Professional Documents
Culture Documents
ST Vid10925-Agd
ST Vid10925-Agd
APS Systems
Supplemental Administrative Guidance
for Common Criteria
Version 1.1
December 12, 2019
Prepared By:
1|Page
7.2.2 Unlocking a User Account .................................................................................................. 15
7.3 User Accounts and User Management ........................................................................................ 15
7.3.1 Assigning User Roles .......................................................................................................... 16
7.4 Password Management ............................................................................................................... 16
7.4.1 Configuring Password Policies ........................................................................................... 16
7.4.2 Resetting Passwords............................................................................................................ 16
7.5 Login Banner .............................................................................................................................. 17
7.6 Session Termination.................................................................................................................... 17
7.6.1 Admin Logout ..................................................................................................................... 17
7.6.2 Termination from Inactivity ................................................................................................ 17
7.7 System Time Configuration ........................................................................................................ 18
7.8 Secure Updates............................................................................................................................ 19
7.8.1 Display Current Version ..................................................................................................... 19
7.8.2 Uploading the Upgrade Files .............................................................................................. 20
7.8.3 Upgrading the Software ...................................................................................................... 20
8 Auditing .............................................................................................................................................. 21
8.1 Audit Storage .............................................................................................................................. 34
8.2 Stopping and Starting Audit Server ............................................................................................ 34
9 Operational Modes .............................................................................................................................. 35
10 Additional Support .......................................................................................................................... 35
Table of Tables
Table 1: AED/APS Hardware Specifications ............................................................................................... 4
Table 2: Evaluated Components of the Operational Environment ............................................................... 5
Table 4: Management Functions by Interface............................................................................................. 15
Table 5: AED/APS Sample Audit Records................................................................................................. 21
2|Page
1 Introduction
The NETSCOUT Arbor Edge Defense and Availability Protection System (APS) Systems (referred as
AED/APS (or APS for short) from this point forward) is a network device that includes hardware and
software whose primary functionality is to secure the internet data center’s edge from threats against
availability, specifically from application-layer distributed denial of service (DDoS) attacks. The
collaborative Protection Profile for Network Devices, version 2.0 + Errata 20180314 (NDcPP) defines a
network device as “a device composed of both hardware and software that is connected to the network
and has an infrastructure role within the network”. Additionally, the NDcPP says that example devices
that fit this definition include routers, firewalls, intrusion detection systems, and switches.
As a Common Criteria evaluated product, this guidance serves to define the ‘evaluated configuration’ in
which the evaluation was performed and to summarize how to perform the security functions that were
tested as part of the evaluation.
2 Intended Audience
This document is intended for administrators responsible for installing, configuring, and/or operating
AED/APS. Guidance provided in this document allows the reader to deploy the product in an
environment that is consistent with the configuration that was evaluated as part of the product’s Common
Criteria (CC) testing process. It also provides the reader with instructions on how to exercise the security
functions that were claimed as part of the CC evaluation. The reader is also expected to be familiar with
the general operation of the AED/APS product. This supplemental guidance includes references to
NETSCOUT’s standard documentation set for the product and does not explicitly reproduce materials
located there.
The reader is also expected to be familiar with the NETSCOUT Arbor Edge Defense and APS Systems
Security Target and the general CC terminology that is referenced in it. This document references the
Security Functional Requirements (SFRs) that are defined in the Security Target document and provides
instructions for how to perform the security functions that are defined by these SFRs. The AED/APS
product as a whole provides a great deal of security functionality but only those functions that were in the
scope of the claimed PP are discussed here. Any functionality that is not described here or in the
NETSCOUT Arbor Edge Defense and APS Systems Security Target was not evaluated and should be
exercised at the user’s risk.
3 Terminology
In reviewing this document, the reader should be aware of the terms listed below. These terms are also
described in the NETSCOUT Arbor Edge Defense and APS Systems Security Target.
