Compliant Product - Layer 7 SecureSpan Product Suite v4.1
Certificate Date: 13 August 2010
Validation Report Number: CCEVS-VR-VID10207-2010
Product Type: Firewall
Conformance Claim: EAL4 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is the Layer 7 SecureSpan Product Suite 4.1.
The TOE consists of two components, the SecureSpan Gateway and the SecureSpan Manager. The SecureSpan Gateway is a hardware-based XML firewall and service gateway designed to protect Web services and mediate communications between clients and services residing in different identity, security or middleware domains. The SecureSpan Manager is a GUI application that provides the user with an administrative interface to manage the SecureSpan Gateway.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the Layer 7 SecureSpan Product Suite 4.1 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL4 assurance requirements package, augmented with ALC_FLR.2. The product satisfies all of the security functional requirements stated in the Layer 7 SecureSpan Product Suite 4.1 Security Target, when configured and operated as specified in the SecureSpan Administrator Guidance, v4.1CC and SecureSpan User Guidance, v4.1CC.
A validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in June 2010. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10207-2010), prepared by CCEVS.
Layer 7 SecureSpan Product Suite 4.1 provides a moderate level of assurance in a conventional TOE and is suitable for generalized environments with a low level of risk to the applicable assets.
Layer 7 SecureSpan Product Suite 4.1 supports the following security functions:
- Security Audit
The TOE has the capability to generate audit records of management activities performed by an authorized administrator and of information flow control decisions taken by the SecureSpan Gateway component. Generated audit records contain information that includes date and time of event, type of event, the identity of the subject that caused the event, and the outcome (success or failure) of the event. It should be noted that the SecureSpan Gateway provides the timestamp for all audit records.
Access to the audit records is restricted to authorized administrators, thus protecting them from unauthorized modification and deletion. The SecureSpan Manager provides a GUI for an authorized administrator to review the audit records, including searching and sorting the records based on date/time, severity, node identifier, service name, and message text. The TOE also allows an authorized administrator to select which events will be audited. The TOE can also be configured to send SNMP Trap notifications and/or e-mail message notifications. If SNMP Trap notification and/or e-mail message notification assertions are configured, the servers that support this capability are required in the operating environment.
- Cryptographic Support
The TOE implements cryptographic functionality to support SSL that is used to protect communication between the TOE components from disclosure and modification. The TOE also ensures that cryptographic operations are validated in the policy context and the routing decisions are made in that context. The TOE incorporates the Sun Crypto Accelerator 6000 PCI-E Adaptor, which is FIPS 140-2 Level 3 validated (certificate #778).
- User Data Protection
The TOE enforces an information flow control policy on service requests sent by consumers to services (SOAP web services and XML applications) published via the TOE, and on service responses sent by published services to consumers. The information flow does not involve consumers sending messages to other consumers, or web services sending responses to other web services. The TOE enforces the information flow control policy using consumer identities to authenticate the user and policy assertions to validate the content/structure of incoming messages. Accepted messages are routed to the destination service.
- Identification and Authentication
The TOE maintains user IDs, authentication data, and role information for TOE users, and user IDs, authentication data, and groups for web service consumers. The Internal Identity Provider (IIP) users and groups are controlled by the TSF. The IIP is populated during installation and configuration of the TOE. There are two types of users defined in the IIP: those that log on to the TOE (TOE users) and those that only appear in the message traffic (web service consumers). The TOE allows unauthenticated access to Web services on behalf of the user to be performed before the user is successfully identified and authenticated. The TOE also supports multiple authentication methods and credentials, such as passwords and X.509 client certificates.
- Security Management
The TOE supports a number of security management roles that provide for fine-grained control of the security management functions. The users that are assigned to security management roles are considered to be authorized administrators. The TOE provides the authorized administrators with the ability, based on role assignments, to manage the policy assertions, user accounts, and audit function.
- Protection of the TSF
The TOE uses SSL to create a secure channel to protect the communication between the SecureSpan Manager and the SecureSpan Gateway. In addition, the TOE ensures that the TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. The SecureSpan Gateway provides the timestamp for the audit records, while the IT environment is relied upon to provide a reliable timestamp for the SecureSpan Manager component to support its inactivity timeout.
- TOE Access
The TOE provides the capability for the TSF to determine when there is user inactivity and to terminate the session. The user then has to re-authenticate and start a new session.