Validated Product - Blue Ridge Networks BorderGuard Centrally Managed Embedded PKI/VPN Firmware Release 6.2 & VPN Manager Application Software Release 2.2

Certificate Date: 09 August 2004

Validation Report Number: CCEVS-VR-04-0071

Product Type: VPN

Conformance Claim: EAL2

PP Identifiers: None

CC Testing Lab: COACT Inc. CAFE Laboratory


PRODUCT DESCRIPTION

The Blue Ridge Networks Centrally Managed PKI Embedded Virtual Private Network (VPN) Firmware Release 6.2 and VPN Manager Application Software Release 2.2 enable multiple sites (enclaves) to communicate securely over an untrusted communication infrastructure (i.e., the Internet). The product provides secure communications combining the best security practices with simplicity of use. Blue Ridge Networks VPN allows access to corporate information from anywhere, at any time, with appropriate security.

The TOE consists of the BorderGuard 3140/4000 Firmware (release 6.2) and the VPN Manager Application Software (release 2.2). The functionality offered by the TOE provides the capability for BorderGuard enclaves to communicate sensitive unclassified information securely with other BorderGuard enclaves. The TOE only provides protection of data in transit over a network. It does not provide security for data stored on enclave systems.

The TOE can encrypt network traffic between peer BorderGuard Cryptoservers running the BorderGuard 3140/4000 Firmware, authenticate an Authorized Administrator via a trusted path, and audit security-relevant events that occur in the TOE. The TOE is intended for use in environments that are restricted to processing information up to and including sensitive unclassified information.

This security target is closely based upon the NIAP-developed Basic VPN Protection Profile (preliminary draft as of July 2002). The principal difference is the TOE definition: whereas the Basic VPN PP defines a distributed managed architecture, the Blue Ridge security target defines a centrally managed VPN. Blue Ridge Networks believes that the expanded TOE better reflects the way customers actually deploy and use VPNs, especially within the U.S. Government. Blue Ridge Networks believes the skill and expertise required to reliably operate a VPN is not available at each site that hosts a VPN appliance. Therefore, these devices are commonly managed remotely over untrusted networks. Blue Ridge Networks believes the Basic VPN PP addresses a remote management model that will not scale.

The proper handling of public keys used for authentication is a core requirement for all other VPN security. The Blue Ridge Networks VPN TOE includes trusted channels among Cryptoservers and the central management station. This expanded TOE scope encompasses all of the elements required for the exchange of public-key certificates used for node authentication.

It should be noted that the default data encryption algorithm (IDEA) for the Cryptoservers is outside the evaluated configuration; therefore users must select AES or 3DES in order to bring the Cryptoservers into the evaluated configuration. Also, the remote access configuration, where the VPN Client software is installed on a remote workstation to allow encrypted communication with a Cryptoserver, was NOT evaluated and the use of this capability, which is discussed in detail in the Administration Guides, removes the system from the evaluated configuration. Finally, the Site-to-Site VPN Administrator's Guide discusses allowing Blue Ridge Networks to act as the VPN Manager for a customer's installation; this option was explicitly removed from the security target for evaluation purposes. Further details on these restrictions on the evaluated configurations are provided in the Validation Report and Security Target.

ENVIRONMENTAL STRENGTHS

The evaluation was performed under the Common Criteria Evaluation and Validation Scheme (CCEVS). The purpose of the evaluation was to demonstrate that the combined Blue Ridge Networks BorderGuard Centrally Managed PKI Embedded Virtual Private Network (VPN) Firmware Release 6.2 and VPN Manager Application Software Release 2.2 product meets the EAL2 security assurance requirements according to the Common Criteria for Information Technology Security Evaluation, Version 2.1 and Part 2 of the Common Methodology for Information Technology Security Evaluation, Version 1.0. A Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by COACT, Inc. CAFE Lab. The evaluation was completed on 23 July 2004. The results of the Blue Ridge Networks BorderGuard Centrally Managed PKI Embedded Virtual Private Network (VPN) Firmware Release 6.2 and VPN Manager Application Software Release 2.2 product evaluation can be found in Blue Ridge Networks BorderGuard Centrally Managed PKI Embedded Virtual Private Network (VPN) Firmware Release 6.2 and VPN Manager Application Software Release 2.2 Validation Report prepared by the CCEVS Validator.

Vendor Information


Blue Ridge Networks
Tom Gilbert
703.631.2797
tom@blueridgenetworks.com

http://www.blueridgenetworks.com
