Validated Product - CA SiteMinder Web Access Manager r12 SP1-CR3
Certificate Date: 12 June 2009
Validation Report Number: CCEVS-VR-VID10317-2009
Product Type: Network Access Control, System Access Control
Conformance Claim: EAL3 Augmented with ALC_FLR.1, ASE_TSS.2
PP Identifiers: None
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
PRODUCT DESCRIPTION
CA SiteMinder Web Access Manager r12 SP1-CR3 provides an enterprise-scale Web access management system that enables you to control access to Web applications and portals for employees, customers and business partners, both securely and efficiently.

EVALUATED CONFIGURATION
The TOE was evaluated on the following platforms:
Windows Server 2003 SP2:
Red Hat Advanced Server 4.0:
Solaris 10:
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CA SiteMinder Web Access Manager r12 SP1-CR3 software was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 2. It has been determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL3 augmented with ALC_FLR.1 and ASE_TSS.2. Validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in May 2009.

ENVIRONMENTAL STRENGTHS
Authentication
CA SiteMinder supports a broad range of authentication methods including passwords, Integrated Windows Authentication, and X.509 certificates. Authentication methods can also be combined for stronger authentication; for example, a certificate can be required in addition to a password. SiteMinder administrators can also define password policies, and web resource policies based on realms and domains.

Authorization
SiteMinder authorization protects the server resources from unauthorized access. Administrators define policies, rules, and responses to handle the HTTP operations of end users and allow, deny, or redirect the operations accordingly.

Audit
The TOE generates audit records for selected security events. Events are tracked based on occurrence and who triggered them. Audit data is written to local files on the machine on which SiteMinder has been installed. Anyone who wishes to review the audit data must have Administrator (or root) privileges on that machine. SiteMinder can also audit to a central RDBMS, and tools are available to bulk load audit files into the RDBMS audit store.

Data Protection
The access control features of the underlying operating system, LDAP user store, and Oracle database protect all the TOE data. Local access is not permitted by any user other than an authorized IT environment administrator who has an account on the local machine. Administrators manage the TOE remotely using the web-based WAM Admin UI.

Protected Data Transmission
The TOE uses an encryption scheme known as the TLI handshake protocol, which utilizes vendor-asserted AES, AES Key Wrap, and HMAC-SHA256 algorithms to protect data transmitted between the networked components of the TOE.

Security Management
Security Management is handled by a remote administrator using the web-based WAM Admin UI. The local machine onto which SiteMinder is installed contains a Policy Server Management Console, but this is only used for initial configuration of the TOE.

Resource Utilization
A SiteMinder Web Agent can specify multiple clustered Policy Servers to connect to, in order to ensure continued access control to protected resources if there is a failure in any of the clustered Policy Servers.

For more information on CA SiteMinder, refer to the technology brief http://ca.com/files/TechnologyBriefs/siteminder-web-access-manager.pdf
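As an added illustration (not CA's code and not the behaviour of the evaluated TOE), the following Python model shows how the authorization and audit strengths described above fit together: realm-based rules over HTTP operations that allow, deny, or redirect; a combined-authentication requirement (certificate in addition to password) enforced per realm; default deny when no rule covers a resource; and an audit record of who triggered each decision and when, written to a file created with owner-only permissions. The rule set, realm names, role names and redirect paths are constructed for the example, and treating a missing authentication factor as a step-up redirect is an assumption of this model rather than documented SiteMinder behaviour.

```python
"""Toy web access policy model: realms, rules, responses and audit records.

Added example; not CA SiteMinder code. Rule set and paths are constructed.
"""
import json
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Rule:
    realm: str                 # URL prefix the rule protects, e.g. "/intranet/"
    methods: frozenset         # HTTP operations the rule covers
    allowed_roles: frozenset   # roles permitted in this realm
    required_auth: frozenset   # every listed method must be present (password AND x509)
    response: str = "allow"    # "allow" or "redirect" when the request qualifies
    redirect_to: Optional[str] = None


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    auth_methods: frozenset    # how the session authenticated, e.g. {"password", "x509"}
    method: str
    path: str


@dataclass(frozen=True)
class Decision:
    action: str                # "allow", "deny" or "redirect"
    location: Optional[str]
    reason: str


class PolicyServer:
    def __init__(self, rules):
        # The most specific realm (longest prefix) is checked first.
        self.rules = sorted(rules, key=lambda r: len(r.realm), reverse=True)
        self.audit = []

    def evaluate(self, req: Request) -> Decision:
        for rule in self.rules:
            if not (req.path.startswith(rule.realm) and req.method in rule.methods):
                continue
            if not rule.required_auth <= req.auth_methods:
                # Assumption of this model: a missing factor triggers a step-up redirect.
                missing = ",".join(sorted(rule.required_auth - req.auth_methods))
                decision = Decision("redirect", "/login?step=" + missing,
                                    "realm %s requires %s" % (rule.realm, missing))
            elif req.roles & rule.allowed_roles:
                decision = Decision(rule.response, rule.redirect_to,
                                    "matched realm " + rule.realm)
            else:
                decision = Decision("deny", None,
                                    "role not permitted in realm " + rule.realm)
            break
        else:
            # Default deny: a resource that no rule covers is never served.
            decision = Decision("deny", None, "no rule covers resource")
        self._record(req, decision)
        return decision

    def _record(self, req: Request, decision: Decision) -> None:
        # Each event records when it occurred and who triggered it.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "method": req.method,
            "path": req.path,
            "action": decision.action,
            "reason": decision.reason,
        })

    def write_audit(self, path: str) -> int:
        # Create the audit file owner read/write only (0600), so reviewing it needs
        # the owning service account or a local administrator/root account.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "w") as f:
            for record in self.audit:
                f.write(json.dumps(record) + "\n")
        return len(self.audit)


# Constructed rule set for the demonstration.
DEMO_RULES = [
    Rule("/intranet/", frozenset({"GET", "POST"}), frozenset({"staff"}),
         frozenset({"password"})),
    Rule("/intranet/payroll/", frozenset({"GET", "POST"}), frozenset({"staff", "hr"}),
         frozenset({"password", "x509"})),   # certificate required in addition to password
    Rule("/partners/", frozenset({"GET"}), frozenset({"partner"}), frozenset({"password"})),
    Rule("/old-portal/", frozenset({"GET"}), frozenset({"staff", "partner"}),
         frozenset({"password"}), response="redirect", redirect_to="/intranet/"),
]


if __name__ == "__main__":
    import tempfile
    server = PolicyServer(DEMO_RULES)
    print(server.evaluate(Request("alice", frozenset({"staff"}), frozenset({"password"}),
                                  "GET", "/intranet/news")))
    print(server.evaluate(Request("alice", frozenset({"staff"}), frozenset({"password"}),
                                  "GET", "/intranet/payroll/")))
    out = os.path.join(tempfile.mkdtemp(), "siteminder-demo-audit.log")
    print(server.write_audit(out), "audit records written to", out)
```

Run it directly to see a plain allow for the staff realm and a step-up redirect for the payroll realm, where the password-only session lacks the required certificate; every decision, including the default deny for uncovered resources, lands in the owner-only audit file.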