CC: stands for Common Criteria. Common Criteria provides assurance that the process of specification,
implementation and evaluation of a computer security product has been conducted in a rigorous and
standard and repeatable manner at a level that is commensurate with the target environment for use.
3|Page
SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part
of the CC process.
TOE: stands for Target of Evaluation. This refers to the aspects of the AED/APS product that contain the
security functions that were tested as part of the CC evaluation process.
4 References
The following security-relevant documents are included with the TOE. This is part of the standard
documentation set that is provided with the product. Documentation that is not related to the functionality
tested as part of the CC evaluation is not listed here.
[1] Arbor Networks APS Appliance Quick Start Card
[2] Arbor Networks AED Appliance Quick Start Card
[3] Arbor Networks APS Compliance Guide for Common Criteria and FIPS, Version 6.0.1
[4] Arbor Edge Defense Compliance Guide for Common Criteria and FIPS, Version 6.2.2
[5] Arbor Networks APS User Guide, Version 6.2
[6] Arbor Edge Defense User Guide, Version 6.2
The following document was created in support of the AED/APS CC evaluation:
[7] NETSCOUT Arbor Edge Defense and APS Systems Security Target, version 1.1
5.3 Assumptions
In order to ensure the product is capable of meeting its security requirements when deployed in its
evaluated configuration, the following conditions must be satisfied by the organization, as defined in the
claimed Protection Profile:
Physical security: The AED/APS product does not claim any sort of physical tamper-evident or
tamper-resistant security mechanisms. Therefore, it is necessary to deploy the product in a locked
or otherwise physically secured environment so that it is not subject to untrusted physical
modification.
Limited functionality: The AED/APS product must only be used for its intended networking
purpose. General purpose computing applications, especially those with network-visible
interfaces, may compromise the security of the product if introduced.
No through traffic protection: The security boundary of the Common Criteria evaluation is
limited to traffic flowing to or from the TOE. The intent is for AED/APS to protect data that
originates on or is destined to the device itself, to include administrative data and audit data.
Traffic that is traversing the network device, destined for another network entity, is not covered
by the NDcPP. It is assumed that this protection will be covered by cPPs for particular types of
network devices (e.g., firewall).
Trusted administration: The AED/APS product does not provide a mechanism to protect
against the threat of a rogue or otherwise malicious administrator. Therefore, it is the
5|Page
responsibility of the organization to perform appropriate vetting and training for Security
Administrators prior to granting them the ability to manage the product.
Regular updates: NETSCOUT provides regular product updates for the AED/APS product that
include bug fixes as well as functionality and security enhancements. It is expected that
administrators are reasonably diligent in ensuring that software patches are applied regularly as
they are made available.
Secure admin credentials: AED/APS protects the administrator’s credentials stored on
AED/APS that are used to access it. Additionally, it is assumed that any administrative
credentials maintained by an environmental server are secured in order to mitigate the risk of
impersonation.
Residual information: It is the responsibility of the administrator to ensure that there is no
unauthorized access possible for sensitive residual information (e.g. cryptographic keys, keying
material, PINs, passwords etc.) on networking equipment when the equipment is discarded or
removed from its operational environment.
6|Page
NOTE: During installation, in order to use APS in FIPS mode, enter yes to the Enable FIPS mode?
prompt in the installation script. When FIPS mode is enabled, APS supports FIPS compliant algorithms
only.
NOTE: Default username is admin and default password is arbor. Change this password for security
purposes after logging in for the first time.
7|Page
6.1.3 Logging in through Remote CLI
To log in through SSH via the remote CLI:
1. Start the SSH client and establish a connection by entering the IP address or DNS hostname for
the TOE as needed.
2. At the remote CLI login prompt, enter valid Security Administrator credentials (username and
password).
8|Page
6.2 Power-On Self Tests
During the start-up of the TOE, the TSF runs a cryptographic module integrity test as well as a
cryptographic known-answer test. These tests verify that the cryptographic module is operating correctly
and has not been tampered with. If a cryptographic self-test fails, the device will become inoperable. The
only remediation for this test failure is to have a Security Administrator contact NETSCOUT support per
the guidance in Section 10..
