1 HP StoreOnce Backup System Generation 3 Version Security Target Version 1.0 February 12, 2014 Prepared for: Hewlett-Packard Long Down Avenue Stoke Gifford Bristol BS34 8QZ UK Prepared By: Leidos Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive Columbia, MD USA
2 TABLE OF CONTENTS 1 SECURITY TARGET INTRODUCTION SECURITY TARGET, TOE AND CC IDENTIFICATION CONFORMANCE CLAIMS CONVENTIONS GLOSSARY TOE DESCRIPTION TOE OVERVIEW TOE ARCHITECTURE TOE Physical Boundaries TOE Logical Boundaries TOE DOCUMENTATION SECURITY PROBLEM DEFINITION ASSUMPTIONS THREATS SECURITY OBJECTIVES SECURITY OBJECTIVES FOR THE TOE SECURITY OBJECTIVES FOR THE ENVIRONMENT IT SECURITY REQUIREMENTS ETENDED COMPONENT DEFINITION Extended Family Definitions Extended Requirements Rationale: TOE SECURITY FUNCTIONAL REQUIREMENTS Security audit (FAU) Cryptographic Support User data protection (FDP) Identification and authentication (FIA) Security management (FMT) Protection of the TSF (FPT) TOE Access (FTA) Trusted path/channels (FTP) TOE SECURITY ASSURANCE REQUIREMENTS Development (ADV) Guidance documents (AGD) Life-cycle support (ALC) Tests (ATE) Vulnerability assessment (AVA) TOE SUMMARY SPECIFICATION SECURITY AUDIT CRYPTOGRAPHIC SUPPORT USER DATA PROTECTION IDENTIFICATION AND AUTHENTICATION SECURITY MANAGEMENT PROTECTION OF THE TSF TOE ACCESS TRUSTED PATH/CHANNELS PROTECTION PROFILE CLAIMS RATIONALE
3 8.1.1 Security Objectives Rationale for the TOE and Environment SECURITY REQUIREMENTS RATIONALE Security Functional Requirements Rationale SECURITY ASSURANCE REQUIREMENTS RATIONALE REQUIREMENT DEPENDENCY RATIONALE TOE SUMMARY SPECIFICATION RATIONALE LIST OF TABLES Table 1 TOE Security Functional Components Table 2 Auditable Events Table 3 EAL 2 augmented with ALC_FLR.3 Assurance Components Table 4 Objective to Requirement Correspondence Table 5 Security Functions vs. Requirements Mapping
4 1 Security Target Introduction This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is HP StoreOnce Backup System, Generation 3 Version provided by Hewlett-Packard. The HP StoreOnce Backup System is a disk-based storage appliance for backing up host network servers or PCs to target devices on the appliance. These devices are configured as either Network-Attached Storage (NAS) or Virtual Tape Library (VTL) targets or StoreOnce Catalyst for backup applications. The Security Target contains the following additional sections: TOE Description (Section 2) Security Problem Definition (Section 3) Security Objectives (Section 4) IT Security Requirements (Section 5) TOE Summary Specification (Section 6) Protection Profile Claims (Section 7) Rationale (Section 8). 1.1 Security Target, TOE and CC Identification ST Title HP StoreOnce Backup System, Generation 3 Version Security Target ST Version Version 0.7 ST Date December 24, 2013 TOE Identification HP StoreOnce Backup System, Generation 3 Version Hardware Models Single Node Appliances HP StoreOnce 2610 iscsi Backup HP StoreOnce 2620 iscsi Backup HP StoreOnce 4210 iscsi Backup HP StoreOnce 4210 FC Backup HP StoreOnce 4220 Backup HP StoreOnce 4420 Backup HP StoreOnce 4430 Backup Multi-Node Appliances HP StoreOnce B6200 Backup System TOE Developer Hewlett-Packard Evaluation Sponsor Hewlett-Packard CC Identification Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July Conformance Claims This TOE is conformant to the following CC specifications: 4
5 Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 3.1 Revision 3, July Part 2 Extended Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 3, July Conventions Part 3 Conformant Assurance Level: EAL 2 augmented with ALC_FLR.3 The following conventions have been applied in this document: Security Functional Requirements Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement. Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a letter placed at the end of the component. For example FDP_ACC.1a and FDP_ACC.1b indicate that the ST includes two iterations of the FDP_ACC.1 requirement, a and b. Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Selection: allows the specification of one or more elements from a list. Selections are indicated using bold and are surrounded by brackets (e.g., [selection]). Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strikethrough, for deletions (e.g., all objects or some big things ). Other sections of the ST Other sections of the ST use bolding to highlight text of special interest, such as captions. 1.4 Glossary Acronym AD CC CHAP CIFS FC HP HTTP HTTPS iscsi IQN LAN LDAP NAS NFS NTP SAN SNMP SSH ST TLS TOE TSF Description Active Directory Common Criteria Challenge-Handshake Authentication Protocol Common Internet File System Fibre Channel Hewlett-Packard Hypertext Transfer Protocol Hypertext Transfer Protocol Secure Internet Small Computer System Interface iscsi Qualified Name Local Area Network Lightweight Directory Access Protocol Network Attached Storage Network File System Network Time Protocol Storage Area Network Simple Network Management Protocol Secure Shell Security Target Transport Layer Security Target of Evaluation TOE Security Function 5
6 VTL Virtual Tape Library 6
7 2 TOE Description The Target of Evaluation (TOE) is an HP StoreOnce Backup System system with one or more hardware appliances. The TOE models that offer either a single-node or multi-node system and are running Generation 3 Version software are the target of evaluation. The following appliances allow the TOE to provide varying types of faulttolerance and are the hardware platform for the TOE. HP StoreOnce B6200 HP StoreOnce 2610 iscsi Backup HP StoreOnce 2620 iscsi Backup HP StoreOnce 4210 iscsi Backup HP StoreOnce 4210 FC Backup HP StoreOnce 4220 Backup HP StoreOnce 4420 Backup HP StoreOnce Single-node appliances operate as standalone devices and do not operate as part of a cluster. Multi-node appliances operate as a cluster. A cluster is composed of from 1 to 4 couplets each couplet having two nodes. A cluster is the scope of administrative control, with the configuration of the cluster defining the behavior of all nodes within the cluster. The B6200 appliance is a multi-node appliance. The number of nodes in a model B6200 is determined by the customer. The B6200 can be ordered as a single couplet (2 nodes), a 2 couplet (4 node) cluster, a 3 couplet (6 node) cluster or a 4 couplet (8 node) cluster. A customer can buy a cluster of one couplet and then buy additional couplets to expand the cluster up to a maximum of 4 couplets. 