Compliant Product - IronPort Email Security Appliances (ESA), comprising the C160, C370, X1060, and X1070 appliance models, running IronPort AsyncOS software, version 7.1, and the C670 appliance model running IronPort AsyncOS version 7.3
Certificate Date: 01 December 2010
Validation Report Number: CCEVS-VR-010438-2010
Product Type: IDS/IPS
Conformance Claim: EAL2 Augmented with ALC_FLR.2
CC Testing Lab: SAIC Common Criteria Testing Laboratory
- 21 March 2011 - Cisco IronPort Email Security Appliances (ESA) running IronPort AsyncOS versions 7.1 and 7.3
The IronPort Email Security Appliances (ESA) Target of Evaluation (TOE) comprises the Cisco IronPort Systems’ IronPort hardware appliance models C160, C370, X1060, and X1070, running IronPort AsyncOS software, version 7.1, and the C670 appliance model running IronPort AsyncOS version 7.3. Note that version 7.3 of AsyncOS has been specifically created to support use of a FIPS 140-2 validated Hardware Security Module (HSM), which is included only in the C670 appliance model. The vendor asserts the correct implementation of cryptographic algorithms in the appliance models running AsyncOS Version 7.1, which have not been FIPS validated. Otherwise, all appliance models comprising the TOE provide the same security functionality. They differ only in the number and speed of their network connections and their processing capacity (in terms of memory and processor speeds).
The TOE is an IDS System-type product that monitors Simple Mail Transfer Protocol (SMTP) network traffic, analyzes the monitored network traffic using various techniques, and reacts to identified threats associated with email messages (such as spam and inappropriate or malicious content). The TOE handles any traffic it receives on its network interfaces as if it were SMTP—any non-SMTP traffic will produce SMTP command errors. There is a limit to the number of bad commands that can be executed before the TOE drops the connection.
The TOE is designed to serve as the SMTP gateway or Mail Exchanger (MX), providing the Message Transfer Agent (MTA) role in the customer’s network infrastructure. The TOE provides separate physical interfaces allowing it to be connected to separate internal and external networks. The TOE can be configured to monitor email network traffic sent from the internal network to the external network, and vice versa.
The TOE provides capabilities to manage its monitoring, analysis and reaction functions, and controls access to those capabilities through the use of administrative roles with varying security management authorizations. All administrative users of the TOE are required to be identified and authenticated before accessing the TOE’s management capabilities, and administrative actions are audited.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco IronPort TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ALC_FLR.2. The product, when delivered and configured as identified in the IronPort AsyncOS Common Criteria Guide for IronPort Appliances, Version 1.0, October 2010 document, satisfies all of the security functional requirements stated in the Cisco IronPort Email Security Appliances Security Target (Version 1.0). The project underwent one Validation Oversight Panel (VOR) panel review. The evaluation was completed in November 2010. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10438-2010, dated 1 December 2010) prepared by CCEVS.
The logical boundaries of IronPort are realized in the security functions that it implements. These security functions are realized at the IronPort interfaces that service clients and via the administrator commands. Each of these security functions is summarized below.
Security Audit – IronPort generates audit events for the start up and shutdown of audit functions, access to the TOE and System data, all use of the authentication and identification mechanism and all modifications made to the security function configuration, to the values of IronPort data and to the group of users that are part of a role. Authorized users can read all audit information via the CLI. IronPort provides capabilities to sort audit data for review. In the event the space available for storing audit records is exhausted, the product alerts the administrator and commences overwriting the oldest stored audit records.
Cryptographic Support - IronPort provides the cryptographic algorithms and key management capabilities necessary to support Secure Shell (SSH), allowing secure remote administration of the TOE at its CLI. In the C670 appliance model, the cryptographic capabilities are provided by a Cavium HSM, the FIPS 140-2 validated Nitrox XL CN15xx-NFBE FIPS Cryptographic Module (FIPS 140-2 certificate # 1360). In the other appliance models, the cryptographic capabilities are provided by OpenSSL, version 0.9.8k 25 Mar 2009.
Identification & Authentication - IronPort maintains user identities, authentication data, and role information. The product implements a local authentication mechanism for administrators, based on the attributes stored in its own internal database. Additionally, IronPort can be configured to support authentication using an external RADIUS or LDAP server.
Security Management - IronPort provides capabilities to manage its security functions, and controls access to those capabilities through the use of administrative roles with varying security management authorizations. In the evaluated configuration, all security management functions specified in this ST must be performed via the CLI.
TSF Protection – IronPort downloads signature updates over HTTPS. These signature updates are verified using an MD5 (128 bit) hash algorithm, in order to ensure their integrity. The product provides reliable time stamps for its own use, based on its own internal clock and can also be configured to synchronize its time with other computers via an NTP server.
Intrusion Detection - IronPort monitors SMTP network traffic. It performs signature analysis, detection of spam, anti-virus scanning, and application of content filters on collected email network traffic and records corresponding event data. IronPort provides the administrators with capabilities to review the stored event data. In the event the space available for storing event data is exhausted, the product alerts the administrator and commences overwriting the oldest stored event data.