The TOE also performs a file system self-test during start-up to ensure the underlying hardware does not
have any anomalies that would cause the software to be executed in an unpredictable or inconsistent
manner. This test calls the standard test method in the ext3 file system to check the file system data
structures and confirm that they are in a consistent state.
In the event that a POST fails, the boot process will terminate. The TOE will need to be rebooted to
attempt to clear the error. If the TOE has been corrupted or the hardware has failed such that rebooting
will not resolve the issue, a Security Administrator will need to contact NETSCOUT support per the
guidance in Section 10.
9|Page
administrator manually configuring the remaining items (i.e., algorithms, certificates, elliptic curves). For
this reason, other configurations require no further administrative action.
NOTE: The use of other cryptographic engines and cryptographic settings were not evaluated nor tested
during the Common Criteria evaluation of the TOE.
10 | P a g e
Execute the following command on the TOE to import and then delete the generated SSH host key:
services ssh key host set disk:keys_to_upload
system files delete disk:keys_to_upload
For ecdsa-sha2-nistp256, the TOE can generate this SSH host key type by performing the following
steps:
1. Authenticate to the TOE via the CLI.
2. Execute the following command:
services ssh key generate
3. If asked to overwrite, enter “y”.
Execute the following commands on the test machine to generate an ecdsa-sha2-nistp384 host key and
transfer it to the TOE:
ssh-keygen -t ecdsa -b 384 -f ssh_host_key_ecdsa
echo -e "\001\002" > keys_to_upload
tar cf - ssh_host_key_ecdsa* >> keys_to_upload 2>/dev/null
scp -c aes128-ctr keys_to_upload admin@<TOE-IP-Address>:
Execute the following command on the TOE to import and then delete the generated SSH host key:
services ssh key host set disk:keys_to_upload
system files delete disk:keys_to_upload
Execute the following commands on the test machine to generate an ecdsa-sha2-nistp521 host key and
transfer it to the TOE:
ssh-keygen -t ecdsa -b 521 -f ssh_host_key_ecdsa
echo -e "\001\002" > keys_to_upload
tar cf - ssh_host_key_ecdsa* >> keys_to_upload 2>/dev/null
scp -c aes128-ctr keys_to_upload admin@<TOE-IP-Address>:
Execute the following command on the TOE to import and then delete the generated SSH host key:
services ssh key host set disk:keys_to_upload
system files delete disk:keys_to_upload
11 | P a g e
When the TOE is operating in “FIPS mode”, TLS uses only the following ciphersuites:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
NOTE: The TOE supports this full list. However, when an RSA certificate is loaded, only the RSA
ciphers will be available. When ECDSA certificate is loaded only the ECDSA ciphers will be available.
When the TOE uses TLS client functionality, the presented identifier for the server certificate has to
match the reference identifier in order to establish the connection. The TOE supports either the hostname
or IP address as reference identifiers. Wildcards cannot be used when defining the reference identifier on
the TOE.
NOTE: When the TOE uses TLS server functionality, it will reject all connection attempts from TLS
versions other than v1.2.
To set the reference identifier to be used for certificate validation:
7. Authenticate to the TOE via the CLI.
8. Perform the following steps to install the required CA certificates into the TOE CA trust store:
a) Authenticate to the TOE via the CLI.
b) Execute the following command:
services http certificate import ca_only disk:<concatenated-
CA-file>
Note: For “concatenated-CA-file”, specify the concatenated CA file for the web GUI TLS
server certificate and the set of CA files (e.g. rootCA) that form the trust chain for the remote
audit server.
9. Execute the following command:
services logging remote set <SYSLOG-SERVER-HOSTNAME> tcp
<PORT> secure
Note: The reference identifier is specified by “<SYSLOG-SERVER-HOSTNAME>”.