2.1 TOE Overview The HP StoreOnce Backup System is a disk-based storage appliance for backing up host network servers or PCs to target devices on the appliance. These devices are configured as either Network-Attached Storage (NAS) or Virtual Tape Library (VTL) or StoreOnce Catalyst stores for backup applications. The total number of backup targets offered by an HP StoreOnce Backup System is split between VTL, NAS and StoreOnce Catalyst devices. The number of supported backup targets varies according to model (for single-node appliances) or number of nodes (for clusters). Each node in a cluster is capable of supporting 48 target devices. So as examples, a couplet can support 96 backup targets, while an 8 node (4 couplet) B6200 can support 384 (i.e., 48 x 8) backup targets. These devices may be all VTL, all NAS, or any combination of StoreOnce Catalyst, NAS and VTL devices. The HP StoreOnce Backup System supports both Common Internet File System(CIFS) and Network File System (NFS) protocols for connectivity to TOE provided NAS. This allows the TOE to provide backup targets for both Windows and UNI/Linux hosts. All devices (i.e., VTL, NAS and StoreOnce Catalyst) automatically include the TOE s data Deduplication functionality. Data Deduplication is a process in which the TOE compares blocks of data being written to a backup device with data blocks previously stored on the device. If duplicate data is found, a pointer is established to the original data, rather than storing the duplicate data. The TOE performs data deduplication at the block level and not at the file level, which reduces the amount of data actually stored on physical disks. The HP StoreOnce Backup System products are hardware appliances that offer network accessible administration interfaces in the form of an HTTPS based Graphical User Interface or SSH protected Command Line Interface. A single node appliance or a couplet provides network access using a number of network distinct ports. There are four (4) physical 1GB ports and two (2) physical 10GB ports for Ethernet connections. Another two (2) 10GB network connections are used for the internal network (internal to the cluster only) and not accessible to client-hosts. 7
8 Fibre Channel connections (available on some appliances) are only used to present VTL devices that have been configured on the nodes in a couplet. Figure 1 Supported Network Separation Figure 1 presents a high level depiction of one possible network topology supported by the HP StoreOnce Generation 3 product. Shown in Figure 1 are 3 distinct networks: a management network, a data network and an internal network. The management network would connect the product to any devices associated with managing the product such as an administration workstation, NTP server or LDAP server. The Data Network provides client hosts a communication path with the product. Finally, the internal network is used for communication between nodes of a multi-node system and storage devices (e.g., a SAN storage device). Remote administration sessions occurring through the management network are protected using cryptography (SH and HTTPS). Network traffic between the product and NTP or LDAP servers occurs utilizing only protections inherent in the NTP and LDAP protocols. The HP StoreOnce Backup System allows a site to choose to combine the data and management networks. In single-node configurations, the data and management network must be combined. Both single-node and multi-node configurations utilize an Internal network for communication with storage devices. The configuration shown in Figure 1 represents a multi-node configuration. The HP StoreOnce Backup Systems provides Ethernet network connections for use as a management network (i.e., used for all management traffic). All Ethernet-based networks support only IPv4 networking functionality. IPSec and IPv6 security features are not available, though some protection is supported for administrator network communications (e.g., SSH and HTTPS). The data network can be either Ethernet or Fibre Channel. The internal network will be Ethernet. The HP StoreOnce Backup Systems include hardware-based RAID 5 or RAID 6 to reduce the risk of user data loss due to disk failure within a couplet. 2.2 TOE Architecture The HP StoreOnce Backup System product line is available in single-node or multi-node configurations. The Gen 3 architecture of a multi-node configuration is depicted in Figure 2. A single-node configuration would be identical to the architecture of a single node as shown in Figure 2. The multi-node architecture provides mechanisms for high availability support by offering the ability to continue operation in the event of the failure of one node within each couplet as well as by offering support of RAID levels to protect user and TSF data. Single-node configurations support availability of data through the support of RAID levels to protect user and TSF data store within the control of the TOE. Figure 2 depicts a cluster composed of two couplets. Each couplet includes two nodes. This is an example of a multinode StoreOnce configuration. 8
9 From the perspective of shared configuration data (i.e., TOE Data), there are two significant types of data depicted in Figure 2. The storage of TOE Security Function data is depicted by the box labeled Fusion Manager Store. This store of data is accessible to all of the nodes in the cluster. The second type of configuration data is labeled as Ibrix FS with N sets of node configuration data. This data is available within a couplet even after one node of that couplet fails. The multi-node architecture includes distinct physical network ports that are used to isolate node-to-node communications from client-data backup operations. The ability to isolate internal TOE communications (which is not encrypted) to a dedicated network strengthens protection of TSF data. Administrative communication is cryptographically protected using SSHv2 and HTTPS/TLSv1.0. While the administrative communication would occur on the same network as client-data backup operations, they are protected cryptographically. The middle and lower end model single-node configuration, there would be no need for node-to-node communications, so no dedicated network would be employed. In a high end single node product, there