Validated Product - Senforce Endpoint Security Suite Version 3.1.175

Certificate Date: 07 June 2007
Validation Report Number: CCEVS-VR-07-0045
Product Type: Firewall, Network Management, Sensitive Data Protection
Conformance Claim: EAL4 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory

PRODUCT DESCRIPTION

The TOE, Senforce Endpoint Security Suite v3.1.175, is designed to protect computing resources and data assets stored on mobile clients, such as notebook computers and tablet PCs, using centrally managed servers to create and distribute security policies to enforcement components installed on each mobile client. Furthermore, it is designed to protect those resources and assets, regardless of the mobility of the mobile client, by enforcing an appropriate security policy based on the location (or inability to determine the location) of the client. The mobile client enforcement component mediates between external connections, from which it receives secure requests, and internal resources, to which it makes requests on behalf of users. The mobile client enforcement component also mediates between network-based storage, where data resides, and controls writing data to locally-attached storage.

The TOE architecture comprises four main components that are placed at key points within the enterprise architecture: Distribution Server, Management Server, Client Location Assurance Service (CLAS), and Senforce Security Client (SSC). In addition, the TOE includes the Policy Editor, an application that provides the interface for administrators to configure and manage the TOE and to create, edit and publish the security policies that are distributed to endpoint clients.

Each of the TOE components is a software application designed to execute within an operating system context provided by the environment. The three server components (i.e., Distribution, Management, and CLAS) are designed to operate on a Windows 2000 Server SP4 or Advanced Server SP4 or Windows 2003 Server. The CLAS component is designed to co-exist with either of the other server components, or alternately in its own server. The Policy Editor and SSC components are designed to operate on Windows XP SP1, Windows XP SP2, or any Windows 2000 SP4 system.
Alternatively, the Policy Editor can be installed on the same server as the Management Service, or on its own workstation. In addition to basic operating system services, including process, memory, and file management, the TOE also requires access to a database (Microsoft SQL Server 2000 SP4, SQL Server Standard, or SQL Server Enterprise), web server (Microsoft Internet Information Server), web browser (Microsoft Internet Explorer), and secure socket layer (SSL) capabilities.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Senforce Endpoint Security Suite v3.1.175 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2 and International Interpretations effective on 21 May 2004. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL4 family of assurance requirements, augmented with ALC_FLR.2 (Flaw reporting procedures). The product, when configured as specified in Senforce Endpoint Security Suite v3.1 Installation and Quick-Start Guide, version 4.3, satisfies all of the security functional requirements stated in the Senforce Endpoint Security Suite Security Target. One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in April 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-07-0045) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

The evaluation assurance level against which the Senforce Endpoint Security Suite v3.1.175 TOE has been evaluated (EAL4+) provides a moderate to high level of independently assured security in a conventional commodity TOE and is suitable for a generalized environment with a low to medium level of risk to the applicable assets.

The primary security functionality of the TOE is to provide protection of mobile computing assets using centrally managed policies. The client component of the TOE is “location-aware”, so policies can be tailored to the various networking environments the mobile platform typically uses, providing greater or lesser restrictions on device and network access depending on location.

Senforce Endpoint Security Suite provides the following security functions:

User Data Protection – The SSC is installed in each mobile host at various points in the network protocol and file driver layers of the host operating system. The SSC enforces policies retrieved from the Distribution Server to ensure that only appropriate network operations can occur relative to the current environment of the mobile host, whether the traffic is incoming or outgoing, where the traffic is coming from or going to, and also various additional attributes of the network traffic such as transport protocol, network application, etc. The SSC also enforces access policies for a number of devices and resources. In particular, it can restrict access to specific removable media devices and files and directories to read, read/write, or no access. It can restrict execution access to application programs. It can also restrict the use of specific network communication devices (e.g., adapters) and network access points.

Security Audit – Auditing is performed by and initially stays on the SSC until the client “checks-in” with the Distribution Server.
Audit data for a specific SSC is retrieved from the client upon check-in, and check-in frequency is configured by policy and location. When the SSC checks in with the Distribution Server, the adherence and client compliance audit data is collected and stored in a Microsoft SQL database. Subsequently, the Management Server downloads the audit data from the Distribution Server and provides reporting views of this information through a web-based user interface.

Security Management – Security management is primarily performed via the Policy Editor, which is used to manage policies stored on the Management Server and subsequently distributed to client computers via the Distribution Server. The following list summarizes some aspects of the security policy that can be defined and enforced on client computers relative to the current SSC environment:

Cryptographic Support – The Distribution Server and Management Servers are each configured with a shared private/public key pair so that they can communicate using mutually authenticated SSL. Additionally, security policies distributed between the two can be secured with encryption and signed for integrity. The Management Server public key is also provided to each SSC. The SSC initializes itself by establishing an SSL connection with the Management Server to obtain the key used to encrypt policy keys (each policy is encrypted with its own encryption key which is encrypted and distributed with the policy). Once the keys are configured, policies are signed and encrypted by the Management Server so the SSC can verify them before enforcing them. In addition, audit records generated by managed SSCs are encrypted using the Management Server public key so that they can be decrypted only by the Management Server. All cryptographic operations performed by the TOE use the FIPS 140 validated ‘Crypto++’ cryptomodule. Note however that the SSL capabilities provided by the IT environment were not tested as part of the evaluation.

Protection of the TSF – The cryptographic operations, summarized above, are used primarily to protect the security policies when they are being transmitted between the various TOE components to ensure that the client computers ultimately enforce the appropriate security policies. The solution contains various Client Self Defense mechanisms, intended to protect the client component of the TSF from unauthorized manipulation or disabling.