National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

Transcription

1 Natinal Infrmatin Assurance Partnership Cmmn Criteria Evaluatin and Validatin Scheme Validatin Reprt Micrsft Windws 8, Micrsft Windws RT, Micrsft Windws Server 2012 IPsec VPN Client TM Reprt Number: CCEVS-VR-VID Dated: 31 January 2014 Versin: 1.0 Natinal Institute f Standards and Technlgy Natinal Security Agency Infrmatin Technlgy Labratry Infrmatin Assurance Directrate 100 Bureau Drive 9800 Savage Rad STE 6940 Gaithersburg, MD Frt Gerge G. Meade, MD

2 Micrsft Windws IPsec VPN Client ACKNOWLEDGEMENTS Validatin Team Ken Ellitt The Aerspace Crpratin Jim Dnndelinger The Aerspace Crpratin Cmmn Criteria Testing Labratry Leids (frmerly SAIC, Inc.) Clumbia, MD ii

3 Micrsft Windws IPsec VPN Client Table f Cntents 1 Executive Summary Evaluatin Details Interpretatins Threats Organizatinal Security Plicies Identificatin Security Plicy Security Audit Cryptgraphic Prtectin User Data Prtectin Identificatin & Authenticatin Security Management Prtectin f the TOE s Security Functins Trusted Path fr Cmmunicatin Assumptins Clarificatin f Scpe Architectural Infrmatin Dcumentatin Prduct Testing Develper Testing Evaluatin Team Independent Testing Penetratin Testing Evaluated Cnfiguratin Results f the Evaluatin Validatr Cmments/Recmmendatins Annexes Security Target Bibligraphy...9 iii

4 Micrsft Windws IPsec VPN Client List f Tables Table 1 Evaluatin Details... 1

5 1 Executive Summary VALIDATION REPORT Micrsft Windws IPsec VPN Client The evaluatin f the Micrsft Windws 8, Micrsft Windws RT, and Micrsft Windws Server 2012 IPsec VPN Client prduct was perfrmed by Leids (frmerly Science Applicatins Internatinal Crpratin (SAIC)) Cmmn Criteria Testing Labratry (CCTL) in Clumbia, Maryland, United States f America and was cmpleted in January The evaluatin was cnducted in accrdance with the requirements f the Cmmn Criteria and Cmmn Methdlgy fr IT Security Evaluatin (CEM), versin 3.1 and assurance activities specified in the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients, Versin 1.1, 30 December The evaluatin was cnsistent with Natinal Infrmatin Assurance Partnership (NIAP) Cmmn Criteria Evaluatin and Validatin Scheme (CCEVS) plicies and practices as described n their web site ( The SAIC evaluatin team determined that the prduct is cnfrmant t the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients, Versin 1.1, 30 December The infrmatin in this Validatin Reprt is largely derived frm the Evaluatin Technical Reprt (ETR) and assciated test reprts prduced by the SAIC evaluatin team. This Validatin Reprt is nt an endrsement f the Target f Evaluatin by any agency f the U.S. gvernment, and n warranty is either expressed r implied. The fcus f this evaluatin is n the IPsec Virtual Private Netwrk (VPN) client that is part f the Windws perating system. There are tw mechanisms cvered by this evaluatin that invke the IPsec VPN client: the Remte Access Service (RAS) interface, and the (raw) IPsec interface. The IPsec interface is a part f the cre netwrking stack and can be used t create IPsec security assciatins ver bth lcal and remte netwrks. Remte Access Service (RAS) prvides remte access capabilities t client applicatins n cmputers running Windws. Histrically RAS was used fr dial-up and pint-t-pint netwrking cnnectins. Hwever it can als be used t establish IPsec virtual private netwrk sessins. The prducts, when cnfigured as specified in the guidance dcumentatin, satisfy all f the security functinal requirements stated in the Micrsft Windws 8, Micrsft Windws RT, Micrsft Windws Server 2012 IPsec VPN Client Security Target (ST). 1.1 Evaluatin Details Table 1 Evaluatin Details Evaluated Prduct: Windws 8, Windws RT, Windws Server 2012 Spnsr: Develper: CCTL: Micrsft Crpratin Micrsft Crpratin Leids (frmerly SAIC) 6841 Benjamin Franklin Drive Clumbia, MD Kickff Date: 22 February 2013 Cmpletin Date: 31 January

