NIAP: Compliant Product
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Compact Rugged Router, Series 1000 (CRR-1000), v1.0

Certificate Date:  2018.11.23

Validation Report Number:  CCEVS-VR-VID10910-2018

Product Type:    Network Device
   Virtual Private Network

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
  Extended Package for VPN Gateways Version 2.1

CC Testing Lab:  UL Verification Services Inc. (Formerly InfoGard)


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

Architecture Technology Corporation (ATCorp) designed a router and VPN gateway for the National Security Agency/Central Security Service (NSA/CSS) Commercial Solutions for Classified (CSfC) Program. This VPN gateway device was built with the ATC Routing & Encryption Suite (ARES), an End User Device (EUD) VPN Client and a Cloud Server. The EUD VPN Client and Cloud Server were not evaluated.

The outer firewall implements a security barrier between the black network and the outer encryptor, which checks all IP packets coming in from the black network interface as well as from the outer encryptor, and accepts/rejects the packets according to the rules specified in a filtering table set up for the outer firewall.


Evaluated Configuration

The TOE is the Architecture Technology Corporation (ATCorp) router and VPN gateway. The appliance models are:

  • CRR-1000-1-2E Version 1.0 
  • CRR-1000-1-4E Version 1.0 
  • CRR-1000-1-6E Version 1.0 
  • CRR-1000-2 Version 1.0 
  • CRR-1000-3 Version 1.0 
  • CRR-1000-4 Version 1.0 
  • CRR-1000-5 Version 1.0 
  • CRR-1000-6 Version 1.0 
  • CRR-1000-7 Version 1.0 
  • CRR-1000-8 Version 1.0 
  • CRR-1000-9 Version 1.0 
  • CRR-1000-10 Version 1.0 
  • CRR-1000-11 Version 1.0 
  • CRR-1000-12 Version 1.0 

 
All devices run the ARES v1.0.0.7 Software


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. ATCorp Compact Rugged Router, Series 1000 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The TOE, when installed and configured per the instructions provided in the preparative and administrative guidance, satisfies all of the security functional requirements stated in the ATCorp Compact Rugged Router, Series 1000 Security Target. The evaluation underwent CCEVS Validator review. The evaluation was completed in September 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (CCEVS-VR-10910-2018, dated November 23, 2018), prepared by CCEVS, and the Assurance Activities Report (AAR) (18-3853-R-0020 V1.1).
 


Environmental Strengths

Audit

The TOE will audit all events and information defined in Table 3 of the Security Target. The TOE will also include the identity of the user that caused the event (if applicable), date and time of the event, type of event, and the outcome of the event. The TOE can transmit audit data to an external IT entity using the Syslog over the IPsec protocol.

Cryptographic Operations

The TOE uses cryptographic algorithms and protocols to protect Syslog server communication, remote administrator sessions, test the TOE itself, and verify the integrity of updates to the TOE. The TSF overwrites all plaintext secret and private cryptographic keys and CSPs once they are no longer required.

User Data Protection

The TOE protects user data in transit by using IPsec VPN tunnels between itself and authorized endpoints or remote networks.  The TOE permits VPN Mobility clients to connect and pass traffic into protected networks.
 
Identification and Authentication

The TOE supports passwords consisting of alphanumeric and special characters. The TSF also allows administrators to set a minimum password length and support passwords with 15 characters or more.
 
The TOE requires all administrative-users to authenticate. The TOE allows the following unauthenticated actions:

  • Viewing the warning banner
  • Responding to ICMP echo requests
  • Performing ARP
  • Performing routing services (.e.g. RIP, OSPF)

Security Management

The TOE can be administered via a local console port or remotely over IPsec. Both methods of administration present the user with a CLI. Authorized administrators are assigned the Security Administrator role when they login.

Packet Filtering

The TOE implements IPv4 and IPv6 packet filtering on TCP/UDP port numbers, source and destination IP addresses, time of day, and day of week.  The TOE permits the administrator to configure the packet filtering rules to accept, deny, and/or log any packet matching the specified rule.

Protection of the TSF

The TOE protects itself by:

  • Preventing the reading of plaintext passwords.
  • Preventing the reading of secret and private keys.
  • Providing reliable time stamps for itself.
  • Running a suite of self-tests during the initial start-up (upon power on) to demonstrate the correction operation of the TSF.
  • Verifying firmware updates to the TOE using public key signature verification prior to installing those updates.

TOE Access

For local console sessions and remote IPsec sessions, the TSF terminates sessions after an administrator configured inactivity period. Before establishing an administrative user session, the TOE is capable of displaying a configurable advisory notice and consent warning message regarding unauthorized use of the TOE.

Trusted Path/Channels

The TOE uses IPsec to provide a trusted communication channel with the Syslog server.  The TOE permits remote administrators to connect using IPsec.


Vendor Information

Logo
Architecture Technology Corporation
Jordan Bonney
952-829-5864
952-829-9392
jbonney@atcorp.com

www.atcorp.com
Site Map              Contact Us              Home