Validated Product - CA eHealth Network Performance Manager v5.7 SP9

Certificate Date: 28 January 2009

Validation Report Number: CCEVS-VR-VID10267-2009

Product Type: Network Management

Conformance Claim: EAL2

PP Identifiers: None

CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory

Security Target [PDF]
Validation Report [PDF]
CC Certificate [PDF]

PRODUCT DESCRIPTION

CA eHealth Suite Version 5.7 SP9 unifies and automates performance management of multivendor, multitechnology networks with proactive, real-time analysis, distilling data from disparate sources across all technology silos into clear, predictive and actionable information

EVALUATED CONFIGURATION

The TOE was evaluated on the following platform:

  • Sun SunBlade 1500 running Solaris 2.9
  • 1062 MHz CPU
  • 140 GB Disk Drive
  • 4GB of RAM
  • eHealth Version 5.7 Service Pack 9
  • Apache Web Server v1.3.31 (included in eHealth) with Apache SSL plug-in (from CA Technical Support) installed and configured.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CA eHealth Suite r5.7 SP9 software was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. It has been determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL2. Validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in January 2009.

For this evaluation, it was appropriate for the Security Target to claim compliance with the external standard for OpenSSL-based cryptographic module (mod_SSL). The TOE uses openssl v9.7d for the definition of the encryption algorithm. There are many ways of determining compliance with a standard. CA eHealth Suite Version 5.7 SP9 has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.

ENVIRONMENTAL STRENGTHS

Authorization

eHealth Suite Authorization protects the server resources from unauthorized access. An End User’s capability of accessing pages and files, and running applications or reports are controlled by the corresponding authorization policy.

Authentication

Authentication services are handled internally through passwords. eHealth Authentication is the process of determining the End User’s true identity and mapping them to the appropriate role (i.e., eHealth administrator or End User). This is enforced by the TOE. The end users identity and password is maintained in a web server configuration file stored on the local Solaris file system.

Audit

The TOE generates audit records for selected security events. Events are tracked based on occurrence and who triggered them. As a result, the eHealth System Administrator can utilize the contents of the log files for further processing. A web browser in the TOE environment is required to read the audit records.   The eHealth System Administrator interacts with the TOE from a Remote Workstation. The eHealth System Administrator is required to successfully identify and authenticate themselves to the TOE before being granted permission to review the generated audit information.

Data Protection

The access control features of the underlying operating system protect all the TOE data. Local access is not permitted by any user other than an authorized IT environment administrator that has an account on the local machine. End Users log on to the machine via a Remote Workstation, and are not permitted to edit any of the information stored on the eHealth Server.

Protected Data Transmission

The TOE uses an Apache web-server to support protection of external TOE communication with the users by performing SSL encryption through Apache’s OpenSSL-based cryptographic module (mod_SSL).

Security Management

Security Management is handled by an authorized eHealth Systems Administrator via the Remote Workstation. Access to the Security Management user interface is secured by the core operating system authentication scheme and role based permissions. Administrators are permitted to edit user account attributes and access permissions while end users are denied these privileges.

Vendor Information


CA, Inc.
William F. Clark
703-708-3501
703-708-3683 (Fax)
william.clark@ca.com

http://www.ca.com

--->