Compliant Product - Gigamon LLC GigaVUE version 7.2.29
Certificate Date: 14 November 2011
Validation Report Number: CCEVS-VR-VID10451-2011
Product Type: Security Management
Conformance Claim: EAL2 Augmented with ALC_FLR.1
PP Identifiers: None
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
The Security Target (ST) defines the Information Technology (IT) security requirements for the Gigamon LLC GigaVUE version 7.2.29. GigaVUE receives copied network data from an external source (tap or SPAN port) and forwards that copied network data to one or more packet capture or analysis tools based on user-selected criteria. GigaVUE can also copy the network traffic itself when sitting in-line with the network flow. GigaVUE features extensive filtering abilities that enable authorized users to forward precisely customized copied data from many sources to a single tool, from a single source to many tools, or from many sources to many tools.
The TOE was evaluated on the following platforms:
GigaVUE chassis with 10 standard ports and 4 optional additional ports. The standard ports are two 10 Gb ports and eight 1 Gb ports. The four additional optional 1 Gb ports can be inserted as ports or can be replaced with an electrical tap or an in-line bypass tap.
GigaVUE chassis with 4 standard ports and an optional 20 additional ports. There are four optional 10 Gb ports and sixteen optional 1 Gb ports. The additional four 10 Gb ports can house an optical tap, or a stacking module used for stacking multiple TOEs together. The additional twenty 1G ports are inserted via modules. The GigaVUE 420 chassis is expandable to 4 internal 1G modules. Optional modules can include 2 x 1G optical or electrical full duplex taps, 1 x electrical bypass tap, or a 4-port expansion module. All ports can be configured as either a Network or a Tool port with no restrictions or licenses. Hot swappable redundant power supplies and fans are also included.
GigaVUE chassis with 28 ports. This model has twenty-four 10 Gb ports and four 1 Gb ports. This model has 3 blades which can be swapped out: 2 blades, each with 8 expansion ports, and 1 system blade with 4 x 10/100/1000 ports and 8 x 10G ports. Different or optional blades can also be installed with 4 x full duplex taps, which can be either 1G or 10G optical. All GigaVUE ports are available for use as either a Network or a Tool port with no restrictions or licenses. All 10 Gb ports can also be used as 1 Gb ports with the corresponding SFPs; both copper and fiber are supported. Hot swappable redundant power supplies and fans are also included.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. GigaVUE version 7.2.29 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3. It has been determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL2 augmented with ALC_FLR.1. Validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in September 2011.
User Data Protection
The TOE’s core functionality is to forward, flow map and/or filter copied network data to be delivered to specific tools. This is a one-way data flow. The TOE contains a forwarding policy to determine which copied network data is sent to which tools and denies any return path back to the production network from any user or connected tool. The policy is used to control various subjects (TOE interfaces from which information is received and TOE interfaces to which information is forwarded) and objects (copied network data). The TOE accounts for specific security attributes, such as port identifiers, source identity, destination identity, and protocols used. A forward occurs if the network and tool port identifiers are within the rule set, the copied network data security attributes match attributes within a forward policy rule, and the rule specifies that the forwarding is permitted.
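As an added illustration of the one-way forwarding policy described above (not the TOE's own code or configuration): ingress network ports and egress tool ports are the subjects, a copied packet's source, destination and protocol are its security attributes, and a copy is forwarded only when a rule for that network port matches and permits it. Port names, first-match rule order and the sample policy are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    """Copied network data (the object); the fields are its security attributes."""
    src: str    # source identity
    dst: str    # destination identity
    proto: str  # protocol, e.g. "tcp"


@dataclass(frozen=True)
class Rule:
    """One forwarding-policy rule: which tool ports receive matching copies from a network port."""
    network_port: str              # subject: interface the copy arrives on
    tool_ports: FrozenSet[str]     # subjects: interfaces the copy is forwarded to
    src: Optional[str] = None      # None = attribute not constrained by this rule
    dst: Optional[str] = None
    proto: Optional[str] = None
    permit: bool = True

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in
                   ((self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto)))


class ForwardingPolicy:
    def __init__(self, network_ports: Iterable[str], tool_ports: Iterable[str], rules: Iterable[Rule]):
        self.network_ports = frozenset(network_ports)
        self.tool_ports = frozenset(tool_ports)
        self.rules: List[Rule] = list(rules)   # assumption: the first matching rule decides

    def forward(self, ingress: str, pkt: Packet) -> FrozenSet[str]:
        """Return the tool ports that receive this copy; an empty set means it is dropped."""
        if ingress not in self.network_ports:  # one-way flow: nothing arriving on a tool port
            return frozenset()                 # (or an unknown port) has a return path
        for rule in self.rules:
            if rule.network_port == ingress and rule.matches(pkt):
                if not rule.permit:
                    return frozenset()
                return rule.tool_ports & self.tool_ports  # only identifiers in the tool-port set
        return frozenset()                                # default deny: no rule, no forward


def sample_policy() -> ForwardingPolicy:
    """Constructed policy: N1 -> T1+T2 for TCP, N1 drops UDP, N2 -> T1 for everything."""
    return ForwardingPolicy(
        network_ports={"N1", "N2"}, tool_ports={"T1", "T2"},
        rules=[Rule("N1", frozenset({"T1", "T2"}), proto="tcp"),
               Rule("N1", frozenset(), proto="udp", permit=False),
               Rule("N2", frozenset({"T1", "T9"}))])  # T9 is not a defined tool port, so it is ignored
```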
The TOE contains mechanisms to generate audit data based upon successful and unsuccessful management actions initiated by all authorized users of the TOE. The TOE explicitly allows all roles to read audit data within the TOE. The TOE contains mechanisms to determine whether a potential security violation has occurred by monitoring audit events for a change to the TOE’s configuration file, a firmware update, a module change, a change in port link status, failed authentication attempts, and a TOE reset. When any of these events occurs, the TOE sends an SNMP trap.
Cryptographic Support
The TOE provides mechanisms to generate and destroy the cryptographic keys used to set up the SSH connection. The evaluated configuration requires the generation and use of 2048 bit RSA keys only. Super users must upload third-party 2048 bit RSA key pairs signed by a key authority for use in communication through the GUI (HTTPS). When keys are uploaded or generated, the old keys are overwritten. The evaluated configuration of the TOE then uses AES in CBC mode with SHA-1, using 256 bit keys (HTTPS) or 128 bit keys (SSH), to encrypt the data within TOE trusted paths and channels.
Identification and Authentication
All TOE users must be identified and authenticated before performing any TSF-relevant actions. In addition to native username/password authentication, the TOE supports RADIUS and TACACS+ integration. When enterprise authentication is used, all user data is stored on the enterprise authentication server, and the TOE queries the user data it needs to authenticate users and create user sessions. All native user accounts must meet specific password complexity requirements: passwords must be 8 to 30 characters and contain at least one number, one upper case letter, one lower case letter, and one special character (ASCII 0x21-0x2f inclusive).
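An added check (not the TOE's own code) that applies the native-account password rules quoted above exactly as stated, taking "special character" to mean only the ASCII range 0x21-0x2f; that reading is an assumption, and it means a character such as "@" (0x40) does not satisfy the rule.

```python
from typing import List

# Assumption: "special character" is exactly the ASCII range 0x21-0x2f quoted in the listing.
SPECIAL = frozenset(chr(c) for c in range(0x21, 0x30))  # ! " # $ % & ' ( ) * + , - . /
DIGITS = "0123456789"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"


def password_problems(pw: str) -> List[str]:
    """Return the complexity rules a native-account password fails; empty list = acceptable."""
    problems = []
    if not 8 <= len(pw) <= 30:
        problems.append("length must be 8 to 30 characters")
    chars = set(pw)
    if not chars & set(DIGITS):
        problems.append("needs at least one number")
    if not chars & set(UPPER):
        problems.append("needs at least one upper case letter")
    if not chars & set(LOWER):
        problems.append("needs at least one lower case letter")
    if not chars & SPECIAL:
        problems.append("needs at least one special character in ASCII 0x21-0x2f")
    return problems
```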
The TOE maintains three distinct roles for user accounts: Super, Normal, and Audit. These roles determine the scope of management functions available to the user. The Super role has access to all TOE management functionality. The Normal role can perform read operations and can modify the TOE’s forwarding policy. The Audit role can perform read operations only.
Lock-Levels – Specific lock-levels (none, medium, high) exist to further describe what actions are available to Normal users. The “none” lock-level allows all network and tool ports to be assigned by any Super or Normal user. The “medium” lock-level requires the tool port to be owned by the Normal user before allowing an action. The “high” lock-level requires both the network and tool ports to be owned by the Normal user before allowing an action.
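An added decision function (not the TOE's own code) that combines the three roles above with the three lock-levels for one management action, assigning a network port to a tool port. It assumes that port ownership is a simple port-to-user map and that lock-levels constrain Normal users only, leaving Super users unrestricted; both are assumptions for the example.

```python
from typing import Dict

ROLES = ("Super", "Normal", "Audit")
LOCK_LEVELS = ("none", "medium", "high")


def may_assign_ports(role: str, user: str, lock_level: str,
                     network_port: str, tool_port: str, owners: Dict[str, str]) -> bool:
    """Decide whether `user` may assign network_port -> tool_port in the forwarding policy.

    `owners` maps a port identifier to the user that owns it (assumption: unowned ports are absent).
    """
    if role not in ROLES or lock_level not in LOCK_LEVELS:
        raise ValueError("unknown role or lock-level")
    if role == "Audit":                 # read operations only
        return False
    if role == "Super":                 # assumption: lock-levels constrain Normal users only
        return True

    def owns(port: str) -> bool:
        return owners.get(port) == user

    if lock_level == "none":            # any Super or Normal user may assign any port
        return True
    if lock_level == "medium":          # the tool port must be owned by this Normal user
        return owns(tool_port)
    return owns(tool_port) and owns(network_port)   # high: both ports must be owned
```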
Protection of the TSF
The TOE maintains accurate system time to provide accurate timestamps on audit and system records.
The TOE provides fault tolerance by ensuring that the flow of network traffic is unaffected when used in a tap configuration in the event of TOE or CPU failure. However, copied network data that has been configured to flow from a network port to a tool port will cease in the event of a TOE or CPU failure.
All users are shown a configurable banner before being allowed to authenticate to the TOE. The TOE revokes a user session after a user-definable amount of time has passed without an action being performed within the active session. This timeout varies based upon whether the GUI or CLI was used to access the TOE. The TOE also allows all users to terminate their own sessions by logging out.
Connections to and from the TOE are protected using the standards defined within the Cryptographic Support section. Trusted paths are used to secure all user sessions to the GUI or CLI, and trusted channel connections are protected from modification and disclosure by using these cryptographic methods.