12 | P a g e
Substitute the curve type (secp256r1 (prime256v1), secp384r1, secp521r1) with the desired selection and
perform the following steps:
Generate an ECDSA certificate using curve secp256r1 (prime256v1) for the elliptic curve private key.
1. Transfer the generated certificate to the TOE:
a. Authenticate to the TOE via the web GUI.
b. Navigate to Administration > Files.
c. Choose Upload File.
d. Specify the signed certificate and choose Upload.
2. Authenticate to the TOE via the CLI.
3. Execute the following commands to load the generated certificate onto the TOE web server:
services http certificate import disk:<signed-certificate>
disk:<combined-CA-file>
Note: For “combined-CA-file”, specify the concatenated CA file for the web GUI TLS server
certificate and the set of CA files (e.g. rootCA) that form the trust chain for the remote audit server.
13 | P a g e
3. Specify the responses to the interactive prompts to establish Common Name, Organization,
Organizational Unit, and Country values.
4. Submit the “mycsr.csr” file to the CA for signing.
14 | P a g e
NOTE: If an account is locked automatically, then the user cannot log in with a password. However, if
SSH key authentication was enabled previously on the TOE, then the user can log in with an SSH key.
15 | P a g e
Modify User Passwords X X X
Modify Password Policy X X
Generate X.509 Certificate Request Message X X
Initiate Manual Update X X
Configure System Time X X
Configure Idle Session Timeout X X
Configure Banner Text X
Custom user roles (functionality out of scope of the evaluation) are created based on privileges by the
Security Administrator via the CLI. The Security Administrator can assign users to the custom role on
either the web GUI or the CLI. Only one role can be assigned to a user, however, a role can be assigned
to multiple users.
16 | P a g e
services aaa local password admin interactive
3. Create a password.
17 | P a g e
services http idle
18 | P a g e
services aps start
For AED:
services aed stop
clock set MMDDhhmmCCYY
services aed start
Note: MM = Month, DD = Day, hh = Hour (24 hour format), mm = Minute, CCYY =
Year
3. Execute the following command to verify the clock was set to the specified value:
clock
19 | P a g e
7.8.2 Uploading the Upgrade Files
1. Authenticate to the TOE via the web GUI.
2. Navigate to Administration > Files
3. Click Upload File.
4. Specify the ArbOS update file and click Upload.
5. Click Upload another.
6. Specify the APS/AED updated file and click Upload File.
NOTE: At this point Common Criteria refers to this as a delayed activation because until the following
steps are completed the update has not been activated and the previous version is still executing. There is
no method of determining the version other than a directory listing showing the filename that has the
version in the name.
7. Authenticate to the TOE via the CLI.
8. Execute the following command to stop the APS/AED services:
If APS:
services aps stop
If AED:
services aed stop
9. Execute the following command to save the current configuration:
config write
20 | P a g e
<APS/AED-package-name>= the file name of the new APS/AED file that was
uploaded
6. After the installation is finished, execute the following commands to reboot the TOE:
reload
y
NOTE: All services and security mechanisms will now cease to operate until installation is complete.
7. After the TOE has rebooted, authenticate to the TOE via the CLI.
8. Execute the following command to start the APS/AED services:
If APS:
services aps start
If AES:
services aed start
9. Execute the following command to save the configuration:
config write
10. Repeat Step 2 of Section 7.8.1 “Display Current Version” to verify the TOE is the same version
of the newly installed software updates.
8 Auditing
In order to be compliant with Common Criteria, the TOE audits the events in the table below. The TOE
generates audit records for all administrative functions performed on the TOE. The audit records are
generated and stored in the form of syslog records which are sent to a remote syslog server. The
transmission of this data to the syslog server is protected from unauthorized modification and deletion
using TLSv1.2.
