Compliant Product - Xceedium GateKeeper Version 5.2.1
Certificate Date: 25 March 2011
Validation Report Number: CCEVS-VR-VID10350-2010
Product Type: Sensitive Data Protection, System Access Control
Conformance Claim: EAL4 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The TOE is designed to reside between untrusted users on an unprotected network and a protected network. Its purpose is to limit access to the resources on the protected network and provide for management of those resources from a centralized location.
The appliance requires all users to perform authentication to it using an identifier and a password. Once successful logon has occurred, administrators can perform management. When users log into the appliance they are doing so in order to access a device (e.g., service, network device) located on the protected network behind the appliance. Users are subject to an access control policy enforced by the appliance when they attempt to access a protected resource. The access control policy enforced on users is based upon user identity and services provided by the backend device. Users are given access to particular services on specific devices.
- GateKeeper Appliance - The GateKeeper appliance is a rack mounted network device. It provides access control to the devices located on the protected network and provides management interfaces for its policies. The appliance contains an internal database to store its configuration information, access policies, and audit records. The appliance also contains a web server to communicate with administrators managing the appliance via browsers. Within the web server, the appliance implements SSLv3 to support its management connections.
- GateKeeper Agents (Socket Filter Agent) - The GateKeeper agents can run on Windows, UNIX or Linux servers located on the protected network. The purpose of the agents is to further limit access from servers on the protected network to other devices within the protected network in order to enforce audit and access policies. Once users gain access via the policies supported on the appliance, the agents can further limit access by restricting which ports may be utilized to create outbound connections to other resources within the protected environment.
- Management Interface - Management of the TOE is performed by administrators using a Java-enabled web browser. The TOE provides a set of graphical interfaces in which to perform the management functions for the appliance and agents. The TOE also provides an SNMP interface to allow Administrators to retrieve management configuration information.
- GateKeeper Client - A set of Java Applets used by end users to access the GateKeeper Appliance. The clients do not enforce any security policies.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Xceedium GateKeeper 5.2.1 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2, September 2007. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 2, September 2007. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL4 augmented with the ALC_FLR.2 family of assurance requirements. The product, when configured as specified in the Xceedium GateKeeper Administration Guide, satisfies all of the security functional requirements stated in the Xceedium GateKeeper 5.2.1 Security Target, Version 2.9, 3 February 2011. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in March 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10350-2011, dated 25 March 2011.
The security environment assumes physical protection and the TOE itself offers only a very limited interface and can only be configured during initialization, offering essentially no opportunity for an attacker to subvert the security policies without physical access. As such, it is believed that EAL4 augmented with ALC_FLR.2 provides an appropriate level of assurance in the security functions offered by the TOE. Within such environments it is assumed that attackers will have little attack potential. Xceedium GateKeeper 5.2.1 supports the following six security functions:
Security Audit: The TOE Web Server generates audit records related to the authentication and management of the TOE that are stored and protected in an internal database. The TOE records attempts to access itself, such as successful and failed authentication attempts, as well as the actions taken by users once authenticated. The appliance generates audit records for all access control decisions it makes. All auditable actions can be found in the Active Logins, Sessions, Logs and Report interfaces. The Logs Report Parameters screen allows administrator selection of the specific report information to be generated.
Cryptographic Support: The TOE has been FIPS 140-2 evaluated and is configured to run in FIPS mode in the evaluated configuration. The TOE uses SSL for all user communication with the TOE. Users establish an SSL connection to the TOE before submitting a username/password to perform authentication. Users then use the SSL channel to transmit all information to the TOE. The TOE also supports X.509v3 certificate generation and validation.
User Data Protection: The TOE enforces an access control policy that controls access between users and devices. Access to devices is limited based upon the user identifier associated with the requestor and the device service access list. A user can access a given service on a given device only if the device service access control list specifically allows access to the requested service for that device. The TOE also supports two additional policies that can be configured in addition to the basic device access policy: the first limits access to particular sockets on devices, and the second performs keyword filtering on device commands.
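To make the layered policy model concrete (the device service access list, the socket restriction enforced by the agents described earlier, and the keyword filter on device commands), here is an added illustrative model in Python. It is not Xceedium's code and does not reflect GateKeeper's internal data structures; the user, device, service and port values are constructed for the example. Every decision is default-deny (no matching entry means refusal) and is written to an audit list, mirroring the statement that the appliance records all access control decisions it makes.

```python
"""Constructed model of a GateKeeper-style layered access policy.

Added example, not product code. Names such as "alice", "db01" and the
port/keyword values are made up for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditRecord:
    when: datetime
    user: str
    device: str
    subject: str    # service name, outbound port or command text
    decision: str   # "allow" or "deny"
    reason: str     # which policy layer produced the decision


@dataclass
class GateKeeperPolicy:
    # Device service ACL: (user, device) -> services that user may reach there.
    service_acl: dict = field(default_factory=dict)
    # Socket policy (agent side): device -> outbound TCP ports it may open.
    socket_acl: dict = field(default_factory=dict)
    # Keyword filter: device -> command keywords that are rejected.
    blocked_keywords: dict = field(default_factory=dict)
    # Audit trail of every decision, allow or deny.
    audit: list = field(default_factory=list)

    def _record(self, user, device, subject, allowed, reason):
        self.audit.append(AuditRecord(
            datetime.now(timezone.utc), user, device, subject,
            "allow" if allowed else "deny", reason))
        return allowed

    def check_service(self, user, device, service):
        """Basic device access policy: allow only an explicitly listed service."""
        allowed = service in self.service_acl.get((user, device), frozenset())
        return self._record(user, device, service, allowed, "device service ACL")

    def check_outbound(self, user, device, port):
        """Socket policy: the agent permits only listed outbound ports.
        A device with no agent policy gets no outbound connections."""
        allowed = port in self.socket_acl.get(device, frozenset())
        return self._record(user, device, f"tcp/{port}", allowed, "socket filter agent")

    def check_command(self, user, device, command):
        """Keyword filter: reject a command containing any blocked token
        (matched case-insensitively on whitespace-split tokens)."""
        tokens = {t.lower() for t in command.split()}
        hits = tokens & self.blocked_keywords.get(device, frozenset())
        reason = "keyword filter" + (f": {sorted(hits)}" if hits else "")
        return self._record(user, device, command, not hits, reason)


def build_sample_policy():
    """Constructed sample policy used by the checks below."""
    p = GateKeeperPolicy()
    p.service_acl[("alice", "db01")] = frozenset({"ssh"})
    p.service_acl[("alice", "web01")] = frozenset({"https", "ssh"})
    p.socket_acl["db01"] = frozenset({5432})            # db01 may only reach tcp/5432
    p.blocked_keywords["db01"] = frozenset({"rm", "shutdown"})
    return p


def deny_count(policy):
    """Number of denied decisions in the audit trail."""
    return sum(1 for r in policy.audit if r.decision == "deny")


if __name__ == "__main__":
    p = build_sample_policy()
    p.check_service("alice", "db01", "ssh")
    p.check_service("bob", "db01", "ssh")           # no ACL entry: denied
    p.check_outbound("alice", "db01", 22)           # not in socket policy: denied
    p.check_command("alice", "db01", "sudo RM -rf /tmp/x")
    for rec in p.audit:
        print(rec.decision, rec.user, rec.device, rec.subject, "-", rec.reason)
```

The point worth noticing is that each layer can only narrow access: a user who passes the service ACL is still bound by the agent's socket policy on the target host and by the keyword filter on the commands they issue, and a device that has no entry in a layer is denied rather than implicitly permitted.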
Identification and Authentication: The TOE requires users to provide unique identification and authentication data before any access to the system is granted. The TOE supports password, client certificate, and external LDAP authentication. The TOE also maintains security privileges used for role assignments.
Security Management: An authorized administrator is any user that has an administrative privilege. Users with no administrative privileges are simply called users. The TOE is managed through the Administrative modules (Config, Services, Sessions, Users, Devices, Policy), accessed via an SSL web-based interface. Through this interface all TOE management can be performed, including user management and the configuration of IT device access functions. This interface is restricted to authorized administrators, and it provides the administrator the ability to set user attributes and privileges, as well as to assign privileges for different levels of administrative access.
Protection of the TSF: The TOE is a hardware appliance that contains a custom operating system that runs in firmware and supports only trusted processes. The GateKeeper appliance provides no file abstractions or permanent storage accessible to users in which "executables" could remain for later execution. Furthermore, the TOE has been carefully designed to offer well-defined interfaces that ensure that access to protected resources is subject to the applicable GateKeeper security policies. The agents are service processes on Windows or daemon processes on UNIX. In either case, the operating system provides a separate address space for the agent to run in. Additionally, all communication between the appliance and agent is protected using SSL. If the TOE is configured in a cluster and one GateKeeper becomes unavailable, another GateKeeper will automatically start receiving all requests and will maintain a secure state. The TOE also generates timestamps for use within the audit trail, or can optionally obtain time from an NTP server.