NIAP: Compliant Product
Compliant Product - Cisco AnyConnect Secure Mobility Client v4.0 for Android

Certificate Date:  2017.03.01

Validation Report Number:  CCEVS-VR-VID10770-2017

Product Type:    Virtual Private Network

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for IPsec Virtual Private Network (VPN) Clients Version 1.4

CC Testing Lab:  Gossamer Security Solutions

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is the Cisco AnyConnect Secure Mobility Client for Android.  The Cisco AnyConnect Secure Mobility client provides remote users with secure IPsec (IKEv2) VPN connections to the Cisco 5500 Series Adaptive Security Appliance (ASA) VPN Gateway. The TOE is a software-only VPN client application executing on an Android mobile device platform that provides IPsec to authenticate and encrypt network traffic travelling across an unprotected public network.  By protecting the communication from unauthorized disclosure or modification, the TOE allows remote users to securely connect to an organization’s network resources and applications.  The TOE executes on one of the following underlying mobile platforms considered to be part of the IT environment: 

  • Samsung Galaxy S7/S7 Edge, S6/S6 Edge, Galaxy Note 5, and Galaxy Tab S2

The underlying platform provides some of the security functionality required in the VPNv1.4 Client PP. Refer to the Samsung Galaxy Devices with Android 6 Security Target[1] and the Samsung Galaxy S7 Devices on Android 6 Security Target[2] for information regarding the evaluated configuration requirements.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012.

The TOE, configured as specified in the evaluated guidance, satisfies all of the security functional requirements stated in the Security Target.  The project underwent CCEVS Validator review.   The evaluation was completed March 1, 2017 and results of the evaluation can be found in the National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Cisco AnyConnect Secure Mobility Client for Android (report number CCEVS-VR-VID10770-2017) prepared by CCEVS.

Environmental Strengths

The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.

Cryptographic support: The TOE provides cryptography in support of IPsec with ESP symmetric cryptography for bulk AES encryption/decryption and SHA-2 algorithm for hashing.   In addition, the TOE provides the cryptography to support Diffie-Hellman key exchange and derivation function used in the IKEv2 and ESP protocols.  The cryptographic algorithm implementation has been validated for CAVP conformance.  The TOE platform provides asymmetric cryptography, which is used by the TOE for IKE peer authentication using digital signature and hashing services.  The TOE platform also provides a DRBG.

User data protection: The TOE platform ensures that residual information from previously sent network packets processed through the platform is protected from being passed into subsequent network packets.

Identification and authentication: The TOE and TOE platform perform device-level X.509 certificate-based authentication of the VPN Gateway during IKEv2 key exchange. Device-level authentication allows the TOE to establish a secure channel with a trusted VPN Gateway. The secure channel is established only after each endpoint successfully authenticates the other.

Security management: The TOE, TOE platform, and VPN Gateway provide the management functions to configure the security functionality provided by the TOE. 

Protection of the TSF: The TOE performs a suite of self-tests during initial start-up to verify correct operation of its FIPS 140-2 validated algorithms. Upon execution, the integrity of the TOE's software executables is also verified. The TOE Platform provides for verification of TOE software updates prior to installation.

Trusted path/channels: The TOE’s implementation of IPsec provides a trusted channel ensuring sensitive data is protected from unauthorized disclosure or modification when transmitted from the host to a VPN gateway.

Vendor Information

Cisco Systems, Inc.
Terrie Diaz