is an internal network between the node and the storage devices. The multi-node architecture supports up to four couplets of nodes in a cluster. Each cluster portrays a single management interface and one data interface per node. When a node in a couplet fails, the lost physical data interface is virtualized by the other node. Virtualization can occur for either an Ethernet or Fibre Channel interface. When both nodes of a couplet fail, the data within that couplet is unavailable to users. Each time the active management node fails, reboots or is put in to a maintenance mode for repairs, a negotiation occurs between all remaining nodes in the cluster to elect a new active management node. The single-node architecture makes use of RAID to provide availability of data stored by a node. In multi-node configurations, RAID of physical storage occurs inside a couplet with both nodes accessing the same RAID arrays. There is no RAID or other redundancy between couplets in a cluster. Deduplication (a.k.a., deduping), allows data to be stored only once. When the same data occurs multiple times (as in the backup of data that has not changed) it is handled by reference as opposed to storing multiple copies. Remote copy (i.e., site replication) basically allows all the data to be copied to another cluster and makes use of the same deduping technology. Remote administrator sessions are encrypted using SSHv2 or HTTPS/TLS. SNMPv2 is also supported. Internal cluster and client-host connections are not encrypted by the TOE. A cluster can be configured to use NTP to synchronize time with an external server. When so configured, one node in the cluster becomes an NTP server. This NTP server node connects (as a client) to an external NTP server to obtain a time value from that external entity. The NTP server node then acts as a server to each of the other nodes within the cluster which are acting as NTP clients to the one node designated as the NTP server within the cluster. 9
10 2.2.1 TOE Physical Boundaries Figure 2 StoreOnce MultiNode Service Architecture The physical boundary of a HP StoreOnce Backup System is the physical boundary of the hardware of the cluster. Interfaces to this hardware include the following: a per-node serial port which provides limited administrative access, Fibre Channel ports for Fibre Channel host access to the data network, Four (4) Ethernet connections for iscsi host access to the data network, Two (2) Ethernet connections for administrative device access to the management network, and two (2) Ethernet connections used for an internal network. The TOE can be configured to rely on and utilize a number of other components in its operational environment. Active Directory servers The HP StoreOnce Backup System can be configured to utilize Active Directory as an external authentication server. Network Time Protocol (NTP) server The HP StoreOnce Backup System can be configured to act as an NTP client to synchronize the internal clock of the active node with an external source. The product can also be configured to offer NTP server functionality to each individual node in a cluster, to synchronize the clocks within the cluster. 10
11 iscsi and Fibre Channel client hosts The HP StoreOnce Backup System attaches to applicable ports which access available storage resources (SANs and VTLs). Network Storage Devices The HP StoreOnce Backup System is typically connected to a storage controller that manages the actual physical storage. Figure 1 depicts three networks to which the HP StoreOnce Backup System nodes (couplets) may be attached. The TOE nodes, storage devices, and internal network must have physical protections that are consistent with the data being stored and transmitted. This internal network is expected to be dedicated such that communication between the TOE and either another TOE node or a storage device is not modified or disclosed. The management network is expected to provide connectivity for the TOE, administrative devices, and NTP servers. Active directory servers are accessed from the data network to manage NAS share permissions. Active Directory servers can be deployed with or without cryptographic protections depending on the needs of the operational environment. While physical security of this network is appropriate, TOE remote administrative sessions are protected from disclosure and modification using SSH and HTTPS/TLS, The data network is used by clients to send data to the TOE for backup purposes. The data network is also expected to provide physical protections that are consistent with the data being stored and transmitted. Network devices on the Ethernet SAN are expected not to intercept, impersonate or otherwise modify communications on the SAN TOE Logical Boundaries The HP StoreOnce Backup System includes a number of security features with claims in the security functional requirements of this Security Target (Section 5.2). The HP StoreOnce Backup system also includes features such as deduplication and replication which can be used but for which this Security Target contains no claims (i.e., no security functional requirements). The following sections summarize security functionality of the product Security Audit The HP StoreOnce Backup System includes its own logging of management events and also user authentication. Administrators can also review the audit data collected by the product. Finally, the product protects audit data, and overwrites the storage space used for audit data once the available storage space becomes full Cryptographic Support The HP StoreOnce Backup System currently includes cryptographic functions to support SSHv2 and HTTPS (using TLS) protection for communication with remote administrative sessions. Connections to the HP StoreOnce Backup System can be made through SSHv2 to support a Command Line Interface for an administrator. Connections to the HP StoreOnce Backup System utilize HTTPS/TLS to support a graphical user interface for an administrator User data protection The HP StoreOnce Backup System is designed to offer reliable disk-based backup storage services. Access to TOE resources Network-Attached Storage (NAS), StoreOnce Catalyst or Virtual Tape Library (VTL) is provided either through iscsi, CIFS or NFS, Ethernet and Fibre Channel. iscsi VTL The product permits access based upon assigned hosts using its iscsi Qualified Name (IQN). CIFS-based NAS The product permits access based upon a list of users with read-write or read-only permissions. Alternately, the product can use AD user accounts and AD defined access permissions. NFS-based NAS The product permits access based upon a list of hosts defined as permitted for the NFS share. Fibre Channel VTL The product permits Fibre Channel resources to be assigned to specific Fibre Channel ports. Note that the SAN can be zoned to restrict access to specific devices, but that is out of scope of the TOE. The TOE implements RAID on physical disks. The single-node architecture makes use of RAID 5 or RAID 6 to provide availability of user data stored by a node. Multi-node configurations support only RAID 6, however, RAID of physical storage occurs inside a couplet with both nodes accessing the same RAID arrays. There is no RAID or other redundancy between couplets in a cluster. 11
