NIAP: Compliant Product
Compliant Product - Airguard 3e-525/523 Series Wireless Access Points

Certificate Date:  2018.05.10

Validation Report Number:  CCEVS-VR-VID10859-2018

Product Type:    Wireless LAN
   Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
  Extended Package for Wireless LAN Access System

CC Testing Lab:  Gossamer Security Solutions

Product Description

The TOE is classified as a Wireless Local Area Network (WLAN) Access Device. The TOE employs mesh networking, which allows multiple TOEs to network within the operational environment (IEEE 802.11s is not validated).

The TOE sits between the wired and wireless portions of an enterprise network, provides integrity and confidentiality of wireless traffic, and restricts access of wireless endpoints to wired network systems. The TOE provides a secure, yet flexible, WLAN environment as an Access Point that mediates authenticated wireless clients' data through encryption/decryption and integrity protection between the wireless link and the wired LAN.

Evaluated Configuration

The TOE is the 3e Technologies International AirGuard 3e-525/523 Wireless Access Points running on firmware version 5.1.0. 

The evaluated configuration consists of the following series and models:


Columns: Number of Radios; Radio Mode

  • Access Point; Ruggedized for industrial and outdoor
  • 3e-525N MP: Access Point; Ruggedized for industrial and outdoor; Same as 3e-525N except mobile power input
  • Access Point; Ruggedized for industrial and outdoor; Same as 3e-525N with extra video capture card
  • Access Point; Indoor Enclosure; Operate in Industrial temperature range -40C to 75C
  • Access Point; Indoor Enclosure; Same as 3e-523N Operate in -10-60C
  • Access Point; Ruggedized for industrial and outdoor; Same as 3e-523N except enclosure for outdoor deployment

The evaluated configuration of the TOE requires the following Operational Environment support which is not included in the TOE’s physical boundary.

  • RADIUS Server: The TOE requires a RADIUS Server in the Operational Environment for wireless client authentication.
  • Wireless Clients: All wireless client hosts connecting to the wired network from the wireless network.
  • Administrator Workstations:  Trusted administrators access the TOE through the HTTPS protocol.
  • Audit Servers:  The TOE relies upon the audit server for storage of audit records.
  • NTP Servers:  The TOE relies upon an NTP server to provide reliable time.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012. Gossamer Security Solutions determined that the evaluation assurance level (EAL) for the TOE is EAL 1. The product, when delivered and configured as identified in the Ultra Electronics 3eTI AirGuard User’s Guide (3e-523N, 3e-523NR, 3e-523NF, 3e-525N, 3e-525N-MP, 3e-525NV), 08 May 2018, 29010012-001, Revision G document, satisfies all of the security functional requirements stated in the Airguard 3e-525/523 Series Wireless Access Points (NDcPP20E/WLANASEP10) Security Target, Version 0.5, May 08, 2018. The project underwent CCEVS Validator review. The evaluation was completed in May 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10859-2018) prepared by CCEVS.

Environmental Strengths

The logical boundaries of the 3eTI Airguard 3e-525/523 Series Wireless Access Points are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The TOE generates auditable events for actions on the TOE with the capability of selective audit record generation. The records of these events can be viewed within the Web User Interface (UI) or they can be exported to audit log servers in the Operational Environment. The TOE generates records for its own actions, containing information about the user/process associated with the event, the success or failure of the event, and the time that the event occurred. Additionally, all administrator actions relating to the management of TSF data and configuration data are logged by the TOE’s audit generation functionality.

Cryptographic support:

The TOE uses a NIST SP 800-90 DRBG random bit generator and the following cryptographic algorithms: AES, RSA, ECDSA, SHA, and HMAC, to secure wireless client data to the LAN and to secure trusted channel and trusted path communication. The TOE zeroizes Critical Security Parameters (CSPs) to mitigate the possibility of disclosure or modification.

Identification and authentication:

The TOE provides Identification and Authentication security functionality to ensure that all users are properly identified and authenticated before accessing TOE functionality. The TOE displays a configurable access banner and enforces a local password-based authentication mechanism to perform administrative user authentication. Passwords are obscured when being displayed during any attempted login.

Wireless users are authenticated by the RADIUS server in the Operational Environment. EAP-TLS is used for WPA2 wireless authentication via X.509 certificates. The TOE sets up an IPsec tunnel with a RADIUS server and supports IKEv2 with X.509 certificates for mutual authentication of IPsec endpoints with its IPsec peer.

Security management:

The Web User Interface (UI) of the TOE provides the capabilities for configuration and administration. The Web UI can be accessed via the dedicated local Ethernet port configured for “out-of-band” management. There is no local access such as a serial console port. Therefore, local and remote management are considered the same for this evaluation.

An authorized administrator has the ability to modify, edit, and delete security parameters such as audit data, configuration data, and user authentication data. The Web UI also offers an authorized administrator the capability to manage how security functions behave. For example, an administrator can enable/disable certain audit functions, and query and set encryption/decryption algorithms used for network packets.

Protection of the TSF:

Internal testing of the TOE hardware, software, and software updates against tampering ensures that all security functions are running and available before the TOE accepts any communications.  The TSF prevents reading of pre-shared keys, symmetric keys, private keys, and passwords.  The TOE uses electronic signature verification before any firmware/software updates are installed.

TOE access:

The TOE provides the following TOE Access functionality:

  • Configurable MAC address and/or IP address filtering with remote management session establishment
  • TSF-initiated session termination when a connection is idle for a configurable time period
  • Administrative termination of own session
  • Configurable MAC  address filtering for wireless client session establishment (either allow or deny the client access)
  • TOE Access Banners

Trusted path/channels:

The TOE protects interactive communication with administrators using TLS/HTTPS; both integrity and disclosure protection are ensured.

The TOE protects communication with wireless clients using WPA2 with 802.1X EAP-TLS. IPsec tunnels are used by the TOE to set up trusted channels with an NTP, RADIUS and Audit Log server.

Vendor Information

Paul Spaven