6 Micrsft Windws IPsec VPN Client CC: Interpretatins: CEM: Evaluatin Class: Descriptin: Disclaimer: PP: Evaluatin Persnnel: Validatin Bdy: Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin, Versin 3.1, Revisin 4, September Nne Cmmn Methdlgy fr Infrmatin Technlgy Security Evaluatin, Part 2: Evaluatin Methdlgy, Versin 3.1, Revisin 4, September Nne The TOE prvides capabilities fr establishing IPsec security assciatins ver bth lcal and remte netwrks. The infrmatin cntained in this Validatin Reprt is nt an endrsement f the Micrsft Windws 8, Micrsft Windws RT, Micrsft Windws Server 2012 IPsec VPN Client prduct by any agency f the U.S. Gvernment and n warranty f the prduct is either expressed r implied. Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients, Versin 1.1, 30 December 2012 Leids (frmerly SAIC): Anthny J. Apted James L. Arnld, jr Tammy Cmptn Crnelius Haley Natinal Infrmatin Assurance Partnership CCEVS 1.2 Interpretatins Nt applicable. 1.3 Threats The ST identifies the fllwing threats that the TOE and its peratinal envirnment are intended t cunter: Security mechanisms f the TOE may fail, leading t a cmprmise f the TSF. A user may gain unauthrized access t the TOE data and TOE executable cde. A malicius user, prcess, r external IT entity may masquerade as an authrized entity in rder t gain unauthrized access t data r TOE resurces. A malicius user, prcess, r external IT entity may misrepresent itself as the TOE t btain identificatin and authenticatin data. A malicius party attempts t supply the end user with an update t the prduct that may cmprmise the security features f the TOE. 2

7 Micrsft Windws IPsec VPN Client Malicius remte users r external IT entities may take actins that adversely affect the security f the TOE. These actins may remain undetected and thus their effects cannt be effectively mitigated. User data may be inadvertently sent t a destinatin nt intended by the riginal sender. 1.4 Organizatinal Security Plicies The ST identifies the fllwing rganizatinal security plicies that the TOE and its peratinal envirnment are intended t fulfill: The TOE must meet Request fr Cmments (RFC) requirements fr implemented prtcls t facilitate inter-perability with ther netwrk equipment using the same prtcls. The TOE must prvide the capability t cnfigure security-relevant aspects f its peratin. 2 Identificatin The evaluated prduct is Micrsft Windws 8, Micrsft Windws RT, and Micrsft Windws Server 2012, with fcus n the IPsec Virtual Private Netwrk (VPN) client that is part f these Windws perating systems. 3 Security Plicy The TOE enfrces the fllwing security plicies as described in the ST. Nte: Much f the descriptin f the security plicy has been derived frm the Micrsft Windws 8, Micrsft Windws RT, Micrsft Windws Server 2012 IPsec VPN Client Security Target and Final ETR. 3.1 Security Audit Windws has the ability t cllect audit data, review audit lgs, prtect audit lgs frm verflw, and restrict access t audit lgs. Audit infrmatin generated by the system includes the date and time f the event, the user identity that caused the event t be generated, and ther event-specific data. Authrized administratrs can review audit lgs and have the ability t search and srt audit recrds. Authrized administratrs can als cnfigure the audit system t include r exclude ptentially auditable events t be audited based n a wide range f characteristics. 3.2 Cryptgraphic Prtectin Windws prvides FIPS validated cryptgraphic functins that supprt encryptin/decryptin, cryptgraphic signatures, cryptgraphic hashing, cryptgraphic key agreement (which is nt studied in this evaluatin), and randm number generatin. The TOE additinally prvides supprt fr public keys, credential management and certificate validatin functins and prvides supprt fr the Natinal Security Agency s Suite B cryptgraphic algrithms. Windws als prvides extensive auditing supprt f cryptgraphic peratins, the ability t replace cryptgraphic functins and randm number generatrs with alternative implementatins, 1 and a key islatin service designed t limit the ptential expsure f secret and private keys. In additin t using cryptgraphy fr its wn security functins, Windws ffers access t the cryptgraphic supprt functins fr user-mde and kernel-mde prgrams. Public key certificates generated and used by Windws authenticate users and machines as well as user prtect and system data in transit. 1 This ptin is nt included in the Windws Cmmn Criteria evaluatin. 3