12 TSF data stored by a single-node appliance is protected only using the RAID array within the appliance. TSF data is stored by a multi-node appliance (i.e., a couplet) as a mirrored set in a stripped set (i.e., RAID 1+0). Any disk failure causes the TOE to generate an alert via SNMP or SMTP. Failures of one node within a couplet also generate an alert via SNMP or SMTP Identification & Authentication The HP StoreOnce Backup System requires that administrators must login with username and password prior to being able to access functions associated with their defined role. The HP StoreOnce Backup System uses only locally defined accounts to define the Administrator and Operator accounts. The HP StoreOnce Backup System can be configured to use an Active Directory (LDAP) server for user identification and authentication associated with CIFS-based NAS access. Fibre Channel (FC), iscsi, and NFS hosts are always identified when they access backup targets, but are not usually authenticated. Fibre Channel hosts are identified using a Fibre Channel port prior to the TOE granting access to a backup target over a FC network (i.e., part of the Data network shown in Figure 1). An iscsi host is identified using an iscsi qualified name (IQN). Since the TOE supports CHAP authentication for iscsi, a site can choose to use CHAP to authenticate iscsi hosts. Use of CHAP for authentication is suggested but not required to satisfy the claims in this Security Target NFS hosts are identified solely using their IP address. Security Management The HP StoreOnce Backup System is responsible for enabling the management of available storage resources and access by client-hosts. Users manage the product with either a graphical user interface or command line interface. Both interfaces enforce the same administrative constraints which limit the operations available to the user. Each user is assigned a role which is currently limited to administrator (read and write functionality) or operator (read-only functionality). The HP StoreOnce Backup System also supports a read-only SNMPv2 interface to allow network monitoring of a running system Protection of the TSF The HP StoreOnce Backup System includes a real-time clock. It also protects especially sensitive security data such as password and cryptographic keys TOE Access The HP StoreOnce Backup System can terminate an inactive remote administrative session after an administratordefined period of inactivity Trusted Paths/Channels As mentioned above, the HP StoreOnce Backup System currently provides cryptographic functions that are used to protect administrator sessions. These cryptographic functions include SSHv2 and HTTPS (TLS). 2.3 TOE Documentation The HP StoreOnce Backup System offers a series of documents that describe the installation of the product as well as guidance for subsequent use and administration of the applicable security features. These documents include 2 : 1) HP StoreOnce Backup System Concepts Guide, September ) HP StoreOnce Backup System User Guide, November Since single-node appliances are not part of a couplet or cluster, such failures do not generate alarms. 2 The documents listed here are those available with the version of the product shipping today. 12
13 3) HP StoreOnce Backup System Installation and Configuration Guide, December
14 3 Security Problem Definition This section describes the security environment in which the TOE operates. The security environment is defined in terms of assumptions made by the TOE and threats to the TOE. 3.1 Assumptions The following conditions are assumed to exist in the operational environment. Assumption A.NO_GENERAL_PURPOSE A.PHYSICAL A.TRUSTED_ADMIN A.HOST_IDENTITY A.MGMT_NET A.DATA_NET A.INTERNAL_NET A.ETHERNET Definition It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment. TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. It is assumed that iscsi and Fiber Channel host identities properly reflect the adapters and hence the hosts to which they are associated such that authentication is not necessary. It is assumed that a dedicated and protect Management Network exists between nodes of the TOE and hosts providing supporting services (e.g., AD and NTP). Clients on the Data Network do not have direct access to the Internal or Management networks that are used for managing, accessing, and supporting the TOE operations. It is assumed that a dedicated and protected Internal Network exists that connects nodes of the TOE with network storage devices. It is assumed that network devices on the Internal Network do not intercept, impersonate or otherwise modify communications on the Internal network. 3.2 Threats Threat T.ADMIN_ERROR T.DATA_AVAILABILITY T.DATA_DISCLOSURE T.UNAUTHORIZED_ACCESS Definition An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms that may go undetected. User data may become unavailable due to isolated storage resource failures, node failures or due to resource exhaustion. A connected host might obtain access to user data for which they have no authorization. A user may gain unauthorized access to the TSF data and TSF executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to TSF data or TSF resources. A malicious user, process, or external IT entity may misrepresent itself as the TSF to obtain identification and authentication data. 14
15 T.UNDETECTED_ACTIONS Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated. 15
