Ciena 6500 Packet Optical Platform Supplemental Administrative Guidance for Common Criteria
Version 1.0
August 10, 2018

Ciena Corporation
7035 Ridge Road
Hanover, MD 21076

Prepared By:
Booz | Allen | Hamilton
Cyber Assurance Testing Laboratory
1100 West Street
Laurel, MD 20707

Contents
1 Introduction
2 Intended Audience
3 Terminology
4 References
5 Evaluated Configuration of the TOE
5.1 TOE Components
5.2 Supporting Environmental Components
5.3 Assumptions
6 Secure Acceptance, Installation, and Configuration
6.1 Initial Configuration
6.2 Power-On Self Tests
6.3 Cryptographic Configuration Notice
6.4 Disable Insecure Services
7 Secure Management of the TOE
7.1 Authenticating to the TOE
7.1.1 Configuring an Authorized User with a Public Key
7.1.2 Generate SSH Public/Private Keypair
7.1.3 Configuring a Known Host with a Public Key
7.1.4 Configuring SSH Server and Client Parameters
7.1.5 SSH/SFTP Server & Client (System) RSA Keys
7.2 Failed Authentication Lockout
7.3 User Accounts and User Management
7.4 Password Management
7.5 Login Banner
7.6 Session Termination
7.6.1 Admin Logout
7.6.2 Termination from Inactivity
7.7 System Time Configuration
7.8 Secure Updates
8 Auditing
8.1 Audit Storage
8.1.1 Example Audit Retrieval Script
9 Operational Modes
10 TL1 Commands
11 Additional Support

Table of Tables
Table 1: Hardware Model Information
Table 2: Evaluated Components of the Operational Environment
Table 3: Ciena 6500 Auditable Events

1 Introduction

The Ciena 6500 S-Series and D-Series Packet Optical Platform, the Target of Evaluation (TOE), is a family of standalone hardware devices that run VxWorks and provide OSI Layer 0/1/2 network traffic management services.
The collaborative Protection Profile for Network Devices, version 2.0 + Errata 20180314 [NDcPP], defines a network device as "a device composed of both hardware and software that is connected to the network and has an infrastructure role within the network". Additionally, the NDcPP says that example devices that fit this definition include routers, firewalls, intrusion detection systems, and switches. As a Common Criteria evaluated product, this guidance serves to define the 'evaluated configuration' in which the evaluation was performed and to summarize how to perform the security functions that were tested as part of the evaluation.

2 Intended Audience

This document is intended for administrators responsible for installing, configuring, and/or operating Ciena 6500. Guidance provided in this document allows the reader to deploy the product in an environment that is consistent with the configuration that was evaluated as part of the product's Common Criteria (CC) testing process. It also provides the reader with instructions on how to exercise the security functions that were claimed as part of the CC evaluation.

The reader is also expected to be familiar with the general operation of the Ciena 6500 product. This supplemental guidance includes references to Ciena's standard documentation set for the product and does not explicitly reproduce materials located there. The reader is also expected to be familiar with the Ciena 6500 Packet Optical Platform Security Target and the general CC terminology that is referenced in it. This document references the Security Functional Requirements (SFRs) that are defined in the Security Target document and provides instructions for how to perform the security functions that are defined by these SFRs. The Ciena 6500 product as a whole provides a great deal of security functionality, but only those functions that were in the scope of the claimed PP are discussed here.
Any functionality that is not described here or in the Ciena 6500 Packet Optical Platform Security Target was not evaluated and should be exercised at the user's risk.

3 Terminology

In reviewing this document, the reader should be aware of the terms listed below. These terms are also described in the Ciena 6500 Packet Optical Platform Security Target.

CC: stands for Common Criteria. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that is commensurate with the target environment for use.

SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part of the CC process.

TOE: stands for Target of Evaluation. This refers to the aspects of the Ciena 6500 product that contain the security functions that were tested as part of the CC evaluation process.

4 References

The following security-relevant documents are included with the TOE. This is part of the standard documentation set that is provided with the product. Documentation that is not related to the functionality tested as part of the CC evaluation is not listed here.
[1] Ciena 6500 Packet-Optical Platform Administration and Security, Release 12.3
[2] Ciena 6500 Packet-Optical Platform TL1 Command Definition, Release 12.3
[3] Site Manager for Ciena 6500 Packet-Optical Platform Fundamentals, Release 12.3
[4] Suite of Hardware Installation Manuals, Release 12.3
    a) General Information
    b) 2, 7, 14, & 32 Slot Shelves (individual documents)

The following document was created in support of the Ciena 6500 CC evaluation:

[5] Ciena 6500 Packet Optical Platform Security Target

5 Evaluated Configuration of the TOE

This section lists the components that have been included in the TOE's evaluated configuration, whether they are part of the TOE itself, environmental components that support the security behavior of the TOE, or non-interfering environmental components that were present during testing but are not associated with any security claims.

5.1 TOE Components

The TOE is the Ciena 6500 Packet Optical Platform, running software version Release 12.3. Ciena 6500 are standalone hardware network appliances that run VxWorks. This is a family of products that contains the following hardware models (the shelves are built on PowerQUICC I or PowerQUICC II processors):

2-slot (Type 2) shelf: NTK503LA, NTK503KA
7-slot shelf: NTK503PA, NTK503RA
14-slot shelf: NTK503BA, NTK503CA, NTK503CC, NTK503GA, NTK503AD, NTK503BD, NTK503CD
32-slot shelf: NTK603AA, NTK603AB

Table 1: Hardware Model Information

5.2 Supporting Environmental Components

The following table lists components and applications in the environment that the TOE relies upon in order to function properly:

Management Workstation: Any general-purpose computer that is used by an administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client, or locally, in which case the management workstation must be physically connected to the TOE using the serial port and must use a terminal emulator that is compatible with serial communications. Alternatively, the workstation can physically connect to the TOE using the craft port, which is an Ethernet port through which the TOE can be managed locally using an SSH client.

Audit Server: A general-purpose computer that runs a script to pull audit records from the TOE automatically, using the TL1 interface over SSH.

Update Server: A server running the secure file transfer protocol (SFTP) server that is used as a location for storing product updates that can be transferred to the TOE.

Site Manager: The Site Manager software provides a graphical interface to the TL1 interface for managing the TOE. The Site Manager software is installed on the Management Workstation and uses an SSH channel to connect to the TOE.

Table 2: Evaluated Components of the Operational Environment

5.3 Assumptions

In order to ensure the product is capable of meeting its security requirements when deployed in its evaluated configuration, the following conditions must be satisfied by the organization, as defined in the claimed Protection Profile:

• Physical security: The Ciena 6500 product does not claim any sort of physical tamper-evident or tamper-resistant security mechanisms. Therefore, it is necessary to deploy the product in a locked or otherwise physically secured environment so that it is not subject to untrusted physical modification.

• Limited functionality: The Ciena 6500 product must only be used for its intended networking purpose. General purpose computing applications, especially those with network-visible interfaces, may compromise the security of the product if introduced.
• No through traffic protection: The security boundary of the Common Criteria evaluation is limited to traffic flowing to or from the TOE. The intent is for Ciena 6500 to protect data that originates on or is destined to the device itself, to include administrative data and audit data. Traffic that is traversing the network device, destined for another network entity, is not covered by the NDcPP. It is assumed that this protection will be covered by cPPs for particular types of network devices (e.g., firewall).

• Trusted administration: The Ciena 6500 product does not provide a mechanism to protect against the threat of a rogue or otherwise malicious administrator. Therefore, it is the responsibility of the organization to perform appropriate vetting and training for security administrators prior to granting them the ability to manage the product.

• Regular updates: Ciena provides regular product updates for the Ciena 6500 product that include bug fixes as well as functionality and security enhancements. It is expected that administrators are reasonably diligent in ensuring that software patches are applied regularly as they are made available.

• Secure admin credentials: Ciena 6500 protects the administrator's credentials stored on Ciena 6500 that are used to access it. Additionally, it is assumed that any administrative credentials maintained by an environmental SFTP Server are secured in order to mitigate the risk of impersonation.

• Residual information: It is the responsibility of the administrator to ensure that there is no unauthorized access possible for sensitive residual information (e.g., cryptographic keys, keying material, PINs, passwords, etc.) on networking equipment when the equipment is discarded or removed from its operational environment.

6 Secure Acceptance, Installation, and Configuration

Documentation for how to order and acquire the TOE is described under the Support and Next Steps link on the Ciena website, https://www.ciena.com/.
Section 5.1 of this document lists the properties that are associated with the TOE. When receiving delivery of the TOE, this documentation should be checked as part of the acceptance procedures so that the correctness of the hardware can be verified.

6.1 Initial Configuration

Physical installation and first-time setup of the TOE can be accomplished by the steps outlined in [1]. Additionally, these steps are also needed to provide initial out-of-the-box configuration:

1. Authenticate to the TOE via TELNET using the Site Manager client on the management workstation.
2. Specify the IP address of the TOE.
3. Authenticate using the default credentials (case sensitive):
   Username: ADMIN
   Password: ADMIN
4. Execute the following command to enable cryptographic key zeroization capability:
   ED-SECU:::CTAG:::ZEROIZEMODE=ENABLED;

Once the TOE is physically installed, it is recommended that an administrator acquire the software image for the current version from Ciena and perform a software upgrade to the current version. Depending on when the device was manufactured, Ciena 6500 may have a different software version initially installed on it. The TOE will need to be booted and the procedures in [1] must be followed to complete the installation of Ciena 6500 software.

The Security Administrator must also perform the actions defined in [1] to prepare to access the TOE remotely and change the passwords for the default Security Administrator account using the Site Manager.

6.2 Power-On Self Tests

The TOE runs a series of self-tests during initial start-up to verify its correct operation. As part of the startup of the TOE, the TOE will perform a series of known answer tests, pair-wise consistency tests, continuous random number generator tests, and SP 800-90B health tests to verify the correct functionality of the cryptographic functions. Additionally, the TOE performs a software integrity check (SHA-384).
In the event that a POST fails, the TOE will create a log to indicate which self-test failed. The TOE will attempt to reboot to resolve the issue. If the TOE has been corrupted or the hardware has failed such that rebooting will not resolve the issue, an Administrator will need to contact Ciena support per the guidance in Section 11.

These tests and the responses to failures are sufficient to ensure that the TSF is functioning in the manner that is described in the Security Target, because they will detect unauthorized modification of the TOE software image and detect improperly functioning cryptography, which could lead to insecure trusted channels.

6.3 Cryptographic Configuration Notice

The administrator installing the TOE is expected to perform all of the operations in Sections 6.1 and 6.2 of this document. This will result in the TOE's cryptographic operations being limited to the claims made within the Common Criteria evaluation. There is no further configuration required on the TOE's cryptographic engine, as the TOE is already pre-configured to meet many of the Common Criteria requirements. The TOE is preconfigured to enforce the use of the selected DRBG, key generation and key establishment schemes, key sizes, hash sizes, and ciphersuites as defined in the Security Target.

The Diffie-Hellman shared secret, Diffie-Hellman private exponent, and SSH session key are generated by the TOE and stored in volatile memory (RAM). These keys are destroyed by a single direct overwrite consisting of zeroes, which is read back to verify the success of the zeroization prior to releasing the memory with free(). These keys are zeroized immediately after they are no longer needed (i.e., when the connection is terminated or re-keyed), when the TOE is shut down, and when power is lost.

The SSH private key is encrypted with a 256-bit AES key before being stored in non-volatile storage. This symmetric key is stored as two halves.
One half is stored in flash on the shelf processor; the other half is stored in another device on the backplane, separate from the shelf processor. If the INIT-ZEROIZE TL1 command is invoked by the Security Administrator, the AES encryption key is destroyed by a single direct overwrite consisting of zeroes, which is read back to verify the success of the zeroization. This effectively destroys the SSH keys, as the encrypted SSH private key is not recoverable. Alternatively, the existing SSH keys are destroyed if the Security Administrator generates new SSH keys using the CRTE-SSH-KEYS command, overwriting the old key with the newly generated one. There is only one instance of the SSH keypair on the system at any time. There are no known instances where key destruction does not happen as defined.

Section 6.4 has the administrator manually configure the remaining items (i.e., disable protocols, block ports). Other settings require no further administrative action.

NOTE: The use of other cryptographic engines and cryptographic settings was not evaluated nor tested during the Common Criteria evaluation of the TOE.

6.4 Disable Insecure Services

In the evaluated configuration, certain services will need to be configured off on the TOE. The Security Administrator will need to disable these services by performing the following steps, using TL1 commands:

1. Disable Telnet:
   ED-TELNET:::CTAG:::SERVER=DISABLED;
2. Disable HTTP, HTTPS, REST, GRPC:
   ED-HTTP::SHELF-1:1:::HTTP=OFF,HTTPS=OFF,REST=OFF,GRPC=OFF;
3. Disable SSH on port 20002:
   ENT-PORTFILTER-GNE::PORTFILTER-1-1:ctag:::PROTO=TCP,DROPPORT=20002,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
4. Disable SSH on port 20003:
   ENT-PORTFILTER-GNE::PORTFILTER-1-2:ctag:::PROTO=TCP,DROPPORT=20003,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
5. Disable SSH on port 20040:
   ENT-PORTFILTER-GNE::PORTFILTER-1-3:ctag:::PROTO=TCP,DROPPORT=20040,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
6. Disable SSH on port 28888:
   ENT-PORTFILTER-GNE::PORTFILTER-1-4:ctag:::PROTO=TCP,DROPPORT=28888,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
7. Disable SSH on port 32769:
   ENT-PORTFILTER-GNE::PORTFILTER-1-5:ctag:::PROTO=TCP,DROPPORT=32769,ACCESSCOLANX=ON,ACCESSCOLANA=ON;
8. Disable NTP on port 123:
   ENT-PORTFILTER-GNE::PORTFILTER-1-6:1:::PROTO=UDP,DROPPORT=123;

7 Secure Management of the TOE

The following sections provide information on managing TOE functionality that is relevant to the claimed Protection Profile. Management of the TOE can be accomplished through a local or remote connection. Either connection uses the TL1 interface. Note that this information is largely derived from [1], [2], and [5] but is summarized here to discuss only actions that are required as part of the 'evaluated configuration'. The Security Administrator is encouraged to reference these documents in full in order to have in-depth awareness of the security functionality of the Ciena 6500, including functions that may be beyond the scope of this evaluation.

7.1 Authenticating to the TOE

The TOE requires the use of locally-defined authentication credentials. Users are not allowed to perform any security-relevant functions on the TOE without first being successfully identified and authenticated by the TOE's authentication method. At initial login, via a TL1 ACT-USER command, the user provides the username and is then prompted to provide the administrative password associated with the user account. The TOE then either grants administrative access (if the combination of username and credential is correct) or indicates that the login was unsuccessful. The TOE stores username and password hash data in the local storage for the TL1 interfaces. A warning banner is displayed prior to any login attempt.

The TL1 interface is protected by SSHv2, and users must authenticate using an SSH public key.
Connecting to the TOE with SSHv2 requires the SSH client to support:

• Encryption algorithms: aes128-cbc, aes256-cbc, aes128-ctr, and/or aes256-ctr
• Public key algorithm: ssh-rsa
• MAC algorithms: hmac-sha1-96, hmac-sha1, and/or hmac-sha2-256 (all other MAC algorithms are rejected and "none" is not allowed)
• Key exchange method: diffie-hellman-group14-sha1

There are no special actions required in the event of a communications outage. Simply re-establish the SSH connection and log into the TOE if the connection does not re-establish automatically.

7.1.1 Configuring an Authorized User with a Public Key

This is a prerequisite that must be completed prior to setting the SSH Server authentication method to public key. At least one SSH/SFTP User with a public key (authorized user entry) must be configured before public key authentication can be used by the SSH/SFTP Server (i.e., before setting the SSH Server 'Server Auth' to Public Key).

Using TL1 commands:

a) ENT-SSH-AUTHUSER::SHELF-1:54:::KEY="<RSA public key, base64>",USERID="userid";
b) RTRV-SSH-AUTHUSER::SHELF-1:55;
c) DLT-SSH-AUTHUSER::SHELF-1:56;

NOTE: "userid" is the User's ID.

Using the Site Manager:

1. Security > Manage Keys > SSH/SFTP Users > Add

Logging in using an RSA private/public key pair:

1. File > Login

NOTE: New users are required to change their passwords after successfully logging in for the first time.

7.1.2 Generate SSH Public/Private Keypair

1. Authenticate as a user with the appropriate privilege level for the following TL1 commands (UPC 4):
   ACT-USER::UID:CTAG::PID:DOMAIN=LOCAL;
2. Execute the following TL1 command for the TOE SSH server to authenticate a user with the RSA public key generated in Step 1:
   ENT-SSH-AUTHUSER:::CTAG:::USERID=userid,KEY=publickey;
   For example:
   ENT-SSH-AUTHUSER:::CTAG:::USERID="ADMIN",KEY="<RSA public key, base64>";
3. Enter the following TL1 command to enable SSH public key authentication on the TOE and restrict the TOE SSH algorithms to those claimed in the Security Target:
   ED-SSH:::CTAG:::KEYEXCMETHOD=DH-GROUP14,CIPHER=AES128CTR&AES256CTR&AES128CBC&AES256CBC,SERVER=ENABLED,HMAC=SHA2_256&SHA1&SHA1_96,IDLETIMEOUT=30,MAXSESSIONS=3,LOGLEVEL=2,KEYREX=Y,HOSTKEYALG=RSA,SRVRAUTH=PUBKEY;
4. (Optional) For the TOE SSH Client to authenticate to a server with an RSA public key, generate and retrieve the internally generated public key:
   CRTE-SSH-KEYS:::CTAG:::KEYSIZE=2048,KEYTYPE=RSA;
   RTRV-SSH-PUBKEY:::CTAG;

7.1.3 Configuring a Known Host with a Public Key

This step is needed if the SSH/SFTP Client is set to validate the SSH/SFTP Server public key.
At least one SSH/SFTP Hosts entry with a public key is needed prior to enabling SSH Client Host Key Validation.

Using TL1 commands:

1. ENT-SSH-HOSTKEY::SHELF-1:77:::"192.168.0.2",KEY="<RSA public key, base64>";
2. RTRV-SSH-HOSTKEY::SHELF-1:78;

Using the Site Manager:

1. Security > Manage Keys > SSH/SFTP Hosts > Add

7.1.4 Configuring SSH Server and Client Parameters

If the SSH Server is set to perform public key based authentication, at least one SSH/SFTP Users (authorized user) entry must be configured. Similarly, if the SSH Client is set to perform host validation, at least one SSH/SFTP Hosts (known host) entry must be configured.

Using TL1 commands:

1. ED-SSH::SHELF-1:105:::KEYEXCMETHOD=DH-GROUP14,CIPHER=AES128CTR&AES256CTR&AES128CBC&AES256CBC,SERVER=ENABLED,HOSTVLD=Y,HMAC=SHA2_256&SHA1&SHA1_96,IDLETIMEOUT=30,MAXSESSIONS=3,LOGLEVEL=2,KEYREX=Y,HOSTKEYALG=RSA,SRVRAUTH=PUBKEY;

Using the Site Manager:

1. Configuration > Comms Setting Management > Services > Service Type: SSH/Telnet > Edit (opens the Edit SSH/Telnet Parameters dialog)

7.1.5 SSH/SFTP Server & Client (System) RSA Keys

The system automatically generates RSA (2048) keys if they do not exist. New keys can be re-generated. Note that although a DSA key pair is generated by and present in the system, it is not used on any management interface (not used for any trusted path or trusted channel) if the SSH Host Key Algorithm is set to RSA only.

Using TL1 commands:

1. RTRV-SSH-PUBKEY
2. CRTE-SSH-KEYS
3. CHK-SSH-KEYS::KEYSIZE=3072,KEYTYPE=RSA;

Using the Site Manager:

1. Security > Manage Keys > SSH/SFTP Keys
2. Regenerate

7.2 Failed Authentication Lockout

In the evaluated configuration, the TOE will lock a remote administrative account when an administrator-configured number of successive invalid login attempts have been made within an administrator-configured time period. This applies to the remote TL1 interface; the number of failed attempts can be configured between 2 and 20 unsuccessful remote authentication attempts within 15 minutes. The TOE prevents further authentication attempts until a Security Administrator with a UPC Level of 4 or higher (UPC >= 4) unlocks the account or the account is automatically unlocked after a configurable period of between 0 and 7200 seconds, with 0 meaning no automatic locking, i.e., the user account is not locked out.

The TOE ensures that remote authentication failures do not prevent another Administrator from accessing the TOE, thus preventing a denial of service attack from taking place. By default, this is achieved by exempting Security Administrators with a UPC >= 4 from being locked out on local connections.

These settings can be configured by a Security Administrator with a UPC >= 4 via the local or remote TL1 interface as follows:

1. Authenticate to the TOE via TL1.
2. Enter the following command to configure the number of successive unsuccessful authentication attempts before the account is locked:
   SET-ATTR-SECUDFLT:::CTAG:::IDSTATE=UBIDON,USRLCKOUTMI=ALLREMUSRS,MXINV=5,DURAL=300;
   NOTE: The 5 is the number of failed attempts, and the 300 is the number of seconds.

Even though the above setting is global to the system, the TOE maintains a counter per username for the number of failed authentication attempts and tracks the time when each failed authentication attempt occurs. If a valid password is provided before the failed attempt value is met, then authentication is granted and the counter resets to zero. When a failed authentication attempt is older than the set time period and the counter has not met the failed attempt value, the counter will be reduced by one failed attempt. If the limit of failed authentication attempts is reached within the defined time period, the account associated with the username will be locked. Once an account is locked, repeated attempts to authenticate with that account will not work.

Once an account is locked, a Security Administrator with a UPC >= 4 must unlock the account via the TL1 interface using the following commands before another authentication attempt will be checked for that account:

1. Authenticate to the TOE locally as the Administrator and run the following command to manually unlock the account:
   ALW-SECU-USER:::CTAG:::USERTYP=...

7.3 User Accounts and User Management

6500 provides two default user accounts: ADMIN and SURVEIL. These accounts should have their default passwords modified, or the accounts should be replaced after initial commissioning. 6500 requires that at least one account with a UPC of 4 be provisioned on the system. Refer to "Local password management" and "Setting/changing/removing the supervisory password" in [1] in order to change the password or disable the default accounts.

The TOE requires the use of locally-defined authentication credentials. Users are not allowed to perform any security-relevant functions on the TOE without first being successfully identified and authenticated by the TOE's authentication method. At initial login, via a TL1 ACT-USER command, the user provides the username and is then prompted to provide the administrative password associated with the user account.
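The lockout rules of Section 7.2 (a global MXINV/DURAL setting, a counter per username that resets on a valid password, failures that age out of the window one at a time, a lock once the limit is reached, and manual or timed unlock), modelled in Python as an added example that is not Ciena's implementation; the account names and timestamps below are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LockoutPolicy:
    max_invalid: int = 5                       # MXINV: failures that lock the account
    window_seconds: int = 300                  # DURAL: period over which failures count
    auto_unlock_seconds: Optional[int] = None  # None: locked until an administrator unlocks


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of counted failures
    locked_at: Optional[float] = None


class LockoutTracker:
    """Global policy, per-username counters, as Section 7.2 describes."""

    def __init__(self, policy: LockoutPolicy, local_exempt: Set[str] = frozenset()):
        self.policy = policy
        self.local_exempt = set(local_exempt)  # UPC >= 4 accounts exempt on local connections
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _age_out(self, state: AccountState, now: float) -> None:
        # Each failure older than the window drops the counter by one, but only
        # while the limit has not been reached: a locked account stays locked.
        if state.locked_at is None:
            window = self.policy.window_seconds
            state.failures = [t for t in state.failures if now - t < window]

    def is_locked(self, user: str, now: float) -> bool:
        state = self._state(user)
        if state.locked_at is None:
            return False
        auto = self.policy.auto_unlock_seconds
        if auto is not None and now - state.locked_at >= auto:
            self.unlock(user)  # configurable automatic unlock
            return False
        return True

    def failure_count(self, user: str, now: float) -> int:
        state = self._state(user)
        self._age_out(state, now)
        return len(state.failures)

    def attempt(self, user: str, password_ok: bool, now: float, local: bool = False) -> str:
        """One ACT-USER attempt; returns 'GRANTED', 'DENIED' or 'LOCKED'."""
        if local and user in self.local_exempt:
            # Local exemption: remote failures cannot deny local administrative access.
            return "GRANTED" if password_ok else "DENIED"
        if self.is_locked(user, now):
            return "LOCKED"  # attempts against a locked account are not checked at all
        state = self._state(user)
        self._age_out(state, now)
        if password_ok:
            state.failures.clear()  # a valid password resets the counter to zero
            return "GRANTED"
        state.failures.append(now)
        if len(state.failures) >= self.policy.max_invalid:
            state.locked_at = now
            return "LOCKED"
        return "DENIED"

    def unlock(self, user: str) -> None:
        """Manual unlock by a UPC >= 4 administrator (ALW-SECU-USER)."""
        self.accounts[user] = AccountState()


def demo() -> dict:
    """Replays the rules on constructed attempts (usernames and times are made up)."""
    t = LockoutTracker(LockoutPolicy(max_invalid=5, window_seconds=300), local_exempt={"ADMIN"})
    out = {}
    for ts in (0, 10, 20, 30):                 # four failures, then a success
        t.attempt("oper", False, ts)
    out["reset_on_success"] = (t.attempt("oper", True, 40), t.failure_count("oper", 40))
    fifth = [t.attempt("oper", False, 100 + i) for i in range(5)][-1]
    out["fifth_failure"] = fifth               # fifth failure inside the window locks
    out["correct_while_locked"] = t.attempt("oper", True, 105)
    out["local_admin"] = t.attempt("ADMIN", False, 106, local=True)
    t.unlock("oper")
    out["after_unlock"] = t.attempt("oper", True, 106)
    for ts in (200, 201, 202):                 # sliding window: old failures age out
        t.attempt("oper", False, ts)
    out["aged_count"] = t.failure_count("oper", 501)  # only the failure at 202 still counts
    a = LockoutTracker(LockoutPolicy(max_invalid=2, window_seconds=300, auto_unlock_seconds=60))
    a.attempt("remote", False, 0)
    a.attempt("remote", False, 1)              # locked at t=1
    out["auto_before"] = a.attempt("remote", True, 60)
    out["auto_after"] = a.attempt("remote", True, 61)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```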
The TOE then either grants administrative access (if the combination of username and credential is correct) or indicates that the login was unsuccessful.

All security management functions are managed by Security Administrators being assigned to certain security levels. Authorized actions for a particular Security Administrator are dependent on which security level they are assigned to. There are five UPC security levels that allow a range of task execution capabilities: Level 5, Level 4, Level 3, Level 2, and Level 1. Security levels have permissions assigned to them, which define a Security Administrator's ability to administer the TOE. UPC Levels 4 and 5 provide the same capabilities; therefore, System Administrators should be at UPC Level 4 to access all commands. Security administrators can perform activities from both the local craft port interface and the remote interface. The TL1 interface can be accessed via SSH only. If administering the TOE locally via TL1 is desired, the management workstation should be placed on the same dedicated local network as the TOE. Section 2-1 under 'Security Levels' in [1] describes the various security levels and managing local and remote user accounts.

7.4 Password Management

A Security Administrator has the ability to set the minimum password length to any value between 8 and 128. In the evaluated configuration, passwords must have a minimum length of 15 characters or greater. The accepted characters include upper and lower case letters, numbers, and special characters. In order to minimize the risk of account compromise, it is recommended to use a password that includes a mixture of uppercase, lowercase, numeric, and special characters and is not a common word or phrase, but is not so complex that it must be written down in order to be remembered.

The TOE supports three local password rules: Standard, Complex and Custom. The default is Standard for the Ciena 6500.
Security Administrators with a UPC >= 4 have the ability to set the password length to 15 characters (or more) by performing the following steps:

Using TL1 commands:

1. Authenticate as a user with the appropriate privilege level for the following commands (UPC 4):
   ACT-USER::UID:CTAG::PID:DOMAIN=LOCAL;
2. Execute the following TL1 command:
   ED-SECU-PWDRLS:::CTAG:::PLEN_MIN=15;

Using the Site Manager:

1. Authenticate to the TOE via the Site Manager.
2. Select the required network element in the navigation tree.
3. Select User Profile from the Security menu. The existing user accounts for the selected network element appear in the User Profile application. Only local users are displayed.
   NOTE: The User Profile application is unavailable when connected directly to a member shelf of a consolidated node.
4. Click Defaults to open the Default Security Parameters dialog box.
5. From the Local Password Rules drop-down list, select Custom. Click OK.
6. Click Custom to open the Customized Security Parameters dialog box.
7. In the Minimum number of characters in password (8-15) field, enter 15 as the minimum number of characters required in each password.

7.5 Login Banner

The TOE displays a configurable warning banner on the local and remote console prior to a user supplying their authentication credentials. Remote authentication requires the use of SSH. The warning banner is configured by a Security Administrator with a UPC >= 4. Instructions for configuring the banner are in Procedure 4-2, "Editing the Banner", in [1].

Using TL1 commands:

RTRV-BANNER;
DLT-BANNER:::88;
SET-BANNER-LINE:::89::1,"text_message";
SET-BANNER-LINE:::90::2,"text_message";
SET-BANNER-LINE:::91::1,"text_message":BANNERTYPE=ACTIVE;

Using the Site Manager:

1. Configuration > Node Information > Login Banner > Edit

7.6 Session Termination

7.6.1 Admin Logout

The TOE provides the ability for administrators to manually terminate their own sessions.
Both the TL1 interface and Site Manager use the CANC-USER command. These commands apply to both local and remote usage. Additionally, when managing the TOE remotely, the terminal application used on the management workstation will typically terminate the SSH session if the application itself is closed.

1. Authenticate to the TOE via the local console.
2. Execute the following command to terminate the session:
   CANC-USER:::CTAG;
3. Observe that the session has been terminated.

7.6.2 Termination from Inactivity

The Security Administrator with UPC >= 4 can configure maximum inactivity times for both local and remote administrative sessions. The idle timeout value is set for each individual user account as opposed to being globally defined for all users. This is specified using the 'Timeout Interval' field when the user is created or modified using the TL1 interface (TMOUT-XXX parameter). By default, a user account will be logged out if idle for 30 minutes, but the value can be set to anything between 1 and 99 minutes. This applies to both local and remote connections. See [1] Procedure 2-2, "Adding a user account", for full instructions.

The TOE will terminate a remote TL1 session after a Security Administrator-defined period of inactivity. Additionally, there is an inactivity timer for SSH with a default of 30 minutes. The following steps can be performed to set the session timeouts via the TL1 interface:

1. Authenticate to the TOE via SSH.
2. Execute the following command to change the SSH timeout value to the desired value in minutes:
   ED-SSH:::CTAG:::IDLETIMEOUT=30;
   NOTE: The IDLETIMEOUT shown here is 30 minutes.

7.7 System Time Configuration

The TOE has an underlying hardware clock that is used for time keeping. In the evaluated configuration of the TOE, the system time is expected to be manually set.
The Security Administrator with UPC >=4 can configure all aspects of the clock using local or remote TL1. To set the time manually, the following steps are used:

1. Authenticate to the TOE via TL1.
2. Use the following TL1 command to edit the date and time:
   ED-DAT:::CTAG::yy-mm-dd,hh-mm-ss;
3. Verify that the date and time were set. (The retrieve command used for this check is not reproduced in this document; see the TL1 reference, Section 10.)

7.8 Secure Updates

To maintain security throughout the lifecycle of the Ciena 6500 product, the TOE provides a mechanism to apply software updates. The TOE provides the ability for a Security Administrator with UPC >=3 to update its software from the TL1 interface. The TOE, acting as the SSH client, uses SFTP over SSH to retrieve software updates from an update server. This can be a server maintained by Ciena or one maintained by the organization operating the TOE, in which case updates are shipped on read-only physical media when made available by Ciena and then loaded onto the update server, which must support SFTP over SSH, in the Operational Environment.

Updates are digitally signed, and the signature is verified using ECDSA on the P-521 elliptic curve with SHA-512. Once the update has been downloaded to the TOE, the digital signature of the software upgrade is verified. If the digital signature verification fails, the upgrade process stops and the downloaded software release is flushed from the device's temporary memory. After successful digital signature validation, the Security Administrator must load the update into flash memory by executing the LOAD-UPGRD command, where it remains until invoked. Invoking the update requires the Security Administrator to execute the INVK-UPGRD command to install the upgrade on the shelf processor, which reboots the TOE. The Security Administrator then needs to re-authenticate to the TOE and commit the upgrade using the CMMT-UPGRD command.
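The TL1 procedures in Sections 7.4 through 7.8 share one command shape, and a script that drives them (such as the retrieval script in Section 8.1.1) should check the completion code of each response before issuing the next command rather than assume success. The following Python example is added here and is not Ciena's code: it assembles commands in that shape, parses the generic TL1 response layout (a header line, then "M <ctag> COMPLD|DENY", optional text lines and the ";" terminator) and reports the four-letter error code on a DENY. The sample responses are constructed, not captured from a device, and the TMOUT range check uses the 1-99 minute limit stated in Section 7.6.2.

```python
"""Build TL1 commands and parse TL1 responses (added example, not Ciena's code).

Command shape:  verb:tid:aid:ctag::positional:key=value,...;
Response shape: header line, 'M  <ctag> COMPLD|DENY|PRTL', optional text, ';'
Both follow the generic TL1 layout; the sample responses are constructed.
"""
import re
from typing import Dict, Optional


def tl1_command(verb: str, ctag: str, tid: str = '', aid: str = '',
                positional: str = '',
                keywords: Optional[Dict[str, object]] = None) -> str:
    """Assemble a command, keeping empty positional blocks as empty fields so
    that ED-SSH:::CTAG:::IDLETIMEOUT=30; and CANC-USER:::CTAG; come out
    exactly as written in Section 7."""
    cmd = f'{verb}:{tid}:{aid}:{ctag}'
    if positional or keywords:
        cmd += f'::{positional}'
    if keywords:
        cmd += ':' + ','.join(f'{k}={v}' for k, v in keywords.items())
    return cmd + ';'


def user_timeout(minutes: int) -> Dict[str, int]:
    """TMOUT keyword for a user account; Section 7.6.2 allows 1-99 minutes."""
    if not 1 <= minutes <= 99:
        raise ValueError('TMOUT must be between 1 and 99 minutes')
    return {'TMOUT': minutes}


_HEADER = re.compile(r'^\s*(?P<sid>\S+)\s+(?P<date>\d\d-\d\d-\d\d)\s+'
                     r'(?P<time>\d\d[:-]\d\d[:-]\d\d)\s*$')
_STATUS = re.compile(r'^M\s+(?P<ctag>\S+)\s+(?P<status>COMPLD|DENY|PRTL)\s*$')
_ERRCODE = re.compile(r'^\s*(?P<code>[A-Z]{4})\s*$')   # e.g. PIUC on a DENY


def parse_tl1_response(text: str) -> dict:
    """Return sid/date/time, ctag, completion status, error code and text lines."""
    result = {'sid': None, 'date': None, 'time': None, 'ctag': None,
              'status': None, 'error': None, 'text': []}
    seen_status = False
    for ln in text.replace('\r\n', '\n').split('\n'):
        ln = ln.rstrip()
        if not ln.strip() or ln.strip() == ';':       # blank line or terminator
            continue
        m = _STATUS.match(ln)
        if m:
            result['ctag'], result['status'] = m['ctag'], m['status']
            seen_status = True
            continue
        if not seen_status:                            # only the header precedes M
            h = _HEADER.match(ln)
            if h:
                result.update(sid=h['sid'], date=h['date'], time=h['time'])
            continue
        e = _ERRCODE.match(ln)
        if e and result['error'] is None:
            result['error'] = e['code']
        else:
            result['text'].append(ln.strip())
    return result


def tl1_ok(text: str, ctag: str) -> bool:
    """True only when the response carries our CTAG and reports COMPLD."""
    r = parse_tl1_response(text)
    return r['ctag'] == ctag and r['status'] == 'COMPLD'


# Constructed responses in the generic TL1 layout (not captured from a device).
SAMPLE_COMPLD = '\r\n\n   SHELF-1 18-05-25 14:11:55\r\nM  CTAG1 COMPLD\r\n;'
SAMPLE_DENY = ('\r\n\n   SHELF-1 18-05-25 14:12:03\r\nM  CTAG2 DENY\r\n'
               '   PIUC\r\n   /* Privilege, Illegal User Code */\r\n;')

if __name__ == '__main__':
    print(tl1_command('ACT-USER', 'CTAG1', aid='ADMIN', positional='PID',
                      keywords={'DOMAIN': 'LOCAL'}))
    print(tl1_command('ED-SECU-PWDRLS', 'CTAG2', keywords={'PLEN_MIN': 15}))
    print(parse_tl1_response(SAMPLE_DENY))
```

In a driver script, gate every step on tl1_ok(response, ctag): if ACT-USER returns DENY the remaining commands would also be denied (or, worse, run under a different session's privileges), and the error code on the DENY (PIUC in the constructed sample, the same code the audit records in Section 8 report for a privilege failure) tells you why.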
Additionally, the TOE administrator can query the currently executing version and the most recently installed version. The TOE software is updated by the administrator performing the following steps:

1. Authenticate to the TOE via SSH.
2. Execute the following commands to output the currently running and the most recently installed TOE software versions:
   RTRV-RELEASE:::CTAG;
   RTRV-SW-VER:::CTAG;
3. Fetch the legitimate update by executing the following command:
   DLVR-RELEASE:::CTAG::REL1230Z.TD:URL="SFTP://ciena:Ciena123!@192.168.2.122/home/ciena/Downloads",MINIMAL=Y;
   NOTE: The URL carries the SFTP account name and password for the update server in clear text on the command line; treat the command history and any terminal logs on the management workstation accordingly.
4. Once the update has been fully fetched, execute the following command to load it into flash memory:
   LOAD-UPGRD:::CTAG::REL1230Z.TD:ALRMS=N;
5. Repeat Step 2 and confirm that the currently running version did not change, but that the most recently installed TOE software version increased.
6. Execute the following command to install the new load on the shelf processor:
   INVK-UPGRD:::CTAG;
7. After the TOE reboots, repeat Step 1 and execute the command in Step 6 again to install the new load on all the line cards.
8. Execute the following command to commit the upgrade:
   CMMT-UPGRD:::CTAG;
9. Repeat Step 2 and confirm that both the currently running version and the most recently installed TOE software version increased.

8 Auditing

In order to be compliant with Common Criteria, the TOE audits the events in the table below. Performing the steps in Sections 6 and 7 of this document are all the steps required for the TOE to generate the required audit records, store them locally, and make them available to an external audit server over SFTP.
The following is an example of an audit record that the Ciena 6500 produces:

SHELF-1:<133>1 2018-05-25T14:11:55.000786Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000185 SHELF-1:18-05-25,14-11-55:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"SURVEIL\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:52124\",STATUS=DENY,EVTDESCR=\"Invalid login\"

Each audit record contains the identifying information required by Common Criteria, including the date and time the event occurred (2018-05-25 14:11:55), the type of event (LOGEVENT=ACT-USER), the subject identity of the event (UID=\"SURVEIL\", UPC=1), the source (PORTTYPE=SSH, PORTADDR=\"192.168.2.126:52124\") and the outcome of the event (STATUS=DENY) with detail (EVTDESCR=\"Invalid login\").

When reading the audit log, one must read from the bottom up for chronological order. Each record has an identifying sequence number. For example, SHELF-1 000185 SHELF-1 indic­ates that this is record number 185 since booting (numbering starts at 000000). A record numbered SHELF-1 000000 SHELF-1 is the first record since booting, and the record prior to a SHELF-1 000000 SHELF-1 record is the last event before the reboot, such as a shutdown or reboot command. This matters because some events produce multiple records to provide all of the required information. For example:

SHELF-1:<134>1 2018-05-23T14:01:50.000658Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000112 DBCHGSEQ=783,DATE=18-05-23,TIME=14-01-50,USERID=ADMIN,SOURCE=73,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SECU-PWDRLS:SHELF-1::ALPHA_MIN=0,PDIF=1,SPEC_MIN=0,PLEN_MIN=15,NUM_MIN=0,UPPERC_MIN=0,LOWERC_MIN=0,REPEAT_CHAR_MAX=0
SHELF-1:<134>1 2018-05-23T14:01:50.000647Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000111 SHELF-1:18-05-23,14-01-50:YEAR=2018,LOGNAME=SECU406,LOGEVENT=ED-SECU-PWDRLS,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"SHELF-1\"

To decipher this example, start from the bottom record (SHELF-1 000111 SHELF-1): on 23 May 2018 a user called ADMIN with a UPC of 4, remotely connected over SSH from IP source 192.168.2.124:3633, issued an edit secure password rules (ED-SECU-PWDRLS) command successfully. The next audit record provides the details of the values stored. Again, it identifies who issued the command (ADMIN). This is a database change (DBCHG) that was successfully completed (STATUS=COMPLD:ED-SECU-PWDRLS). The values for the parameters are: ALPHA_MIN=0, PDIF=1, SPEC_MIN=0, PLEN_MIN=15, NUM_MIN=0, UPPERC_MIN=0, LOWERC_MIN=0, REPEAT_CHAR_MAX=0. The minimum password length is set to 15 (PLEN_MIN) and each password must differ from the last by at least 1 character (PDIF). The minimum numbers of alphabetic, upper case, lower case, numeric and special characters, and the maximum number of repeating characters in a password, are all set to 0 (ALPHA_MIN, UPPERC_MIN, LOWERC_MIN, NUM_MIN, SPEC_MIN, REPEAT_CHAR_MAX). See [2] for a complete list of user-initiated LOGEVENT values (TL1 commands) along with the parameters of each command, to help decipher audit records.

Sample audit records for each security-relevant auditable event are included in the following table. Where a value in a sample record could not be recovered from the source, it is shown as [...].

Requirement: FAU_GEN.1
Auditable events:
  - Start-up and shutdown of the audit functions. (No separate example is provided, because start-up and shutdown of the audit service is equated to start-up and shutdown of the TOE.)
  - Administrative login and logout (the name of the user account shall be logged if individual user accounts are required for Administrators).
  - Changes to TSF data related to configuration changes (in addition to the information that a change occurred, it shall be logged what has been changed).
  - Generating/import of, changing, or deleting of cryptographic keys (in addition to the action itself, a unique key name or key reference shall be logged).
  - Resetting passwords (the name of the related user account shall be logged).
Sample records:
  Start-up of the TOE:
  SHELF-1:<134>1 2018-05-22T19:21:48.000920Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000000 SHELF-1:18-05-22,19-21-48:YEAR=2018,LOGNAME=SECU420,LOGEVENT=TOD-CHANGE,UID=\"SYSTEM\",UPC=4,PORTTYPE=SSH,PORTADDR=\"LOCALHOST\",STATUS=COMPLD,RESOURCE=\"SLOT=15,TOD-Update May 22, 2018 - 19:21:47.867 to May 22, 2018 - 19:21:48.782\"
  Shutdown/reboot of the TOE:
  SHELF-1:<134>1 2018-05-22T19:20:01.000408Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001369 SHELF-1:18-05-22,19-20-01:YEAR=2018,LOGNAME=SECU406,LOGEVENT=INIT-[...]-WARM,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:63710\",STATUS=COMPLD,RESOURCE=\"SLOT=15\"
  Login:
  SHELF-1:<133>1 2018-05-23T15:17:53.000710Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000209 SHELF-1:18-05-23,15-17-53:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:64968\",STATUS=COMPLD
  Logout:
  SHELF-1:<133>1 2018-05-22T18:47:21.000998Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001347 SHELF-1:18-05-22,18-47-21:YEAR=2018,LOGNAME=SECU400,LOGEVENT=CANC-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:63316\",STATUS=COMPLD
  Modifying password complexity rules:
  SHELF-1:<134>1 2018-05-23T14:01:50.000658Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000112 DBCHGSEQ=783,DATE=18-05-23,TIME=14-01-50,USERID=ADMIN,SOURCE=73,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SECU-PWDRLS:SHELF-1::ALPHA_MIN=0,PDIF=1,SPEC_MIN=0,PLEN_MIN=15,NUM_MIN=0,UPPERC_MIN=0,LOWERC_MIN=0,REPEAT_CHAR_MAX=0
  SHELF-1:<134>1 2018-05-23T14:01:50.000647Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000111 SHELF-1:18-05-23,14-01-50:YEAR=2018,LOGNAME=SECU406,LOGEVENT=ED-SECU-PWDRLS,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"SHELF-1\"
  SSH key creation:
  SHELF-1:<134>1 2018-05-21T17:42:15.000348Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000973 DBCHGSEQ=719,DATE=18-05-21,TIME=17-42-15,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:CRTE-SSH-KEYS::KEYSIZE=2048,KEYTYPE=RSA
  Resetting a password:
  SHELF-1:<134>1 2018-05-23T13:51:41.000835Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000102 DBCHGSEQ=782,DATE=18-05-23,TIME=13-51-41,USERID=ADMIN,SOURCE=69,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SECU-USER:TEST,,2:ACCRSTAT=OFF,TMOUT=30,PAGE=45,PCND=14,ACCR=0,[...]=20,PAGESTAT=OFF,[...],USEDFLT=N
  SHELF-1:<134>1 2018-05-23T13:51:41.000829Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000101 SHELF-1:18-05-23,13-51-41:YEAR=2018,LOGNAME=SECU406,LOGEVENT=ED-SECU-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"TEST\"
  SHELF-1:<134>1 2018-05-23T13:49:42.000461Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000100 SHELF-1:18-05-23,13-49-42:YEAR=2018,LOGNAME=SECU406,LOGEVENT=RTRV-SECU-DFLT,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"ALL\"

Requirement: FCS_SSHC_EXT.1
Auditable events: Failure to establish an SSH session.
Sample record:
  SHELF-1:<37>May 18 14:58:27 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000337 SHELF-1:18-05-18,14-58-27:YEAR=2018,LOGNAME=SECU514,LOGEVENT=SFTP-CLIENT-CONNECT,UID=\"ciena\",UPC=3,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:22\",STATUS=ERROR,RESOURCE=\"reason=Negotiation failed\"

Requirement: FCS_SSHS_EXT.1
Auditable events: Failure to establish an SSH session.
Sample record:
  SHELF-1:<133>1 2018-05-21T18:22:52.000030Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001002 SHELF-1:18-05-21,18-22-52:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-CONNECT,UID=\"\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.123:3009\",STATUS=ERROR,RESOURCE=\"reason=Negotiation failed\"

Requirement: FIA_AFL.1
Auditable events: Unsuccessful login attempts limit is met or exceeded.
Sample records:
  SHELF-1:<134>1 2018-05-25T14:11:55.000898Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 000189 SP-1-15:SEC_INTRUDER,TC,05-25,14-11-55,NEND,NA,\"Intrusion Attempt 5 times by \\\"SURVEIL\\\"\":NONE:0100000000-0614-1376,YEAR=2018,MODE=NON
  SHELF-1:<129>1 2018-05-25T14:11:55.000886Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 000188 SP-1-15:MJ,SEC_INTRUDER,NSA,05-25,14-11-55,NEND,NA,\"Intrusion Attempt\":NONE:0100000000-0614-0267,YEAR=2018,MODE=NON

Requirement: FIA_UIA_EXT.1 and FIA_UAU_EXT.2
Auditable events: All use of the identification and authentication mechanism.
Sample records:
  Local TL1:
  SHELF-1:<133>1 2018-05-23T16:02:00.000416Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000275 SHELF-1:18-05-23,16-02-00:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:65827\",STATUS=COMPLD
  Remote SSH public key:
  SHELF-1:<133>1 2018-05-23T15:54:23.000678Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000283 SHELF-1:18-05-23,15-54-23:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-CONNECT,UID=\"ADMIN\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:65344\",STATUS=SUCCESS,RESOURCE=\"\"
  SHELF-1:<133>1 2018-05-23T15:54:23.000671Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000282 SHELF-1:18-05-23,15-54-23:YEAR=2018,LOGNAME=SECU400,LOGEVENT=SSH-LOGIN,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:65344\",STATUS=COMPLD
  Remote SSH TL1:
  SHELF-1:<133>1 2018-05-23T15:17:53.000710Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000209 SHELF-1:18-05-23,15-17-53:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:64968\",STATUS=COMPLD

Requirement: FMT_MOF.1/ManualUpdate
Auditable events: Any attempt to initiate a manual update.
Sample record (update failed to download from the update server):
  SHELF-1:<134>1 2018-05-21T17:00:08.000003Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000842 SHELF-1:18-05-21,17-00-08:YEAR=2018,LOGNAME=SECU401,LOGEVENT=DLVR-RELEASE,UID=\"TEST\",UPC=2,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:1982\",STATUS=PIUC,RESOURCE=\"\"
  Note: "PIUC" indicates that the event failed.

Requirement: FMT_MOF.1/Functions
Auditable events: Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, and the audit functionality when Local Audit Storage Space is full.
Sample record (modifying the syslog transmission configuration):
  SHELF-1:<134>1 2018-05-21T17:14:38.000082Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000953 DBCHGSEQ=716,DATE=18-05-21,TIME=17-14-38,USERID=ADMIN,SOURCE=1,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:SET-SYSLOG-SETTINGS::PRTCL=5424,SYSLOGFAC=16,SYSLOGSEV=7,SYSLOGTYPE=ALL

Requirement: FMT_MOF.1/Services
Auditable events: Starting and stopping of services.
Sample records:
  Starting the SSH service:
  SHELF-1:<134>1 2018-05-23T17:12:19.000812Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000294 DBCHGSEQ=790,DATE=18-05-23,TIME=17-12-19,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SSH::SERVER=ENABLED
  Stopping the SSH service:
  SHELF-1:<134>1 2018-05-23T17:10:44.000409Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000291 DBCHGSEQ=789,DATE=18-05-23,TIME=17-10-44,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SSH::SERVER=DISABLED

Requirement: FMT_MTD.1/CoreData
Auditable events: All management activities of TSF data.
Sample records: Refer to the records shown for FAU_GEN.1, FMT_MOF.1/Functions, FMT_MTD.1/CryptoKeys and FTA_SSL_EXT.1.

Requirement: FMT_MTD.1/CryptoKeys
Auditable events: Management of cryptographic keys.
Sample records:
  User failed to generate keys due to privilege level:
  SHELF-1:<134>1 2018-05-21T17:39:11.000571Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000909 SHELF-1:18-05-21,17-39-11:YEAR=2018,LOGNAME=SECU401,LOGEVENT=CRTE-SSH-KEYS,UID=\"TEST\",UPC=2,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:1932\",STATUS=PIUC,RESOURCE=\"\"
  Admin created SSH keys:
  SHELF-1:<134>1 2018-05-21T17:42:15.000348Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000973 DBCHGSEQ=719,DATE=18-05-21,TIME=17-42-15,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:CRTE-SSH-KEYS::KEYSIZE=2048,KEYTYPE=RSA

Requirement: FPT_STM_EXT.1
Auditable events: Discontinuous changes to time, either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also the application note on FPT_STM_EXT.1 in the NDcPP.)
Sample record (manual change of the system clock):
  SHELF-1:<110>May 21 09:34:00 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000879 SHELF-1:18-05-21,09-34-00:YEAR=2018,LOGNAME=SECU420,LOGEVENT=TOD-CHANGE,UID=\"SYSTEM\",UPC=4,PORTTYPE=SSH,PORTADDR=\"LOCALHOST\",STATUS=COMPLD,RESOURCE=\"SLOT=15,TOD-Update May 21, 2018 - 13:33:42.256 to May 21, 2018 - 09:34:00.000\"

Requirement: FPT_TUD_EXT.1
Auditable events: Initiation of update; result of the update attempt (success or failure).
Sample records:
  Initiation of update:
  SHELF-1:<134>1 2018-05-24T18:03:33.000751Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000878 SHELF-1:18-05-24,18-03-33:YEAR=2018,LOGNAME=SECU406,LOGEVENT=DLVR-RELEASE,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:51708\",STATUS=COMPLD,RESOURCE=\"\"
  Validation failure:
  SHELF-1:<134>1 2018-05-24T18:06:24.000013Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 000896 SP-1-15:SWFTDWN,TC,05-24,18-06-23,NEND,NA,\"Release 'REL1230Z.82' not delivered. Error: Checksum validation failure\":NONE:0100000000-0000-0072,YEAR=2018,MODE=NON

Requirement: FTA_SSL_EXT.1
Auditable events: The termination of a local session by the session locking mechanism.
Sample records:
  Configuration of a 1 minute timeout:
  SHELF-1:<134>1 2018-05-22T17:46:57.000854Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 001261 DBCHGSEQ=768,DATE=18-05-22,TIME=17-46-57,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SSH::IDLETIMEOUT=1
  Admin authentication:
  SHELF-1:<133>1 2018-05-22T17:48:51.000432Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001267 SHELF-1:18-05-22,17-48-51:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:62876\",STATUS=COMPLD
  Session timeout:
  SHELF-1:<133>1 2018-05-22T17:51:51.000204Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001270 SHELF-1:18-05-22,17-51-51:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-DISCONNECT,UID=\"ADMIN\",UPC=1,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:62876\",STATUS=SUCCESS,RESOURCE=\"reason=Timeout\"

Requirement: FTA_SSL.3
Auditable events: The termination of a remote session by the session locking mechanism.
Sample records:
  Configuration of a 3 minute timeout:
  SHELF-1:<134>1 2018-05-21T14:56:56.000213Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000727 DBCHGSEQ=659,DATE=18-05-21,TIME=14-56-56,USERID=ADMIN,SOURCE=CTAG,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SSH::IDLETIMEOUT=3
  Admin authentication:
  SHELF-1:<133>1 2018-05-21T14:57:57.000570Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000733 SHELF-1:18-05-21,14-57-57:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:1704\",STATUS=COMPLD
  Session timeout:
  SHELF-1:<133>1 2018-05-21T15:00:57.000764Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000736 SHELF-1:18-05-21,15-00-57:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-DISCONNECT,UID=\"\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:1704\",STATUS=SUCCESS,RESOURCE=\"reason=Timeout\"
  SHELF-1:<133>1 2018-05-21T15:00:57.000763Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000735 SHELF-1:18-05-21,15-00-57:YEAR=2018,LOGNAME=SECU400,LOGEVENT=CANC-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:1704\",STATUS=COMPLD

Requirement: FTA_SSL.4
Auditable events: The termination of an interactive session.
Sample record (terminated session):
  SHELF-1:<133>1 2018-05-22T18:47:21.000998Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001347 SHELF-1:18-05-22,18-47-21:YEAR=2018,LOGNAME=SECU400,LOGEVENT=CANC-USER,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"10.0.0.2:63316\",STATUS=COMPLD

Requirement: FTP_ITC.1
Auditable events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
Sample records:
  ## AUDIT SERVER ##
  Initiation of the trusted channel:
  SHELF-1:<134>1 2018-05-22T15:01:33.000536Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001144 SHELF-1:18-05-22,15-01-33:YEAR=2018,LOGNAME=SECU406,LOGEVENT=RTRV-SYSLOG,UID=\"SURVEIL\",UPC=5,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD,RESOURCE=\"\"
  SHELF-1:<134>1 2018-05-22T15:01:29.000871Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001143 SHELF-1:18-05-22,15-01-29:YEAR=2018,LOGNAME=SECU406,LOGEVENT=INH-MSG-ALL,UID=\"SURVEIL\",UPC=5,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD,RESOURCE=\"\"
  SHELF-1:<133>1 2018-05-22T15:01:29.000713Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001142 SHELF-1:18-05-22,15-01-29:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"SURVEIL\",UPC=5,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD
  SHELF-1:<133>1 2018-05-22T15:01:28.000848Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001141 SHELF-1:18-05-22,15-01-28:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-CONNECT,UID=\"ciena\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=SUCCESS,RESOURCE=\"\"
  SHELF-1:<133>1 2018-05-22T15:01:28.000542Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001140 SHELF-1:18-05-22,15-01-28:YEAR=2018,LOGNAME=SECU400,LOGEVENT=SSH-LOGIN,UID=\"ciena\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD
  Termination of the trusted channel:
  SHELF-1:<133>1 2018-05-22T15:01:33.000782Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001146 SHELF-1:18-05-22,15-01-33:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-DISCONNECT,UID=\"ciena\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=SUCCESS,RESOURCE=\"\"
  SHELF-1:<133>1 2018-05-22T15:01:33.000659Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001145 SHELF-1:18-05-22,15-01-33:YEAR=2018,LOGNAME=SECU400,LOGEVENT=CANC-USER,UID=\"SURVEIL\",UPC=5,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40434\",STATUS=COMPLD
  Failure of the trusted channel:
  SHELF-1:<133>1 2018-05-22T15:27:27.000414Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001163 SHELF-1:18-05-22,15-27-27:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-CONNECT,UID=\"\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:40454\",STATUS=ERROR,RESOURCE=\"reason=Negotiation failed\"
  ## UPDATE SERVER ##
  Initiation of the trusted channel:
  SHELF-1:<134>1 2018-05-22T15:45:08.000976Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001176 SP-1-15:SWFTDWN,TC,05-22,15-45-08,NEND,NA,\"Remote transfer of file '/home/ciena/[...]' failed (SFTP: Object not [...])\":NONE:0100000000-0000-0072,YEAR=2018,MODE=NON
  SHELF-1:<133>1 2018-05-22T15:45:06.000805Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001175 SHELF-1:18-05-22,15-45-06:YEAR=2018,LOGNAME=SECU514,LOGEVENT=SFTP-CLIENT-CONNECT,UID=\"ciena\",UPC=3,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:22\",STATUS=SUCCESS,RESOURCE=\"fingerprint=[...]\"
  SHELF-1:<131>1 2018-05-22T15:45:05.000801Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001174 SP-1-15:MN,SWFTDLIP,NSA,05-22,15-45-05,NEND,NA,\"Software Delivery In Progress\":NONE:0100000027-2029-0454,YEAR=2018,MODE=NON
  Termination of the trusted channel:
  SHELF-1:<133>1 2018-05-22T15:45:08.000989Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001177 SHELF-1:18-05-22,15-45-08:YEAR=2018,LOGNAME=SECU514,LOGEVENT=SFTP-CLIENT-DISCONNECT,UID=\"ciena\",UPC=3,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:22\",STATUS=SUCCESS,RESOURCE=\"\"
  Failure of the trusted channel:
  SHELF-1:<134>1 2018-05-22T15:55:54.000806Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001216 SP-1-15:SWFTDWN,TC,05-22,15-55-54,NEND,NA,\"Release server connection failed\":NONE:0100000000-0000-0072,YEAR=2018,MODE=NON
  SHELF-1:<134>1 2018-05-22T15:55:54.000728Z 192.168.2.101 ALM OME-2C39C1A48438:SHELF-1 001215 SP-1-15:SWFTDWN,TC,05-22,15-55-54,NEND,NA,\"Delivery of release failed: SFTP: Protocol [...]\":NONE:0100000000-0000-0072,YEAR=2018,MODE=NON
  SHELF-1:<133>1 2018-05-22T15:55:54.000696Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001214 SHELF-1:18-05-22,15-55-54:YEAR=2018,LOGNAME=SECU514,LOGEVENT=SFTP-CLIENT-CONNECT,UID=\"ciena\",UPC=3,PORTTYPE=SSH,PORTADDR=\"192.168.2.122:22\",STATUS=ERROR,RESOURCE=\"reason=Negotiation failed\"

Requirement: FTP_TRP.1/Admin
Auditable events: Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions.
Sample records:
  Termination of the trusted path:
  SHELF-1:<133>1 2018-05-22T16:11:36.000270Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001239 SHELF-1:18-05-22,16-11-36:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-DISCONNECT,UID=\"ADMIN\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:50779\",STATUS=SUCCESS,RESOURCE=\"\"
  Failed establishment of the trusted path:
  SHELF-1:<133>1 2018-05-22T16:10:31.000786Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001233 SHELF-1:18-05-22,16-10-31:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-CONNECT,UID=\"\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:50772\",STATUS=ERROR,RESOURCE=\"reason=Negotiation failed\"
  Successful establishment of the trusted path:
  SHELF-1:<133>1 2018-05-22T16:09:40.000279Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001231 SHELF-1:18-05-22,16-09-40:YEAR=2018,LOGNAME=SECU517,LOGEVENT=SSH-SERVER-CONNECT,UID=\"ADMIN\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:50763\",STATUS=SUCCESS,RESOURCE=\"\"
  SHELF-1:<133>1 2018-05-22T16:09:40.000268Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 001230 SHELF-1:18-05-22,16-09-40:YEAR=2018,LOGNAME=SECU400,LOGEVENT=SSH-LOGIN,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:50763\",STATUS=COMPLD

Table 3: Ciena 6500 Auditable Events

8.1 Audit Storage

The TOE stores audit data locally in three distinct files: the security log, the autonomous outputs (AO) log, and the syslog. The security log is the record of events such as login/authentication, authorized commands, and changes made to the network configuration. The AO log contains the detailed information about an event, such as which parameters were used. The TOE aggregates both the security log and the AO log into the syslog records file. The syslog file contains all the information required to satisfy the PP requirements and is therefore the file that is exported to the external audit server.

The maximum audit size is approximate, as the TSF limits the audit logs by the number of records per log file or by a combined file size of approximately 7MB of data. The security log holds a maximum of 1000 records or 800KB. The AO log holds a maximum of 9000 records or 4MB. The syslog holds a maximum of 1000 records or 2MB. When a locally stored audit file has reached its maximum number of records or its maximum file size, the oldest record is overwritten with new audit data. The TOE does not provide a user mechanism to delete or modify the locally stored audit data, and the filesystem is not accessible by any user of the TOE.

In the evaluated configuration, the syslog file is periodically pulled to a remote audit server by an automated script over an SSH trusted channel (the example script in Section 8.1.1 retrieves the records with the RTRV-SYSLOG TL1 command over that channel). How quickly the logs fill and start overwriting old records depends on how heavily the TOE is used.
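The record layout explained above (RFC 5424-style header, log type, per-boot sequence number, TL1-style KEY=VALUE body) is regular enough to parse, and the audit server that pulls the syslog file has to do exactly that to alert on failed logins, spot reboots from the 000000 sequence reset, and recover the password rules set through ED-SECU-PWDRLS (Section 7.4). The following Python example is added here and is not Ciena's code. It parses the three record types, applies those three checks, and evaluates a candidate password against the recovered rule set. The sample records are constructed from the examples in this document, and the rule semantics in check_password() (minimum counts for the *_MIN parameters, REPEAT_CHAR_MAX as a limit on consecutive repeats with 0 meaning no limit, PDIF as the minimum number of positions that differ from the previous password) are an assumption, since the page only states what the parameters are called.

```python
"""Parse Ciena 6500 audit records and run a few triage checks on them.

Added example, not Ciena's code.  Record layout per Section 8:
  SHELF-1:<PRI>1 <timestamp> <source> <SECU|DBCHG|ALM> <node> <seq> <body>
The sample records are constructed from the examples in this document; the
password-rule semantics in check_password() are an assumption.
"""
import re
from typing import Dict, List, Optional

_HEADER = re.compile(
    r'^(?P<shelf>[^:]+):<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<src>\S+) '
    r'(?P<log>SECU|DBCHG|ALM) (?P<node>\S+) (?P<seq>\d{6}) (?P<body>.*)$')


def split_fields(text: str) -> List[str]:
    """Split on commas outside \"...\" quoted values; the quote marks are dropped."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(text):
        if text.startswith('\\"', i):          # records quote values as \"...\"
            quoted, i = not quoted, i + 2
            continue
        if text[i] == ',' and not quoted:
            out.append(''.join(cur)); cur = []
        else:
            cur.append(text[i])
        i += 1
    out.append(''.join(cur))
    return [f for f in out if f]


def kv_pairs(text: str) -> Dict[str, str]:
    pairs = {}
    for field in split_fields(text):
        if '=' in field:
            k, v = field.split('=', 1)
            pairs[k.strip()] = v
    return pairs


def parse_record(line: str) -> Optional[dict]:
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop('pri'))                  # RFC 5424 PRI = facility*8 + severity
    rec.update(facility=pri // 8, severity=pri % 8, seq=int(rec['seq']))
    body = rec.pop('body')
    if rec['log'] == 'SECU':                   # SHELF-1:yy-mm-dd,hh-mm-ss:KEY=VALUE,...
        parts = body.split(':', 2)
        rec['fields'] = kv_pairs(parts[2]) if len(parts) == 3 else {}
    elif rec['log'] == 'DBCHG':                # KEY=VALUE,...:COMMAND:aid::PARAM=VALUE,...
        head, _, cmd = body.partition(':')
        rec['fields'] = kv_pairs(head)
        rec['fields']['COMMAND'] = cmd.split(':')[0]
        rec['fields']['PARAMS'] = kv_pairs(cmd.rsplit('::', 1)[1]) if '::' in cmd else {}
    else:                                      # ALM: aid:condition,severity,... kept raw
        aid, _, rest = body.partition(':')
        rec['fields'] = {'AID': aid, 'CONDTYPE': rest.split(',')[0], 'RAW': body}
    return rec


def parse_log(lines):
    return [r for r in map(parse_record, lines) if r]


def chronological(records):
    """The device lists newest first (Section 8: read bottom-up), so reverse."""
    return list(reversed(records))


def denied_logins(records):
    return [(r['fields'].get('UID'), r['fields'].get('PORTADDR')) for r in records
            if r['log'] == 'SECU' and r['fields'].get('LOGEVENT') == 'ACT-USER'
            and r['fields'].get('STATUS') == 'DENY']


def boot_boundaries(records):
    """Sequence number 000000 marks the first record after a (re)boot."""
    return [r['ts'] for r in records if r['seq'] == 0]


def password_policy(records):
    """Pull the rule set out of the ED-SECU-PWDRLS database-change record."""
    for r in records:
        if r['log'] == 'DBCHG' and r['fields']['COMMAND'] == 'ED-SECU-PWDRLS':
            return {k: int(v) for k, v in r['fields']['PARAMS'].items()}
    return None


def check_password(pw: str, policy: Dict[str, int],
                   previous: Optional[str] = None) -> List[str]:
    """Names of the rules a candidate password violates (assumed semantics)."""
    counts = {'ALPHA_MIN': sum(c.isalpha() for c in pw),
              'UPPERC_MIN': sum(c.isupper() for c in pw),
              'LOWERC_MIN': sum(c.islower() for c in pw),
              'NUM_MIN': sum(c.isdigit() for c in pw),
              'SPEC_MIN': sum(not c.isalnum() for c in pw)}
    bad = ['PLEN_MIN'] if len(pw) < policy.get('PLEN_MIN', 0) else []
    bad += [k for k, n in counts.items() if n < policy.get(k, 0)]
    run = max((len(m.group()) for m in re.finditer(r'(.)\1*', pw)), default=0)
    if policy.get('REPEAT_CHAR_MAX', 0) and run > policy['REPEAT_CHAR_MAX']:
        bad.append('REPEAT_CHAR_MAX')
    if previous is not None:                   # PDIF: positions that must differ
        diff = sum(a != b for a, b in zip(pw, previous)) + abs(len(pw) - len(previous))
        if diff < policy.get('PDIF', 0):
            bad.append('PDIF')
    return bad


# Constructed sample log (newest first), modelled on the records in Section 8.
SAMPLE_LOG = [
    r'SHELF-1:<133>1 2018-05-25T14:11:55.000786Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000185 SHELF-1:18-05-25,14-11-55:YEAR=2018,LOGNAME=SECU400,LOGEVENT=ACT-USER,UID=\"SURVEIL\",UPC=1,PORTTYPE=SSH,PORTADDR=\"192.168.2.126:52124\",STATUS=DENY,EVTDESCR=\"Invalid login\"',
    r'SHELF-1:<134>1 2018-05-23T14:01:50.000658Z 192.168.2.101 DBCHG OME-2C39C1A48438:SHELF-1 000112 DBCHGSEQ=783,DATE=18-05-23,TIME=14-01-50,USERID=ADMIN,SOURCE=73,PRIORITY=GEN_TL1_CMD,STATUS=COMPLD:ED-SECU-PWDRLS:SHELF-1::ALPHA_MIN=0,PDIF=1,SPEC_MIN=0,PLEN_MIN=15,NUM_MIN=0,UPPERC_MIN=0,LOWERC_MIN=0,REPEAT_CHAR_MAX=0',
    r'SHELF-1:<134>1 2018-05-23T14:01:50.000647Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000111 SHELF-1:18-05-23,14-01-50:YEAR=2018,LOGNAME=SECU406,LOGEVENT=ED-SECU-PWDRLS,UID=\"ADMIN\",UPC=4,PORTTYPE=SSH,PORTADDR=\"192.168.2.124:3633\",STATUS=COMPLD,RESOURCE=\"SHELF-1\"',
    r'SHELF-1:<134>1 2018-05-22T19:21:48.000920Z 192.168.2.101 SECU OME-2C39C1A48438:SHELF-1 000000 SHELF-1:18-05-22,19-21-48:YEAR=2018,LOGNAME=SECU420,LOGEVENT=TOD-CHANGE,UID=\"SYSTEM\",UPC=4,PORTTYPE=SSH,PORTADDR=\"LOCALHOST\",STATUS=COMPLD,RESOURCE=\"SLOT=15,TOD-Update May 22, 2018 - 19:21:47.867 to May 22, 2018 - 19:21:48.782\"',
]

if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    print('denied logins:', denied_logins(recs))
    print('boots seen at:', boot_boundaries(recs))
    print('rules:', password_policy(recs))
    print('violations for "short":', check_password('short', password_policy(recs)))
```

The sequence number is the detail to watch when correlating pulled files: a gap between the last number in one pull and the first in the next means records were overwritten before they were retrieved (the syslog holds only 1000), and a drop back to 000000 means the node rebooted, so the retrieval interval in Section 8.1.1 should be chosen against the observed record rate.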
Therefore, it is recommended that the script be scheduled to execute every 1-6 hours, even though the frequency could be as short as every minute or as long as once every 24 hours, to mitigate any potential for audit records not being stored remotely.

8.1.1 Example Audit retrieval script

At this point it is assumed that the required key pair has been generated and installed per Section 7. The following is an example Python script that must be installed on the remote audit server in order to pull audit information.

#######################################################
# Note: this script is meant as a simple example of
# how to periodically scrape a 6500 NE of its syslogs
# through SSH and is not meant to be used as is in a
# production environment.
#######################################################
import datetime
import time

#######################################################
# Information on the pexpect python library,
# installation and support at:
# https://pexpect.readthedocs.io/en/stable/install.html
#######################################################
import pexpect

#######################################################
# Make custom changes here
#######################################################
time_interval_seconds = 60
TL1_login_id = 'SURVEIL'
TL1_login_password = 'SURVEIL'
ssh_user_id = 'ciena'        # SSH account whose key pair was installed per Section 7
                             # (placeholder; the value is illegible in the source)
host = '192.168.2.101'       # network element address (placeholder, as above)
log_postfix = '.txt'         # suffix of each retrieved syslog file (placeholder, as above)
#######################################################
# End of custom changes
#######################################################
ssh_text = 'ssh ' + ssh_user_id + '@' + host

#######################################################
# Loop forever, executing TL1 commands through an SSH
# session. Output the result of the syslog retrieval
# to a new file on each time interval. Sleep until
# the time interval expires and start over.
#######################################################
while True:
    try:
        child = pexpect.spawn(ssh_text, encoding='utf-8', timeout=60)
        date_stamp = datetime.datetime.now().strftime('%Y-%m-%d-%H:%M:%S')
        log_name = host + '_' + date_stamp + log_postfix
        child.expect('<')                          # TL1 prompt
        child.sendline('ACT-USER::' + TL1_login_id + ':CTAG1::' + TL1_login_password + ';')
        child.expect('\r\n;')                      # ';' terminates each TL1 response
        child.sendline('INH-MSG-ALL:::CTAG2;')     # stop autonomous messages so they do not
        child.expect('\r\n;')                      # interleave with the retrieval output
        child.sendline('INH-MSG-BROADCAST:::CTAG3;')
        child.expect('\r\n;')
        child.sendline('RTRV-SYSLOG:::CTAG4;')
        child.expect('\r\n;')
        with open(log_name, 'w') as fout:          # child.before holds the response text up
            fout.write(child.before + child.after) # to the terminator; child.after is the ';'
        child.sendline('CANC-USER::' + TL1_login_id + ':CTAG5;')
        child.expect('\r\n;')
        child.close(True)
        print('Back to sleep for ' + str(time_interval_seconds) + ' second(s)')
        time.sleep(time_interval_seconds)
    except pexpect.EOF:
        print('Unexpected EOF reached')
        time.sleep(time_interval_seconds)          # do not spin if the NE dropped the session
    except pexpect.TIMEOUT:
        print('Expect timeout error')
        break
    except IOError:
        print('Error opening log file')
print('Exiting')

9 Operational Modes

When the TOE is first installed, it is considered to be in its normal operational mode. After initial installation, the TOE must still be placed into its evaluated configuration by performing the steps described in Section 6 of this document. Once placed in the evaluated configuration, the TOE's normal operational mode will perform the functions as described in [5]. In the event that a POST fails, the TOE will attempt to reboot itself. If the TOE has been corrupted or the hardware has failed such that rebooting will not resolve the issue, an Administrator will need to contact Ciena support per the guidance in Section 11.

10 TL1 Commands

These are the security-relevant commands used for TL1. For details of each command, use the TL1 reference.

1. ACT-USER
2. CANC-USER
3. RTRV-ACTIVE-USER
4. ED-SECU-PID
5. ENT-SECU-BADPID
6. DLT-SECU-BADPID
7. RTRV-SECU-BADPID
8. ENT-SECU-USER
9. ED-SECU-USER
10. ALW-SECU-USER
11. DLT-SECU-USER
12. RTRV-SECU-USER
13. SET-ATTR-SECUDFLT
14. RTRV-SECU-DFLT
15. CLR-ALM-SECU
16. ALW-SECU-CID
17. RTRV-SECU-CID
18. RTRV-AUDIT-SECULOG
19. RTRV-SECU-UPC
20. INH-SECU-USER
21. SET-BANNER-LINE
22. DLT-BANNER
23. RTRV-BANNER
24. CANC-SECU-SESSION
25. ED-SSH
26. RTRV-SSH
27. RTRV-SSH-PUBKEY
28. CHK-SSH-KEYS
29. CRTE-SSH-KEYS
30. RTRV-INTRUDED-USER
31. ED-SECU
32. RTRV-SECU
33. ED-SECU-PWDRLS
34. RTRV-SECU-PWDRLS
35. RTRV-SYSLOG
36. SET-SYSLOG-SERVER
37. RTRV-SYSLOG-SERVER
38. SET-AUTH-DFLT
39. RTRV-AUTH-DFLT
40. SET-AUTH-MODE
41. RTRV-AUTH-MODE
42. SET-SYSLOG-SETTINGS
43. RTRV-SYSLOG-SETTINGS
44. ENT-SSH-HOSTKEY
45. DLT-SSH-HOSTKEY
46. RTRV-SSH-HOSTKEY
47. ENT-SSH-AUTHUSER
48. DLT-SSH-AUTHUSER
49. RTRV-SSH-AUTHUSER
50. INIT-ZEROIZE
51. RTRV-ALMPROFILE
52. RTRV-ALMPROFILE-ACTIVE
53. RTRV-ALMPROFILE-DFLT
54. SET-ALMPROFILE-ACTIVE
55. SET-ALMPROFILE-DFLT
56. SET-ALMPROFILE-ATTR
57. RTRV-ALM-ALL
58. RTRV-ALM-ENV
59. SET-ATTR-ENV
60. SET-ATTR-CONT
61. RTRV-AO
62. RTRV-AO-BROADCAST
63. RTRV-COND-ALL
64. RTRV-SW-VER
65. RTRV-UPGRD-STATE
66. RTRV-UPGRD-DEPEND
67. RTRV-RELEASE
68. RTRV-NODE-RELEASE
69. CANC-RELEASE
70. CANC-UPGRD
71. CHK-RELEASE
72. CHK-UPGRD
73. CMMT-UPGRD
74. SAV-RELEASE
75. DLT-RELEASE
76. DLT-RELEASE-SERVER
77. DLVR-RELEASE
78. INVK-UPGRD
79. LOAD-UPGRD
80. ENT-RELEASE-SERVER
81. APPLY-SRVPACK
82. RMV-SRVPACK
83. ED-TOD-MODE
84. OPR-TOD-SYNC
85. SET-TOD-SER
86. ED-DAT
87. SAV-LOG
88. CANC-LOG
89. CANC-PROV
90. CHK-PROV
91. CMMT-PROV
92. RST-PROV
93. SAV-PROV

11 Additional Support

Ciena provides technical support for its products if needed. Customers can register for a support account at http://my.ciena.com/CienaPortal/. Additionally, customers can open a ticket with Ciena support by calling +1 (800) 243-6224 (U.S. and Canada only). Please visit https://www.ciena.com/support/ for international phone numbers.
