CCEVS Approved Assurance Continuity Maintenance Report



Similar documents
McAfee Endpoint Encryption 7.0

McAfee Endpoint Encryption for PC 7.0

McAfee Drive Encryption Software

McAfee Drive Encryption 7.1.0

McAfee Endpoint Encryption 7.0 Patch 1 Software

McAfee EETech for Mac 6.2 User Guide

McAfee Endpoint Encryption 7.0 for PC with McAfee epolicy Orchestrator 4.6 Common Criteria EAL2+ Security Target

McAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012

Kaspersky Lab s Full Disk Encryption Technology

ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference. May 2016

Windows Symantec Encryption Desktop (PGP) Install Guide. Symantec Encryption Desktop (PGP) Windows system requirements

YubiKey Integration for Full Disk Encryption

USB Portable Storage Device: Security Problem Definition Summary

Trustworthy Computing

HP Commercial Notebook BIOS Password Setup

McAfee epolicy Orchestrator * Deep Command *

Utimaco SafeGuard Easy Installation Instructions for Notre Dame installer v2.5

McAfee Endpoint Encryption for PC 7.0

GPT hard Disk Drives. For HP Desktops. Abstract. Why GPT? April Table of Contents:

USB Portable Storage Device: Security Problem Definition Summary

Sophos SafeGuard Disk Encryption, Sophos SafeGuard Easy Demo guide

Full Disk Encryption Agent Reference

Leading by Innovation McAfee Endpoint Security The Future of Malware-Detection: Activate protection on all Layers outside the Operating System

McAfee Endpoint Encryption (SafeBoot) User Documentation

ERNW Newsletter 42 / December 2013

Session ID: Session Classification:

Check Point FDE integration with Digipass Key devices

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

How Endpoint Encryption Works

Full Drive Encryption Security Problem Definition - Encryption Engine

SecureDoc Disk Encryption Cryptographic Engine

How to Encrypt your Windows 7 SDS Machine with Bitlocker

Remote Deposit Capture Installation Guide

McAfee Endpoint Encryption 7.0 Users Guide and FAQ

CardOS API V3.2. Standard cryptographic interface for using applications with CardOS smart cards

Digital Signatures on iqmis User Access Request Form

Intel Cyber Security Briefing: Trends, Solutions, and Opportunities. Matthew Rosenquist, Cyber Security Strategist, Intel Corp

Certification Report

Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media?

UEFI on Dell BizClient Platforms

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

SafeGuard Enterprise User help. Product version: 7

The client transfer between epo servers guide. McAfee Drive Encryption 7.1.3

SafeGuard Enterprise User help. Product version: 6.1

Firmware security features in HP Compaq business notebooks

Forcepoint Sidewinder, Virtual Appliance Evaluation for Desktop. Installation Guide 8.x. Revision A

UEFI Implications for Windows Server

Backup Manager Configuration and Deployment Guide. Version 9.1

Kingston KC300 Security Toolbox

UNCLASSIFIED CPA SECURITY CHARACTERISTIC SOFTWARE FULL DISK ENCRYPTION. Version 1.1. Crown Copyright 2011 All Rights Reserved

Backup & Recovery. 10 Suite PARAGON. Data Sheet. Automatization Features

Encrypting with BitLocker for disk volumes under Windows 7

SafeGuard Easy startup guide. Product version: 7

New Lab Upgrading Vista to Windows 7 Brought to you by RMRoberts.com

Innovative Secure Boot System (SBS) with a smartcard.

ProtectDrive. User Manual Revision: B00

Get Success in Passing Your Certification Exam at first attempt!

Enova X-Wall XO Frequently Asked Questions--FAQs

Support for the HIPAA Security Rule

Information Systems Services. SafeGuard Enterprise. enc. Device Encryption (DE) Installation V /11/2010

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

SafeGuard Enterprise Web Helpdesk

Symantec Endpoint Encryption Installation Guide

BEST PRACTICES. Encryption.

University of Rochester Sophos SafeGuard Encryption for Windows Support Guide

SecureD Technical Overview

POC Installation Guide for McAfee EEFF v4.1.x using McAfee epo 4.6. New Deployments Only Windows Deployment

SecureDoc for Mac v6.1. User Manual

ACER ProShield. Table of Contents

Protection Profile for Full Disk Encryption

Full Disk Encryption Pre-Boot Authentication Reference

Transition from PATA optical disc drives to SATA optical disc drives

Navigating Endpoint Encryption Technologies

Strategies for Firmware Support of Self-Encrypting Drives

installing UEFi-based Microsoft Windows Vista SP1 (x64) on HP EliteBook and Compaq Notebook PCs

Recover Tab & RecoverAssist User Guide

EMBASSY Remote Administration Server (ERAS) Administrator Manual

ViPNet ThinClient 3.3. Quick Start

VMware Horizon FLEX User Guide

Introducing etoken. What is etoken?