The following is an example of an audit record that AED/APS produces:
Jan 8 22:43:39 omicron sshd[14215]: #LOGIN-CLI-SUCCEED admin
10.1.0.112
Each audit record contains identifying information required by Common Criteria including the date and
time the event occurred [Jan 8 22:43:39], the type of event [LOGIN-CLI], the subject identity of the event
[admin 10.1.0.112], and the outcome of the event [LOGIN-CLI-SUCCEED].
The TOE allows any user to view audit records via the CLI. In the evaluated configuration, the TOE does
not provide any interface for users to modify or delete audit data. Sample audit records for each security-
relevant auditable event are included in the following table.
Table 4: AED/APS Sample Audit Records
Auditable Event Sample Audit Record
21 | P a g e
Startup of audit functions
Starting device
May 22 13:20:56 (none) kernel: [ 0.000000] Initializing cgroup subsys
cpuset
May 22 13:20:56 (none) kernel: [ 0.000000] Linux version 4.1.15-arbux
(root@a8b593f653a8) (gcc version 6.4.1 20170727 (Red Hat 6.4.1-1)
Start-up and shutdown of the (GCC) ) #1 SMP PREEMPT Thu Nov 8 18:53:22 UTC 2018
audit functions.
Shutdown of audit functions
Shutdown of audit function requires a Shutdown of the device.
Shutdown device
May 22 09:17:28 arbor-aps2600.catl.local shutdown[45522]: shutting
down for system reboot
CLI logout
22 | P a g e
Oct 15 10:57:03 arbor-aps2600.catl.local sshd[44432]: Received
disconnect from 192.168.1.3 port 33644:11: disconnected by user
Oct 15 10:57:03 arbor-aps2600.catl.local sshd[44432]: Disconnected from
192.168.1.3 port 33644
GUI logout
Oct 15 10:59:03 arbor-aps2600.catl.local login[25768]: [S] #LOGOUT-
UI-SUCCEED admin 192.168.1.98
Setting maximum
Oct 15 13:24:53 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services aaa password_length max 72
For GUI:
Oct 15 10:35:48 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services http idle set 3
Successful login
23 | P a g e
Oct 15 13:26:33 arbor-aps2600.catl.local sshd[73607]: pam_arbor: set
group system_admin
Oct 15 13:26:33 arbor-aps2600.catl.local sshd[73607]: pam_arbor: set
auth_method LOCAL
Oct 15 13:26:33 arbor-aps2600.catl.local sshd[73607]: pam_arbor:
#AUTH-LOCAL-SUCCEED admin:system_admin
Oct 15 13:26:33 arbor-aps2600.catl.local sshd[73607]: #LOGIN-CLI-
SUCCEED admin 192.168.1.3
Oct 15 13:26:33 arbor-aps2600.catl.local sshd[73607]: Accepted
password for admin from 192.168.1.3 port 33687 ssh2
24 | P a g e
Oct 15 12:51:15 arbor-aps2600.catl.local sshd[3501]: pam_arbor:
#AUTH-LOCAL-FAILED admin
Oct 15 12:51:17 arbor-aps2600.catl.local sshd[3501]: Failed password for
admin from 192.168.1.3 port 33675 ssh2
Oct 15 12:51:21 arbor-aps2600.catl.local sshd[3501]: #LOGIN-CLI-FAIL
admin 192.168.1.3
Oct 15 12:51:21 arbor-aps2600.catl.local sshd[3501]: pam_arbor:
#AUTH-LOCAL-FAILED admin
Oct 15 12:51:23 arbor-aps2600.catl.local sshd[3501]: Failed password for
admin from 192.168.1.3 port 33675 ssh2
Oct 15 12:51:28 arbor-aps2600.catl.local sshd[3501]: #LOGIN-CLI-FAIL
admin 192.168.1.3
Oct 15 12:51:28 arbor-aps2600.catl.local sshd[3501]: pam_arbor:
#AUTH-LOCAL-FAILED admin
Oct 15 12:51:31 arbor-aps2600.catl.local sshd[3501]: Failed password for
admin from 192.168.1.3 port 33675 ssh2
Oct 15 12:51:31 arbor-aps2600.catl.local sshd[3501]: Connection closed
by 192.168.1.3 port 33675 [preauth]
Oct 15 12:51:39 arbor-aps2600.catl.local sshd[3909]: #AUTH-FAIL-
MAX-LOGINS-EXCEEDED admin
Oct 15 12:51:39 arbor-aps2600.catl.local sshd[3909]: #LOGIN-CLI-FAIL
admin 192.168.1.3
Oct 15 12:51:39 arbor-aps2600.catl.local sshd[3909]: pam_arbor:
#AUTH-LOCAL-FAILED admin
Oct 15 12:51:42 arbor-aps2600.catl.local sshd[3909]: Failed password for
admin from 192.168.1.3 port 33676 ssh2
25 | P a g e
All use of identification and
See ‘Administrative login and logout.’