8 VALIDATION REPORT Micrsft Windws IPsec VPN Client IPsec: Windws implements IPsec t prvide prtected, authenticated, cnfidential, and tamperprf netwrking between tw peer cmputers. 3.3 User Data Prtectin In this cntext f this evaluatin, Windws prvides bject and subject residual infrmatin prtectin. 3.4 Identificatin & Authenticatin In the cntext f this evaluatin, Windws prvides the ability t use, stre, and prtect X.509 certificates that are used fr IPsec. Windws als has the ability t use pre-shared keys fr IPsec. 3.5 Security Management Windws includes several functins t manage security plicies. Plicy management is cntrlled thrugh a cmbinatin f access cntrl, membership in administratr grups, and privileges. 3.6 Prtectin f the TOE s Security Functins Windws prvides a number f features t ensure the prtectin f TOE security functins. Windws prtects against unauthrized data disclsure and mdificatin by using a suite f Internet standard prtcls including IPsec, IKE, and ISAKMP. Windws ensures prcess islatin security fr all prcesses thrugh private virtual address spaces, executin cntext, and security cntext. The Windws data structures defining prcess address space, executin cntext, memry prtectin, and security cntext are stred in prtected kernel-mde memry. Windws includes self-testing features that ensure the integrity f executable prgram images and its cryptgraphic functins. Finally, Windws prvides a trusted update mechanism t update Windws binaries itself. 3.7 Trusted Path fr Cmmunicatin Windws uses the IPsec suite f prtcls t prvide a Virtual Private Netwrk Cnnectin (VPN) between itself, acting as a VPN client, and a VPN gateway. 4 Assumptins The ST identifies the fllwing assumptins abut the use f the prduct: Infrmatin cannt flw nt the netwrk t which the VPN client's hst is cnnected withut passing thrugh the TOE. Physical security, cmmensurate with the value f the TOE and the data it cntains, is assumed t be prvided by the envirnment. TOE Administratrs are trusted t fllw and apply all administratr guidance in a trusted manner. 4.1 Clarificatin f Scpe All evaluatins (and all prducts) have limitatins, as well as ptential miscnceptins that need clarifying. This text cvers sme f the mre imprtant limitatins and clarificatins f this evaluatin. Nte that: 1. As with any evaluatin, this evaluatin nly shws that the evaluated cnfiguratin meets the security claims made, with a certain level f assurance (the assurance activities specified in the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients and perfrmed by the evaluatin team). 4

9 Micrsft Windws IPsec VPN Client 2. This evaluatin cvers nly the specific prduct versin identified in this dcument, and nt any earlier r later versins released r in prcess. 3. This evaluatin did nt specifically search fr, nr attempt t explit, vulnerabilities that were nt bvius r vulnerabilities t bjectives nt claimed in the ST. The CEM defines an bvius vulnerability as ne that is easily explited with a minimum f understanding f the TOE, technical sphisticatin and resurces. 5 Architectural Infrmatin This sectin prvides a high level descriptin f the TOE and its cmpnents as described in the Security Target and guidance dcumentatin. The lgical bundary f the TOE includes: The IPv4 / IPv6 netwrk stack in the kernel. The IPsec mdule in user-mde. The IKE and AuthIP Keying Mdules service which hsts the IKE and Authenticated Internet Prtcl (AuthIP) keying mdules. These keying mdules are used fr authenticatin and key exchange in Internet Prtcl security (IPsec). The Remte Access Service device driver in the kernel, which is used primarily fr ad hc r user-defined VPN cnnectins; knwn as the RAS IPsec VPN r RAS VPN. The IPsec Plicy Agent service which enfrces IPsec plicies. The Cryptgraphic Services mdule which cnfirms the signatures f Windws prgram files. Windws Explrer which can be used t create VPN cnnectins and check the integrity f Windws files and updates. The Certificates MMC snap-in which is used when the authrized administratr needs t add a certificate, such as a rt CA r machine certificate, t their certificate stre. 2 The Cmputer Cnfiguratin MMC snap-in which can be used t set the auditing plicy fr the cmputer. The Event Viewer MMC snap-in which is used t view entries in the audit lg. The IP Security Mnitr MMC snap-in which can be used t view active IPsec security assciatins. The IP Security Plicies MMC snap-in which is used t cnfigure IPsec plicies. The Windws Registry t manually set certain prperties fr the RAS interface. The netsh cmmand line applicatin which can be used t manage IPsec settings. The auditpl cmmand line applicatin which can be used t set the auditing plicy fr the cmputer. The sfc cmmand line applicatin which can be used t check the integrity and repair Windws files. 2 Fr cmmn deplyment scenaris manually adding these certificates shuld nt be necessary. 5

