Validated Product - Owl Computing Technologies Data Diode Network Interface Card Version 4

Certificate Date: 01 February 2007

Validation Report Number: CCEVS-VR-07-0018

Product Type: Guard

Conformance Claim: EAL4

PP Identifiers: None

CC Testing Lab: SAIC Common Criteria Testing Laboratory

Maintenance Releases:


PRODUCT DESCRIPTION

The Data Diode network interface card (NIC) is designed and manufactured by Owl Computing Technologies Incorporated. This Data Diode NIC was developed to support higher-level application software packages to provide secure one-way network communications. Owl markets and sells application programs that utilize the Data Diode Technology for specific data transfers.

The TOE is a pair of Owl Data Diode NIC network interface cards.  Each card has two external interfaces.  One external interface is the Peripheral Component Interface which connects to the PCI Bus of the host in which the DDNIC is installed.  The other interface is the fiber optic network connection physically located on the card. The purpose of the Data Diode NIC is to provide assurance that one-way operation occurs at the physical interface between a network sender and receiver.

This Data Diode NIC was developed to support higher-level application software packages to provide secure one-way network communications. Owl markets and sells application programs that utilize the Data Diode Technology for specific data transfers; however, the TOE is only the Data Diode NIC. The information flow policy enforced by the Data Diode NIC does not rely on passwords, authentication, or encryption to protect host data. Rather, the physics of a photo-detector and light emitting diode enforce the TSP.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Owl Data Diode TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0.  Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4.  The product, when configured as specified in the Owl Computing Technologies, Inc., Version 4 Card (type 236) OEM Installation Manual for All Operating Systems, Document Release 01i, 6/09/2006.


One Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC.  The evaluation was completed in February 2007.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (CCEVS-VR-07-0018, dated 01 February 2007) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

The Data Diode modifies a bi-directional Commercial-Off-The-Shelf (COTS) product into a unidirectional optical fiber connection between two networks. The physically modified Asynchronous Transfer Mode (ATM) network interface cards and connecting optical fiber are termed the Data Diode TOE. Each of the ATM adapter network cards has been physically modified, and color-coded red and blue, such that the red card can only receive data, while the blue card can only send data. The Data Diode supports two security functions:

Information Flow: The Data Diode NIC protects itself by not exporting any interface that can be used to modify the Target Security Functions (TSF) of the TOE.  The only interfaces exported for communication are the PCI and the optical interface of the DDNIC.  The PCI interface is not relevant to the TSF.  The optical interface presents Send-Only or Receive-Only capability, as determined by hardware component configurations that are inherent to the Target Security Functions (TSF) of the TOE.  No interface is exported for communication which can significantly alter the operation of the TOE, since the TOE has been manufactured to physically enforce its policies and would have to be physically modified to change its behavior and violate the TOE security policies.  Since the TOE environment is assumed to provide adequate physical protection, it is impossible to breach the unconditional one-way data transfer security policies of the TOE.

Logically, the Data Diode NIC is protected largely by virtue of the fact that its interfaces are limited primarily to supporting network traffic.  While the TOE includes driver software for the Data Diode Network Interface Cards, all TSFs operate at the physical level, which is below the level of protocols or binary logic, so they are unaffected by buffer content or network traffic.  The TOE includes two Data Diode Network Interface Cards that are each connected to a standard PCI slot in a computer and may be connected to each other using fiber optic network interfaces and a fiber optic cable.


Given the assumption that all relevant data must pass through both interfaces (PCI and Optical) of the TOE, and since all information received by the TOE is unconditionally subject to its unidirectional information flow policy, there is no process present to bypass this security mechanism.  There is only one path for information flow through each Owl Data Diode Network Interface Card, and that path only allows unidirectional information flow across the card.  As there is physically only one path available for information flow, that path cannot be bypassed.


For the unidirectional flow to occur across a given DDNIC, the DDNIC must function correctly.  If a DDNIC is not functioning or is malfunctioning, only unidirectional information flow is permitted, or no information flow occurs.  The Send-Only DDNIC only allows information to flow from the host system across the card to the external optical interface.  The Receive-Only DDNIC only allows information to flow from the external optical interface across the card to the host system.


The Owl Data Diode System becomes part of the security domains of the two separate host systems for its own execution.  The Owl Data Diode System works in conjunction with the separation that exists between the security domains of two separate host networks.  The security domain in which each Owl DDNIC is hosted protects the DDNIC from interference and tampering by untrusted subjects.  Furthermore, each DDNIC protects itself by not exporting any interface that can be used to modify the Target Security Functions (TSF) of the DDNIC.  The only interfaces exported are the PCI Bus interface and the optical interface of the DDNIC, which are not relevant to the TSF.  No interface is exported which can alter the operation of the TOE, since the TOE has been manufactured to physically enforce its policies and would have to be physically modified to violate the TSF.

TOE Self Protection: All TOE Security Functions (TSF) in the TOE operate at the physical level, which is below the level of protocols or binary logic, so they are unaffected by buffer content or network traffic.  The Data Diode NIC protects itself by not exporting any interface that can be used to modify the TSF.  The only interface exported directly to the host platforms is the PCI interface of the DDNIC, which is not relevant to the TSF.  Each Data Diode NIC presents only a single Optical interface to the outside world, which is either a Send-Only or a Receive-Only interface, but not both.  The Optical interface interacts with another DDNIC on a separate network, possibly through an ATM switch.


The use of Send-Only or Receive-Only optical interface hardware components is inherent to the TSF, and renders the TSF impervious to software attack.  The TOE has been manufactured to physically enforce its policies and would have to be physically modified to change its behavior and violate the TSF.  Since the TOE environment is assumed to provide adequate physical protection, it is impossible to modify the TOE in a manner that breaches its one-way-only data flow security policy.  While reconfiguration of driver software may result in failure to transmit data in the forward direction, it is impossible to bypass or breach Target Security Functions and transmit data in the reverse direction without physically altering hardware.


Logically, the Data Diode NIC is protected largely by virtue of the fact that its interface is limited primarily to supporting network traffic. The Target Security Functions (TSF) operate at the physical level, which is below the level of protocols or binary logic, so they are unaffected by buffer content or network traffic.

 

Vendor Information

Owl Computing Technologies
Jeffrey Menoher
203.894.9342
203.894.1297 (Fax)
jmenoher@owlcti.com

http://www.owlcti.com