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) (Eeff) 4

ADSelfService Plus: 3rd party Winlogon Client Software Support

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Yale Software Library

Client side. DESlock + Data Encryption

2014 All Rights Reserved ecfirst. An ecfirst Case Study: Encryption

DriveLock and Windows 7

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Endpoint Encryption for PC 6.2

Disk Encryption. Aaron Howard IT Security Office

McAfee DAT Reputation Implementation Guide. Version 1.0 for Enterprise

DriveLock and Windows 8

Citrix Password Manager, Enterprise Edition Version 4.5

BIOS Update SOP. Updating BIOS under Windows Mode for Intel Series (PXX/ZXX/X79)... 2

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

ICT Professional Optional Programmes

Certification Report

Advanced Diploma In Hardware, Networking & Server Configuration

Implementing McAfee Device Control Security

Transcription:

Record ID: VID10486-0004-ACMR TM CCEVS Approved Assurance Continuity Maintenance Report Product: Orchestrator 4.6 EAL: 2 augmented with ALC_FLR.3 Date of Activity: 25 March 2013 References: Documentation Updated: Common Criteria Evaluation and Validation Scheme - Assurance Continuity: Guidance for Maintenance and Re-evaluation, Version 2.0, September 8, 2008 Orchestrator 4.6 Impact Analysis Report, Version 1.0, 18 February 2013 Orchestrator 4.6 Common Criteria EAL2+ Security Target, 9 February 2013, version 017 Orchestrator 4.6 Common Criteria EAL2+ Configuration List, 18 February 2013 Orchestrator 4.6 Common Criteria EAL2+ Functional Specification, 09 February 2013, version 003 Product Guide McAfee Endpoint Encryption 7.0 For use with epolicy Orchestrator 4.6 Software, 2012 Orchestrator 4.6 Common Criteria EAL2+ Administrative Guidance and Preparative Procedures Supplement, 09 February 2013, version 004 McAfee Endpoint Encryption for PC with McAfee epolicy Orchestrator Common Criteria EAL2+ Functional Test Specification Win7 x86, 10 February 2013, version 002 McAfee Endpoint Encryption for PC with McAfee epolicy Orchestrator Common Criteria EAL2+ Functional Test Specification Win8 x64, 13 February 2013, version 002 I. Introduction On 18 February 2013, McAfee submitted an Impact Analysis Report (IAR) for Endpoint Encryption PC v7.0 with McAfee epolicy Orchestrator 4.6 to CCEVS for approval. The IAR is intended to satisfy requirements outlined in Common Criteria Evaluation and Validation Scheme - Assurance Continuity: Guidance for Maintenance and Reevaluation, Version 2.0, September 8, 2008. In accordance with those requirements, the IAR describes the changes made to the certified TOE, the evidence updated as a result of the changes, and the security impact of the changes. 1

II. Changes to the TOE The primary reason for the Assurance Continuity activity for MEE PC 7.0 is the support of Windows 8 Endpoint PC clients. The most important change in the MEE PC 7.0/ePO 4.61 TOE (from MEE PC 6.2/ePO 4.62) is: Windows 8 support There are two variants of the product configuration supported on Windows 8 Legacy BIOS Preboot environment This configuration is the same as that used for Windows 7 as certified for MEE 6.2 (as detailed in [MEE62_ST]). This configuration uses the FIPS validated crypto libraries as used in the MEE PC 6.2 evaluation specified in [MEE62_ST]. Therefore, this change is considered to be UEFI Support in Preboot environment This configuration uses a new boot process, PBA environment and crypto library and hence is not supported in the evaluated configuration and this change is considered to be The following enhancements have been made to the MEE PC 7.0 firmware between MEE PC 6.2 and MEE PC 7.0: MEE Out of Band Management There are three new features providing Out Of band management (Remediation, Unlock PBA and User Management) that rely on the AMT chip. Use of these features is not supported in the evaluated Therefore, these changes are considered to be Near native performance This relates to the improvements to an AES-NI algorithm, applied to the new crypto libraries. These new crypto libraries are not used in the evaluated configuration, which requires the product to the installed in FIPS mode (which installs the FIPS validated crypto libraries integrated in MEE 6.2, as specified in [MEE62_ST]). Therefore, this change is considered to be Hardware entropy source This relates to the crypto libraries use of Intel RdRand instruction as a source of entropy. These new crypto libraries are not used in the evaluated configuration, which requires the product to the installed in FIPS mode (which installs the FIPS validated crypto libraries integrated in MEE 6.2, as specified in [MEE62_ST]). Therefore, this change is considered to be Offline Activation This functionality is used when a 3rd party is responsible for provisioning a machine with an encrypted hard disk. As the 3rd party does not have access to epo, this provides a method of protecting the created DEK. 2