16 4 Security Objectives This chapter identifies the security objectives of the TOE and its environment. Security objectives identify the responsibilities of the TOE and the support need by the TOE from its environment. 4.1 Security Objectives for the TOE Objective O.AVAILABILITY O.LIMIT_ACCESS O.PROTECTED_COMMUNICATIONS Definition The TOE will ensure that data can be stored in a manner that is protected from underlying resource failure and exhaustion. The TOE will ensure that connected hosts can access only data resources for which they are authorized. The TOE will provide protected communication channels for administrators. O.SYSTEM_MONITORING O.TOE_ADMINISTRATION The TOE will provide the capability to generate audit data and provide the means to store and review those data. The TOE will provide mechanisms to ensure that only administrators are able to log in and configure the TOE, and restrict logged-in administrators to authorized functions and TSF data. 4.2 Security Objectives for the Environment Objective OE.NO_GENERAL_PURPOSE OE.PHYSICAL OE.TRUSTED_ADMIN OE.HOST_IDENTITY OE.MGMT_NET OE.DATA_NET OE.INTERNAL_NET OE.ETHERNET Definition There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment. TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. iscsi hosts correctly reflect the iscsi identifier associated with their Host Bus Adapters (HBAs). A dedicated Management network provides reliable ad secured communication between the TOE, hosts supporting remote administrative sessions and peer hosts providing supporting services such as Active Directory or NTP. Clients on the Data Network do not have direct access to the Internal or Management networks that are used for managing, accessing, and supporting the TOE operations. A dedicated and protected Internal Network exists that connects nodes of the TOE with one another and with network storage devices. Hosts on the Internal Network do not intercept communications on the Internal Network, do not modify communications on the Internal Network, and do not impersonate endpoints on the Internal Network. 16
18 5 IT Security Requirements The security requirements for the TOE have been drawn from Parts 2 and 3 of the Common Criteria. The security functional requirements have been selected to correspond to the actual security functions implemented by the TOE while the assurance requirements have been selected to offer a low to moderate degree of assurance that those security functions are properly realized. 5.1 Extended Component Definition This Security Target includes Security Functional Requirements (SFR) that are not drawn from CC Part 2. These Extended SFRs are identified by having a label _ET after the requirement name for TOE SFRs. The structure of the extended SFRs is modeled after the SFRs included in CC Part 2. The structure is as follows: A. Class The extended SFRs included in this ST are part of the identified classes of requirements. B. Family The extended SFRs included in this ST are part of several SFR families including the new families defined below. C. Component The extended SFRs are not hierarchical to any other components, though they may have identifiers terminating on other than 1. The dependencies for each extended component are identified in the TOE SFR Dependencies section of this ST (Section 8.4, Requirement Dependency Rationale) Extended Family Definitions FCS_COMM_PROT_ET Family Behavior This family identifies the protocols used to protection remote administrative sessions. Management: FCS_COMM_PROT_ET.1 There are no management activities foreseen. Audit: FCS_COMM_PROT_ET.1 There are no auditable events foreseen FCS_COMM_PROT_ET.1 Remote Administrative Session Communication Protection Hierarchical to: No other components. Dependencies: FCS_COMM_PROT_ET FCS_HTTPS_ET Family Behavior None The TSF shall protect remote administrative session communications using [selection: IPsec, SSH] and [selection: TLS/HTTPS, no other protocol]. This family identifies the behavior of the TOE when the HTTPS protocol is implemented. Management: FCS_HTTPS_ET.1 There are no management activities foreseen. Audit: FCS_SSH_ET.1 Basic Level: Failure to establish an HTTPS Session Establishment/Termination of an HTTPS session 18
19 FCS_HTTPS_ET.1 Secure Shell Protocol Hierarchical to: Dependencies: No other components. FCS_TLS_ET.1 FCS_HTTPS_ET.1.1 The TSF shall implement the HTTPS protocol that complies with RFC FCS_HTTPS_ET FCS_SSH_ET Family Behavior The TSF shall implement HTTPS using TLS as specified in FCS_TLS_ET.1. This family identifies the behavior of the TOE when the Secure Shell (SSH) protocol is implemented. Management: FCS_SSH_ET.1 There are no management activities foreseen. Audit: FCS_SSH_ET.1 Basic Level: Failure to establish an SSH Session Establishment/Termination of an SSH session FCS_SSH_ET.1 Secure Shell Protocol Hierarchical to: Dependencies: FCS_SSH_ET.1.1 FCS_SSH_ET.1.2 FCS_SSH_ET.1.3 FCS_SSH_ET.1.4 FCS_SSH_ET.1.5 FCS_SSH_ET.1.6 FCS_SSH_ET.1.7 FCS_SSH_ET.1.8 FCS_SSH_ET FCS_TLS_ET Family Behavior No other components. FCS_COP.1 The TSF shall implement the SSH protocol that complies with RFCs 4251, 4252, 4253, and The TSF shall ensure that the SSH connection be rekeyed after no more than 228 packets have been transmitted using that key. The TSF shall ensure that the SSH protocol implements a timeout period for authentication as defined in RFC 4252 of [assignment: timeout period], and provide a limit to the number of failed authentication attempts a client may perform in a single session to [assignment: maximum number of attempts] attempts. The TSF shall ensure that the SSH protocol implementation supports the following authentication methods as described in RFC 4252: public key-based, password-based. The TSF shall ensure that, as described in RFC 4253, packets greater than [assignment: number of bytes] bytes in an SSH transport connection are dropped. The TSF shall ensure that the SSH transport implementation uses the following encryption algorithms: AES-CBC-128, AES-CBC-256, [selection: AEAD_AES_128_GCM, AEAD_AES_256_GCM, no other algorithms]. The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [selection: PGP-SIGN-RSA, PGP-SIGN-DSS, no other public key algorithms,] as its public key algorithm(s). The TSF shall ensure that data integrity algorithms used in SSH transport connection is [selection: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96]. The TSF shall ensure that diffie-hellman-group14-sha1 is the only allowed key exchange method used for the SSH protocol. 19
