Common Criteria overview

This section contains steps for configuring the Extreme NetIron, running OS version 06.3.00aa, for Common Criteria (CC) standards under the collaborative Protection Profile for Network Devices (NDcPP) version 2.1.

Common Criteria certification enforces a set of security standards and feature limitations on a device so that it complies with the Common Criteria standards, similar to placing the device in FIPS mode. To better understand the Common Criteria certification and the security functions that have been subject to certification, refer to the document Extreme NetIron R06.3.00aa (NDcPP21) Security Target.

FIPS 140-2 Security Level 1 specifies the security requirements that are satisfied by a cryptographic module utilized within a security system protecting sensitive information of the system.

Extreme NetIron switches running OS 06.3.00aa are designed to support FIPS-compliance mode. All cryptographic algorithms required and used in CC are certified by the Cryptographic Algorithm Validation System (CAVS). The RNG component does not require configuration and follows the requirements specified above.

The Extreme NetIron management functions are isolated through user authentication. After a successful login, all actions are audited. In addition, the remote management communication path is protected against modification and disclosure using SSHv2. The audit channel to an external Syslog server is protected using TLS encapsulation for NDcPP evaluation. The authentication channel between the TOE (Target of Evaluation) and external authentication servers such as RADIUS or TACACS+ must be configured to be protected using TLS encapsulation.

Note

Common Criteria mode becomes available once a device is FIPS-enabled.

Note

To determine if the NetIron device and current software version are Common Criteria-certified, refer to https://www.niap-ccevs.org/CCEVS_Products/pcl.cfm. Refer to the release notes for the software version running on the device to verify that the software is FIPS- and Common Criteria-certified.

You can enable Common Criteria mode on a device directly from non-FIPS mode, or on a device already in FIPS mode. The following table summarizes the transitions.

Table 1. Transition to Common Criteria mode

| From | To non-FIPS mode | To FIPS mode | To Common Criteria mode |
|---|---|---|---|
| Non-FIPS mode | Not applicable | Use the fips enable command | Use the fips enable common-criteria command |
| FIPS mode | Use the no fips enable command | Not applicable | Use the fips enable common-criteria command |
| Common Criteria mode | Use the no fips enable or no fips enable common-criteria command | Use the following commands in a sequence: 1. no fips enable 2. reload device 3. fips enable | Not applicable |

The following considerations are advised:

The following table lists the individual Extreme NetIron platforms that support Common Criteria certification requirements.

Table 2. Devices that support Common Criteria

| Features supported | Extreme MLX Series | Extreme NetIron CER 2000-4X-RT Series |
|---|---|---|
| FIPS CC mode | MLXe: Yes; MLX: No | Yes |