Validated Product - Boeing Secure Network Server (SNS-3010 and SNS-3210)Certificate Date: 10 May 2007 Validation Report Number: CCEVS-VR-07-0028 Product Type: Guard Conformance Claim: EAL4 Augmented with ALC_FLR.2 PP Identifiers: None PRODUCT DESCRIPTIONThe Boeing Secure Network Server (SNS) provided by The Boeing Company is a network appliance, more specifically a guard that serves to control the flow of information between attached subscriber devices. It is capable of controlling information flows based on information in packet headers, packet contents, and security labels associated with packets and the subscribers. Each subscriber is configured with a sensitivity label range that limits (via Mandatory Access Controls (MAC)) the labels that can be associated with information that can come from or go to a given subscriber. In addition to MAC, the SNS can be configured to limit the flow of information based on packet attributes (e.g., addresses), contents (e.g., XML), and other datagram characteristics as well as to constrain the flow of information to mitigate the potential for covert channels. The information flow policies are managed by SNS administrators that can manage subscriber devices and the policy rules to affect an information flow policy suitable for their specific application.
The Boeing SNS is a network appliance running on a custom kernel that runs on COTS hardware (with a custom BIOS) based on the Intel Pentium 4 processor. The SNS utilizes the Intel Pentium 4 ring architecture to separate its own functions resulting in a well-layered design that implements a least privilege principle. Each appliance supports serial devices (management consoles) and network devices (subscriber devices).
The evaluated configuration consists of hardware and firmware, composing one or more Boeing SNS appliances with one acting as a Network Management (NM) appliance. The distributed components are always synchronized with the NM and are managed from the central NM appliance. Also, the connections among the distributed TOE components must be distinct from the connections to the subscriber devices since the entire connection media must be protected to protect sensitive TOE communications.
SECURITY EVALUATION SUMMARYThe evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Boeing SNS TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3 and International Interpretations effective on November 19, 2003. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2. The product, when configured as specified in the following documents: · Operation and Maintenance Manual, SNS – 3010/3210, Document Number D658-10984-1
· Trusted Facility Manual, SNS – 3010/3210, Document number D658-10974-1
satisfies all of the security functional requirements stated in the Boeing Secure Network Server (SNS-3010 and SNS-3210) Security Target (Version 1.0). Two validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in February 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-07-0028, dated 10 May 2007) prepared by CCEVS.
ENVIRONMENTAL STRENGTHSThe SNS provides five security functions. Each is summarized below..
Security Audit: The Boeing SNS generates audit events for security relevant events, including covert channel indicators. The audit events are stored and protected, and forwarded to the NM for review and archival purposes. The SNS sends warning when the audit storage capacity is nearing or has exceeded its capacity and it can be configured to automatically overwrite events or to stop operations altogether until the situation is remedied.
User Data Protection: The Boeing SNS is designed primarily to control the flow of information between subscriber devices. It enforces a rich set of information flow policies including mandatory access controls based on subscriber sensitivity labels, packet filtering, and content filtering (SMTP, XML, and binary messages). It also provides routing and processing functionality to offer static routing, multicast support, and ICMP.
Identification and Authentication: While all users (administrators) and subscriber devices are identified by the SNS, it also requires that administrators are authenticated at an appropriate management console prior to offering management functions. This is accomplished by managing user definitions, including user identities, roles, and associated authentication data (i.e., passwords).
In order to help mitigate attempts to bypass the authentication mechanisms, the Boeing SNS informs users each time they log in of the last time they successfully logged in, the number of unsuccessful logins that have occurred since the last successful login, and the time of the last unsuccessful login attempt.
Security management: The Boeing SNS offers command line interfaces for the management of the TOE Security Functions. There are three defined roles: Network Administrator (NA), Security Administrator (SA), and Super-SA. The Super-SA primarily manages the administrator accounts, the SA primarily manages the security functions, and the NA primarily manages the general operational capabilities of the TOE. Each administrator must log into the appropriate console before applicable functions can be accessed.
Protection of the TOE Security Functions: The Boeing SNS is designed around a custom operating kernel that makes use of the ring architecture offered by Intel Pentium 4 processors to protect itself and to separate itself to implement a least privilege principle. All traffic flowing through the TOE is subject to its security policies. Furthermore, the TOE includes self tests that run at initial start-up and also periodically when the TOE is operational. The TOE also includes failure detection and recovery features to ensure that it continues to operate correctly when recoverable failures occur and to ensure that it shuts down when necessary when manual recovery becomes necessary.
The Boeing SNS is designed so that a given part of a distributed SNS system can continue to operate properly when some other system components (i.e., other SNSs) fail. It is also designed to limit the throughput of a given device to protect itself and other network components as may be necessary.
Vendor: The Boeing Company Contact: Ryan Hammond Phone: 425.965.1448 Email: ryan.d.hammond@boeing.com CC Testing Lab: SAIC Common Criteria Testing Laboratory |
![[X]](/assets/images/button_close.gif){kind=small}
![[PDF]](http://www.niap-ccevs.org/assets/images/icon_pdf.gif){kind=icon}