20 This family identifies the behavior of the TOE when the Transport Layer Transport Layer Security (TLS) protocol is implemented. Management: FCS_TLS_ET.1 There are no management activities foreseen. Audit: FCS_TLS_ET.1 Basic Level: Failure to establish an TLS Session Establishment/Termination of an TLS session FCS_TLS_ET.1 Transport Layer Security Protocol Hierarchical to: Dependencies: FCS_TLS_ET FPT_PTD_ET Family Behavior No other components. FCS_COP.1 The TSF shall implement one or more of the following protocols [selection: TLS 1.0 (RFC 2346), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] supporting the following ciphersuites: Mandatory Ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA Optional Ciphersuites: [selection: None TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_ SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_ SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ]. This family defines the protections required for critical security parameters used by the TOE for authentication or cryptography. Management: FPT_PTD_ET.1 There are no management activities foreseen. Audit: FPT_PTD_ET.1 There are no auditable events foreseen FPT_PTD_ET.1 Protection of TSF Data Hierarchical to: No other components. Dependencies: FPT_PTD_ET.1.1 None The TSF shall prevent reading of [assignment: critical security parameters]. 20
Cisco Email Security Appliance Security Target Version 1.0 October 2014 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2014 Cisco Systems, Inc. All rights
Mobile Billing System Security Target Common Criteria: EAL1 Version 1.2 25 MAY 11 Document management Document identification Document ID Document title Product version IDV_EAL1_ASE IDOTTV Mobile Billing
3e Technologies International 3e-636 Series Network Security Device Security Target 45040-007-01 Revision J March 12, 2015 Version 1.0 Page 1 2015 3e Technologies International, Inc. All rights reserved.
McAfee Web Gateway Version 22.214.171.124 EAL 2 + ALC_FLR.2 Release Date: 5 October 2012 Version: 1.0 Prepared By: Primasec Ltd. Prepared For: McAfee Inc. 3965 Freedom Circle Santa Clara, CA 95054 Document Introduction
Protection Profile for Wireless Local Area Network (WLAN) Access Systems Information Assurance Directorate 01 December 2011 Version 1.0 Table of Contents 1 Introduction to the PP... 1 1.1 PP Overview of
Protection Profile for Network Devices Information Assurance Directorate 08 June 2012 Version 1.1 Table of Contents 1 INTRODUCTION... 1 1.1 Compliant Targets of Evaluation... 1 2 SECURITY PROBLEM DESCRIPTION...
Marimba Client and Server Management from BMC Software Release 6.0.3 Version 2.3.0 4 June, 2007 Prepared by: BMC Software, Inc. 2101 City West Blvd. Houston, Texas 77042 TABLE OF CONTENTS 1. Introduction...
U.S. Government Protection Profile for Application-level Firewall In Basic Robustness Environments Information Assurance Directorate Version 1.1 July 25, 2007 Forward This Protection Profile US Government
Protection Profile for Server Virtualization 29 October 2014 Version 1.0 i 0 Preface 0.1 Objectives of Document This document presents the Common Criteria (CC) Protection Profile (PP) to express the fundamental
Security Requirements for Network Devices Information Assurance Directorate 10 December 2010 Version 1.0 Table of Contents 1 INTRODUCTION... 1 1.1 Compliant Targets of Evaluation... 1 2 SECURITY PROBLEM
SQL Server 2008 Team Author: Roger French Version: 1.04 Date: 2011-09-26 Abstract This document is the (ST) for the Common Criteria certification of the database engine of Microsoft SQL Server 2008 R2.
EMC Documentum EMC Documentum Content Server TM V5.3 and EMC Documentum Administrator TM V5.3 Security Target V2.0 December 8, 2005 ST prepared by Suite 5200, 4925 Jones Branch Drive McLean, VA 22102-3305
Security Target: Symantec Endpoint Protection Version 11.0 ST Version 1.6 June 2, 2008 Document Version 1.6 Symantec Corporation Page 1 of 68 Prepared For: Prepared By: Symantec Corporation 20330 Stevens
Security Target McAfee Enterprise Mobility Management 9.7 Document Version 0.9 July 5, 2012 Document Version 0.9 McAfee Page 1 of 39 Prepared For: Prepared By: McAfee, Inc. 2821 Mission College Blvd. Santa
Microsoft Forefront UAG 2010 Common Criteria Evaluation Security Target Microsoft Forefront Unified Access Gateway Team Author: Microsoft Corp. Version: 1.0 Last Saved: 2011-03-10 File Name: MS_UAG_ST_1.0.docx
Senforce Endpoint Security Suite Version 3.1.175 Security Target Version 1.0 06/19/07 Prepared for: Senforce Technologies, Inc. 147 W Election Rd Ste 110 Draper UT 84020 Prepared By: Science Applications
Evaluating Windows: Something Old, Something New, Something Borrowed, Something Blue September 11, 2013 Mike Grimm, Microsoft Corp. Agenda History of Windows CC evaluations Experiences with Windows 7 and
U.S. Government Protection Profile for Database Management Systems Information Assurance Directorate Version 1.3 December 24, 2010 Protection Profile Title: 1 U.S. Government Protection Profile for Database
Cisco 800, 1900, 2900, 3900 Series Integrated Service Routers (ISR) Security Target Revision 1.0 August 2011 1 Table of Contents 1 SECURITY TARGET INTRODUCTION... 6 1.1 ST and TOE Reference... 6 1.2 Acronyms
Check Point Endpoint Security Media Encryption Security Target Version 1.0 June 23, 2010 Prepared for: 5 Ha Solelim St. Tel Aviv, Israel 67897 Prepared By: Science Applications International Corporation
Microsoft SQL Server 2012 Database Engine Common Criteria Evaluation (EAL2) Security Target SQL Server 2012 Team Author: Version: 1.2 Roger French (Microsoft Corporation) Date: 2012-08-07 Abstract This
GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0.1 Security Target Version 2.01 Common Criteria EAL4 augmented
Extended Package for Mobile Device Management Agents 31 December 2014 Version 2.0 REVISION HISTORY Version Date Description 1.0 21 October 2013 Initial Release 1.1 7 February 2014 Typographical changes
Trustwave Secure Web Gateway Security Target Version 1.5 September 18, 2013 Trustwave 70 West Madison Street Suite 1050 Chicago, IL 60602 Prepared By: Common Criteria Consulting LLC 15804 Laughlin Lane
Cisco Catalyst Switches (3560- and 3750-) Security Target Revision 1.0 6 June 2012 1 Table of Contents 1 SECURITY TARGET INTRODUCTION... 6 1.1 ST and TOE Reference... 6 1.2 Acronyms and Abbreviations...
