NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Motorola Network Router, S6000 and GGM 8000 with EOS version 16.9

Certificate Date:  2017.03.23

Validation Report Number:  CCEVS-VR-VID10738-2017

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 1.0

CC Testing Lab:  UL Verification Services Inc. (Formerly InfoGard)

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The Motorola Network Device models S6000 and GGM 8000 provide a flexible routing solution for integrated data, voice and virtual private network (VPN) applications. 

The GGM 8000 platform is suitable for use as edge routers for analog and digital voice systems as well as remote radio frequency (RF) site routers in digital voice systems. The GGM 8000 may include up to 2 V.24 modules that allow the processing of digital voice, Voice over IP (VoIP). When combined with the analog conventional pluggable module (E&M), the GGM 8000 is also suitable as a Conventional Channel Gateway (CCGW) in a Motorola ASTRO® 25 trunked radio communication network. In this role, the TOE exchanges call control traffic via communication with peer devices with ASTRO® 25 controllers.

The GGM 8000 and S6000 series are suitable as a Wide Area Network (WAN) interface for radio communications network transport systems or as a Core/Edge Network Device. 

The GGM 8000 and S6000 series can also be used to maintain connectivity among small, midsize, and large Local Area networks via a wide variety of WAN services and accommodates extensive virtual port tunneling capabilities with data compression and high speed processing.

When used in the network core, the GGM 8000 and S6000 supply high speed, scalable performance for WAN concentration, virtual private network (VPN) tunnel termination, and efficient bandwidth utilization. However the S6000 concentrates T1/E1 or T3/E3 internet traffic at the network core, enabling multiple secure tunnels to be maintained through the public network to many remote locations simultaneously.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. The criteria against which the Motorola Network Router was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. UL Verification Services Inc. (UL) determined that the product is conformant to requirements in the collaborative Protection Profile for Network Devices, Version 1.0, dated 27 February 2015. The product, when delivered configured according to the administrative guidance documentation provided with the product, satisfies all of the security functional requirements stated in the Motorola Network Router Security Target. Three validators, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by UL. The evaluation was completed 2017-03-22. Results of the evaluation can be found in the Common Criteria NDcPP Assurance Activity Report for Motorola Network Router, prepared by UL.

Environmental Strengths

The logical boundary of the TOE includes those security functions implemented exclusively by the TOE. These security functions are described below. A more detailed description of the implementation of these security functions are provided in Section 7 “TOE Summary Specification” of the Motorola Network Router Security Target v1.1. All TOE features not described are not within the scope of this certification.


  • The TOE will audit all events and information defined in Table 11: Auditable Events of the Security Target.
  • The TOE will also include the identity of the user that caused the event (if applicable), date and time of the event, type of event, and the outcome of the event.
  • The TOE protects storage of audit information from unauthorized deletion.
  • The TOE prevents unauthorized modifications to the stored audit records.
  • The TOE can transmit audit data to an external IT entity using IPsec protocol.

Cryptographic Operations

  • The TSF performs the following cryptographic operations:
  • SSH with AES-CBC-128 or AES-CBC-256 for protection of remote administrative sessions.
  • IPsec with AES-CBC-128 or AES-CBC-256 for protection of communication paths with RADIUS, Syslog, and NTP hosts/servers.

The TSF zeroizes all plaintext secret and private cryptographic keys and CSPs once they are no longer required.

Identification and Authentication

  • The TSF supports passwords consisting of alphanumeric and special characters. The TSF also allows administrators to set a minimum password length and support passwords with 15 characters or more.
  • The TSF requires all administrative-users to authenticate before allowing the user to perform any actions other than:
    • Viewing the warning banner
    • ARP
    • ICMP
    • Routing Services
    • BFD Send
    • DHCP Services
    • SSH
    • IPDV (port UDP/49402)
    • RSVP ( port UDP/1698)
    • NTP (port UDP/123)
  • The TSF allows for authentication via password or public-key infrastructure (PKI).
  • All authentication information is obfuscated.
  • The TOE supports the use of X.509 certificates for the purposes of IPsec peer authentication, including support for creating and validating certificates.

Security Management

  • The TOE manages the following TSF data:
    • User account names
    • User passwords
    • Internally generated cryptographic keys
    • Imported SSH public keys
  • The only role in the TOE is that of the Administrator.
  • All administration is performed over an SSH connection or via direct console session.

Protection of the TSF

  • The TSF prevents the reading of secret and private keys.
  • The TOE provides reliable time stamps for itself.
  • The TOE runs a suite of self-tests during the initial start-up (upon power on) to demonstrate the correction operation of the TSF.
  • The TOE provides a means to verify firmware/software updates to the TOE using a digital signature mechanism prior to installing those updates.

TOE Access

  • The TOE, for local interactive sessions, terminates the administrative session after an Authorized Administrator-specified period of session inactivity.
  • The TOE terminates a remote interactive session after an Authorized Administrator-configurable period of session inactivity.
  • The TOE allows Administrator-initiated termination of the Administrator’s own interactive session.
  • Before establishing an administrative user session, the TOE is capable of displaying an Authorized Administrator-specified advisory notice and consent warning message regarding unauthorized use of the TOE.

Trusted Path/Channels

  • The TOE uses IPsec to provide a trusted communication channel between itself and all authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.
  • The TOE permits the TSF, or the authorized IT entities to initiate communication via the trusted channel.
  • The TOE permits remote administrators to initiate communication over SSH.
  • The TOE requires the use of the trusted path for initial administrator authentication and all remote administration actions.


Vendor Information

Motorola Solutions, Inc.
Tomasz Chmiel
+48 12 297-9431
Site Map              Contact Us              Home