
ENT-PORTFILTER-GNE::PORTFILTER-1-3:ctag:::PROTO=TCP,DROPPORT=20040,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
6. Disable SSH on port 28888:
ENT-PORTFILTER-GNE::PORTFILTER-1-4:ctag:::PROTO=TCP,DROPPORT=28888,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
7. Disable SSH on port 32769:
ENT-PORTFILTER-GNE::PORTFILTER-1-5:ctag:::PROTO=TCP,DROPPORT=32769,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
8. Disable NTP on port 123:
ENT-PORTFILTER-GNE::PORTFILTER-1-6:1:::PROTO=UDP,DROPPORT=123;
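The eight commands above share the TL1 layout used throughout this guide: a verb, then colon-separated blocks (target identifier, access identifier, correlation tag), with keyword=value parameters in the last block and a terminating semicolon. The following is an added Python example, not code from the guide or from Ciena, that parses that layout and then checks a command set against the Section 6.4 checklist, so an operator can confirm that a saved hardening script still disables every listed service and port. The block-splitting rule is the general TL1 convention; the simplifying assumption that no value contains ':' or ',' holds for every command in this guide.

```python
# Added example (not part of the Ciena guidance): a minimal parser for the
# TL1 command syntax used in this guide and a check that a set of commands
# covers everything Section 6.4 requires to be disabled.

# The eight commands from Section 6.4, one per line (print line-wrapping removed).
HARDENING_COMMANDS = """
ED-TELNET:::CTAG:::SERVER=DISABLED;
ED-HTTP::SHELF-1:1:::HTTP=OFF,HTTPS=OFF,REST=OFF,GRPC=OFF;
ENT-PORTFILTER-GNE::PORTFILTER-1-1:ctag:::PROTO=TCP,DROPPORT=20002,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
ENT-PORTFILTER-GNE::PORTFILTER-1-2:ctag:::PROTO=TCP,DROPPORT=20003,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
ENT-PORTFILTER-GNE::PORTFILTER-1-3:ctag:::PROTO=TCP,DROPPORT=20040,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
ENT-PORTFILTER-GNE::PORTFILTER-1-4:ctag:::PROTO=TCP,DROPPORT=28888,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
ENT-PORTFILTER-GNE::PORTFILTER-1-5:ctag:::PROTO=TCP,DROPPORT=32769,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
ENT-PORTFILTER-GNE::PORTFILTER-1-6:1:::PROTO=UDP,DROPPORT=123;
"""

# Checklist taken from Section 6.4: ports that must be dropped and HTTP
# services that must be OFF.
REQUIRED_PORT_DROPS = {("TCP", "20002"), ("TCP", "20003"), ("TCP", "20040"),
                       ("TCP", "28888"), ("TCP", "32769"), ("UDP", "123")}
REQUIRED_HTTP_OFF = ("HTTP", "HTTPS", "REST", "GRPC")


def parse_tl1(command):
    """Split 'VERB:TID:AID:CTAG:...:KEY=VALUE,...;' into its parts.
    Assumption: no ':' or ',' appears inside a value (true for this guide)."""
    command = command.strip()
    if not command.endswith(";"):
        raise ValueError("TL1 command must end with ';': %r" % command)
    fields = command[:-1].split(":")
    if len(fields) < 4:
        raise ValueError("expected at least verb, tid, aid and ctag: %r" % command)
    verb, tid, aid, ctag = fields[:4]
    params = {}
    # Keyword parameters live in the last block; positional blocks are ignored here.
    if len(fields) > 4 and "=" in fields[-1]:
        for item in fields[-1].split(","):
            key, _, value = item.partition("=")
            params[key.strip()] = value.strip().strip('"')
    return {"verb": verb, "tid": tid, "aid": aid, "ctag": ctag, "params": params}


def parse_script(text):
    """Parse one TL1 command per non-empty line."""
    return [parse_tl1(line) for line in text.splitlines() if line.strip()]


def hardening_gaps(commands):
    """Return the Section 6.4 items the parsed commands do NOT satisfy;
    an empty list means the full set is present."""
    gaps = []
    if not any(c["verb"] == "ED-TELNET" and c["params"].get("SERVER") == "DISABLED"
               for c in commands):
        gaps.append("telnet server still enabled")
    for svc in REQUIRED_HTTP_OFF:
        if not any(c["verb"] == "ED-HTTP" and c["params"].get(svc) == "OFF"
                   for c in commands):
            gaps.append("%s not turned off" % svc)
    dropped = {(c["params"].get("PROTO"), c["params"].get("DROPPORT"))
               for c in commands if c["verb"] == "ENT-PORTFILTER-GNE"}
    for proto, port in sorted(REQUIRED_PORT_DROPS - dropped):
        gaps.append("no port filter for %s/%s" % (proto, port))
    return gaps


if __name__ == "__main__":
    print(hardening_gaps(parse_script(HARDENING_COMMANDS)))   # []
```

Running the check against a script with the last line deleted reports `no port filter for UDP/123`, which is the kind of drift a periodic review of the stored hardening commands should catch.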

7 Secure Management of the TOE
The following sections provide information on managing TOE functionality that is relevant to the claimed
Protection Profile. Management of the TOE can be accomplished through a local or remote connection.
Either connection uses the TL1 interface. Note that this information is largely derived from [1], [2], and
[5] but summarized here to discuss only actions that are required as part of the ‘evaluated configuration’.
The Security Administrator is encouraged to reference these documents in full in order to have in-depth
awareness of the security functionality of the Ciena 6500, including functions that may be beyond the
scope of this evaluation.

7.1 Authenticating to the TOE


The TOE requires the use of locally-defined authentication credentials. Users are not allowed to perform
any security-relevant functions on the TOE without first being successfully identified and authenticated
by the TOE’s authentication method. At initial login, via a TL1 ACT-USER command, the user provides
the username and is then prompted to provide the administrative password associated with the user
account. The TOE then either grants administrative access (if the combination of username and credential
is correct) or indicates that the login was unsuccessful. The TOE stores username and password hash
data in the local storage for the TL1 interfaces. A warning banner is displayed prior to any login attempt.
The TL1 interface is protected by SSHv2 and users must authenticate using an SSH public key. Connecting to the
TOE with SSHv2 requires the SSH client to support:
• Encryption algorithms: aes128-cbc, aes256-cbc, aes128-ctr, and/or aes256-ctr
• Public key algorithm: ssh-rsa
• MAC algorithms: hmac-sha1-96, hmac-sha1, and/or hmac-sha2-256 (all other MAC algorithms
are rejected and “none” is not allowed)
• Key exchange method: diffie-hellman-group14-sha1
There are no special actions required in the event of a communications outage. Simply re-establish the
SSH connection and log into the TOE if the connection does not re-establish automatically.
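Whether a given client can reach the TOE at all is decided by the SSH algorithm negotiation of RFC 4253 section 7.1: for each category the first algorithm on the client's list that the server also supports is chosen, and an empty intersection in any category aborts the connection. The following is an added Python example, not code from the guide or from Ciena, that applies that rule to the TOE's algorithm set so an administrator can predict, before touching the device, whether a management workstation's client configuration will connect. Algorithm names use the IANA SSH identifiers (the TL1 setting HMAC=SHA2_256&SHA1&SHA1_96 in Section 7.1.2 corresponds to the three MACs listed); both client offers below are constructed for illustration.

```python
# Added example (not part of the Ciena guidance): models RFC 4253 section 7.1
# algorithm negotiation against the algorithm set this guide says the TOE
# accepts, to predict whether a client's offer will connect.

# What the guide says the TOE supports, using IANA SSH algorithm names.
TOE_SUPPORTED = {
    "kex": ["diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "cipher": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"],
}


def pick_algorithm(client_list, server_list):
    """RFC 4253 rule: the first algorithm in the client's preference order
    that the server also supports is chosen; None means no common algorithm."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def negotiate(client_offer, server_supported=TOE_SUPPORTED):
    """Chosen algorithm per category; a None entry means the handshake fails."""
    return {cat: pick_algorithm(client_offer.get(cat, []), server_supported[cat])
            for cat in server_supported}


def negotiation_failures(client_offer, server_supported=TOE_SUPPORTED):
    """Sorted list of categories with no common algorithm (empty = connects)."""
    chosen = negotiate(client_offer, server_supported)
    return sorted(cat for cat, alg in chosen.items() if alg is None)


# Constructed offer resembling a recent OpenSSH client that no longer offers
# SHA-1 key exchange or ssh-rsa signatures by default.
MODERN_DEFAULT = {
    "kex": ["curve25519-sha256", "diffie-hellman-group16-sha512"],
    "host_key": ["ssh-ed25519", "rsa-sha2-256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}

# Constructed offer of a client profile pinned to the TOE's evaluated
# algorithms (what an OpenSSH Host stanza with explicit KexAlgorithms,
# HostKeyAlgorithms, Ciphers and MACs would produce).
PINNED_FOR_TOE = {
    "kex": ["diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "cipher": ["aes256-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-256"],
}

if __name__ == "__main__":
    print("default client fails on:", negotiation_failures(MODERN_DEFAULT))  # ['host_key', 'kex']
    print("pinned client chooses:  ", negotiate(PINNED_FOR_TOE))
```

The default offer fails in the key exchange and host key categories even though a cipher and a MAC are in common, which is why a client that connects to other hosts fine may be refused by the TOE; the pinned profile negotiates cleanly in all four categories.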

7.1.1 Configuring an Authorized User with a Public Key


This is a prerequisite that must be completed prior to setting the SSH Server authentication method to
public key. At least one SSH/SFTP User with public key (authorized user entry) must be configured
before public key authentication can be used by the SSH/SFTP Server (i.e., before setting SSH Server
“Server Auth” to Public Key).
Using TL1 commands:
a) ENT-SSH-AUTHUSER::SHELF-1:54:::KEY="AAAAB3NzaC1yc2EAAAABJQAAAQEAjNLGsKswyQWNPdnnA3ccTsGougkPhvgXgChKmEUT5kZr5kfZU11Lv6BlVkK1cKkceafL2tWpbE0UX4cyF23yrfz2jLQJQ9Z8rUYfY3L1EzHUwTaFCdXeS5+hL+y2oTVUuyxU6O5TIn86TLrbUs/M2vmgH53vnbuK2MBajYXtIDmf3NRriC6nt9oL7N0tI944iGnU9G5wn7oHe428Kc/2DkSHDw4cbV9Hw3Ohx3UGeRxINSjT+ho49xYWHKSmHxdJDBkCrSGE5ak/Zgse/xDv8xscy22NsJrXst06Ob5QE1PX7LbHNukF4EsM3aUn0Pl3p2VpBMB8E4etd95+WO4teQ==",USERID="userid";
b) RTRV-SSH-AUTHUSER::SHELF-1:55;
c) DLT-SSH-AUTHUSER::SHELF-1:56:::USERID="userid";
NOTE: “userid” is the User’s ID.

Using the Site Manager:


1. Security > Manage Keys > SSH/SFTP Users > Add

Logging in using RSA private/public key pair:
1. File > Login

NOTE: New users are required to change their passwords after successfully logging in for the first time.

7.1.2 Generate SSH Public/Private Keypair


1. Authenticate as a user with the appropriate privilege level for the following TL1 commands (UPC 4):
ACT-USER::UID:CTAG::PID:DOMAIN=LOCAL;
2. Execute the following TL1 command for the TOE SSH server to authenticate a user with a RSA
public key generated in Step 1:
ENT-SSH-AUTHUSER:::CTAG:::USERID=userid,KEY=publickey;
For example:
ENT-SSH-AUTHUSER:::CTAG:::USERID="ADMIN",KEY="AAAAB3NzaC1yc2EAAAABJQAAAQEAjNLGsKswyQWNPdnnA3ccTsGougkPhvgXgChKmEUT5kZr5kfZU11Lv6BlVkK1cKkceafL2tWpbE0UX4cyF23yrfz2jLQJQ9Z8rUYfY3L1EzHUwTaFCdXeS5+hL+y2oTVUuyxU6O5TIn86TLrbUs/M2vmgH53vnbuK2MBajYXtIDmf3NRriC6nt9oL7N0tI944iGnU9G5wn7oHe428Kc/2DkSHDw4cbV9Hw3Ohx3UGeRxINSjT+ho49xYWHKSmHxdJDBkCrSGE5ak/Zgse/xDv8xscy22NsJrXst06Ob5QE1PX7LbHNukF4EsM3aUn0Pl3p2VpBMB8E4etd95+WO4teQ==";
3. Enter the following TL1 command to enable SSH public key authentication on the TOE and
restrict the TOE SSH algorithms to those claimed in the Security Target:
ED-SSH:::CTAG:::KEYEXCMETHOD=DH-GROUP14,CIPHER=AES128CTR&AES256CTR&AES128CBC&AES256CBC,SERVER=ENABLED,HMAC=SHA2_256&SHA1&SHA1_96,IDLETIMEOUT=30,MAXSESSIONS=3,LOGLEVEL=2,KEYREX=Y,HOSTKEYALG=RSA,SRVRAUTH=PUBKEY;
4. (Optional) For TOE SSH Client to authenticate to a server with a RSA public key, retrieve the
internally generated public key:
CRTE-SSH-KEYS:::CTAG:::KEYSIZE=2048,KEYTYPE=RSA;
RTRV-SSH-PUBKEY:::CTAG;

7.1.3 Configuring a Known Host with a Public Key


This step is needed if the SSH/SFTP Client is set to validate the SSH/SFTP Server public key. At least
one SSH/SFTP Hosts entry with public key is needed prior to enabling SSH Client Host Key Validation.

Using TL1 commands:


1. ENT-SSH-HOSTKEY::SHELF-1:77:::HOST="192.168.0.2",KEY="AAAAB3NzaC1yc2EAAAABJQAAAQEAjNLGsKswyQWNPdnnA3ccTsGougkPhvgXgChKmEUT5kZr5kfZU11Lv6BlVkK1cKkceafL2tWpbE0UX4cyF23yrfz2jLQJQ9Z8rUYfY3L1EzHUwTaFCdXeS5+hL+y2oTVUuyxU6O5TIn86TLrbUs/M2vmgH53vnbuK2MBajYXtIDmf3NRriC6nt9oL7N0tI944iGnU9G5wn7oHe428Kc/2DkSHDw4cbV9Hw3Ohx3UGeRxINSjT+ho49xYWHKSmHxdJDBkCrSGE5ak/Zgse/xDv8xscy22NsJrXst06Ob5QE1PX7LbHNukF4EsM3aUn0Pl3p2VpBMB8E4etd95+WO4teQ==";
2. RTRV-SSH-HOSTKEY::SHELF-1:78;

Using the Site Manager:


1. Security > Manage Keys > SSH/SFTP Hosts > Add
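The KEY value given to ENT-SSH-AUTHUSER (Sections 7.1.1 and 7.1.2) and to ENT-SSH-HOSTKEY (above) is the base64 body of an OpenSSH public key line, which in turn is the RFC 4253 section 6.6 ssh-rsa blob: three RFC 4251 length-prefixed fields holding the key type, the public exponent e and the modulus n. The following is an added Python example, not code from the guide or from Ciena, that decodes that blob so the key type and modulus size can be checked against the evaluated configuration (ssh-rsa, RSA 2048) before an authorized-user or known-host entry is provisioned, and that extracts the KEY value from a full OpenSSH public key line. The sample key is the one printed in Section 7.1.1; the acceptance policy in `is_acceptable_for_toe` and the function names are this example's own.

```python
# Added example (not part of the Ciena guidance): decode the ssh-rsa public
# key blob that ENT-SSH-AUTHUSER / ENT-SSH-HOSTKEY accept in KEY= and check
# it against the evaluated configuration before provisioning it.
import base64
import struct

# The KEY value from Section 7.1.1 of this guide, joined into one line.
EXAMPLE_KEY = (
    "AAAAB3NzaC1yc2EAAAABJQAAAQEAjNLGsKswyQWNPdnnA3ccTsGou"
    "gkPhvgXgChKmEUT5kZr5kfZU11Lv6BlVkK1cKkceafL2tWpbE0UX4cyF23yrfz2jL"
    "QJQ9Z8rUYfY3L1EzHUwTaFCdXeS5+hL+y2oTVUuyxU6O5TIn86TLrbUs/M2vmgH53"
    "vnbuK2MBajYXtIDmf3NRriC6nt9oL7N0tI944iGnU9G5wn7oHe428Kc/2DkSHDw4c"
    "bV9Hw3Ohx3UGeRxINSjT+ho49xYWHKSmHxdJDBkCrSGE5ak/Zgse/xDv8xscy22Ns"
    "JrXst06Ob5QE1PX7LbHNukF4EsM3aUn0Pl3p2VpBMB8E4etd95+WO4teQ=="
)


def _read_string(blob, offset):
    """RFC 4251 'string': a big-endian uint32 length followed by that many bytes.
    Returns (bytes, next_offset) and refuses to read past the end of the blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of blob")
    return blob[start:end], end


def parse_ssh_public_key(b64):
    """Parse an ssh-rsa blob (RFC 4253 section 6.6): string "ssh-rsa", mpint e, mpint n."""
    blob = base64.b64decode(b64, validate=True)
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode("ascii")
    if key_type != "ssh-rsa":
        raise ValueError("unsupported key type %s" % key_type)
    e_bytes, off = _read_string(blob, off)   # mpint: big-endian, leading 0x00 if high bit set
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    return {"type": key_type, "e": e, "n": n, "bits": n.bit_length()}


def is_acceptable_for_toe(b64, min_bits=2048):
    """Constructed policy: accept only ssh-rsa keys with a modulus of at least
    min_bits and an odd public exponent greater than 1; malformed input is rejected."""
    try:
        key = parse_ssh_public_key(b64)
    except ValueError:
        return False
    return key["bits"] >= min_bits and key["e"] > 1 and key["e"] % 2 == 1


def key_from_openssh_line(line):
    """Return the KEY= value from an OpenSSH 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH ssh-rsa public key line")
    return parts[1]


if __name__ == "__main__":
    info = parse_ssh_public_key(EXAMPLE_KEY)
    print(info["type"], "e =", info["e"], "modulus bits =", info["bits"])  # ssh-rsa e = 37 modulus bits = 2048
```

The guide's sample key decodes as an RSA 2048 key with public exponent 37, consistent with the RSA (2048) keys Section 7.1.5 describes; a truncated or edited KEY value fails the length checks rather than being provisioned as a shorter key.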

7.1.4 Configuring SSH Server and Client Parameters
If the SSH Server is set to perform Public Key based authentication, at least one SSH/SFTP Users
(authorized user) entry must be configured. Similarly, if the SSH Client is set to perform host validation,
at least one SSH/SFTP Hosts (known host) entry must be configured.

Using TL1 Commands:


1. ED-SSH::SHELF-1:105:::KEYEXCMETHOD=DH-GROUP14,CIPHER=AES128CTR&AES256CTR&AES128CBC&AES256CBC,SERVER=ENABLED,HOSTVLD=Y,HMAC=SHA2_256&SHA1&SHA1_96,IDLETIMEOUT=30,MAXSESSIONS=3,LOGLEVEL=2,KEYREX=Y,HOSTKEYALG=RSA,SRVRAUTH=PUBKEY;

Using the Site Manager:


1. Configuration > Comms Setting Management > Services > Service Type: SSH/Telnet > Edit

7.1.5 SSH/SFTP Server & Client (System) RSA Keys
The system automatically generates RSA (2048) keys if they do not exist. New keys can be re-generated.
Note that although a DSA key pair is generated by and present in the system, it is not used on any
management interface (not used for any trusted path or trusted channel) if the SSH Host Key Algorithm is
set to RSA only.

Using TL1 commands:


1. RTRV-SSH-PUBKEY::ALL:71;
2. CRTE-SSH-KEYS::SHELF-1:61:::KEYSIZE=3072,KEYTYPE=RSA;
3. CHK-SSH-KEYS::SHELF-1:63;

Using the Site Manager:


1. Security > Manage Keys > SSH/SFTP Keys
2. Regenerate

7.2 Failed Authentication Lockout
In the evaluated configuration, the TOE will lock a remote administrative account when an administrator-
configured number of successive invalid login attempts has been made within an administrator-
configured time period. This applies to the remote TL1 interface, and the value for the number of failed
attempts is between 2 and 20 unsuccessful remote authentication attempts within 15 minutes. The TOE
prevents further authentication attempts until a Security Administrator with a UPC Level of 4 or higher
(UPC >=4) unlocks the account or the account is automatically unlocked after a configurable period of
between 0 and 7200 seconds, with 0 meaning no automatic locking, i.e. the user account is not locked out.

The TOE ensures that remote authentication failures do not prevent another Administrator from accessing
the TOE thus preventing a denial of service attack from taking place. By default, this is achieved by
exempting Security Administrators with a UPC >=4 from being locked out on local connections.

These settings can be configured by the Security Administrator with a UPC >=4 via the local or remote
TL1 interface by performing the following steps:

1. Authenticate to the TOE via the TL1.

2. Enter the following command to configure the number of successive unsuccessful authentication
attempts before the account is locked:
SET-ATTR-SECUDFLT:::CTAG:::IDSTATE=UBIDON,USRLCKOUTMDE=ALLREMUSRS,MXINV=5,DURAL=300;
NOTE: The 5 is the number of failed attempts, and the 300 is the number of seconds.

Even though the above setting is global to the system, the TOE maintains a counter per username for the
number of failed authentication attempts and tracks the time when each failed authentication attempt
occurs. If a valid password is provided before the failed attempt value is met, then authentication is
granted and the counter resets to zero. When a failed authentication attempt is older than the set time
period and the counter has not met the failed attempt value, the counter will be reduced by one failed
attempt. If the limit of failed authentication attempts is reached within the defined time period, the
account associated with the username will be locked. Once an account is locked, repeated attempts to
authenticate with that account will not work.

Once an account is locked, a Security Administrator with a UPC >=4 must unlock it via the TL1 interface
using the following command before further authentication attempts for that account are evaluated:

1. Authenticate to the TOE locally as the Administrator and run the following command to manually
unlock the account:
ALW-SECU-USER:::CTAG::<USER>:USERTYPE=LOCAL;

7.3 User Accounts and User Management


6500 provides two default user accounts: ADMIN and SURVEIL. These accounts should have their
default passwords modified, or the accounts should be replaced after initial commissioning. 6500 requires
at least one account with a UPC of 4 be provisioned on the system. Refer to “Local password
management” and “Setting/changing/removing the supervisory password” in [1] in order to change the
password or disable the default accounts.
The TOE requires the use of locally-defined authentication credentials. Users are not allowed to perform
any security-relevant functions on the TOE without first being successfully identified and authenticated
by the TOE. At initial login via the TL1 ACT-USER command, the user supplies a username and is then
prompted for the password associated with that account. The TOE then either grants administrative
access (if the username and credential are correct) or indicates that the login was unsuccessful.
All security management functions are controlled by the security level assigned to each Security
Administrator; the actions authorized for a particular administrator depend on that level. There are five
UPC security levels, Level 1 through Level 5, each with an assigned set of permissions that defines the
administrator's ability to manage the TOE. UPC Levels 4 and 5 provide the same capabilities, so System
Administrators should be provisioned at UPC Level 4 to have access to all commands. Security
Administrators can perform activities from either the local craft port interface or the remote interface.
The TL1 interface can be accessed remotely via SSH only. If administering the TOE locally via TL1 is
desired, the management workstation should be placed on the same dedicated local network as the TOE.
Section 2-1 under 'Security Levels' in [1] describes the various security levels and managing local and
remote user accounts.

7.4 Password Management


A Security Administrator can set the minimum permitted password length to any value between
8 and 128. In the evaluated configuration, passwords must have a minimum length of 15 characters or
greater. The accepted characters are upper and lower case letters, numbers, and the special characters
! @ # $ % ^ * ( ) " ' + - _ / < = > { } \ and ~.
In order to minimize the risk of account compromise, it is recommended to use a password that includes a
mixture of uppercase, lowercase, numeric, and special characters and is not a common word or phrase,
but is not so complex that it must be written down in order to be remembered.
The TOE supports three local password rules: Standard, Complex and Custom. The default is Standard
for the Ciena 6500.
Security Administrators with a UPC >=4 have the ability to set the password length to 15 characters (or
more) by performing the following steps:

Using the TL1 command:


1. Authenticate as user with appropriate privilege level for the following commands (UPC 4)
ACT-USER::UID:CTAG::PID:DOMAIN=LOCAL;
2. Execute the following TL1 command
ED-SECU-PWDRLS:::CTAG:::PLEN_MIN=15;

Using the Site Manager:

1. Authenticate to the TOE via the Site Manager.
2. Select the required network element in the navigation tree.
3. Select User Profile from the Security menu.
4. The existing user accounts for the selected network element appear in the User Profile
application. Only local users are displayed.
NOTE: The User Profile application is unavailable when connected directly to a member shelf of
a consolidated node.
5. Click Defaults to open the Default Security Parameters dialog box.
6. From the Local Password Rules drop-down list, select Custom.
7. Click OK.
8. Click Customs to open the Customized Security Parameters dialog box.
9. In the Minimum number of characters in password (8-15) field, enter the minimum number of 15
total characters required in each password.
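To check candidate passwords against the evaluated policy before provisioning accounts, the following Python checker (an added example, not Ciena code) enforces the accepted character set listed above together with the ED-SECU-PWDRLS parameters that appear in the DBCHG audit record in Section 8 (PLEN_MIN, PDIF, ALPHA_MIN, NUM_MIN, UPPERC_MIN, LOWERC_MIN, SPEC_MIN, REPEAT_CHAR_MAX). Three interpretations are assumptions, not statements from this document: a minimum of 0 disables that rule, REPEAT_CHAR_MAX=0 means no limit, and PDIF counts the character positions that differ from the previous password.

```python
import string

# Special characters accepted by the 6500, as listed in this section.
SPECIALS = set('!@#$%^*()"\'+-_/<=>{}\\~')
ALLOWED = set(string.ascii_letters) | set(string.digits) | SPECIALS

# Rule values from the ED-SECU-PWDRLS DBCHG record quoted in Section 8.
EVALUATED_RULES = {
    "ALPHA_MIN": 0, "PDIF": 1, "SPEC_MIN": 0, "PLEN_MIN": 15,
    "NUM_MIN": 0, "UPPERC_MIN": 0, "LOWERC_MIN": 0, "REPEAT_CHAR_MAX": 0,
}


def parse_pwdrls(command):
    """Turn 'ED-SECU-PWDRLS:SHELF-1::PLEN_MIN=15,PDIF=1' into a rule dict."""
    params = command.split("::", 1)[1]
    return {k: int(v) for k, v in (p.split("=") for p in params.split(","))}


def char_difference(new, old):
    # Positions that differ, plus any difference in length (assumption).
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(pw, rules=EVALUATED_RULES, previous=None):
    """Return the list of violated rule names; an empty list means accepted."""
    bad = []
    if set(pw) - ALLOWED:
        bad.append("CHARSET")
    if len(pw) < rules.get("PLEN_MIN", 8):
        bad.append("PLEN_MIN")
    counts = {
        "ALPHA_MIN": sum(c.isalpha() for c in pw),
        "NUM_MIN": sum(c.isdigit() for c in pw),
        "UPPERC_MIN": sum(c.isupper() for c in pw),
        "LOWERC_MIN": sum(c.islower() for c in pw),
        "SPEC_MIN": sum(c in SPECIALS for c in pw),
    }
    for name, have in counts.items():
        if have < rules.get(name, 0):           # 0 means the rule is off
            bad.append(name)
    rep = rules.get("REPEAT_CHAR_MAX", 0)
    if rep and pw and max(pw.count(c) for c in set(pw)) > rep:
        bad.append("REPEAT_CHAR_MAX")
    if previous is not None and char_difference(pw, previous) < rules.get("PDIF", 0):
        bad.append("PDIF")
    return bad


if __name__ == "__main__":
    for candidate in ("short1!", "Tr0ub4dor&xyzQ!", "CorrectHorse2018!"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

The second candidate is rejected only because '&' is not in the accepted set, which is the kind of surprise worth catching before an ED-SECU-USER command fails on the shelf.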

7.5 Login Banner


The TOE displays a configurable warning banner on the local and remote console prior to a user
supplying their authentication credentials. Remote authentication requires the use of SSH. The warning
banner is configured by a Security Administrator with a UPC >=4. Configuring instructions for the
banners are in Procedure 4-2 ‘Editing the Banner’ [1].
Using TL1 command:
1. RTRV-BANNER:::87:::BANNERTYPE=ACTIVE;
2. DLT-BANNER:::88;
3. SET-BANNER-LINE:::89::1,"text_message";
4. SET-BANNER-LINE:::90::2,"text_message";
5. SET-BANNER-LINE:::91::1,"text_message";
Using the Site Manager:
1. Configuration > Node Information > Login Banner > Edit

7.6 Session Termination
7.6.1 Admin Logout
The TOE provides the ability for administrators to manually terminate their own sessions. Both the TL1
interface and Site Manager use the CANC-USER command. These commands apply to both local and
remote usage. Additionally, when managing the TOE remotely, the terminal application used on the
management workstation will typically terminate the SSH session if the application itself is closed.
1. Authenticate to the TOE via the local console.
2. Execute the following command to terminate the session:
CANC-USER::<username>:CTAG;
3. Observe that the session has been terminated.

7.6.2 Termination from Inactivity


The Security Administrator with UPC >=4 can configure maximum inactivity times for both local and
remote administrative sessions. The idle timeout value is set per user account rather than globally
for all users. It is specified using the 'Timeout Interval' field when the user is created or modified
via the TL1 interface (the TMOUT=XXX parameter). By default, a user account is logged out after 30
minutes idle; the value can be set anywhere between 1 and 99 minutes and applies to both local and
remote connections. See [1] Procedure 2-2: Adding a user account for full instructions. In addition to
the per-user timeout, the SSH server has its own inactivity timer, also defaulting to 30 minutes, after
which a remote TL1 session is terminated. The following steps set the SSH timeout via the TL1 interface:
1. Authenticate to the TOE via SSH.
2. Execute the following command to change the SSH timeout value to the desired number of minutes:
ED-SSH:::CTAG:::IDLETIMEOUT=30;
NOTE: IDLETIMEOUT shown here is 30 minutes.

7.7 System Time Configuration


The TOE has an underlying hardware clock that is used for time keeping. In the evaluated configuration
of the TOE, the system time is expected to be manually set. The Security Administrator with UPC >=4
can configure all aspects of the clock using the local or remote TL1. To set the time manually, the
following steps are used:

1. Authenticate to the TOE via TL1.


2. Use the following TL1 command to edit the date and time:
ED-DAT:::CTAG::[yy-mm-dd],[hh-mm-ss];
3. Verify that the date and time was set by entering the following TL1 command:
RTRV-DAT:::CTAG;

7.8 Secure Updates


To maintain security throughout the lifecycle of the Ciena 6500 product, the TOE provides a mechanism
to apply software updates.
The TOE provides the ability for a Security Administrator with UPC >=3 to update its software from the
TL1 interface. The TOE, acting as the SSH client, uses SFTP over SSH to retrieve software updates from
an update server. This can be a server maintained by Ciena or one maintained by the organization
operating the TOE; in the latter case, updates are shipped on read-only physical media when made available
by Ciena and then loaded onto the update server, which must support SFTP over SSH, in the Operational
Environment. Updates are digitally signed and verified using ECDSA on the P-521 elliptic curve with
SHA-512. Once the update has been retrieved by the TOE, the digital signature of the software upgrade is
verified. If the digital signature verification fails, the upgrade process stops and the downloaded
software release is flushed from the device's temporary memory. After successful digital signature
validation, the Security Administrator loads the update into flash memory by executing the LOAD-UPGRD
command, where it remains until invoked. Invoking the update requires the Security Administrator to
execute the INVK-UPGRD command, which installs the upgrade on the shelf processor and reboots the TOE.
The Security Administrator then needs to reauthenticate to the TOE and commit the upgrade using the
CMMT-UPGRD command. Additionally, the TOE administrator can query the currently executing version and
the most recently installed version.
The TOE software is updated by the administrator performing the following steps:
1. Authenticate to the TOE via SSH.

2. Execute the following commands to output the current running and most recently installed TOE
software version:
RTRV-RELEASE:::CTAG;
RTRV-SW-VER:::CTAG;
3. Fetch the legitimate update by executing the following command. The URL carries the SFTP username
and password inline, so use a dedicated, least-privilege account on the update server for this purpose
and be aware that the credential is visible in the command line and in any terminal history or logging on
the management workstation:
DLVR-RELEASE:::CTAG::REL1230Z.TD:URL="SFTP://ciena:Ciena123!@192.168.2.122/home/ciena/Downloads",MINIMAL=Y;
4. Once the update has been fully fetched, execute the following command to load it into flash
memory:
LOAD-UPGRD:::CTAG::REL1230Z.TD:ALRMS=N;
5. Repeat Step 2 and confirm the current running version did not change, but that the most recently
installed TOE software version increased.
6. Execute the following command to install the new load on the shelf processor:
INVK-UPGRD:::CTAG;
7. After the TOE reboots, repeat Step 1 and execute the command in Step 6 to install the new load
on all the line cards.
8. Execute the following command to commit the upgrade:
CMMT-UPGRD:::CTAG;
9. Repeat Step 2 and confirm that both the current running version and most recently installed TOE
software version increased.

8 Auditing
In order to be compliant with Common Criteria, the TOE audits the events in the table below. Performing
the steps in Sections 6 and 7 of this document is all that is required for the TOE to generate the
required audit records, store them locally, and send them to an external SFTP Server.
The following is an example of an audit record that Ciena 6500 produces:
"SHELF-1:<133>1 2018-05-25T14:11:55.000786Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000185 SHELF-1:18-05-25,14-11-55:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"SURVEIL\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:52124\",STATUS=DENY,EVTDESCR=\"Invalid login\""

Each audit record contains the identifying information required by Common Criteria: the date and
time the event occurred (2018-05-25 14:11:55), the type of event (LOGEVENT=ACT-USER), the
subject identity (UID=\"SURVEIL\",UPC=1), the source (PORTTYPE=SSH,
PORTADDR=\"192.168.2.126:52124\"), and the outcome of the event (STATUS=DENY) with
detail (EVTDESCR=\"Invalid login\"). The leading <133> is the syslog priority value (facility 16,
severity 5, i.e. local0.notice) and the following address is the originating host field of the syslog
header; SECU, DBCHG and ALM identify the log type the record came from.
When reading the audit log, one must read from the bottom up for chronological order. Each record carries
a sequence number. For example, SHELF-1 000185 SHELF-1 indicates this record was assigned
sequence number 185 since booting. A record with SHELF-1 000000 SHELF-1 as its number is
the first record since booting, and the record before it is the last event prior to the reboot, such as a
shutdown or reboot command. This is important because some events produce multiple records to carry all of
the required information. For example:
"SHELF-1:<134>1 2018-05-23T14-01-50.000658Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000112 DBCHGSEQ=783,DATE=18-05-23,TIME=14-01-50,USERID=ADMIN,SOURCE=73,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SECU-PWDRLS:SHELF-1::ALPHA_MIN=0,PDIF=1,SPEC_MIN=0,PLEN_MIN=15,NUM_MIN=0,UPPERC_MIN=0,LOWERC_MIN=0,REPEAT_CHAR_MAX=0"
"SHELF-1:<134>1 2018-05-23T14-01-50.000647Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000111 SHELF-1:18-05-23,14-01-50:YEAR=2018,LOGNAME=SECU406,LOGEVENT=ED-SECU-PWDRLS,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"SHELF-1\""

To decipher this example, start from the lower record (SHELF-1 000111 SHELF-1): on 23 May 2018 the
user ADMIN, with a UPC of 4 and remotely connected over SSH from source address
192.168.2.124:3633, issued an edit security password rules command (ED-SECU-PWDRLS), which
completed successfully (STATUS=COMPLD).
The next audit record (000112) provides the values that were stored. Again it identifies who issued the
command (USERID=ADMIN) and that this is a database change (DBCHG) that completed successfully
(STATUS=COMPLD:ED-SECU-PWDRLS). The parameter values are:
ALPHA_MIN=0,PDIF=1,SPEC_MIN=0,PLEN_MIN=15,NUM_MIN=0,UPPERC_MIN=0,LOWERC_MIN=0,REPEAT_CHAR_MAX=0
That is, the minimum password length is set to 15 (PLEN_MIN) and each new password must differ from
the previous one by at least 1 character (PDIF). The minimum numbers of alphabetic, upper case, lower
case, numeric and special characters, and the maximum number of repeated characters, are all set to 0
(ALPHA_MIN, UPPERC_MIN, LOWERC_MIN, NUM_MIN, SPEC_MIN, REPEAT_CHAR_MAX).
See [2] for a complete list of user-initiated LOGEVENT values (TL1 commands) and their parameters, which
helps in deciphering audit records.
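A collector that ingests the syslog file has to split the header from the key=value body and then re-join the SECU record (who, from where, outcome) with the DBCHG record (what changed) that the text above describes. The following Python parser is an added example, not Ciena code; its sample lines are the three records shown above, and the pairing rule it uses (a DBCHG record carries the sequence number one above the SECU record for the same TL1 command) is an assumption drawn from those examples rather than a documented guarantee. The regular expressions are written for the record shapes in this section only.

```python
import re

# Header: <PRI>, optional version "1", timestamp (two shapes appear in the
# samples), source address, log type, node id, per-shelf sequence number.
HEADER = re.compile(
    r'^(?P<shelf>SHELF-\d+):<(?P<pri>\d+)>(?:1 )?'
    r'(?P<ts>\d{4}-\S+|[A-Z][a-z]{2} \d+ \S+) (?P<src>\S+) '
    r'(?P<type>SECU|DBCHG|ALM) (?P<node>\S+):SHELF-\d+ (?P<seq>\d{6}) (?P<body>.*)$'
)
# key=value pairs; quoted values are emitted as \"...\" in the syslog text
KV = re.compile(r'(\w+)=(?:\\"(.*?)\\"|([^,]*))')
# DBCHG body: bookkeeping fields, then STATUS=<x>:<TL1 command>:<aid>:<params>
DBCHG_CMD = re.compile(r'^(?P<head>.*?),STATUS=(?P<status>\w+):(?P<cmd>[A-Z0-9-]+):(?P<rest>.*)$')


def kv(text):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(text)}


def unwrap(line):
    """This document wraps every record in quotes; drop them if present."""
    line = line.strip()
    return line[1:-1] if line[:1] in ('"', '\u201c') else line


def parse_record(line):
    """Return a dict for one audit record, or None if the header does not match."""
    m = HEADER.match(unwrap(line))
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"], rec["seq"] = int(rec["pri"]), int(rec["seq"])
    rec["facility"], rec["severity"] = divmod(rec["pri"], 8)   # RFC 5424 PRI
    rec["fields"] = {}
    if rec["type"] == "SECU":
        rec["fields"] = kv(rec["body"])
    elif rec["type"] == "DBCHG":
        c = DBCHG_CMD.match(rec["body"])
        if c:
            rec["fields"] = kv(c.group("head"))
            rec["fields"]["STATUS"] = c.group("status")
            rec["cmd"] = c.group("cmd")
            # parameters follow the last ':' of the command block
            rec["params"] = kv(c.group("rest").rsplit(":", 1)[-1])
    return rec          # ALM records keep only the header fields and raw body


def correlate(lines):
    """Join each DBCHG record to the SECU record for the same TL1 command.
    Assumption from the examples: DBCHG sequence number = SECU number + 1."""
    recs = [r for r in map(parse_record, lines) if r]
    secu = {r["seq"]: r for r in recs if r["type"] == "SECU"}
    joined = []
    for d in (r for r in recs if r["type"] == "DBCHG" and "cmd" in r):
        s = secu.get(d["seq"] - 1)
        if s and s["fields"].get("LOGEVENT") == d["cmd"]:
            f = s["fields"]
            joined.append({"cmd": d["cmd"], "user": f.get("UID"), "upc": f.get("UPC"),
                           "from": f.get("PORTADDR"), "status": d["fields"]["STATUS"],
                           "params": d["params"]})
    return joined


def denied(lines):
    """SECU records whose outcome is not COMPLD/SUCCESS (DENY, ERROR, PIUC ...)."""
    out = []
    for r in filter(None, map(parse_record, lines)):
        f = r["fields"]
        if r["type"] == "SECU" and f.get("STATUS") not in ("COMPLD", "SUCCESS"):
            out.append((r["seq"], f.get("UID"), f.get("LOGEVENT"), f.get("STATUS")))
    return out


# The three records quoted in this section of the document.
SAMPLE_LOG = r'''
"SHELF-1:<134>1 2018-05-23T14-01-50.000658Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000112 DBCHGSEQ=783,DATE=18-05-23,TIME=14-01-50,USERID=ADMIN,SOURCE=73,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SECU-PWDRLS:SHELF-1::ALPHA_MIN=0,PDIF=1,SPEC_MIN=0,PLEN_MIN=15,NUM_MIN=0,UPPERC_MIN=0,LOWERC_MIN=0,REPEAT_CHAR_MAX=0"
"SHELF-1:<134>1 2018-05-23T14-01-50.000647Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000111 SHELF-1:18-05-23,14-01-50:YEAR=2018,LOGNAME=SECU406,LOGEVENT=ED-SECU-PWDRLS,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"SHELF-1\""
"SHELF-1:<133>1 2018-05-25T14:11:55.000786Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000185 SHELF-1:18-05-25,14-11-55:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"SURVEIL\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:52124\",STATUS=DENY,EVTDESCR=\"Invalid login\""
'''
LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for j in correlate(LINES):
        print(j["user"], "ran", j["cmd"], "from", j["from"], "->", j["params"])
    print("denied:", denied(LINES))
```

The correlation keys on the sequence number rather than on timestamps because, as the two records above show, a DBCHG record and its SECU record can carry the same second but differ in microseconds; the sequence number is the one field that orders them unambiguously within a boot.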
Sample audit records for each security-relevant auditable event are included in the following table.

Requirement: FAU_GEN.1
Auditable Events:
• System startup and shutdown (example provided as the startup/shutdown of audit service is equated to the startup/shutdown of the TOE).
• Administrative login and logout (name of user account shall be logged if individual user accounts are required for Administrators).
• Changes to TSF data related to configuration changes (in addition to the information that a change occurred it shall be logged what has been changed).
• Generating/import of, changing, or deleting of cryptographic keys (in addition to the action itself a unique key name or key reference shall be logged).
• Resetting passwords (name of related user account shall be logged).
Sample Audit Records:
Startup of system:
"SHELF-1:<134>1 2018-05-22T19-21-48.000930Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000000 SHELF-1:18-05-22,19-21-48:YEAR=2018,LOGNAME=SECU420,LOGEVENT=TOD-CHANGE,UID=\"*SYSTEM*\",UPC=4,PORTTYPE=SSH,PORTADDR=\"LOCALHOST\",STATUS=COMPLD,RESOURCE=\"SLOT=15,TOD=Update May 22, 2018 - 19:21:47.867 to May 22, 2018 - 19:21:48.742\""
Shutdown/reboot of system:
"SHELF-1:<134>1 2018-05-22T19-20-01.000408Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001369 SHELF-1:18-05-22,19-20-01:YEAR=2018,LOGNAME=SECU406,LOGEVENT=INIT-WARM,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:63710\",STATUS=COMPLD,RESOURCE=\"SLOT-1-15\""
Login:
"SHELF-1:<133>1 2018-05-23T15-17-53.000710Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000209 SHELF-1:18-05-23,15-17-53:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:64968\",STATUS=COMPLD"
Logout:
"SHELF-1:<133>1 2018-05-22T18-47-21.000998Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001347 SHELF-1:18-05-22,18-47-21:YEAR=2018,LOGNAME=SECU400,LOGEVENT=CANC-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:63316\",STATUS=COMPLD"
Modifying password complexity rules:
"SHELF-1:<134>1 2018-05-23T14-01-50.000658Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000112 DBCHGSEQ=783,DATE=18-05-23,TIME=14-01-50,USERID=ADMIN,SOURCE=73,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SECU-PWDRLS:SHELF-1::ALPHA_MIN=0,PDIF=1,SPEC_MIN=0,PLEN_MIN=15,NUM_MIN=0,UPPERC_MIN=0,LOWERC_MIN=0,REPEAT_CHAR_MAX=0"
"SHELF-1:<134>1 2018-05-23T14-01-50.000647Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000111 SHELF-1:18-05-23,14-01-50:YEAR=2018,LOGNAME=SECU406,LOGEVENT=ED-SECU-PWDRLS,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"SHELF-1\""
SSH key creation:
"SHELF-1:<134>1 2018-05-21T17-42-15.000345Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000973 DBCHGSEQ=719,DATE=18-05-21,TIME=17-42-15,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:CRTE-SSH-KEYS:::KEYSIZE=2048,KEYTYPE=RSA"
Resetting password:
"SHELF-1:<134>1 2018-05-23T13-51-41.000835Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000102 DBCHGSEQ=782,DATE=18-05-23,TIME=13-51-41,USERID=ADMIN,SOURCE=69,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SECU-USER:TEST:,,,2:ACCRSTAT=OFF,TMOUT=30,PAGE=45,PCND=14,ACCR=0,MINW=20,PAGESTAT=OFF,TMOUTA=Y,USEDFLT=N"
"SHELF-1:<134>1 2018-05-23T13-51-41.000823Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000101 SHELF-1:18-05-23,13-51-41:YEAR=2018,LOGNAME=SECU406,LOGEVENT=ED-SECU-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"TEST\""
"SHELF-1:<134>1 2018-05-23T13-49-42.000461Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000100 SHELF-1:18-05-23,13-49-42:YEAR=2018,LOGNAME=SECU406,LOGEVENT=RTRV-SECU-DFLT,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"ALL\""

Requirement: FCS_SSHC_EXT.1
Auditable Events: Failure to establish an SSH session
Sample Audit Records:
"SHELF-1:<37>May 15 14-54-27 10.41.75.67 SECU OME-2C39C1A48438:SHELF-1 000337 SHELF-1:18-05-15,14-54-27:YEAR=2018,LOGNAME=SECU414,LOGEVENT=SFTP-CLIENT-CONNECT,UID=\"ciena\",UPC=3,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:22\",STATUS=ERROR,RESOURCE=\"reason='Negotiation failed'\""

Requirement: FCS_SSHS_EXT.1
Auditable Events: Failure to establish an SSH session
Sample Audit Records:
"SHELF-1:<133>1 2018-05-21T18-22-52.000030Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001002 SHELF-1:18-05-21,18-22-52:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID=\"\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.123:63099\",STATUS=ERROR,RESOURCE=\"reason='Negotiation failed'\""

Requirement: FIA_AFL.1
Auditable Events: Unsuccessful login attempts limit is met or exceeded
Sample Audit Records:
"SHELF-1:<134>1 2018-05-25T14:11:55.000898Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 000189 SP-1-15:SEC_INTRUDER,TC,05-25,14-11-55,NEND,NA,,,:\"Intrusion Attempt: 5 times by ""SURVEIL""\",NONE:0100000000-0614-1376,:YEAR=2018,MODE=NON"
"SHELF-1:<129>1 2018-05-25T14:11:55.000856Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 000188 SP-1-15:MJ,SEC_INTRUDER,NSA,05-25,14-11-55,NEND,NA:\"Intrusion Attempt\",NONE:0100000008-0614-0267,:YEAR=2018,MODE=NON"

Requirement: FIA_UIA_EXT.1
Auditable Events: All use of the identification and authentication mechanism.
Sample Audit Records:
Local TL1:
"SHELF-1:<133>1 2018-05-23T16-02-00.000416Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000275 SHELF-1:18-05-23,16-02-00:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:65427\",STATUS=COMPLD"
Remote SSH Public Key:
"SHELF-1:<133>1 2018-05-23T15-54-23.000678Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000263 SHELF-1:18-05-23,15-54-23:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID=\"ADMIN\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:65344\",STATUS=SUCCESS,RESOURCE=\"\""
"SHELF-1:<133>1 2018-05-23T15-54-23.000671Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000262 SHELF-1:18-05-23,15-54-23:YEAR=2018,LOGNAME=SECU400,LOGEVENT=SSH-LOGIN,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:65344\",STATUS=COMPLD"
Remote SSH TL1:
"SHELF-1:<133>1 2018-05-23T15-17-53.000710Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000209 SHELF-1:18-05-23,15-17-53:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:64968\",STATUS=COMPLD"

Requirement: FIA_UAU_EXT.2
Auditable Events: All use of the authentication mechanism.
Sample Audit Records: See FIA_UIA_EXT.1 above

Requirement: FMT_MOF.1/ManualUpdate
Auditable Events: Any attempt to initiate a manual update
Sample Audit Records:
Update failed to download from update server (update failure):
"SHELF-1:<134>1 2018-05-21T17-00-08.000003Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000942 SHELF-1:18-05-21,17-00-08:YEAR=2018,LOGNAME=SECU401,LOGEVENT=DLVR-RELEASE,UID=\"TEST\",UPC=2,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:1932\",STATUS=PIUC,RESOURCE=\"\""
Note: STATUS=PIUC is the TL1 error code "Privilege, Illegal User Code": the command was rejected because the user TEST (UPC 2) is below the UPC >=3 required to update the TOE, so this record shows a failed attempt.

Requirement: FMT_MOF.1/Functions
Auditable Events: Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full
Sample Audit Records:
Modify the syslog transmission configuration:
"SHELF-1:<134>1 2018-05-21T17-14-38.000082Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000953 DBCHGSEQ=716,DATE=18-05-21,TIME=17-14-38,USERID=ADMIN,SOURCE=1,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:SET-SYSLOG-SETTINGS:::PRTCL=5424,SYSLOGFAC=16,SYSLOGSEV=7,SYSLOGTYPES=ALL,HOSTIPFMT=IPV4"

Requirement: FMT_MOF.1/Services
Auditable Events: Starting and stopping of services
Sample Audit Records:
Starting of SSH service:
"SHELF-1:<134>1 2018-05-23T17-12-19.000812Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000294 DBCHGSEQ=790,DATE=18-05-23,TIME=17-12-19,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SSH:::SERVER=ENABLED"
Stopping of SSH service:
"SHELF-1:<134>1 2018-05-23T17-10-41.000409Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000291 DBCHGSEQ=789,DATE=18-05-23,TIME=17-10-41,USERID=,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SSH:::SERVER=DISABLED"

Requirement: FMT_MTD.1/CoreData
Auditable Events: All management activities of TSF data
Sample Audit Records:
Refer to FIA_UIA_EXT.1
Refer to FIA_PMG_EXT.1
Refer to FMT_MOF.1/Functions
Refer to FTA_SSL_EXT.1
Refer to FTA_SSL.3
Refer to FTA_TAB.1
Refer to FMT_MTD.1/CryptoKeys
Refer to FMT_MOF.1/Services

Requirement: FMT_MTD.1/CryptoKeys
Auditable Events: Management of cryptographic keys
Sample Audit Records:
User failed to generate keys due to privilege level:
"SHELF-1:<134>1 2018-05-21T17-39-11.000571Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000969 SHELF-1:18-05-21,17-39-11:YEAR=2018,LOGNAME=SECU401,LOGEVENT=CRTE-SSH-KEYS,UID=\"TEST\",UPC=2,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:1932\",STATUS=PIUC,RESOURCE=\"\""
Admin created SSH keys:
"SHELF-1:<134>1 2018-05-21T17-42-15.000345Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000973 DBCHGSEQ=719,DATE=18-05-21,TIME=17-42-15,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:CRTE-SSH-KEYS:::KEYSIZE=2048,KEYTYPE=RSA"

Requirement: FPT_STM_EXT.1
Auditable Events: Discontinuous changes to time, either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1 in the NDcPP.)
Sample Audit Records:
Manual change of system clock:
"SHELF-1:<110>May 21 09-34-00 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000579 SHELF-1:18-05-21,09-34-00:YEAR=2018,LOGNAME=SECU420,LOGEVENT=TOD-CHANGE,UID=\"*SYSTEM*\",UPC=4,PORTTYPE=SSH,PORTADDR=\"LOCALHOST\",STATUS=COMPLD,RESOURCE=\"SLOT=15,TOD=Update May 21, 2018 - 13:33:42.256 to May 21, 2018 - 09:34:00.000\""

Requirement: FPT_TUD_EXT.1
Auditable Events: Initiation of update; result of the update attempt (success or failure)
Sample Audit Records:
Initiation of Update:
"SHELF-1:<134>1 2018-05-24T18-03-33.000751Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000878 SHELF-1:18-05-24,18-03-33:YEAR=2018,LOGNAME=SECU406,LOGEVENT=DLVR-RELEASE,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:51708\",STATUS=COMPLD,RESOURCE=\"\""
Validation Failure:
"SHELF-1:<134>1 2018-05-24T18-06-24.000013Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 000896 SP-1-15:SWFTDWN,TC,05-24,18-06-23,NEND,NA,,,:\"Release 'REL1230Z.SZ' not delivered. Error is: Checksum validation failure\",NONE:0100000000-0000-0072,:YEAR=2018,MODE=NON"

Requirement: FTA_SSL_EXT.1
Auditable Events: The termination of a local session by the session locking mechanism.
Sample Audit Records:
Configuration of 3 Minute Timeout:
"SHELF-1:<134>1 2018-05-22T17-46-57.000854Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 001261 DBCHGSEQ=768,DATE=18-05-22,TIME=17-46-57,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SSH:::IDLETIMEOUT=3"
Admin Authentication:
"SHELF-1:<133>1 2018-05-22T17-48-51.000043Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001267 SHELF-1:18-05-22,17-48-51:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:62876\",STATUS=COMPLD"
Session Timeout:
"SHELF-1:<133>1 2018-05-22T17-51-51.000204Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001270 SHELF-1:18-05-22,17-51-51:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-DISCONNECT,UID=\"ADMIN\",UPC=1,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:62876\",STATUS=SUCCESS,RESOURCE=\"reason=Timeout\""

Requirement: FTA_SSL.3
Auditable Events: The termination of a remote session by the session locking mechanism.
Sample Audit Records:
3 Minute Timeout Configuration:
"SHELF-1:<134>1 2018-05-21T14-56-56.000213Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000727 DBCHGSEQ=659,DATE=18-05-21,TIME=14-56-56,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SSH:::IDLETIMEOUT=3"
Admin Authenticated:
"SHELF-1:<133>1 2018-05-21T14-57-57.000570Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000733 SHELF-1:18-05-21,14-57-57:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:1704\",STATUS=COMPLD"
Session Timeout:
"SHELF-1:<133>1 2018-05-21T15-00-57.000763Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000736 SHELF-1:18-05-21,15-00-57:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-DISCONNECT,UID=\"\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:1704\",STATUS=SUCCESS,RESOURCE=\"reason=Timeout\""
"SHELF-1:<133>1 2018-05-21T15-00-57.000763Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000735 SHELF-1:18-05-21,15-00-57:YEAR=2018,LOGNAME=SECU400,LOGEVENT=CANC-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:1704\",STATUS=COMPLD"

Requirement: FTA_SSL.4
Auditable Events: The termination of an interactive session.
Sample Audit Records:
User Terminated Session:
"SHELF-1:<133>1 2018-05-22T18-47-21.000998Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001347 SHELF-1:18-05-22,18-47-21:YEAR=2018,LOGNAME=SECU400,LOGEVENT=CANC-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:63316\",STATUS=COMPLD"

Requirement: FTP_ITC.1
Auditable Events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Sample Audit Records:
## AUDIT SERVER ##
Initiation of trusted channel:
"SHELF-1:<134>1 2018-05-22T15-01-33.000536Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001144 SHELF-1:18-05-22,15-01-33:YEAR=2018,LOGNAME=SECU406,LOGEVENT=RTRV-SYSLOG,UID=\"SURVEIL\",UPC=5,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD,RESOURCE=\"\""
"SHELF-1:<134>1 2018-05-22T15-01-29.000871Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001143 SHELF-1:18-05-22,15-01-29:YEAR=2018,LOGNAME=SECU406,LOGEVENT=INH-MSG-ALL,UID=\"SURVEIL\",UPC=5,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD,RESOURCE=\"\""
"SHELF-1:<133>1 2018-05-22T15-01-29.000713Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001142 SHELF-1:18-05-22,15-01-29:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"SURVEIL\",UPC=5,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD"
"SHELF-1:<133>1 2018-05-22T15-01-28.000548Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001141 SHELF-1:18-05-22,15-01-28:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID=\"ciena\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=SUCCESS,RESOURCE=\"\""
"SHELF-1:<133>1 2018-05-22T15-01-28.000542Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001140 SHELF-1:18-05-22,15-01-28:YEAR=2018,LOGNAME=SECU400,LOGEVENT=SSH-LOGIN,UID=\"ciena\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD"
Termination of trusted channel:
"SHELF-1:<133>1 2018-05-22T15-01-33.000784Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001146 SHELF-1:18-05-22,15-01-33:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-DISCONNECT,UID=\"ciena\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=SUCCESS,RESOURCE=\"\""
"SHELF-1:<133>1 2018-05-22T15-01-33.000669Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001145 SHELF-1:18-05-22,15-01-33:YEAR=2018,LOGNAME=SECU400,LOGEVENT=CANC-USER,UID=\"SURVEIL\",UPC=5,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD"
Failure of trusted channel:
"SHELF-1:<133>1 2018-05-22T15-27-27.000414Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001163 SHELF-1:18-05-22,15-27-27:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID=\"\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40454\",STATUS=ERROR,RESOURCE=\"reason='Negotiation failed'\""
## UPDATE SERVER ##
Initiation of trusted channel:
"SHELF-1:<134>1 2018-05-22T15-45-08.000976Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001176 SP-1-15:SWFTDWN,TC,05-22,15-45-08,NEND,NA,,,:\"Remote transfer of file '/home/ciena/101/REL1230Z.SE/config/catalog' failed (SFTP: Object is not a directory)\",NONE:0100000000-0000-0072,:YEAR=2018,MODE=NON"
"SHELF-1:<133>1 2018-05-22T15-45-08.000895Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001175 SHELF-1:18-05-22,15-45-08:YEAR=2018,LOGNAME=SECU414,LOGEVENT=SFTP-CLIENT-CONNECT,UID=\"ciena\",UPC=3,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:22\",STATUS=SUCCESS,RESOURCE=\"fingerprint=42:6E:5D:2F:C5:41:BE:CE:91:5B:D9:03:36:26:F3:3D\""
"SHELF-1:<131>1 2018-05-22T15-45-08.000891Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001174 SP-1-15:MN,SWFTDLIP,NSA,05-22,15-45-08,NEND,NA:\"Software Delivery In Progress\",NONE:0100000027-2029-0454,:YEAR=2018,MODE=NON"
Termination of trusted channel:
"SHELF-1:<133>1 2018-05-22T15-45-08.000989Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001177 SHELF-1:18-05-22,15-45-08:YEAR=2018,LOGNAME=SECU414,LOGEVENT=SFTP-CLIENT-DISCONNECT,UID=\"ciena\",UPC=3,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:22\",STATUS=SUCCESS,RESOURCE=\"\""
Failure of trusted channel:
"SHELF-1:<134>1 2018-05-22T15-55-54.000806Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001216 SP-1-15:SWFTDWN,TC,05-22,15-55-54,NEND,NA,,,:\"Release server connection failed\",NONE:0100000000-0000-0072,:YEAR=2018,MODE=NON"
"SHELF-1:<134>1 2018-05-22T15-55-54.000728Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001215 SP-1-15:SWFTDWN,TC,05-22,15-55-54,NEND,NA,,,:\"delivery Release failed: SFTP: Protocol error\",NONE:0100000000-0000-0072,:YEAR=2018,MODE=NON"
"SHELF-1:<133>1 2018-05-22T15-55-54.000696Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001214 SHELF-1:18-05-22,15-55-54:YEAR=2018,LOGNAME=SECU414,LOGEVENT=SFTP-CLIENT-CONNECT,UID=\"ciena\",UPC=3,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:22\",STATUS=ERROR,RESOURCE=\"reason='Negotiation failed'\""

Requirement: FTP_TRP.1/Admin
Auditable Events: Initiation of the trusted path. Termination of the trusted path. Failures of the trusted path functions.
Sample Audit Records:
Termination of trusted path:
"SHELF-1:<133>1 2018-05-22T16-11-36.000270Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001239 SHELF-1:18-05-22,16-11-36:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-DISCONNECT,UID=\"ADMIN\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:50779\",STATUS=SUCCESS,RESOURCE=\"\""
Failed establishment of trusted path:
"SHELF-1:<133>1 2018-05-22T16-10-31.000786Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001233 SHELF-1:18-05-22,16-10-31:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID=\"\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:50772\",STATUS=ERROR,RESOURCE=\"reason='Negotiation failed'\""
Successful establishment of trusted path:
"SHELF-1:<133>1 2018-05-22T16-09-40.000373Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001231 SHELF-1:18-05-22,16-09-40:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID=\"ADMIN\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:50763\",STATUS=SUCCESS,RESOURCE=\"\""
"SHELF-1:<133>1 2018-05-22T16-09-40.000368Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001230 SHELF-1:18-05-22,16-09-40:YEAR=2018,LOGNAME=SECU400,LOGEVENT=SSH-LOGIN,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:50763\",STATUS=COMPLD"

Table 3: Ciena 6500 Auditable Events

8.1 Audit Storage


The TOE stores audit data locally in three distinct files: the security log, the autonomous outputs (AO) log, and
the syslog. The security log is the record of events such as login/authentication, authorized commands, and
changes made to the network configuration. The AO log contains the detailed information about each event,
such as which parameters were used. The TOE aggregates both the security log and the AO files into the
syslog records file. The syslog file contains all the information required to satisfy the PP requirements
and is therefore the file that is exported to the external audit server.
The maximum audit size is approximate, as the TSF limits the audit logs by the number of records
per log file or by a combined file size of approximately 7MB of data. The security log holds a maximum of
1000 records or 800KB. The AO log holds a maximum of 9000 records or 4MB. The syslog holds a
maximum of 1000 records or 2MB. When a locally stored audit file has reached its defined maximum
number of records, or has reached its maximum file size, the oldest record is overwritten with
new audit data. The TOE does not provide a user mechanism to delete or modify the locally stored audit
data, and the filesystem is not accessible to any user of the TOE.
In the evaluated configuration, the syslog file is periodically pulled to a remote audit server, via an
automated script, using SFTP over an SSH trusted channel. How quickly the audit logs fill and begin
overwriting old records depends on how heavily the TOE is used. It is therefore recommended
that the script be scheduled to execute every 1-6 hours, although the frequency could be set to
as little as every minute or as long as once every 24 hours, to mitigate the risk of audit records not
being remotely stored.
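As an added example, not part of this guide or of Ciena's software, the following Python 3 code parses the syslog record format shown in Table 3 and runs two checks that a remote audit server can apply to the files it pulls. It reports every SECU record with STATUS=ERROR (the failed trusted path and trusted channel establishments from Table 3, with the reason taken from the RESOURCE field), and, because each record carries a six-digit sequence number and each pull returns the whole syslog file, it merges overlapping pulls and reports gaps in the sequence. A gap means records were overwritten on the NE before any pull collected them, which is the audit-loss condition the pull interval above is meant to prevent. The sample records are constructed here, modeled on the Table 3 samples; the header field names (shelf, pri, ts, src, logtype, ne, seq, aid, when) and the reading of a sequence gap as lost records are this example's own assumptions.

```python
import re

# Record header as it appears in Table 3 (field names are this example's own):
#   <shelf>:<PRI>1 <timestamp> <source IP> <log type> <NE name> <6-digit sequence> <tail>
HEADER = re.compile(
    r'^(?P<shelf>[^:\s]+):<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<src>\S+) '
    r'(?P<logtype>\S+) (?P<ne>\S+) (?P<seq>\d{6}) (?P<tail>.*)$'
)
# key=value pairs in a SECU record; a quoted value may contain commas or quotes
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_record(line):
    """Parse one syslog line into a dict, or return None if it is not a 6500 record.
    Every record gets the header fields; SECU records also get their key=value fields."""
    line = line.strip()
    # Table 3 prints each record wrapped in quotes (curly opening quote, straight closing
    # quote) with the inner quotes escaped; unwrap that form so the samples parse as-is.
    if line[:1] in ('\u201c', '"'):
        line = line[1:-1].replace('\\"', '"')
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    pri = int(rec["pri"])
    rec["facility"], rec["severity"] = pri // 8, pri % 8  # RFC 5424: PRI = facility*8 + severity
    if rec["logtype"] == "SECU":
        # SECU tail is  <AID>:<yy-mm-dd>,<hh-mm-ss>:<key=value,...>
        aid, _, rest = rec["tail"].partition(":")
        when, _, kvs = rest.partition(":")
        rec["aid"], rec["when"] = aid, when
        for key, val in KV.findall(kvs):
            rec[key] = val.strip('"')
    return rec


def parse_pull(text):
    """Parse the text of one retrieved syslog file into the list of records it contains."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def trusted_path_failures(records):
    """(seq, event, peer, reason) for every SECU record with STATUS=ERROR, i.e. the
    failed establishment of trusted path / trusted channel events from Table 3."""
    out = []
    for r in records:
        if r["logtype"] == "SECU" and r.get("STATUS") == "ERROR":
            m = re.search(r"reason='([^']*)'", r.get("RESOURCE", ""))
            out.append((r["seq"], r.get("LOGEVENT", ""), r.get("PORTADDR", ""),
                        m.group(1) if m else ""))
    return out


def merge_pulls(*pulls):
    """Each pull returns the whole syslog file, so the same record shows up in several
    pulls: deduplicate on the sequence number and return the records in order."""
    by_seq = {}
    for pull in pulls:
        for r in pull:
            by_seq[r["seq"]] = r
    return [by_seq[s] for s in sorted(by_seq)]


def sequence_gaps(records):
    """(last seen, next seen) pairs where sequence numbers are missing from the merged
    set: those records were overwritten on the NE before any pull collected them."""
    seqs = [r["seq"] for r in records]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def audit_report(*pull_texts):
    """Merge the raw pull files and return (trusted path failures, sequence gaps)."""
    records = merge_pulls(*(parse_pull(t) for t in pull_texts))
    return trusted_path_failures(records), sequence_gaps(records)


# Constructed sample, modeled on the Table 3 records: two successive pulls of the syslog
# file. The second pull overlaps the first (seq 001233) and lacks 001234-001238, as would
# happen if those records were overwritten before the second pull ran.
SAMPLE_PULL_1 = """\
SHELF-1:<133>1 2018-05-22T16-09-40.000368Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001230 SHELF-1:18-05-22,16-09-40:YEAR=2018,LOGNAME=SECU400,LOGEVENT=SSH-LOGIN,UID="ADMIN",UPC=4,PORTTYPE=SSH,PORTADDR="192.168.2.126:50763",STATUS=COMPLD
SHELF-1:<133>1 2018-05-22T16-09-40.000373Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001231 SHELF-1:18-05-22,16-09-40:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID="ADMIN",UPC=1,PORTTYPE=SSH,PORTADDR="192.168.2.126:50763",STATUS=SUCCESS,RESOURCE=""
SHELF-1:<134>1 2018-05-22T16-10-02.000806Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001232 SP-1-15:SWFTDWN,TC,05-22,16-10-02,NEND,NA,,,:"Release server connection failed",NONE:0100000000-0000-0072,:YEAR=2018,MODE=NON
SHELF-1:<133>1 2018-05-22T16-10-31.000786Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001233 SHELF-1:18-05-22,16-10-31:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID="",UPC=1,PORTTYPE=SSH,PORTADDR="192.168.2.126:50772",STATUS=ERROR,RESOURCE="reason='Negotiation failed'"
"""
SAMPLE_PULL_2 = """\
SHELF-1:<133>1 2018-05-22T16-10-31.000786Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001233 SHELF-1:18-05-22,16-10-31:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-CONNECT,UID="",UPC=1,PORTTYPE=SSH,PORTADDR="192.168.2.126:50772",STATUS=ERROR,RESOURCE="reason='Negotiation failed'"
SHELF-1:<133>1 2018-05-22T16-11-36.000270Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001239 SHELF-1:18-05-22,16-11-36:YEAR=2018,LOGNAME=SECU417,LOGEVENT=SSH-SERVER-DISCONNECT,UID="ADMIN",UPC=1,PORTTYPE=SSH,PORTADDR="192.168.2.126:50779",STATUS=SUCCESS,RESOURCE=""
SHELF-1:<133>1 2018-05-22T16-12-05.000696Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001240 SHELF-1:18-05-22,16-12-05:YEAR=2018,LOGNAME=SECU414,LOGEVENT=SFTP-CLIENT-CONNECT,UID="ciena",UPC=3,PORTTYPE=SSH,PORTADDR="192.168.2.122:22",STATUS=ERROR,RESOURCE="reason='Negotiation failed'"
"""

if __name__ == "__main__":
    failures, gaps = audit_report(SAMPLE_PULL_1, SAMPLE_PULL_2)
    for seq, event, peer, reason in failures:
        print(f"seq {seq:06d}: {event} with {peer} failed: {reason}")
    for last, nxt in gaps:
        print(f"records {last + 1:06d}-{nxt - 1:06d} missing: overwritten before collection")
```

On the constructed sample this reports the two negotiation failures (seq 001233 and 001240) and the missing range 001234-001238. A gap on a real collector means the pull interval is longer than the time the NE took to wrap its 1000-record syslog, so shortening the interval is the fix; an isolated ERROR record on the SSH server side is expected noise from scanners, but repeated ones from one peer, or any SFTP-CLIENT-CONNECT error, deserve attention because the latter means the audit export itself is not reaching the server.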

8.1.1 Example Audit retrieval script
At this point it is assumed that the required key pair has been generated and installed per Section 7. The
following is an example Python script that must be installed on the remote audit server in order to pull the
audit information. It depends on the third-party pexpect library.

#######################################################
# Note: this script is meant as a simple example of
# how to periodically scrape a 6500 NE of its syslogs
# through SSH and is not meant to be used as is in a
# production environment.
#######################################################
import time
import datetime
#######################################################
# Information on pexpect python library, installation
# and support at:
# https://pexpect.readthedocs.io/en/stable/install.html
#######################################################
import pexpect
#######################################################
# Make custom changes here
#######################################################
sshUserId = 'ciena'
host = '<TOE_IP_ADDRESS>'
time_interval_seconds = 60
TL1_login_Id = 'SURVEIL'
TL1_login_password = 'SURVEIL'
log_prefix_name = 'mySyslog'
log_postfix_name = '.txt'
#######################################################
# End of custom changes
#######################################################
sshText = 'ssh ' + sshUserId + '@' + host

#######################################################
# Loop forever, executing TL1 commands through an SSH
# session. Output the result of the SYSLOG retrieval
# to a new file on each time interval. Sleep until
# time interval expires and start over.
#######################################################
while True:
    child = pexpect.spawn(sshText)
    dateStamp = datetime.datetime.now().strftime("%Y-%m-%d-%H:%M:%S")
    log_name = log_prefix_name + dateStamp + log_postfix_name
    try:
        # Wait for the TL1 prompt, then log in as the TL1 user
        child.expect('<')
        child.sendline('ACT-USER::' + TL1_login_Id + ':CTAG1::' + TL1_login_password + ';')
        child.expect('\r\n;')
        # Suppress autonomous messages so they do not interleave with the retrieval output
        child.sendline('INH-MSG-ALL:::CTAG2;')
        child.expect('\r\n;')
        child.sendline('INH-MSG-BROADCAST:::CTAG3;')
        child.expect('\r\n;')
        # Record everything the NE sends in response to RTRV-SYSLOG into the log file
        fout = open(log_name, 'wb')
        child.logfile = fout
        child.sendline('RTRV-SYSLOG:::CTAG4;')
        child.expect('\r\n;')
        child.logfile = None
        fout.close()
        # Log out of TL1 and close the SSH session
        child.sendline('CANC-USER::' + TL1_login_Id + ':CTAG5;')
        child.expect('\r\n;')
        child.close(force=True)
        print('Wrote to log ' + log_name)
        print('Back to sleep for ' + str(time_interval_seconds) + ' second(s)')
        time.sleep(time_interval_seconds)
    except pexpect.EOF:
        print('Unexpected EOF reached')
        break
    except pexpect.TIMEOUT:
        print('Expect timeout error')
        break
    except IOError:
        print('Error opening log file')
        break

print('Exiting')

9 Operational Modes
When the TOE is first installed, it is considered to be in its normal operational mode. After initial
installation, the TOE must still be placed into its evaluated configuration by performing the steps
described in Section 6 of this document. Once placed in the evaluated configuration, the TOE’s normal
operational mode will perform the functions as described in [5].
In the event that a POST fails, the TOE will attempt to reboot itself. If the TOE has been corrupted or the
hardware has failed such that rebooting will not resolve the issue, an Administrator will need to contact
Ciena support per the guidance in Section 11.

10 TL1 Commands
These are the security-relevant TL1 commands. For details of each command, refer to the TL1
reference.
1. ACT-USER
2. CANC-USER
3. RTRV-ACTIVE-USER
4. ED-SECU-PID
5. ENT-SECU-BADPID
6. DLT-SECU-BADPID
7. RTRV-SECU-BADPID
8. ENT-SECU-USER
9. ED-SECU-USER
10. ALW-SECU-USER
11. DLT-SECU-USER
12. RTRV-SECU-USER
13. SET-ATTR-SECUDFLT
14. RTRV-SECU-DFLT
15. CLR-ALM-SECU
16. ALW-SECU-CID
17. RTRV-SECU-CID
18. RTRV-AUDIT-SECULOG
19. RTRV-SECU-UPC
20. INH-SECU-USER
21. SET-BANNER-LINE
22. DLT-BANNER
23. RTRV-BANNER
24. CANC-SECU-SESSION
25. ED-SSH
26. RTRV-SSH
27. RTRV-SSH-PUBKEY
28. CHK-SSH-KEYS
29. CRTE-SSH-KEYS
30. RTRV-INTRUDED-USER
31. ED-SECU
32. RTRV-SECU
33. ED-SECU-PWDRLS
34. RTRV-SECU-PWDRLS
35. RTRV-SYSLOG
36. SET-SYSLOG-SERVER
37. RTRV-SYSLOG-SERVER
38. SET-AUTH-DFLT
39. RTRV-AUTH-DFLT
40. SET-AUTH-MODE
41. RTRV-AUTH-MODE
42. SET-SYSLOG-SETTINGS
43. RTRV-SYSLOG-SETTINGS
44. ENT-SSH-HOSTKEY
45. DLT-SSH-HOSTKEY
46. RTRV-SSH-HOSTKEY
47. ENT-SSH-AUTHUSER
48. DLT-SSH-AUTHUSER
49. RTRV-SSH-AUTHUSER
50. INIT-ZEROIZE
51. RTRV-ALMPROFILE
52. RTRV-ALMPROFILE-ACTIVE
53. RTRV-ALMPROFILE-DFLT
54. SET-ALMPROFILE-ACTIVE
55. SET-ALMPROFILE-DFLT
56. SET-ALMPROFILE-ATTR
57. RTRV-ALM-ALL
58. RTRV-ALM-ENV
59. SET-ATTR-ENV
60. SET-ATTR-CONT
61. RTRV-AO
62. RTRV-AO-BROADCAST
63. RTRV-COND-ALL
64. RTRV-SW-VER
65. RTRV-UPGRD-STATE
66. RTRV-UPGRD-DEPEND
67. RTRV-RELEASE
68. RTRV-NODE-RELEASE
69. CANC-RELEASE
70. CANC-UPGRD
71. CHK-RELEASE
72. CHK-UPGRD
73. CMMT-UPGRD
74. SAV-RELEASE
75. DLT-RELEASE
76. DLT-RELEASE-SERVER
77. DLVR-RELEASE
78. INVK-UPGRD
79. LOAD-UPGRD
80. ENT-RELEASE-SERVER
81. APPLY-SRVPACK
82. RMV-SRVPACK
83. ED-TOD-MODE
84. OPR-TOD-SYNC
85. SET-TOD-SER
86. ED-DAT
87. SAV-LOG
88. CANC-LOG
89. CANC-PROV
90. CHK-PROV
91. CMMT-PROV
92. RST-PROV
93. SAV-PROV

11 Additional Support
Ciena provides technical support for its products if needed. Customers can register for a support account
at http://my.ciena.com/CienaPortal/. Additionally, customers can open a ticket with Ciena support by
calling +1 (800) 243-6224 (U.S. and Canada only). Please visit https://www.ciena.com/support/ for
international phone numbers.