Security Target SQL Server 2008 Team Author: Roger French Version: 1.2 Date: 2009-01-23 Abstract This document is the Security Target (ST) for the Common Criteria certification of the database engine of
Teradata Database Version 2 Release 6.1.0 (V2R6.1.0) Security Target Version 2.0 February 2007 TRP Number: 541-0006458 NCR, Teradata and BYNET are registered trademarks of NCR Corporation. Microsoft, Windows,
Security Target Symantec TM Network Access Control Version 12.1.2 Document Version 0.12 February 14, 2013 Document Version 0.12 Symantec Page 1 of 39 Prepared For: Prepared By: Symantec Corporation 350
v8.2.0 and McAfee Firewall Enterprise Control Center v5.2.0 10 January 2012 Version 1.1 Prepared By: Primasec Ltd For McAfee Inc 2340 Energy Park Drive St. Paul, MN 55108 USA Contents 1 Introduction...
Cisco Unified Communications Manager Security Target Version 1.0 10 August 2015 EDCS - 1502591 Page 1 of 53 Table of Contents 1 SECURITY TARGET INTRODUCTION... 8 1.1 ST and TOE Reference... 8 1.2 TOE Overview...
SenSage, Inc. SenSage 4.6.2 Security Target Evaluation Assurance Level: EAL2+ Document Version: 1.2 Prepared for: Prepared by: SenSage, Inc. 55 Hawthorne Street San Francisco, CA 94105 United States of
EAL4+ Security Target Common Criteria: EAL4 augmented with ALC_FLR.3 Version 1.0 21-DEC-10 Document management Document identification Document ID Document title Release authority E14_EAL4_ASE Microsoft
Security Target Securonix Security Intelligence Platform 4.0 Document Version 1.12 January 9, 2015 Document Version 1.12 Copyright Securonix Page 1 of 41 Prepared For: Prepared By: Securonix 5777 W. Century
DataPower S40 ML Security Gateway and DataPower I50 Integration Appliance Version 3.6 Security Target Version 0.75 10/09/2008 Prepared for: IBM SOA Appliance Group One Rogers St Cambridge, MA 02142 Prepared
Imperva SecureSphere Security Target Version 0.4 12 November 2015 Prepared for: Imperva Inc. 3400 Bridge Parkway, Suite 200 Redwood Shores, CA 94065 United States Prepared by: Leidos Inc. (formerly Science
31 December 2014 Version 2.0 REVISION HISTORY Version Date Description 1.0 21 October 2013 Initial Release 1.1 7 February 2014 Typographical changes and clarifications to front-matter 2.0 31 December 2014
3eTI Technologies International 3e-525/523 Series Wireless Network Access Points Security Target Version 1.0 Revision I October 8 th, 2015 Page 1 2015 3e Technologies International, Inc. All rights reserved.
Security Target McAfee Enterprise Mobility Management 12.0 Document Version 1.16 September 17, 2014 Prepared For: Prepared By: McAfee, Inc. 2821 Mission College Blvd. Santa Clara, CA 95054 Primasec Ltd
JMCS Northern Light Video Conferencing System Security Target Common Criteria: EAL2 Version 1.2 22 FEB 12 Document management Document identification Document ID Document title Product version NLVC_ST_EAL2
McAfee Firewall Enterprise v7.0.1.02 Security Target 8 Nov 2010 Version 1.3 Prepared By: Primasec Ltd For McAfee Inc 2340 Energy Park Drive St. Paul, MN 55108 USA McAfee Inc. Page 1 of 60 Contents 1 Introduction...