authentication mechanism.
Certificate expired
Oct 22 17:53:18 arbor-aps2600.catl.local stunnel: LOG4[1]: CERT: Pre-
verification error: certificate has expired
Oct 22 17:53:18 arbor-aps2600.catl.local stunnel: LOG4[1]: Rejected by
CERT at depth=0: C=US, ST=Maryland, L=Laurel, O=BAH, OU=CCTL,
CN=syslog01.catl.local
Oct 22 17:53:18 arbor-aps2600.catl.local stunnel: LOG3[1]:
Unsuccessful attempt to validate a
SSL_connect: 14090086: error:14090086:SSL
certificate.
routines:ssl3_get_server_certificate:certificate verify failed
26 | P a g e
Oct 23 09:56:26 arbor-aps2600.catl.local stunnel: LOG4[1]: Rejected by
OCSP at depth=2: C=US, ST=Maryland, O=BAH, OU=CCTL,
CN=CCTL Intermediate 01 CA
Oct 23 09:56:26 arbor-aps2600.catl.local stunnel: LOG3[1]:
SSL_connect: 14090086: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
Invalid CA
Apr 29 17:04:53 arbor-aps2600.catl.local stunnel: LOG4[1]: s_connect:
connected 192.168.1.3:6514
Apr 29 17:04:53 arbor-aps2600.catl.local stunnel: LOG4[1]: CERT: Pre-
verification error: invalid CA certificate
Apr 29 17:04:53 arbor-aps2600.catl.local stunnel: LOG4[1]: Rejected by
CERT at depth=1: C=US, ST=Maryland, L=Laurel, O=BAH, OU=CCTL,
CN=CCTL Intermediate 02 CA FALSE
27 | P a g e
Apr 29 17:04:53 arbor-aps2600.catl.local stunnel: LOG3[1]:
SSL_connect: 14090086: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
Starting services
Jan 28 12:17:07 arbor-aps2600.catl.local auth: COMMAND services
logging remote set syslog01.catl.local tcp 6514 secure BY admin FROM
cli VIA 192.168.1.3
Jan 28 12:17:07 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services logging remote set syslog01.catl.local tcp 6514
secure
Jan 28 12:17:09 arbor-aps2600.catl.local rsyslogd: [origin
software="rsyslogd" swVersion="8.26.0" x-pid="122400" x-
info="http://www.rsyslog.com"] start
Starting and stopping of services.
Jan 28 12:17:09 arbor-aps2600.catl.local stunnel: LOG4[0]: s_connect:
connected 192.168.1.152:6514
Jan 28 12:17:09 arbor-aps2600.catl.local stunnel: LOG4[0]: TLS
connected: new session negotiated
Stopping services
Jan 28 12:15:44 arbor-aps2600.catl.local auth: COMMAND services
logging remote clear BY admin FROM cli VIA 192.168.1.3
Jan 28 12:15:44 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services logging remote clear
Generation of SSH host keys
Apr 11 12:38:27 arbor-aps2600.catl.local auth: COMMAND services ssh
key generate BY admin FROM cli VIA 192.168.1.3
Apr 11 12:38:27 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services ssh key generate
Apr 11 12:38:28 arbor-aps2600.catl.local ssh: User admin successfully
Management of cryptographic generated host key
keys.
