PRODUCT DESCRIPTION

The TOE, SecureWave Sanctuary Application Control Desktop version 2.8, is a three-tiered client/server application that provides the capability to centrally control the programs and applications users are able to execute on their client computers. The TOE controls authorization of applications and executable files by maintaining a database of hashes of approved executables. When a user logs on to a client that is protected by the TOE, the TOE client driver contacts the server and downloads the list of authorized hashes. Whenever the user attempts to execute a file on the client, the TOE client driver intercepts the execution request at the operating system level, calculates the hash value of the file and searches for a match in the list of authorized hashes. If a match is found, execution of the file proceeds; otherwise, execution is blocked.

The three tiers of a Sanctuary Application Control Desktop (SACD) deployment comprise:

• An SQL database — the database management system (Microsoft SQL Server 7.0 or higher, or MSDE version 1.0 or 2000) and underlying operating system (Windows 2000 Server or Professional, Windows XP Professional, or Windows Server 2003) are in the TOE environment
• One or more servers — the Sanctuary Application Server (SXS) runs as a service on the underlying operating system (Windows 2000 Server or Professional, or Windows Server 2003)
• A client kernel driver (SXD) that is installed on each of the client computers to be protected. Client kernel drivers are available for the following operating systems: Windows NT4 SP6a Server or Workstation; Windows 2000 Server or Professional; Windows XP Professional; or Windows Server 2003.

An administrative toolkit, comprising a GUI-based application (the SecureWave Management Console, or SMC) and various command-line tools, also operates in the client tier, and is supported on Windows 2000 Server or Professional, Windows XP Professional, or Windows Server 2003.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the SecureWave Sanctuary Application Control Desktop version 2.8 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1 and International Interpretations effective on 22 August 2003. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 family of assurance requirements. The product, when configured as specified in “Sanctuary Application Control Desktop Setup Guide”, satisfies all of the security functional requirements stated in the SecureWave Sanctuary Application Control Desktop Security Target. One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in June 2006. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-06-0052) prepared by CCEVS.

For this evaluation, it was appropriate for the Security Target to claim compliance with the external standard for RSA and SHA for the definition of the encryption algorithm. There are many ways of determining compliance with a standard. SecureWave Sanctuary Application Control Custom Edition has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.

ENVIRONMENTAL STRENGTHS

SecureWave Sanctuary Application Control Desktop version 2.8 provides a low to moderate level of independently assured security in a conventional TOE and is suitable for both commercial and government IT environments that require control over the applications and executable files utilized by the users on the computer systems.

The primary security functionality of the TOE is to provide a centrally-managed capability for controlling the applications and executable files users in a networked environment are authorized to run. This capability is provided through the combination of the following security functions:

• User Data Protection

  The fundamental rule used within the TOE is to allow only the use and/or execution of known and authorized executables and deny all else. In other words, the TOE does not use a “black list” of what is to be prevented. It only uses a “white list” of what is authorized; everything else is denied by default. The product also authenticates, at every attempt to initiate, that the “authorized” executable is valid.

  The TOE provides two methods for granting access to authorized executable files. One is based on matching the SXD-generated file hash to the centrally authorized hash assigned to an executable file. In addition, the administrator can grant specific users the privilege to locally authorize executable files on their client computer.

  The second method is the use of Path Rules that grant access to executable files and/or file directories on the client computer based on a their location within the directory hierarchy.

• Cryptographic Function

  The TOE uses the SHA-1 algorithm to create the hashes that are assigned to each executable file and that are created from the contents of the file. On the client computers, SHA-1 is used to create hashes from the files the user attempts to execute. The resulting hashes are used for comparison against the authorized file hashes.

  The TOE digitally signs the listings retrieved by the application server from the database and sent to the client computers, using the RSA asymmetric algorithm and a private key generated for the application server. The client component verifies the signature using the application server’s public key and rejects the hash lists if it cannot verify the signature.

• Security Management

  The TOE provides the tool sets that are used by the administrator to manage and configure the TOE security functions. These functions include authorizing executable files, the ability to manage and review the audit and log records, and the management of the access control policy.

• Resource Utilization

  The TOE ensures that its access control policy is always enforced even if the client computer loses communication with the SXS. The client component of the TOE stores the listing of the file hashes on the client computer. In the event the client is unable to connect to the SXS component, the client uses the most recently downloaded list of file hashes to enforce the access control policy when a user attempts to access an executable file.

• Security Audit

  The TOE records the actions that occur at the administrator and the client driver components. All administrative actions performed by the SMC are audited by the TOE. The SXD logs the actions of the client on the client computer. These logs are stored and protected by the operating environment of the client computer until they are transferred to the SXS, where they are stored and protected by the SecureWave database in the SXS operating environment.

• Protection of the TSF

  The TOE implements security mechanisms to detect any tampering of the listing of file signatures and path rules that may have occurred during transmission of the listing from the SXS to the client’s computer and the enforcement of the access control policy.

Vendor Information

Lumension Security (formerly SecureWave)
Dee Liebenstein
+1 (703) 713-3960
Dee.Liebenstein@lumension.com

http://www.lumension.com