SolarWinds Log and Event Manager Software Security Target Version 1.5 August 25, 2014 SolarWinds Worldwide, LLC 3711 South MoPac Expressway Building Two Austin, Texas 78746 Copyright 2013 SolarWinds Worldwide,
COMMON CRITERIA PROTECTION PROFILE for SECURE COMMUNICATION MODULE FOR WATER TRACKING SYSTEM (SCM-WTS PP) Revision No 1.1 Revision Date 11.07.2014 Document Code File Name SCM-WTS PROTECTION PROFILE Prepared
Check Point Endpoint Security Full Disk Encryption Security Target ST Version 2.4 June 22, 2009 Prepared for: 5 Ha Solelim St. Tel Aviv, Israel 67897 Prepared by: Metatron Ltd. 66 Yosef St., Modiin, Israel
IBM WebSphere Message Broker Security Target Version 2.1.2 2007-08-22 Document History Version Date Summary Author 1.0 2006-10-23 Final EAL3 ST plus changes by IBM. SAIC / IBM 1.1 2006-12-11 Fixed inconsistencies.
Cisco Aggregation Services Router (ASR) 900 Series Security Target Version 1.0 26 March 2015 Table of Contents 1 SECURITY TARGET INTRODUCTION...8 1.1 ST AND TOE REFERENCE... 8 1.2 TOE OVERVIEW... 8 1.2.1
Protection Profile for Mobile Device Management 7 March 2014 Version 1.1 1 Revision History Version Date Description 1.0 21 October 2013 Initial Release 1.1 7 March 2014 Typographical changes and clarifications
AAR Test Summary FireEye CM, FX, EX, and NX Series Appliances FireEye CM, FX, EX, and NX Series Appliances Series Security Target, version 1.0 Protection Profile for Network Devices (NDPP), version 1.1,
Protection Profile for USB Flash Drives Mitigating the Risk of a Manipulated, Misplaced, or Stolen USB Flash Drive Information Assurance Directorate 01 December 2011 Version 1.0 Table of Contents 1 Introduction
Microsoft Windows Common Criteria Evaluation Microsoft Windows 8 Microsoft Windows RT Microsoft Windows Server 2012 IPsec VPN Client Security Target Document Information Version Number 1.0 Updated On January
RSA, The Security Division of EMC RSA Data Loss Prevention Suite v6.5 Security Target Evaluation Assurance Level: EAL2 Augmented with ALC_FLR.1 Document Version: 0.7 Prepared for: Prepared by: RSA, The
Security Target for Cisco Remote Access VPN Reference: ST 16 May 2007 Version 1.17 CISCO Systems Inc. 170 West Tasman Drive San Jose CA 95124-1706 USA Copyright: 2007 Cisco Systems, Inc. Table of Contents
Security Target for LANCOM Systems Operating System LCOS 8.70 CC with IPsec VPN Version 1.15 Release LANCOM Systems GmbH 2013 LANCOM Systems GmbH LANCOM, LANCOM Systems and LCOS are registered trademarks.
CA CA, Inc. Identity Manager 12.5 Identity Manager r12.1 Security Target Version 2.0 June Version 21, 2010 0.6 December 29, 2008 Prepared for: Prepared CA for: 100 Staples CA, Inc. Drive Framingham, 100
Firewall Protection Profile V2.0 2008. 4. 24 (This page left blank on purpose for double-side printing) Protection Profile Title Firewall Protection Profile for Government Evaluation Criteria Version This
Rapid7 Nexpose Vulnerability Management and Penetration Testing System V.5.1 Security Target Version 1.7 May 11, 2012 Prepared for: Rapid7 LLC 545 Boylston Street, Suite 400 Boston, MA 02116 Prepared By:
HP TippingPoint Intrusion Prevention Systems Security Target Version 1.0 July 29, 2011 Prepared for: TippingPoint/Hewlett-Packard Corporation 14231 Tandem Blvd Austin, TX 78728 USA Prepared By: Science
Security Target Microsoft SQL Server Team Author: Roger French Version: 1.27 Date 2008-07-23 File Name: MS_SQL_ST_1.27 Abstract This document is the Security Target (ST) for the Common Criteria evaluation
LogRhythm Integrated Solution Security Target Version 1.1 March 30, 2012 Prepared for: LogRhythm, Inc. 4780 Pearl East Circle Boulder, CO 80301 Prepared By: Science Applications International Corporation
Security Target Symantec Security Information Manager Version 4.8.1 Document Version 1.7 January 30, 2014 Document Version 1.7 Copyright Symantec Corporation Page 1 of 42 Prepared For: Prepared By: Symantec
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report 3eTI 3e-636 Series Network Security Devices Report Number: CCEVS-VR-VID10580 Dated: March 25,
Security Target: Symantec Mail Security 8300 Series Appliances Version 5.0 ST Version 1.6 August 20, 2007 Document Version 1.6 Symantec Corporation Page 1 of 55 Prepared For: Prepared By: Symantec Corporation
Cisco Unified Wireless Network and Wireless Intrusion Detection System: Security Target This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Cisco Aironet 1130,
Doc Ref RD/JL/069 Replaces: N/A EXTOL epassport Suite v2.5 ECSB/MyCC/JL/002 Common Criteria EAL1 Certification Extol Corporation (M) Sdn Bhd (121135-U) (643683-U) Extol Group www.extolcorp.com Unit G1,
BMC ProactiveNet Performance Management 9.5 Security Target Version 0.4 18 July 2014 Copyright 2014 BMC Software, Inc. All rights reserved. BMC, BMC Software, and the BMC Software logo are the exclusive
Security Target McAfee Data Loss Prevention Endpoint 9.4 and epolicy Orchestrator 5.1.3 Document Version 1.0 November 24, 2015 Prepared For: Prepared By: Intel Corporation. 2821 Mission College Blvd. Santa