CLI Output
admin@arbor-aps2600.catl.local:/# services ssh key generate
Destination file exists.
Overwrite? [n] y
Generating new SSH host key file.....done.
admin@arbor-aps2600.catl.local:/#
28 | P a g e
Discontinuous changes (CLI only) Administrator change of date & time
to time - either Oct 15 11:32:57 arbor-aps2600.catl.local auditcomsh: User: admin
Administrator actuated Command: / global clock set 1015113418
or changed via an automated admin@arbor-aps2600.catl.local:/# clock
process. Mon Oct 15 11:34:38 EST 2018
Initiation of update
May 3 06:14:48 arbor-aps2600.catl.local auth: COMMAND system files
install disk:arbos-7.0-JD3H-x86_64 BY admin FROM cli VIA
192.168.1.3
May 3 06:19:19 arbor-aps2600.catl.local auth: COMMAND system files
install disk:Arbor-APS-6.2.2-JD3H-x86_64 BY admin FROM cli VIA
192.168.1.3
Initiation of update; result of the
update attempt (success or
Update failure
failure).
Apr 3 09:30:40 arbor-aps2600.catl.local arbpkg: (admin) Failed package
install of /base/store/files/arbos-7.0-JC1J-x86_64_invalid_payload: No
valid signature on package
Apr 3 09:31:18 arbor-aps2600.catl.local arbpkg: (admin) Failed package
install of /base/store/files/Arbor-APS-6.2.1-JC1J-
x86_64_invalid_payload: No valid signature on package
29 | P a g e
Oct 15 10:35:48 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services http idle set 3
Oct 15 10:36:55 arbor-aps2600.catl.local arbos_login: #LOGIN-UI-
SUCCEED admin 192.168.1.98
Oct 15 10:39:59 arbor-aps2600.catl.local mod_auth_tkt: #UI-SESSION-
TIMEOUT admin 192.168.1.98
30 | P a g e
May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG4[0]: TLS
connected: new session negotiated
Termination of the trusted channel (Remote syslog via TLS)
May 30 07:44:43 arbor-aps2600.catl.local auth: COMMAND services
logging remote set syslog01.catl.local tcp 6514 secure BY admin FROM
cli VIA 192.168.1.3
May 30 07:44:43 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services logging remote set syslog01.catl.local tcp 6514
secure
May 30 07:44:46 arbor-aps2600.catl.local rsyslogd: [origin
software="rsyslogd" swVersion="8.26.0" x-pid="121957" x-
info="http://www.rsyslog.com"] start
May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG4[0]: s_connect:
connected 192.168.1.152:6514
May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG4[0]: OCSP:
Connecting to the AIA responder "http://192.168.1.3:8886"
May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG3[0]: s_connect:
connect 192.168.1.3:8886: Connection refused (111)
May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG4[0]: OCSP:
Connecting to the AIA responder "http://192.168.1.3:8887"
May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG3[0]: s_connect:
connect 192.168.1.3:8887: Connection refused (111)
May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG4[0]: OCSP:
Connecting to the AIA responder "http://192.168.1.3:8888"
Termination of the trusted May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG3[0]: s_connect:
channel. connect 192.168.1.3:8888: Connection refused (111)
May 30 07:44:46 arbor-aps2600.catl.local stunnel: LOG4[0]: TLS
connected: new session negotiated
May 30 07:44:50 arbor-aps2600.catl.local auth: COMMAND services
logging view syslog tail 30 BY admin FROM cli VIA 192.168.1.3
May 30 07:44:50 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services logging view syslog tail 30
May 30 07:44:54 arbor-aps2600.catl.local auth: COMMAND / commands
services dns show raw BY (system) FROM web