10 Micrsft Windws IPsec VPN Client The Get-Authenticde PwerShell Cmdlet which can be used t cnfirm the signatures f Windws prgram files. The fllwing PwerShell Cmdlets t manage IPsec: Get-NetIPsecMainMdeSA Get-NetIPsecQuickMdeSA New-NetIPsecAuthPrpsal New-NetIPsecPhase1AuthSet New-NetIPsecMainMdeCryptPrpsal New-NetIPsecMainMdeCryptSet New-NetIPsecMainMdeRule New-NetIPsecQuickMdeCryptPrpsal New-NetIPsecQuickMdeCryptSet New-NetIPsecRule Set-NetIPsecMainMdeCryptSet Set-NetIPsecQuickMdeCryptSet. Physically, each TOE tablet, wrkstatin, r server cnsists f an ARMv7 Thumb-2, x86 r x64 cmputer. The TOE executes n prcessrs frm Intel (x86 and x64), AMD (x86 and x64), Qualcmm (ARM), r NVIDIA (ARM). A set f devices may be attached as part f the TOE: Display Mnitrs Fixed Disk Drives (including disk drives and slid state drives) Remvable Disk Drives (including USB strage) Netwrk Adaptr Keybard Muse Printer Audi Adaptr CD-ROM Drive Smart Card Reader Trusted Platfrm Mdule (TPM) versin 1.2 r 2.0. While this set f devices is larger than is needed t evaluate IPsec, it is the same set f devices as the General Purpse Operating System Prtectin Prfile evaluatin. By using the same set f devices fr bth evaluatins, cnsumers can gain assurance by using bth cre OS capabilities and IPsec in cmbinatin. The TOE des nt include any netwrk infrastructure cmpnents. 6

11 Micrsft Windws IPsec VPN Client 6 Dcumentatin 6.1 Prduct Guidance The guidance dcumentatin examined during the curse f the evaluatin and delivered with the TOE is as fllws: Micrsft Windws 8, Micrsft Windws Server 2012, Micrsft Windws RT Cmmn Criteria Supplemental Admin Guidance fr IPsec VPN Clients On-line dcumentatin referenced by the Supplemental Admin Guidance 7 Prduct Testing This sectin describes the testing effrts f the Evaluatin Team. It is derived frm infrmatin cntained in the Micrsft Windws 8, Windws RT, Windws Server 2012 Test Reprt and Micrsft Windws 8, Windws RT, Windws Server 2012 Detailed Test Results. Evaluatin team testing was cnducted at the Leids (frmerly SAIC) CCTL in Clumbia, MD. 7.1 Develper Testing The assurance activities in the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients d nt specify any requirement fr develper testing f the TOE. 7.2 Evaluatin Team Independent Testing The evaluatin team devised a Test Plan based n the Testing Assurance Activities specified in the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients. The Test Plan described hw each test activity was t be instantiated within the TOE test envirnment. The evaluatin team executed the tests specified in the Test Plan and dcumented the results in the Micrsft Windws 8, Windws RT, Windws Server 2012 IPsec VPN Client Test Reprt. Tests were executed n all platfrms claimed in the ST, with the exceptin f Windws Server 2012 Datacenter Editin, fr which an equivalence argument t the Windws Server 2012 Standard Editin was prvided. The testing demnstrated the TOE satisfies the security functinal requirements specified in the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients. 7.3 Penetratin Testing The evaluatin team cnducted an pen surce search fr vulnerabilities in the prduct. The pen surce search did nt identify any vulnerabilities applicable t the TOE in its evaluated cnfiguratin, but did identify a general vulnerability f IPsec VPN clients, related t unverified Cmmn Name in X.509 certificates. The evaluatin team determined the tests already specified in the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients were sufficient t test fr this vulnerability, and evaluatin team testing demnstrated the TOE is nt subject t the vulnerability. 8 Evaluated Cnfiguratin The evaluated versin f the TOE is Micrsft Windws 8, Micrsft Windws RT, and Micrsft Windws Server The TOE is delivered by six prduct variants f Windws 8, Windws RT, and Windws Server 2012: Micrsft Windws 8 Editin (32-bit and 64-bit versins) Micrsft Windws 8 Pr Editin (32-bit and 64-bit versins) 7