However, use of this offline activation feature is not supported in the evaluated Therefore, this change is considered to be Support of biometric tokens for authentication The support of tokens for authentication was provided in MEE PC 6.2. This change just extends the list of supported tokens. Therefore, this change is considered to be EEGo This new tools spiders the network, querying connected workstations/laptops to report any incompatibility or potential issues with installing MEE PC on the workstation/laptop. This tool is used prior to installation of the TOE on the workstation/laptop and is not relevant to any of the security functional requirements specified in [MEE62_ST]. Therefore, this change is considered to be Pre-boot Smart Check This policy option runs at activation time iterating through possible configurations of MEE (in accordance with specified policies) prior to encrypting the workstation disk to ensure the disk is not encrypted when there is a compatibility issue with the configuration of the workstation that may render the data inaccessible. Once a good configuration is found, it is used thenceforth. If no good configuration is found, MEE is deactivated. Use of this policy option is not supported in the evaluated configuration, and therefore, this change is considered to be WACOM support Support of serial WACOM driver for use of a tablet pen during preboot was provided in MEE 6.2. This extends that support for use of USB pens also. This change does not relate to any of the security functionality as specified in [MEE62_ST]. Therefore, this change is considered to be GPT Drive support In MEE 6.2 the address space for disk access was limited to 32 bits, meaning disks larger than 2.8TB were not supported. In MEE 7.0 the 32 bit integer has been extended to a 64 bit integer to support large GPT drives. The mechanism for disk access is unchanged, only the size of integer used for LBA addressing has increased (32 to 64 bits). Therefore, this change is considered to be Export recovery information based on Disk Keycheck The ability to export a DEK was available via an API in MEE 6.2. This change has merely added the capability to the epo UI. The same data is available for export through this MEE 7.0 epo extension interface, and the key is exported using the same file format. Therefore, this change is considered to be Require Endpoint Encryption Logon This functionality has been removed (this does not relate to MEE pre-boot authentication; but rather it relates to MEE s Credential Provider and GINA which provided Windows authentication). This change does not affect any of the security functionality specified in [MEE62_ST] and therefore is considered to be Enhanced Administrator Recovery This functionality relates to the information that can be gained during pre-boot. If the user forgets their password 3

and needs to go through administrator controlled recovery using the MEE Out-ofband Management password recovery (item, above), the machine ID can be gained from the pre-boot About screen in order to help the administrator to identify the machine to manage. This data is not considered to be sensitive and therefore, this change is considered to be Encryption Status Monitor During encryption of the disk (following installation) a status window can be displayed. This status window has been enhanced to display the percentage of disk encryption completed. This data is not considered to be sensitive and the enhancement is security irrelevant to the disk encryption function that is in progress at the time (it is unable to affect the behavior of the function performing the disk encryption). Therefore, this change is considered to be WinPE4 WinPE4 is required for UEFI. As support of UEFI platforms is not supported in the evaluated configuration (see item #1 above), this functionality is not available in the evaluated configuration and is therefore considered to be Crypto for (UEFI platforms for) Windows 8 The crypto libraries used for UEFI platforms have been modified (these libraries have not yet been through FIPS validation). However, as support of UEFI platforms is not supported in the evaluated configuration (see item #1 above), these libraries are not available in the evaluated Therefore, this change is considered to be Re-organisation of Guides The scope of the Product Guide and the Scripting Guide have been extended to cover MEE PC 7.0 and any platform specific documentation needed for MEE Mac 7.0.. Additional information relating to installation (including offline installation), use of biometric tokens and recovery have been provided in the Product Guide. The reorganization of the product guides and the additional information required to support the minor changes in MEE PC 7.0 as described above are considered to be The following enhancements have been made to epo 4.6 firmware between epo 4.6 patch 2 and epo Patch 4: epo Improved Dashboards The colors and fonts used in the epo Dashboards have been updated to increase legibility. The MyAverts Threat Advisory dashboard has been replaced with the McAfee Labs dashboard to provide accurate information from McAfee Labs and multiline charts can be sorted by value. None of these changes relate to the security functionality specified in [MEE62_ST]. Therefore, these changes are considered to be epo corrections Releases 4.6.3 and 4.6.4 of epo incorporate a number of corrections to documented epo functionality. As these changes are to correct the implementation and behavior of epo to match the documented design, these changes are considered to be 4

III. Analysis and Testing The test cases used for the original evaluation were successfully re-run with slight modifications to cover new biometric identification credentials and the new operating system. The vendor analysis shown in Section II supports the conclusion that only minor security affects to the evaluated configuration have resulted from the product updates. IV. Conclusion This maintenance activity covers the assessment of the evaluation impact of the changes applied to Orchestrator 4.6. The listed changes for Orchestrator 4.6 show that small changes to the I&A functionality and the addition of a new supported operating system. Therefore the conclusion is that the changes are acceptable under the assurance maintenance program. The following additional guidance is provided to emphasize which features should not be used in the evaluated configuration as the result of these changes. See the updated ST and guidance document for further details. UEFI Support in Pre-boot environment should not be used in the evaluated - WinPE4 is not available without UEFI MEE Out of Band Management should not be used in the evaluated The product should only be used in the FIPS mode which means the new features of improved or extended crypto use cannot be used in the evaluated configuration: Near native performance Hardware entropy source Crypto for (UEFI platforms for) Windows 8 Offline Activation should not be used in the evaluated Pre-boot Smart Check should not be used in the evaluated In addition, it is important for the user of this product to review the original Validation Report Sections 4 and 10 and the new ST to understand the limitations on the evaluated 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information