Common Criteria NDPP SIP Server EP Assurance Activity Report


Pascal Patin
ISSUED BY Acumen Security, LLC.

Revision History:
Version | Date | Changes
Initial Release | 7/20/2015 | Initial Release
Version 1.0 | 8/26/2015 | Updated in response to Validator Comments.

Table of Contents
1 TOE Overview
Assurance Activities Identification
Reporting on Assurance Activities
  Reporting on TSS Assurance Activities
  Reporting on Guidance Assurance Activities
Test Diagram
Configuration Information
Detailed Test Cases (Auditing)
  FAU_GEN.1 Guidance
  FAU_GEN.1 Guidance
  FAU_GEN.1 Test
  FAU_GEN
  FAU_STG_EXT.1.1 TSS
  FAU_STG_EXT.1.1 Guidance
  FAU_STG_EXT.1.1 TSS 1 (not audit server)
  FAU_STG_EXT.1.1 Guidance 1 (not audit server)
  FAU_STG_EXT.1 Test 1 (not audit server)
Test Cases (Cryptographic Support)
  FCS_CKM.1.1 Test
  FCS_CKM.1.1 TSS
  FCS_CKM_EXT.4.1 TSS
  FCS_COP.1.1 (1) Test
  FCS_COP.1.1 (2) Test
  FCS_COP.1.1 (3) Test
  FCS_COP.1.1 (4) Test
  FCS_RBG_EXT.1.1 Test
  FCS_RBG_EXT.1.1 Test 2 (SP A DRBG)
  FCS_RBG_EXT.1.1 Guidance 1 (SP A DRBG)
Test Cases (User Data Protection)
  FDP_RIP.2.1 TSS
Test Cases (Identification and Authentication)
  FIA_PMG_EXT.1.1 Guidance
  6.4.2 FIA_PMG_EXT.1 Test
  FIA_UIA_EXT.1 TSS
  FIA_UIA_EXT.1 Guidance
  FIA_UIA_EXT.1 Test #
  FIA_UIA_EXT.1 Test #
  FIA_UIA_EXT.1 Test #
  FIA_UAU_EXT
  FIA_UAU.7 Test #
  FIA_SIPS_EXT.1 TSS
  FIA_SIPS_EXT.1 Test #
  FIA_SIPS_EXT.1 Test #
  FIA_SIPS_EXT.1 Test #
  FIA_X509_EXT.1 TSS
  FIA_X509_EXT.1 Guidance
  FIA_X509_EXT.1 Test #
Test Cases (Security Management)
  FMT_MTD.1 Guidance
  FMT_MTD.1 TSS
  FMT_SMF
  FMT_SMR.2 Guidance
Test Cases (Protection of the TSF)
  FPT_SKP_EXT.1 TSS
  FPT_APW_EXT.1 TSS
  FPT_APW_EXT.1 TSS
  FPT_STM.1 TSS
  FPT_STM.1 Guidance
  FPT_STM.1 Guidance
  FPT_STM.1 Test #
  FPT_STM.1 Test #
  FPT_TUD_EXT.1 TSS
  FPT_TUD_EXT.1 TSS
  FPT_TUD_EXT.1 Test #
  FPT_TUD_EXT.1 Test #
  FPT_TST_EXT.1.1 TSS
  FPT_TST_EXT.1.1 TSS
  FPT_TST_EXT.1.1 Guidance
Test Cases (TOE Access)
  FTA_SSL_EXT.1 Test #
  FTA_SSL.3 Test #
  FTA_SSL.4 Test #
  FTA_SSL.4 Test #
  FTA_TAB.1 TSS
  FTA_TAB.1 Test #
Test Cases (Trusted Path/Channels)
  FTP_ITC.1(1) TSS
  FTP_ITC.1(1) TSS
  FTP_ITC.1(1) Guidance
  FTP_ITC.1(1) Test #
  FTP_ITC.1(1) Test #
  FTP_ITC.1(2) TSS
  FTP_ITC.1(2) Test #
  FTP_ITC.1(3) TSS
  FTP_ITC.1(3) Test #
  FTP_TRP.1 TSS
  FTP_TRP.1 TSS
  FTP_TRP.1 Guidance
  FTP_TRP.1 Test #
Test Cases (TLS)
  FCS_TLS_EXT.1.1 TSS
  FCS_TLS_EXT.1.1 Guidance
  FCS_TLS_EXT.1.1 Test #
  FCS_TLS_EXT.1.1 Test #
  FCS_HTTPS_EXT.1.1 TSS
Security Assurance Requirements
  AGD_OPE.1 Guidance
  AGD_OPE.1 Guidance
  AGD_OPE.1 Guidance
  AGD_OPE.1 Guidance
  AGD_PRE.1 Guidance
  ATE_IND
  AVA_VAN
  ALC_CMC.1 Guidance
Conclusion

Assurance Activity Report (AAR) for a Target of Evaluation
Cisco Unified Communications Manager (CUCM) 11.0
Cisco Unified Communications Manager Security Target, Version.03, 6 July, 2015
Network Device Protection Profile SIP Server Extended Package version 1.1
Version 1.0
Evaluated by: Office Park Dr. Montgomery Village, MD
Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme

The Developer of the TOE: Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA
The Author of the Security Target: Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA
The TOE Evaluation was Sponsored by: Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA
Evaluation Personnel: Antony Busciglio, Pascal Patin
Common Criteria Version: Common Criteria Version 3.1 Revision 4
Common Evaluation Methodology Version: CEM Version 3.1 Revision 4

1 TOE Overview

The Cisco Unified Communications Manager (CUCM) TOE serves as the hardware and software-based call-processing component of the Cisco Unified Communications family of products. The TOE extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

2 Assurance Activities Identification

Test Case ID | Activity Type | Name of Evaluator/Tester
FAU_GEN.1 Test 1 | Testing | Pascal Patin
FAU_GEN.1 Guidance 1 | Guidance | Pascal Patin
FAU_GEN.1 Guidance 2 | Guidance | Pascal Patin
FAU_STG_EXT.1.1 TSS 1 | TSS | Pascal Patin
FAU_STG_EXT.1.1 Guidance 1 | Guidance | Pascal Patin
FAU_STG_EXT.1 Test 1 (not audit server) | Testing | Pascal Patin
FAU_STG_EXT.1.1 TSS 1 (not audit server) | TSS | Pascal Patin
FAU_STG_EXT.1.1 Guidance 1 (not audit server) | Guidance | Pascal Patin
FCS_CKM.1.1 TSS 1 | TSS | Pascal Patin
FCS_CKM.1.1 Test 1 | Testing | Pascal Patin
FCS_CKM_EXT.4.1 TSS 1 | TSS | Pascal Patin
FCS_COP.1.1 (1) Test 1 | Testing | Pascal Patin
FCS_COP.1.1 (2) Test 1 | Testing | Pascal Patin
FCS_COP.1.1 (3) Test 1 | Testing | Pascal Patin
FCS_COP.1.1 (4) Test 1 | Testing | Pascal Patin
FCS_RBG_EXT.1.1 Test 1 | Testing | Pascal Patin
FCS_RBG_EXT.1.1 Test 2 (SP A DRBG) | Testing | Pascal Patin
FCS_RBG_EXT.1.1 Guidance 1 (SP A DRBG) | Guidance | Pascal Patin
FDP_RIP.2.1 TSS 1 | TSS | Pascal Patin
FIA_PMG_EXT.1.1 Guidance 1 | Guidance | Pascal Patin
FIA_PMG_EXT.1 Test 1 | Testing | Pascal Patin
FIA_UIA_EXT.1 TSS 1 | TSS | Pascal Patin
FIA_UIA_EXT.1 Guidance 1 | Guidance | Pascal Patin
FIA_UIA_EXT.1 Test #1 | Testing | Pascal Patin
FIA_UIA_EXT.1 Test #2 | Testing | Pascal Patin
FIA_UIA_EXT.1 Test #3 | Testing | Pascal Patin
FIA_UAU.7 Test #1 | Testing | Pascal Patin
FIA_SIPS_EXT.1 TSS | TSS | Pascal Patin
FIA_SIPS_EXT.1 Test #1 | Testing | Pascal Patin
FIA_SIPS_EXT.1 Test #2 | Testing | Pascal Patin
FIA_SIPS_EXT.1 Test #3 | Testing | Pascal Patin
FIA_X509_EXT.1 Guidance 1 | Guidance | Pascal Patin
FIA_X509_EXT.1 Test #1 | Testing | Pascal Patin
FMT_MTD.1 Guidance 1 | Guidance | Pascal Patin
FMT_MTD.1 TSS 1 | TSS | Pascal Patin
FMT_SMR.2 Guidance 1 | Guidance | Pascal Patin
FPT_SKP_EXT.1 TSS 1 | TSS | Pascal Patin
FPT_APW_EXT.1 TSS 1 | TSS | Pascal Patin
FPT_APW_EXT.1 TSS 2 | TSS | Pascal Patin
FPT_STM.1 TSS 1 | TSS | Pascal Patin
FPT_STM.1 Guidance 1 | Guidance | Pascal Patin
FPT_STM.1 Guidance 2 | Guidance | Pascal Patin
FPT_STM.1 Test #1 | Testing | Pascal Patin
FPT_STM.1 Test #2 | Testing | Pascal Patin
FPT_TUD_EXT.1 TSS 1 | TSS | Pascal Patin
FPT_TUD_EXT.1 TSS 2 | TSS | Pascal Patin
FPT_TUD_EXT.1 Test #1 | Testing | Pascal Patin
FPT_TUD_EXT.1 Test #2 | Testing | Pascal Patin
FPT_TST_EXT.1.1 TSS 1 | TSS | Pascal Patin
FPT_TST_EXT.1.1 TSS 2 | TSS | Pascal Patin
FPT_TST_EXT.1.1 Guidance 1 | Guidance | Pascal Patin
FTA_SSL_EXT.1 Test #1 | Testing | Pascal Patin
FTA_SSL.3 Test #1 | Testing | Pascal Patin
FTA_SSL.4 Test #1 | Testing | Pascal Patin
FTA_SSL.4 Test #2 | Testing | Pascal Patin
FTA_TAB.1 TSS 1 | TSS | Pascal Patin
FTA_TAB.1 Test #1 | Testing | Pascal Patin
FTP_ITC.1(1) TSS 1 | TSS | Pascal Patin
FTP_ITC.1(1) TSS 2 | TSS | Pascal Patin
FTP_ITC.1(1) Guidance 1 | Guidance | Pascal Patin
FTP_ITC.1(1) Test #1 | Testing | Pascal Patin
FTP_ITC.1(1) Test #2 | Testing | Pascal Patin
FTP_ITC.1(2) TSS 1 | TSS | Pascal Patin
FTP_ITC.1(2) Test #1 | Testing | Pascal Patin
FTP_ITC.1(3) TSS 1 | TSS | Pascal Patin
FTP_ITC.1(3) Test #1 | Testing | Pascal Patin
FTP_TRP.1 TSS 1 | TSS | Pascal Patin
FTP_TRP.1 TSS 2 | TSS | Pascal Patin
FTP_TRP.1 Guidance 1 | Guidance | Pascal Patin
FTP_TRP.1 Test #1 | Testing | Pascal Patin
FTP_TRP.1 Test #2 | Testing | Pascal Patin
FCS_TLS_EXT.1.1 TSS 1 | TSS | Pascal Patin
FCS_TLS_EXT.1.1 Guidance 1 | Guidance | Pascal Patin
FCS_TLS_EXT.1.1 Test #1 | Testing | Pascal Patin
FCS_TLS_EXT.1.1 Test #2 | Testing | Pascal Patin

3 Reporting on Assurance Activities

3.1 Reporting on TSS Assurance Activities

Information required to be in the TSS is largely self-documenting, meaning that the evaluator in most cases is required to ensure that it is present in the TSS, but little beyond that is required in most PPs. For most TSS assurance activities in the AAR, a simple indication that the information is present and a pointer to that information in the ST is sufficient; it is not required to copy and paste the assurance activity or the information in the TSS into the AAR. It is expected that the evaluator ensure that the information in the TSS as a whole is consistent, and that spurious information is not included. For some information in the TSS, the evaluator may be required to make a judgment on that information relative to the security requirement being levied. For these requirements, the evaluator shall write up their rationale in the TSS section of the AAR.

3.2 Reporting on Guidance Assurance Activities

The AAR lists specifically all documents used for each platform, model, and hardware component (chassis, blade, processor, etc.) to satisfy the requirements for operational guidance assurance activities. Each applicable administrative manual must be identified in a manner such that an end user can locate the specific manual used for the evaluation. It is acceptable to list general manuals that have evaluation-specific addenda, as long as both are identified. For each assurance activity referencing information in the operational guidance, the AAR must list for each model that has a distinct manual or manuals the specific manual that contains the information, along with a pointer to the section or sections that satisfy the requirement in the assurance activity.

4 Test Diagram

[Figure: test network diagram showing Jabber Client #1, Jabber Client #2, CUCM #1 (TOE), CUCM #2 (TOE), Cisco RTMT (Audit Server), NTP Server, Switch and Mgt. Console]

5 Configuration Information

CUCM #1 (TOE):
  o Hardware Model: C210 M2
  o Version: 11.0
  o IP address:
  o Configuration Details:
      Phone Profile configured for Jabber1
      Device configured Jabber1
      User configured Jabber1
      SIP Trunk Profile configured connecting CUCM#1 to CUCM#2
      Packet Capture on outgoing/incoming interfaces configured

CUCM #2 (TOE):
  o Hardware Model: C210 M2
  o Version: 11.0
  o IP address:
  o Configuration Details:
      Phone Profile configured for device1
      Device configured device1
      User configured jabber1
      SIP Trunk Profile configured connecting CUCM#2 to CUCM#1
      Packet Capture on outgoing/incoming interfaces configured

SIP Client #1
  o Windows 8
  o Cisco Jabber version 11.0 (SIPClient1)
  o IP address:
  o Configuration/Installed tools: Wireshark version

SIP Client #2
  o Windows 8
  o Cisco Jabber version 11.0 (SIPClient2)
  o IP address:
  o Configuration/Installed tools: Wireshark version

Management Console
  o Windows 8
  o IP address:
  o Configuration/Installed tools: Wireshark version, vSphere

NTP Server:
  o HW version: Cisco ISR 1921
  o IP address:

Audit Server:
  o Windows 8 Workstation
  o Cisco Real-Time Monitoring Tool (RTMT) version 11.0 (audit server)
  o IP address:
  o Configuration/Installed tools: Wireshark version

Switch:
  o Linksys SRW

6 Detailed Test Cases (Auditing)

FAU_GEN.1 Guidance 1

The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN.1.2, and the additional information specified in Table

Evaluator Findings

The evaluator checked the administrative guide to ensure that it lists all of the auditable events and provides a format for audit records. Section of AGD was used to determine the verdict of this assurance activity. Section contained two tables which showed the format of audit entries as well as a list of events that generate audit records. Based on this the assurance activity is considered satisfied.

Verdict

FAU_GEN.1 Guidance 2

The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP. The evaluator shall examine the administrative guide and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to this PP. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.

Evaluator Findings

The evaluator made a determination of the administrative actions that are relevant in the context of this PP. The AGD document was used to determine the verdict of this work unit.

The evaluator performed the following actions to identify the set of security relevant GUI commands required by the evaluated configuration:

1. The evaluator first began stepping through the AGD document. In addition to providing configuration specific guidance for configuring the TOE in the evaluated configuration, the document acts as a mapping document to other general guidance documents for the TOE.
2. As part of this review, the evaluator successfully compared the AGD document to the ST to verify that each of the claimed security functionalities is discussed.
3. Next, the evaluator reviewed each section of the other configuration documents referenced by the AGD

After performing the testing required by the NDPP and SIP EP the evaluator found that no additional commands or interfaces were required to complete testing. Based on this the assurance activity is considered satisfied.

Verdict

FAU_GEN.1 Test 1

Test ID: FAU_GEN.1 Test 1
Test Type: Testing
Objective: The evaluator shall test the TOE's ability to correctly generate audit records by having the TOE generate audit records for the events listed in table 1 and administrative actions. This should include all instances of an event--for instance, if there are several different I&A mechanisms for a system, the FIA_UIA_EXT.1 events must be generated for each mechanism. The evaluator shall test that audit records are generated for the establishment and termination of a channel for each of the cryptographic protocols contained in the ST. If HTTPS is implemented, the test demonstrating the establishment and termination of a TLS session can be combined with the test for an HTTPS session. For administrative actions, the evaluator shall test that each action determined by the evaluator above to be security relevant in the context of this PP is auditable. When verifying the test results, the evaluator shall ensure the audit records generated during testing match the format specified in the administrative guide, and that the fields in each audit record have the proper entries.
Test Execution Steps:
  1. Configure the Audit log functionality on Cisco Unified Serviceability page and enable the audit log functionality.
  2. Enable the audit utility from CLI
  3. From the CLI, verify the audit status and ensure it is in running state.
Expected Output:
  1. Evidence of steps taken (e.g., screenshots or CLI output)
  2. Generated logs (including explanation of the logs)
Pass/Fail Criteria: The TOE is able to generate audit records for the events listed in FAU_GEN.1.
Results:

FAU_GEN.2

None. The evaluation of this SFR is tested in conjunction with the testing of FAU_GEN

FAU_STG_EXT.1.1 TSS 1

The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access.

Evaluator Findings

The evaluator examined the TSS to determine if it describes the amount of audit data that is stored locally, what happens when the local audit data store is full and how audit records are protected against unauthorized access. Table 19 of section 6.1 of the ST was used to determine the verdict of this work unit. Because CUCM can be run on different server hardware the amount of audit data storage space is variable. The TSS entry for FAU_STG_EXT.1 describes various thresholds that the TOE's Log Partition Monitoring function uses to monitor audit log storage. Alerts are sent when a specified percentage of log storage space is used up, and log files can be automatically purged to free up storage space. To clarify, those updates need to be made to the AGD as well. Audit logs are protected against unauthorized access by being transmitted to RTMT over HTTPS. Based on these findings the assurance activity is considered satisfied.

Verdict

FAU_STG_EXT.1.1 Guidance 1

The evaluator shall also examine the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server (for TOEs that are not acting as an audit log server). For example, when an audit event is generated, is it simultaneously sent to the external server and the local store, or is the local store used as a buffer and cleared periodically by sending the data to the audit server.

Evaluator Findings

The evaluator examined the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server. Section of the AGD document was used in support of the activity. Upon examination the evaluator found that audit logs are stored on the TOE and reviewed with the Cisco Real Time Monitoring Tool (RTMT). If an administrator wishes to store or back up audit records externally, that is done through RTMT. Based on these findings the assurance activity is considered satisfied.

Verdict

FAU_STG_EXT.1.1 TSS 1 (not audit server)

The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided.

Evaluator Findings

The evaluator examined the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided. Table 19 of Section 6.1 was used to determine the verdict of this work unit. Upon investigation, the evaluator found that the TOE uses Cisco's Real Time Monitoring Tool (RTMT) to collect and store audit records externally. Communications with RTMT are protected by HTTPS.

Verdict

FAU_STG_EXT.1.1 Guidance 1 (not audit server)

The evaluator shall also examine the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server.

Evaluator Findings

The evaluator examined the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server. Section of the AGD document was used to determine the verdict of this assurance activity. Upon investigation it was found that communications between the TOE and Cisco RTMT are protected by HTTPS/TLS. The guidance document provides a detailed description of how to install RTMT on a host PC, the system requirements for the system hosting RTMT and how to place RTMT in a protected configuration. The guidance notes that the default setting is for a secure connection, and this setting must be used in the evaluated configuration. Based on this the assurance activity is considered satisfied.

Verdict

FAU_STG_EXT.1 Test 1 (not audit server)

Test ID: FAU_STG_EXT.1 Test 1 (not audit server)
Test Type: Testing
Objective: The evaluator shall establish a session between the TOE and the audit server according to the configuration guidance provided. The evaluator shall then examine the traffic that passes between the audit server and the TOE during several activities of the evaluator's choice designed to generate audit data to be transferred to the audit server. The evaluator shall observe that these data are not able to be viewed in the clear during this transfer, and that they are successfully received by the audit server. The evaluator shall record the particular software (name, version) used on the audit server during testing.
Test Execution Steps:
  1. From audit server, connect to the TOE with the following options,

     a. Secure Connection
     b. Port: 443
     c. OK
  2. From audit server, download the audit logs,
     a. Trace and logs > Audit Logs
  3. Examine traffic to ensure it is not plaintext.
  Note: This should be repeated for each secure mechanism.
Expected Output: Evidence of steps taken (e.g., screenshots or CLI output). Packet capture showing:
  o Encrypted traffic
  o Establishment of secure session
  o Events that were generated and sent to the audit server
Pass/Fail Criteria: The TOE's connections to an audit server should be protected by TLS.
Results:

6.2 Test Cases (Cryptographic Support)

FCS_CKM.1.1 Test 1

The evaluator shall use the key pair generation portions of "The FIPS Digital Signature Algorithm Validation System (DSA2VS)", "The FIPS Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS)", and "The RSA Validation System (RSA2VS)" as a guide in testing the requirement above, depending on the selection performed by the ST author.

Evaluator Findings

The key pair generation portions of "The RSA Validation System (RSA2VS)" were used to perform this assurance activity. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:

Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)

The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux

CAVP Algorithm Certificate #

Verdict

FCS_CKM.1.1 TSS 1

The evaluator shall ensure that the TSS contains a description of how the TSF complies with A and/or B, depending on the selections made. This description shall indicate the sections in A and/or B that are implemented by the TSF, and the evaluator shall ensure that key establishment is among those sections that the TSF claims to implement. Any TOE-specific extensions, processing that is not included in the documents, or alternative implementations allowed by the documents that may impact the security requirements the TOE is to enforce shall be described.

Evaluator Findings

The evaluator examined the TSS to ensure that it contains the information required for compliance with A and/or B. Table 19 of section 6.1 of the ST was used to determine the verdict of this work unit. The evaluator found that the TSS claims conformance to NIST B's standard for a random number generator for RSA key establishment. X.509v3 certificates can also be used for establishing TLS and SIP sessions. There are no TOE-specific extensions or alternative implementations. Based on these findings the work unit is considered satisfied.

Verdict

FCS_CKM_EXT.4.1 TSS 1

The evaluator shall check to ensure the TSS describes each of the secret keys (keys used for symmetric encryption), private keys, and CSPs used to generate key; when they are zeroized (for example, immediately after use, on system shutdown, etc.); and the type of zeroization procedure that is performed (overwrite with zeros, overwrite three times with random pattern, etc.). If different types of memory are used to store the materials to be protected, the evaluator shall check to ensure that the TSS describes the zeroization procedure in terms of the memory in which the data are stored (for example, "secret keys stored on flash are zeroized by overwriting once with zeros, while secret keys stored on the internal hard drive are zeroized by overwriting three times with a random pattern that is changed before each write").

Evaluator Findings

The evaluator examined table 20 in section 7.1 of the ST and found the following:

Name | Description | Zeroization
User Password | Shared Secret (8-25 characters); used to authenticate the user | Overwrite with new password (NVRAM)
TLS server private key | RSA (1024/1536/2048 bit); Private key used for SSLv3.1/TLS | CLI command zeroize RSA (NVRAM). Command: crypto key zeroise; verify with command: show crypto key mypubkey all
TLS server public key | RSA (1024/2048/3072 bit); Public key used for SSLv3.1/TLS | CLI command zeroize RSA (NVRAM). Command: crypto key zeroise; verify with command: show crypto key mypubkey all
TLS pre-master secret | Shared Secret (384-bits); Shared Secret created using asymmetric cryptography from which new TLS session keys can be created | Automatically after TLS session terminated. (SDRAM)
TLS session encryption key | Triple-DES (168-bits)/AES (128/196/256-bits); Key used to encrypt TLS session data | Automatically after TLS session terminated. (SDRAM)
TLS session integrity key | HMAC-SHA-1 (160-bits); HMAC-SHA-1 used for TLS data integrity protection | Automatically after TLS session terminated. The entire object is overwritten by 0's. Overwritten with: 0x00 (SDRAM)

Each secret key and CSP is described along with zeroization characteristics. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

FCS_COP.1.1 (1) Test 1

The evaluator shall use tests appropriate to the modes selected in the above requirement from "The Advanced Encryption Standard Algorithm Validation Suite (AESAVS)", "The XTS-AES Validation system (XTSVS)", "The CMAC Validation System (CMACVS)", "The Counter with Cipher Block Chaining Message Authentication Code (CCM) Validation System (CCMVS)", and "The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS)" as a guide in testing the requirement above.

Evaluator Findings

The tester verified that multiple modes of operation were tested via the AESAVS. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:

Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)

The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux

CAVP Algorithm Certificate #
Certificate #

Verdict

6.2.5 FCS_COP.1.1 (2) Test 1

The evaluator shall use the signature generation and signature verification portions of "The Digital Signature Algorithm Validation System (DSAVS or DSA2VS)", "The Elliptic Curve Digital Signature Algorithm Validation System (ECDSAVS or ECDSA2VS)", and "The RSA Validation System (RSAVS)" as a guide in testing the requirement above. The Validation System used shall comply with the conformance standard identified in the ST (i.e., FIPS PUB or FIPS PUB 186-3).

Evaluator Findings

The tester confirmed that the module was tested against both the signature generation and verification portions of the RSA2VS. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:

Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)

The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux

CAVP Algorithm Certificate #
Certificate #

Verdict

FCS_COP.1.1 (3) Test 1

The evaluator shall use "The Secure Hash Algorithm Validation System (SHAVS)" as a guide in testing the requirement above.

Evaluator Findings

The evaluator found that the module's SHS implementation was tested against the SHAVS and that the testing encompassed what was found in the ST. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:

Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)

The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux 2.6.

CAVP Algorithm Certificate #
Certificate #

Verdict

6.2.7 FCS_COP.1.1 (4) Test 1

The evaluator shall use "The Keyed-Hash Message Authentication Code (HMAC) Validation System (HMACVS)" as a guide in testing the requirement above.

Evaluator Findings

The evaluator found that the module's HMAC implementation was tested against the HMACVS and that the testing encompassed what was found in the ST. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:

Processor: Intel Xeon X5670
OS: RHEL 6 (kernel 2.6)

The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux

CAVP Algorithm Certificate #
Certificate #

Verdict

FCS_RBG_EXT.1.1 Test 1

Documentation shall be produced and the evaluator shall perform the activities in accordance with Annex D, Entropy Documentation and Assessment.

Evaluator Findings

See separately submitted Entropy Assessment Report (EAR) for details.

Verdict

FCS_RBG_EXT.1.1 Test 2 (SP A DRBG)

The evaluator shall perform 15 trials for the RBG implementation. If the RBG has prediction resistance enabled, each trial consists of (1) instantiate drbg, (2) generate the first block of random bits, (3) generate a second block of random bits, (4) uninstantiate. If the RBG does not have prediction resistance, each trial consists of (1) instantiate drbg, (2) generate the first block of random bits, (3) reseed, (4) generate a second block of random bits, (5) uninstantiate.

Evaluator Findings

The evaluator found that the module's DRBG implementation was tested against the DRBGVS and that the testing encompassed what was found in the ST. Upon investigation, the evaluator found that the TOE includes the following processors and underlying hardened OS:

Processor: Intel Xeon X
OS: RHEL 6 (kernel 2.6)

The algorithms were tested on the TOE hardware as evidenced by the algorithm certificates including the following operational environment: Intel Xeon w/ Linux

CAVP Algorithm Certificate #
Certificate #

Verdict

FCS_RBG_EXT.1.1 Guidance 1 (SP A DRBG)

The evaluator shall also confirm that the operational guidance contains appropriate instructions for configuring the RBG functionality.

Evaluator Findings

The evaluator confirmed that the operational guidance contains appropriate instructions for configuring the RBG functionality. AGD document and SEC COM document were used to determine the verdict of this work unit. Upon investigation, the evaluator found that there are no RBG specific configuration options available to the user within the TOE. Therefore, this Assurance Activity is considered satisfied.

Verdict

6.3 Test Cases (User Data Protection)

FDP_RIP.2.1 TSS 1

The evaluator shall check to ensure that the TSS describes packet processing to the extent that they can determine that no data will be reused when processing network packets. The evaluator shall ensure that this description at a minimum describes how the previous data are zeroized/overwritten, and at what point in the buffer processing this occurs.

Evaluator Findings

The evaluator checked to ensure that the TSS describes packet processing to the extent that they can determine that no data will be reused when processing network packets. Table 19 in section 6.1 of the ST was used to determine the verdict of this assurance activity. Upon examination the evaluator found that once packet handling is completed its content is zeroized before the memory which held the packet is re-allocated. This ensures that residual data is never transmitted from the TOE. Based on this the assurance activity is considered satisfied.

Verdict
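The two trial sequences described under FCS_RBG_EXT.1.1 Test 2 above, as an added example that is not part of the report or of the TOE's code. It assumes HMAC_DRBG with SHA-256 from NIST SP 800-90A (the report does not say which DRBG mechanism the TOE uses), and the entropy inputs are constructed, repeatable values rather than real entropy.

```python
import hashlib
import hmac

OUTLEN = 32  # SHA-256 output length in bytes


class HmacDrbg:
    """HMAC_DRBG (SHA-256). Mechanism choice is an assumption of this example."""

    def __init__(self, entropy_source, nonce, personalization=b""):
        self._entropy = entropy_source   # callable returning fresh entropy bytes
        self.entropy_calls = 0           # lets a tester see when entropy is drawn
        self._k = b"\x00" * OUTLEN
        self._v = b"\x01" * OUTLEN
        self._update(self._fresh_entropy() + nonce + personalization)
        self.reseed_counter = 1

    def _fresh_entropy(self):
        self.entropy_calls += 1
        return self._entropy()

    def _mac(self, data):
        return hmac.new(self._k, data, hashlib.sha256).digest()

    def _update(self, provided):
        # K = HMAC(K, V || 0x00 || data); V = HMAC(K, V); repeated with 0x01 if data given
        self._k = self._mac(self._v + b"\x00" + provided)
        self._v = self._mac(self._v)
        if provided:
            self._k = self._mac(self._v + b"\x01" + provided)
            self._v = self._mac(self._v)

    def _require_instantiated(self):
        if self._k is None:
            raise RuntimeError("DRBG has been uninstantiated")

    def reseed(self, additional=b""):
        self._require_instantiated()
        self._update(self._fresh_entropy() + additional)
        self.reseed_counter = 1

    def generate(self, nbytes, prediction_resistance=False, additional=b""):
        self._require_instantiated()
        if prediction_resistance:        # fresh entropy before every output
            self.reseed(additional)
            additional = b""
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self._v = self._mac(self._v)
            out += self._v
        self._update(additional)
        self.reseed_counter += 1
        return out[:nbytes]

    def uninstantiate(self):
        self._k = self._v = None         # drop the internal state


def constructed_entropy(trial, label):
    """Constructed, repeatable stand-in for an entropy source (NOT real entropy)."""
    return hashlib.sha256(f"constructed-entropy/{trial}/{label}".encode()).digest()


def run_trial(trial, prediction_resistance, block_bytes=OUTLEN):
    counter = iter(range(1000))
    source = lambda: constructed_entropy(trial, next(counter))
    nonce = constructed_entropy(trial, "nonce")[:16]
    drbg = HmacDrbg(source, nonce)                               # instantiate
    first = drbg.generate(block_bytes, prediction_resistance)    # first block
    if not prediction_resistance:
        drbg.reseed()                                            # explicit reseed step
    second = drbg.generate(block_bytes, prediction_resistance)   # second block
    calls = drbg.entropy_calls
    drbg.uninstantiate()                                         # uninstantiate
    return {"first": first, "second": second, "entropy_calls": calls}


def run_trials(prediction_resistance, trials=15):
    return [run_trial(i, prediction_resistance) for i in range(trials)]


if __name__ == "__main__":
    for pr in (True, False):
        results = run_trials(pr)
        print(f"prediction_resistance={pr}: {len(results)} trials, "
              f"entropy draws per trial={results[0]['entropy_calls']}")
        print("  trial 0 second block:", results[0]["second"].hex())
```

With prediction resistance each trial draws entropy three times (instantiate plus one reseed per generate); without it, twice (instantiate plus the explicit reseed).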

6.4 Test Cases (Identification and Authentication)

FIA_PMG_EXT.1.1 Guidance 1

The evaluator shall examine the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length.

Evaluator Findings

The evaluator examined the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length. AGD was used as part of this evaluation. Upon investigation, the evaluator found that section of AGD provides instructions and guidance for configuring passwords on the TOE. This includes configuring strong passwords. Based on these findings, this assurance activity is considered satisfied.

Verdict

FIA_PMG_EXT.1 Test 1

Item: Data/Description
Test ID: FIA_PMG_EXT.1 Test 1
Test Type: Testing
Objective: The evaluator shall compose passwords that either meet the requirements, or fail to meet the requirements, in some way. For each password, the evaluator shall verify that the TOE supports the password. While the evaluator is not required (nor is it feasible) to test all possible compositions of passwords, the evaluator shall ensure that all characters, rule characteristics, and a minimum length listed in the requirement are supported, and justify the subset of those characters chosen for testing.
Prerequisites: Example word subset:
Good:
- Exactly minimum character length, one of each type of character, appended with ! till min is reached
- More than minimum character length, all lowercase letters, one number, one special character, one uppercase letter
- Exactly minimum character length, all numbers, one lowercase letter, one special character, one uppercase letter
- Exactly minimum character length, equal number uppercase letters, lowercase letters, numbers, special characters
Bad:
- Short password
- One less than minimum character and all other requirements met
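The example subset above can be generated for any configured minimum length, which also makes the evaluator's coverage rationale checkable. This is an added example, not part of the report: the special-character set is an assumption (the ten characters named in the NDPP's FIA_PMG_EXT.1 selection, since the ST's list is not reproduced here), `reference_policy` stands in for the verdicts observed on the TOE, and the vector that cycles through every special character goes beyond the listed subset.

```python
import string

# Assumption: special characters from the NDPP FIA_PMG_EXT.1 selection.
# Substitute the list from the Security Target when reusing this.
SPECIALS = "!@#$%^&*()"
CLASSES = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
ALLOWED = set("".join(CLASSES))


def reference_policy(password, min_len):
    """Expected verdict: at least min_len long and only allowed characters."""
    return len(password) >= min_len and set(password) <= ALLOWED


def near_equal_mix(length):
    """Rotate through the four classes so each supplies length/4 characters (+/- 1)."""
    return "".join(CLASSES[i % 4][(i // 4) % len(CLASSES[i % 4])] for i in range(length))


def build_vectors(min_len):
    """Return (label, password, should_be_accepted); assumes min_len > 4."""
    pad = min_len - 3
    return [
        ("exact length, one of each type, padded with '!'", "Aa1" + "!" * pad, True),
        ("over length, lowercase + one digit, special, upper", "a" * min_len + "2@B", True),
        ("exact length, digits + one lower, special, upper", "3" * pad + "c#D", True),
        ("exact length, near-equal mix of the four classes", near_equal_mix(min_len), True),
        ("exact length, cycles through every special", "Aa1" + (SPECIALS * pad)[:pad], True),
        ("short password", "Ab1$", False),
        ("one less than minimum, otherwise valid", "Aa1" + "!" * (pad - 1), False),
    ]


def uncovered_specials(vectors):
    """Special characters that no accepted test password exercises."""
    used = set("".join(pw for _, pw, ok in vectors if ok))
    return sorted(set(SPECIALS) - used, key=SPECIALS.index)


def mismatches(vectors, min_len, check=reference_policy):
    """Vectors whose observed verdict (from `check`) differs from the expected one."""
    return [label for label, pw, ok in vectors if check(pw, min_len) != ok]


if __name__ == "__main__":
    vectors = build_vectors(15)
    for label, pw, ok in vectors:
        print(f"{'accept' if ok else 'reject'}  {len(pw):2d}  {pw}  ({label})")
    print("uncovered specials:", uncovered_specials(vectors))
    # A policy with an off-by-one length check is caught by the exact-length vectors.
    print("off-by-one policy fails:", mismatches(vectors, 15, lambda pw, n: len(pw) > n))
```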

Test Execution Steps:
1. Access the TOE's credential policy configuration screen.
   a. User Management > User Credentials > Credential Policy
2. Configure the TOE to support a minimum password length of 15 characters.
   a. Minimum Credential Length:
3. Attempt to enter a variety of passwords which meet the TOE password criteria.
   a. TestwordOne!
      i. User Management > Application User > <name of user>
      ii. Enter TestwordOne!
   b. TestwordNum@2
      i. User Management > Application User > <name of user>
      ii. Enter TestwordNum@2
   c. TestwordNum@2
      i. User Management > Application User > <name of user>
      ii. Enter TestwordNum@2
   d. testingpassword#3
      i. User Management > Application User > <name of user>
      ii. Enter testingpassword#3
   e. TestPa$$wordFour
      i. User Management > Application User > <name of user>
      ii. Enter TestPa$$wordFour
   f. Te%tP^$$wordFive
      i. User Management > Application User > <name of user>
      ii. Enter Te%tP^$$wordFive
   g. testp*()wordsix
      i. User Management > Application User > <name of user>
      ii. Enter testp*()wordsix
4. Attempt to enter a variety of passwords which do not meet the TOE password criteria.
   a. Test
      i. User Management > Application User > <name of user>
      ii. Enter Test
   b. TestPa55w*rd
      i. User Management > Application User > <name of user>
      ii. Enter TestPa55w*rd
   c. Testpassword
      i. User Management > Application User > <name of user>
      ii. Enter
Expected Output: Evidence (e.g., screen capture or CLI output) from each password creation attempt.
Pass/Fail Criteria: The TOE is capable of accepting appropriate length passwords which contain the special characters listed in the ST, and rejects passwords which do not meet the minimum length requirement.
Results:

FIA_UIA_EXT.1 TSS 1

The evaluator shall examine the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. This description shall contain information pertaining to the credentials allowed/used, any protocol transactions that take place, and what constitutes a successful logon.

Evaluator Findings

The evaluator examined the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. Table 19 of section 6.1 of the ST was used to determine the verdict of this analysis. Users are able to access the TOE through a local console connection or remotely via HTTPS/TLS. The process for authentication is the same regardless of what method is used. Users are required to enter their username and enter a password to gain administrative access to the TOE. If a login attempt is unsuccessful the TOE does not provide a reason. Based on this the assurance activity is considered satisfied.

Verdict

FIA_UIA_EXT.1 Guidance 1

The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on. If configuration is necessary to ensure the services provided before login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.

Evaluator Findings

The evaluator examined the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. The AGD document was used with the evaluation activity. Upon investigation, the evaluator found that two methods of administration are available to the user:
- Local (directly connected) CLI
- Remote GUI

Sections 3 and 4 of the AGD document, Secure Installation and Configuration & Secure Management, describe the configuration activities required to configure both individual users of the TOE and the management interfaces themselves to provide the functionality specified in the NDPP. The evaluator found that other than the creation of an administrative account and password (performed during initial installation) there are no preparatory steps required for secure administrative login. Based on this the assurance activity is considered satisfied.

Verdict

FIA_UIA_EXT.1 Test #1

Item: Data/Description
Test ID: FIA_UIA_EXT.1 Test #1
Test Type: Testing
Objective: The evaluator shall use the operational guidance to configure the appropriate credential supported for the login method. For that credential/login method, the evaluator shall show that providing correct I&A information results in the ability to access the system, while providing incorrect information results in denial of access.
Test Execution Steps:
1. Attempt to log into the TOE from the CLI by providing bad credentials:
   a. acumensec
   b. test
2. Attempt to log into the TOE from the GUI by providing bad credentials:
   a. acumensec
   b. test
3. Log into the CLI with correct credentials:
   a. acumensec
   b. Pa55w*rd
4. Log into the GUI with correct credentials:
   a. acumensec
   b. Pa55w*rd
Expected Output:
- Evidence (e.g., screen capture or CLI output) from each successful login
- Evidence (e.g., screen capture or CLI output) from each denied login
- Logs showing the successful and unsuccessful login
Pass/Fail Criteria: The evaluator is able to access the TOE when correct credentials are entered and is denied access when incorrect credentials are used.
Results:

FIA_UIA_EXT.1 Test #2

Item: Data/Description
Test ID: FIA_UIA_EXT.1 Test #2
Test Type: Testing
Objective: The evaluator shall configure the services allowed (if any) according to the operational guidance, and then determine the services available to an external remote entity. The evaluator shall determine that the list of services available is limited to those specified in the requirement.
Test Execution Steps: No services are available prior to login.
1. Examine the GUI screen to show that no functionality is available prior to authentication
Expected Output: Evidence (e.g., screen capture or CLI output) that no additional services are available
Pass/Fail Criteria: An evaluator should not be able to access any TOE administrative functions prior to authentication.
Results:

FIA_UIA_EXT.1 Test #3

Item: Data/Description
Test ID: FIA_UIA_EXT.1 Test #3
Test Type: Testing
Objective: For local access, the evaluator shall determine what services are available to a local administrator prior to logging in, and make sure this list is consistent with the requirement.
Test Execution Steps: No services are available prior to login.
1. Examine the Local CLI screen to show that no functionality is available prior to authentication
Expected Output: Evidence (e.g., CLI output) to show that no functionality is available prior to authentication
Pass/Fail Criteria: An evaluator should not be able to access any TOE administrative functions prior to authentication.
Results:

FIA_UAU_EXT.2

None

The evaluation of this SFR is tested in conjunction with the testing of FIA_UIA_EXT

FIA_UAU.7 Test #1

Item: Data/Description

Test ID: FIA_UAU.7 Test #1
Test Type: Testing
Objective: The evaluator shall locally authenticate to the TOE. While making this attempt, the evaluator shall verify that at most obscured feedback is provided while entering the authentication information.
Test Execution Steps:
1. Attempt to log into the local CLI with incorrect credentials:
   a. acumensec
   b. Test
2. Log into the local CLI with correct credentials:
   a. acumensec
   b. Pa55w*rd
Expected Output: Evidence (e.g., screenshot or CLI output) from each successful and unsuccessful login attempt.
Pass/Fail Criteria: The administrator's password should not be revealed when an evaluator logs in to the TOE through a local console.
Results:

FIA_SIPS_EXT.1 TSS

The evaluator shall examine the TSS to verify that it describes how the SIP session is established. This shall include the initiation of the SIP session, registration of the user, and how both outgoing and incoming calls are handled (initiated, described, and terminated). This description shall also include a description of the handling of the password from the time it is received by the TOE until the time the user is authenticated.

Evaluator Findings

The evaluator examined the TSS to verify that it describes how the SIP session is established. Table 19 of section 6.1 was used to determine the verdict of this work unit. The ST states that password authentication is required for the establishment of the SIP register connection.

Verdict

FIA_SIPS_EXT.1 Test #1

Item: Data/Description
Test ID: FIA_SIPS_EXT.1 Test #1
Test Type: Testing
Objective: The evaluator shall follow the procedure for initializing their device to include establishing a connection to the SIP Server. The evaluator shall confirm that they are prompted for a password prior to successfully completing the SIP REGISTER request.
Test Execution Steps:
1. Verify from a SIP client that no SIP packets were sent prior to presenting authentication credentials
2. From Cisco Jabber, enter credentials and connect to the TOE:
   a. jabber1
   b. 123Test
3. Verify that after logging in via the SIP client, the SIP REGISTER request is completed.
Expected Output: Evidence (e.g., screenshot or CLI output) from each successful and unsuccessful login attempt.
Pass/Fail Criteria: No SIP REGISTER request is completed until a correct password is provided
Results:

FIA_SIPS_EXT.1 Test #2

Item: Data/Description
Test ID: FIA_SIPS_EXT.1 Test #2
Test Type: Testing
Objective: The evaluator shall follow the procedure for initializing their device to include establishing a connection to the SIP Server. The evaluator shall confirm that entering an incorrect password results in the device not being registered by the SIP Server (e.g. they are unable to successfully place or receive calls). The evaluator shall also confirm that entering the correct password allows the successful registration of the device (e.g. by being able to place and receive calls).
Test Execution Steps:
1. From the SIP client attempt to connect to the TOE with incorrect credentials:
   a. jabber1
   b. 12Test2112Test21
2. Verify that the SIP client does not register to the TOE.
3. Connect to the TOE using correct credentials:
   a. jabber1
   b. 123Test
4. Verify that the connection was made.
Expected Output: Evidence (e.g., screenshot or CLI output) from each successful and unsuccessful login attempt.
Pass/Fail Criteria: Entering an incorrect password prevents an evaluator from establishing a SIP session, while entering a correct password results in a SIP session being established.
Results:

FIA_SIPS_EXT.1 Test #3

Item: Data/Description
Test ID: FIA_SIPS_EXT.1 Test #3
Test Type: Testing
Objective: The evaluator shall set up the test environment such that a variety of passwords are shown to be accepted by the TOE, such that the length and character set identified in FIA_SIPC_EXT.1.3 is represented. The test report shall contain a rationale by the evaluator that the test set used is representative of the allowed lengths and characters.
Test Execution Steps: See FIA_PMG_EXT.1 Test 1.
Expected Output: See FIA_PMG_EXT.1 Test 1.
Pass/Fail Criteria: The requirements of this test were satisfied by FIA_PMG_EXT.1 Test 1. The same password policy is applied to all passwords used by the TOE, so the passwords tested in that test apply to SIP passwords as well.
Results:

FIA_X509_EXT.1 TSS 1

The evaluator shall ensure the TSS describes all certificate stores implemented that contain certificates used to meet the requirements of this EP. This description shall contain information pertaining to how certificates are loaded into storage, and how the storage is protected from unauthorized access.

Evaluator Findings

The evaluator examined the TSS to ensure it describes all certificate stores implemented that contain certificates used to meet the requirements of the EP. Table 19 in section 6.1 was used to determine the verdict of this assurance activity. According to the TSS, X509 certificates are used by the TOE to support authentication for TLS connections. Certificates themselves are protected with digital signatures. Any modification or tampering would result in an invalid hash value. The physical security of the TOE also prevents certificates from being tampered with or deleted. Certificates are stored in a hidden, protected directory that has no external interfaces. Based on this the assurance activity is considered satisfied.

Verdict

FIA_X509_EXT.1 Guidance 1

The evaluator shall examine the guidance documentation to ensure it describes how to configure either the TOE or the environment to prevent unauthorized modification or deletion of the certificates.

Evaluator Findings

The evaluator examined the guidance documentation to ensure it describes how to configure the TOE to prevent unauthorized modification or deletion of certificates. The AGD document's description of the TOE's certificate functionality in section was used to determine the verdict of this work unit. The evaluator found that certificates are controlled through the administrative interface to the TOE. Users without administrative credentials have no access to the TOE's certificate management functionality. Based on this the assurance activity is considered satisfied.

Verdict

FIA_X509_EXT.1 Test #1

Item: Data/Description
Test ID: FIA_X509_EXT.1 Test #1
Test Type: Testing
Objective: The evaluator shall demonstrate that using a certificate without a valid certification path results in the function failing. The evaluator shall then load a certificate or certificates needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator then shall delete one of the certificates, and show that the function fails.
Test Execution Steps:
1. Attempt to upload a certificate without a valid certification path.
2. Verify that the TOE rejected the certificate.
3. Upload a certificate with a valid certification path.
4. Verify that the certificate was accepted.
Expected Output: Evidence (e.g., screenshot or CLI output) from each successful and unsuccessful login attempt.
Pass/Fail Criteria: Certificates with an invalid certification path are rejected. Certificates with a valid certification path are accepted.
Results:

6.5 Test Cases (Security Management)

FMT_MTD.1 Guidance 1

The evaluator shall review the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions.

Evaluator Findings

The evaluator reviewed the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions. The AGD document was used as part of this evaluation activity. Upon investigation, the evaluator found that the AGD document addresses the configuration of the following items in response to the requirements of the NDPP and the SIP EP:
- Section 3.4 Network Protocols and Cryptographic Settings
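The pass/fail criterion of FIA_SIPS_EXT.1 Tests #1 and #2 earlier in this section (no SIP REGISTER request is completed until a correct password is provided) can be checked mechanically over a captured exchange. This is an added example, not part of the report: it assumes the server uses the digest authentication of RFC 3261 section 22 in its baseline form (MD5, no qop), and the account, realm, nonces and messages are constructed.

```python
import hashlib
import re

REASONS = {200: "OK", 401: "Unauthorized"}


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop (assumed scheme, see lead-in)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_sip(raw):
    """Return (start line, headers) with header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def digest_params(value):
    """Parse 'Digest k="v", k2=v2' into a dict of unquoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', value)}


def audit_register_flow(messages, password):
    """List every REGISTER the server completed (2xx) without a valid digest."""
    findings, pending, issued = [], {}, set()
    for raw in messages:
        start, hdrs = parse_sip(raw)
        key = (hdrs.get("call-id"), hdrs.get("cseq"))
        if start.startswith("REGISTER "):
            pending[key] = (start.split()[1], hdrs)  # remember the request
            continue
        if not start.startswith("SIP/2.0 "):
            continue
        status = int(start.split()[1])
        if status == 401 and "www-authenticate" in hdrs:
            issued.add(digest_params(hdrs["www-authenticate"]).get("nonce"))
        if not 200 <= status < 300 or key not in pending:
            continue
        uri, req = pending.pop(key)
        auth = digest_params(req.get("authorization", ""))
        if not auth:
            findings.append(f"CSeq {key[1]}: completed without credentials")
        elif auth.get("nonce") not in issued:
            findings.append(f"CSeq {key[1]}: completed with a nonce the server never issued")
        elif auth.get("response") != digest_response(
                auth.get("username", ""), auth.get("realm", ""), password,
                "REGISTER", auth.get("uri", uri), auth.get("nonce")):
            findings.append(f"CSeq {key[1]}: completed with a wrong password")
    return findings


# --- Constructed sample data (not taken from the report) ---
USER, REALM, URI = "user1", "sip.example.test", "sip:sip.example.test"
PASSWORD = "Constructed-Pw-0001"
COMMON = "Call-ID: c1@client.example.test\r\nCSeq: {cseq} REGISTER\r\n"


def register(cseq, password=None, nonce=None):
    msg = f"REGISTER {URI} SIP/2.0\r\n" + COMMON.format(cseq=cseq)
    if password is not None:
        resp = digest_response(USER, REALM, password, "REGISTER", URI, nonce)
        msg += (f'Authorization: Digest username="{USER}", realm="{REALM}", '
                f'nonce="{nonce}", uri="{URI}", response="{resp}"\r\n')
    return msg + "\r\n"


def reply(cseq, status, nonce=None):
    msg = f"SIP/2.0 {status} {REASONS[status]}\r\n" + COMMON.format(cseq=cseq)
    if nonce:
        msg += f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"\r\n'
    return msg + "\r\n"


COMPLIANT = [register(1), reply(1, 401, "n1"),
             register(2, "wrong-password", "n1"), reply(2, 401, "n2"),
             register(3, PASSWORD, "n2"), reply(3, 200)]
NO_CREDENTIALS = [register(1), reply(1, 200)]
WRONG_PASSWORD = [register(1), reply(1, 401, "n1"),
                  register(2, "wrong-password", "n1"), reply(2, 200)]

if __name__ == "__main__":
    for name, trace in [("compliant", COMPLIANT), ("no credentials", NO_CREDENTIALS),
                        ("wrong password", WRONG_PASSWORD)]:
        print(name, "->", audit_register_flow(trace, PASSWORD) or "no findings")
```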


More information

Cisco Telepresence C40, C60, and C90 Codecs (Firmware Version: TC5.0.2) (Hardware Version: v1) FIPS 140-2 Non-Proprietary Security Policy

Cisco Telepresence C40, C60, and C90 Codecs (Firmware Version: TC5.0.2) (Hardware Version: v1) FIPS 140-2 Non-Proprietary Security Policy Cisco Systems Cisco Telepresence C40, C60, and C90 Codecs (Firmware Version: TC5.0.2) (Hardware Version: v1) FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation Document Version 1.0 2011 CISCO

More information

RFG Secure FTP. Web Interface

RFG Secure FTP. Web Interface RFG Secure FTP Web Interface Step 1: Getting to the Secure FTP Web Interface: Open your preferred web browser and type the following address: http://ftp.raddon.com After you hit enter, you will be taken

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of Entrust Authority Security Manager and Security Manager Administration v8.1 SP1 Issued by: Communications Security Establishment Canada Certification Body Canadian

More information

Disaster Recovery System Administration Guide for Cisco Unified Contact Center Express Release 8.0(2)

Disaster Recovery System Administration Guide for Cisco Unified Contact Center Express Release 8.0(2) Disaster Recovery System Administration Guide for Cisco Unified Contact Center Express Release 8.0(2) This guide provides an overview of the Disaster Recovery System, describes how to use the Disaster

More information

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD NATIONAL SECURITY AGENCY Ft. George G. Meade, MD Serial: I732-010R-2008 30 April 2008 Network Infrastructure Division Systems and Network Analysis Center Activating Authentication and Encryption for Cisco

More information

3eTI Technologies International 3e-525/523 Series Wireless Network Access Points. Security Target

3eTI Technologies International 3e-525/523 Series Wireless Network Access Points. Security Target 3eTI Technologies International 3e-525/523 Series Wireless Network Access Points Security Target Version 1.0 Revision I October 8 th, 2015 Page 1 2015 3e Technologies International, Inc. All rights reserved.

More information

VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module

VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module VMware, Inc. VMware Java JCE (Java Cryptographic Extension) Module Software Version: 1.0 FIPS 140-2 Non-Proprietary Security Policy F I P S S E C U R I T Y L E V E L 1 D O C U M E N T V E R S I O N : 1.0

More information

AppGate Security Server, Version 8.0.4. Security Target. Document Version: 2.9 Date: 2008-04-10

AppGate Security Server, Version 8.0.4. Security Target. Document Version: 2.9 Date: 2008-04-10 AppGate Security Server, Version 8.0.4 Security Target Document Version: 2.9 Date: 2008-04-10 Contents 1 INTRODUCTION...6 1.1 ST Identification...6 1.2 ST Overview...6 1.3 CC Conformance Claim...6 1.4

More information

U.S. Government Protection Profile for Application-level Firewall In Basic Robustness Environments

U.S. Government Protection Profile for Application-level Firewall In Basic Robustness Environments U.S. Government Protection Profile for Application-level Firewall In Basic Robustness Environments Information Assurance Directorate Version 1.1 July 25, 2007 Forward This Protection Profile US Government

More information

Security Target: Symantec Endpoint Protection Version 11.0

Security Target: Symantec Endpoint Protection Version 11.0 Security Target: Symantec Endpoint Protection Version 11.0 ST Version 1.6 June 2, 2008 Document Version 1.6 Symantec Corporation Page 1 of 68 Prepared For: Prepared By: Symantec Corporation 20330 Stevens

More information

PowerChute TM Network Shutdown Security Features & Deployment

PowerChute TM Network Shutdown Security Features & Deployment PowerChute TM Network Shutdown Security Features & Deployment By David Grehan, Sarah Jane Hannon ABSTRACT PowerChute TM Network Shutdown (PowerChute) software works in conjunction with the UPS Network

More information

Cisco AnyConnect Secure Mobility Desktop Client

Cisco AnyConnect Secure Mobility Desktop Client Cisco AnyConnect Secure Mobility Desktop Client Security Target Version 1.0 September 16, 2015 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2015 Cisco

More information

GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0.

GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0. GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0.1 Security Target Version 2.01 Common Criteria EAL4 augmented

More information

For the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU.

For the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU. CDU Security This provides a quick reference for access paths to Server Technology s Cabinet Distribution Unit (CDU) products, shows if the access path is secure, and if so, provides an overview of how

More information

EMC Corporation Data Domain Operating System Version 5.2.1.0. Security Target. Evaluation Assurance Level (EAL): EAL2+ Document Version: 0.

EMC Corporation Data Domain Operating System Version 5.2.1.0. Security Target. Evaluation Assurance Level (EAL): EAL2+ Document Version: 0. EMC Corporation Data Domain Operating System Version 5.2.1.0 Security Target Evaluation Assurance Level (EAL): EAL2+ Document Version: 0.11 Prepared for: Prepared by: EMC Corporation 176 South Street Hopkinton,

More information

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing

More information

Australasian Information Security Evaluation Program

Australasian Information Security Evaluation Program Australasian Information Security Evaluation Program Juniper Networks, Inc. JUNOS 12.1 X46 D20.6 for SRX-Series Platforms Certification Report 2015/90 3 July 2015 Version 1.0 Commonwealth of Australia

More information

Certification Report

Certification Report Certification Report McAfee Network Security Platform v7.1 (M-series sensors) Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

Enterasys Networks, Inc. Netsight/Network Access Control v3.2.2. Security Target

Enterasys Networks, Inc. Netsight/Network Access Control v3.2.2. Security Target Enterasys Networks, Inc. Netsight/Network Access Control v3.2.2 Security Target Evaluation Assurance Level: EAL2+ Document Version: 0.7 Prepared for: Prepared by: Enterasys Networks, Inc. Corsec Security,

More information

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 FIPS 140 2 Non Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.1 Prepared for: Prepared

More information

Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1

Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1 Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1 October 15, 2012 The following user messages appear on the AnyConnect client GUI. A description follows each message, along with recommended

More information

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik Common Criteria Protection Profile Cryptographic Modules, Security Level Enhanced BSI-CC-PP-0045 Endorsed by the Foreword This Protection Profile - Cryptographic Modules, Security Level Enhanced - is issued

More information

Security Requirements for Voice Over IP Application

Security Requirements for Voice Over IP Application Security Requirements for Voice Over IP Application Information Assurance Directorate 24 January 2013 Version 0.6 Table of Contents 1 INTRODUCTION... 1 1.1 First Generation Protection Profiles... 1 1.2

More information

Protection Profile for Email Clients

Protection Profile for Email Clients Protection Profile for Email Clients 1 April 2014 Version 1.0 Page 1 of 69 1 Introduction... 4 1.1 Overview of the TOE... 4 1.2 Usage of the TOE... 4 2 SECURITY PROBLEM DESCRIPTION... 6 2.1 Threats...

More information

Microsoft Windows Common Criteria Evaluation

Microsoft Windows Common Criteria Evaluation Microsoft Windows Common Criteria Evaluation Microsoft Windows 8 Microsoft Windows RT Microsoft Windows Server 2012 IPsec VPN Client Security Target Document Information Version Number 1.0 Updated On January

More information

Deployment Guide for Maximum Security Environments Polycom HDX Systems, Version 3.0.5

Deployment Guide for Maximum Security Environments Polycom HDX Systems, Version 3.0.5 Polycom HDX Systems, Version 3.0.5 A warning about operating in a maximum security environment The maximum security profile is designed to lock down communications to the most stringent requirements of

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

McAfee Web Gateway Version 7.0.1.1 EAL 2 + ALC_FLR.2 Security Target

McAfee Web Gateway Version 7.0.1.1 EAL 2 + ALC_FLR.2 Security Target McAfee Web Gateway Version 7.0.1.1 EAL 2 + ALC_FLR.2 Security Target Release Date: September 2010 Document ID: Version: Draft J Prepared By: Primasec Ltd. Prepared For: McAfee Inc. 3965 Freedom Circle

More information

Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation

Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation Boot Manager Security Policy Windows Server 2008 R2 Boot Manager Security Policy For FIPS 140-2 Validation v 1.3 6/8/11 1 INTRODUCTION... 1 1.1 Cryptographic Boundary for BOOTMGR... 1 2 SECURITY POLICY...

More information

McAfee Firewall Enterprise v8.2.0 and McAfee Firewall Enterprise Control Center v5.2.0 Security Target

McAfee Firewall Enterprise v8.2.0 and McAfee Firewall Enterprise Control Center v5.2.0 Security Target v8.2.0 and McAfee Firewall Enterprise Control Center v5.2.0 10 January 2012 Version 1.1 Prepared By: Primasec Ltd For McAfee Inc 2340 Energy Park Drive St. Paul, MN 55108 USA Contents 1 Introduction...

More information

Security Target for Citrix Presentation Server 4.0 For Windows

Security Target for Citrix Presentation Server 4.0 For Windows Security Target for Citrix Presentation Server 4.0 For Windows Reference: ST/T488 July 2005 Version: 1.0 This document has been prepared on behalf of: Prepared by: Citrix Systems, Inc BT 851 West Cypress

More information

CCNA Security. Chapter Two Securing Network Devices. 2009 Cisco Learning Institute.

CCNA Security. Chapter Two Securing Network Devices. 2009 Cisco Learning Institute. CCNA Security Chapter Two Securing Network Devices 1 The Edge Router What is the edge router? - The last router between the internal network and an untrusted network such as the Internet - Functions as

More information

Disaster Recovery System Administration Guide for Cisco Unified Contact Center Express Release 8.5(1)

Disaster Recovery System Administration Guide for Cisco Unified Contact Center Express Release 8.5(1) Disaster Recovery System Administration Guide for Cisco Unified Contact Center Express Release 8.5(1) This guide provides an overview of the Disaster Recovery System, describes how to use the Disaster

More information

Certification Report

Certification Report Certification Report HP Network Automation Ultimate Edition 10.10 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government

More information

McAfee Email Gateway Appliance Version 7.0.1 NDPP Compliance Security Target

McAfee Email Gateway Appliance Version 7.0.1 NDPP Compliance Security Target McAfee Email Gateway Appliance Version 7.0.1 NDPP Compliance Release Date: 8 August 2013 Version: 2.3 Prepared By: Primasec Ltd. Prepared For: McAfee Inc. 2821 Mission College Blvd. Santa Clara, CA 95054

More information

NitroGuard Intrusion Prevention System Version 8.0.0.20080605 and 8.2.0 Security Policy

NitroGuard Intrusion Prevention System Version 8.0.0.20080605 and 8.2.0 Security Policy NitroGuard Intrusion Prevention System Version 8.0.0.20080605 and 8.2.0 Security Policy FIPS 140-2 Level 2 Validation Model Numbers NS-IPS-620R-4C-B NS-IPS-1220R-6C-B NS-IPS-1220R-4C-2F-B NS-IPS-620R-4C-BFS

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based

More information

SkyRecon Cryptographic Module (SCM)

SkyRecon Cryptographic Module (SCM) SkyRecon Cryptographic Module (SCM) FIPS 140-2 Documentation: Security Policy Abstract This document specifies the security policy for the SkyRecon Cryptographic Module (SCM) as described in FIPS PUB 140-2.

More information

Security Target for Cisco Remote Access VPN

Security Target for Cisco Remote Access VPN Security Target for Cisco Remote Access VPN Reference: ST 16 May 2007 Version 1.17 CISCO Systems Inc. 170 West Tasman Drive San Jose CA 95124-1706 USA Copyright: 2007 Cisco Systems, Inc. Table of Contents

More information

Marimba Client and Server Management from BMC Software Release 6.0.3

Marimba Client and Server Management from BMC Software Release 6.0.3 Marimba Client and Server Management from BMC Software Release 6.0.3 Version 2.3.0 4 June, 2007 Prepared by: BMC Software, Inc. 2101 City West Blvd. Houston, Texas 77042 TABLE OF CONTENTS 1. Introduction...

More information

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION COMMON CRITERIA PROTECTION PROFILE EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION Draft Version 1.0 TURKISH STANDARDS INSTITUTION TABLE OF CONTENTS Common Criteria Protection Profile...

More information

SecureDoc Disk Encryption Cryptographic Engine

SecureDoc Disk Encryption Cryptographic Engine SecureDoc Disk Encryption Cryptographic Engine FIPS 140-2 Non-Proprietary Security Policy Abstract: This document specifies Security Policy enforced by SecureDoc Cryptographic Engine compliant with the

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

Secure File Transfer Appliance Security Policy Document Version 1.9. Accellion, Inc.

Secure File Transfer Appliance Security Policy Document Version 1.9. Accellion, Inc. Secure File Transfer Appliance Security Policy Document Version 1.9 Accellion, Inc. November 11, 2010 Copyright Accellion, Inc. 2010. May be reproduced only in its original entirety [without revision].

More information

Using BroadSAFE TM Technology 07/18/05

Using BroadSAFE TM Technology 07/18/05 Using BroadSAFE TM Technology 07/18/05 Layers of a Security System Security System Data Encryption Key Negotiation Authentication Identity Root Key Once root is compromised, all subsequent layers of security

More information