12 Micrsft Windws IPsec VPN Client Micrsft Windws 8 Enterprise Editin (32-bit and 64-bit versins) Micrsft Windws RT Micrsft Windws Server 2012 Standard Editin Micrsft Windws Server 2012 Datacenter Editin The fllwing security updates and patches must be applied t the abve Windws 8 prducts: All critical security updates published as f February The fllwing security updates must be applied t the abve Windws RT prducts: All critical security updates published as f February The fllwing security updates must be applied t the abve Windws Server 2012 prducts: All critical security updates published as f February Physically, each TOE tablet, wrkstatin, r server cnsists f an ARMv7 Thumb-2, x86 r x64 cmputer. The TOE executes n prcessrs frm Intel (x86 and x64), AMD (x86 and x64), Qualcmm (ARM), r NVIDIA (ARM). Evaluatin testing tk place n the fllwing hardware platfrms: Micrsft Surface RT Micrsft Surface Pr ASUS VivTab RT Dell XPS 10 Dell OptiPlex 755, 3.0 GHz Intel Cre 2 Du E8400, 64-bit. The evaluatin cvered the fllwing mechanisms that invke the IPsec VPN Client: the Remte Access Service (RAS) interface; and the underlying (raw) IPsec interface. 9 Results f the Evaluatin The evaluatin was cnducted based upn the assurance activities specified in the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients, in cnjunctin with versin 3.1, revisin 4 f the CC and the CEM. A verdict fr an assurance cmpnent is determined by the resulting verdicts assigned t the crrespnding evaluatr actin elements. The evaluatin team assigned a Pass, Fail, r Incnclusive verdict t each wrk unit f each assurance cmpnent. Fr Fail r Incnclusive wrk unit verdicts, the evaluatin team advised the develper f issues requiring reslutin r clarificatin within the evaluatin evidence. In this way, the evaluatin team assigned an verall Pass verdict t the assurance cmpnent nly when all f the wrk units fr that cmpnent had been assigned a Pass verdict. The validatin team s assessment f the evidence prvided by the evaluatin team is that it demnstrates that the evaluatin team perfrmed the assurance activities in the Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients, and crrectly verified that the prduct meets the claims in the ST. The details f the evaluatin are recrded in the Evaluatin Technical Reprt (ETR), which is cntrlled by the SAIC CCTL. The security assurance requirements are listed in the fllwing table. TOE Security Assurance Requirements 8

13 Micrsft Windws IPsec VPN Client Assurance Cmpnent ID ADV_FSP.1 AGD_OPE.1 AGD_PRE.1 ALC_CMC.1 ALC_CMS.1 ATE_IND.1 AVA_VAN.1 Assurance Cmpnent Name Basic functinal specificatin Operatinal user guidance Preparative prcedures Labeling f the TOE TOE CM cverage Independent testing - cnfrmance Vulnerability survey 10 Validatr Cmments/Recmmendatins The validatrs d nt have any additinal cmments r recmmendatins regarding the TOE. 11 Annexes Nt applicable. 12 Security Target The ST fr this prduct s evaluatin is Micrsft Windws 8, Micrsft Windws RT, Micrsft Windws Server 2012 IPsec VPN Client Security Target, Versin 1.0, January 23, Bibligraphy 1. Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 1: Intrductin and general mdel, Versin 3.1, Revisin 4, September 2012, CCMB Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 2: Security functinal requirements, Versin 3.1, Revisin 4, September 2012, CCMB Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 3: Security assurance requirements, Versin 3.1, Revisin 4, September 2012, CCMB Cmmn Methdlgy fr Infrmatin Technlgy Security: Evaluatin Methdlgy, Versin 3.1, Revisin 4, September 2012, CCMB Prtectin Prfile fr IPsec Virtual Private Netwrk (VPN) Clients, Versin 1.1, 30 December Micrsft Windws 8, Micrsft Windws RT, Micrsft Windws Server 2012 IPsec VPN Client Security Target, Versin 1.0, January 23,