May 30 07:44:54 arbor-aps2600.catl.local auth: COMMAND / commands
services ntp show raw BY (system) FROM web
May 30 07:44:54 arbor-aps2600.catl.local auth: COMMAND / commands
ip access show BY (system) FROM web
May 30 07:45:01 arbor-aps2600.catl.local CROND[122528]: (admin)
CMD (/bin/cronexec /etc/c.min)
May 30 07:45:01 arbor-aps2600.catl.local CROND[122527]: (admin)
CMD (/bin/cronexec /etc/c.emin)
May 30 07:45:02 arbor-aps2600.catl.local auth: COMMAND services
logging remote clear BY admin FROM cli VIA 192.168.1.3
May 30 07:45:02 arbor-aps2600.catl.local auditcomsh: User: admin
Command: / services logging remote clear
May 30 07:45:02 arbor-aps2600.catl.local stunnel: LOG3[main]:
Terminated
31 | P a g e
Failure of the trusted channel (Remote syslog via TLS)
Oct 23 10:49:40 arbor-aps2600.catl.local stunnel: LOG4[0]: s_connect:
Failure of the trusted channel connected 192.168.1.152:6514
functions. Oct 23 10:49:40 arbor-aps2600.catl.local stunnel: LOG3[0]:
SSL_connect: 14077410: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Initialization of the trusted path (SSH/CLI)
Apr 11 13:11:44 arbor-aps2600.catl.local sshd[39939]: pam_arbor: set
group system_admin
Apr 11 13:11:44 arbor-aps2600.catl.local sshd[39939]: pam_arbor: set
auth_method LOCAL
Apr 11 13:11:44 arbor-aps2600.catl.local sshd[39939]: pam_arbor:
#AUTH-LOCAL-SUCCEED admin:system_admin
Apr 11 13:11:44 arbor-aps2600.catl.local sshd[39939]: #LOGIN-CLI-
SUCCEED admin 192.168.1.3
Apr 11 13:11:44 arbor-aps2600.catl.local sshd[39939]: Accepted
password for admin from 192.168.1.3 port 37741 ssh2
Apr 11 13:11:44 arbor-aps2600.catl.local auth: LOGIN admin FROM cli
VIA 192.168.1.3
32 | P a g e
Apr 11 13:19:28 arbor-aps2600.catl.local auth: LOGIN admin FROM web
VIA 192.168.1.98
33 | P a g e
Apr 11 13:30:11 arbor-aps2600.catl.local httpd[52806]: [ssl:info] [pid
52806] SSL Library Error: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher -- Too restrictive
SSLCipherSuite or using DSA server certificate?
Apr 11 13:30:11 arbor-aps2600.catl.local httpd[52806]: [ssl:notice] [pid
52806] [client 192.168.1.98:5453] AH01998: Connection closed to child
8 with abortive shutdown (server 127.0.0.1:443)
34 | P a g e
9 Operational Modes
When the TOE is first installed and FIPS mode is enabled, the TOE supports FIPS compliant algorithms
only. After initial installation, the TOE must still be placed into its evaluated configuration by performing
the steps described in Section 6 of this document. Once placed in the evaluated configuration, the TOE’s
operational mode will perform the functions as described in [7].
NOTE: FIPS mode does not place the TOE in another mode of operation but is instead a term for
executing a script that updates system settings for the evaluated configuration.
In the event that a POST fails, the TOE will need to be rebooted. If the TOE has been corrupted or the
hardware has failed such that rebooting will not resolve the issue, a Security Administrator will need to
contact NETSCOUT support per the guidance in Section 10.
10 Additional Support
NETSCOUT provides technical support for its products if needed. Customers can register for a support
account at www.netscout.com/support-services under Customer Portals. Additionally, customers can open
a ticket with NETSCOUT support by calling +1 (888) 357-7667, or by emailing support@netscout.com.
International support phone numbers are also available on their website, www.netscout.com/support-
services.
35 | P a g e