Compliant Product - Citrix ADC (formerly NetScaler) Platinum Edition Version 11.1
Certificate Date: 2019.10.18Security Target Validation Report Assurance Activity
Validation Report Number: CCEVS-VR-VID10974-2019
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
CC Testing Lab: Acumen Security
The Citrix ADC (formerly NetScaler) is an Application Delivery Controller that accelerates application performance, enhances application availability with advanced Layer 4 – Layer 7 load balancing, secures applications from attacks, and lowers server expenses by offloading computationally intensive tasks. The TOE comprises Citrix ADC running on the following hardware appliances.
· MPX 14030 FIPS
· MPX 14060 FIPS
· MPX 14080 FIPS
Citrix MPX 14XXX FIPS appliances are network devices that combine Layer 4 - Layer 7 load balancing and content switching with application acceleration, data compression, static and dynamic content caching, SSL acceleration, network optimization, application performance monitoring, application visibility, and robust application security via an application firewall. The ADC appliance supports NIST-approved FIPS 140-2 algorithms.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Citrix ADC Platinum Edition Version 11.1 is evaluated as described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the evaluation is a collaborative Protection Profile for Network Devices v2.0 (NDcPP). The product, when delivered configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in September 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.
The TOE keeps local and remote audit records of security relevant events.
The TOE provides cryptographic support for the SSH and TLS protocols. The related FIPS 140-2 validation details are provided in Table 1.
Identification and Authentication
The TOE provides two types of authentication to provide a trusted means for Security Administrators and remote endpoints to interact: X.509v3 certificate-based authentication for remote devices and password-based or public-key authentication for Security Administrators. Device-level authentication allows the TOE to establish a secure communication channel with a remote endpoint.
Security Administrators can set a minimum length for passwords (between 4 and 127 characters). Additionally, the TOE detects and tracks consecutive unsuccessful remote authentication attempts and will prevent the offending attempts from authenticating when a Security Administrator defined threshold is reached.
The TOE enables secure local and remote management of its security functions, including:
o Local console CLI administration
o Remote CLI administration via SSHv2
o Administrator authentication using a local database
o Timed user lockout after multiple failed authentication attempts
o Password complexity enforcement
o Role Based Access Control - the TOE supports several types of administrative user roles. Collectively these sub-roles comprise the “Security Administrator”
o Configurable banners to be displayed at login
o Timeouts to terminate administrative sessions after a set period of inactivity
o Protection of secret keys and passwords
Protection of the TSF
The TOE ensures the authenticity and integrity of software updates through hash comparison and requires administrative intervention prior to the software updates being installed.
Prior to login, the TOE displays a banner with a message configurable by the Security Administrator. The TOE terminates user connections after an Authorized Administrator configurable amount of time.
Trusted Path Channels
The TOE uses TLS to provide a trusted channel between itself and remote syslog and LDAP servers.
The TOE uses SSH to provide a trusted path between itself and remote administrators.
Hardware and software located in the TOE environment are not included in the scope of the evaluation.
Only security functionality specified in the SFRs and TSS is covered by the scope of evaluation against this Security Target. The following other product features or functionality are considered unevaluated, because they are not included in the scope of the Security Target:
· Web Logging
· Application Firewall
· Global Server Load Balancing (GSLB)
· AAA-TM Authentication
· External authentication methods: Kerberos, TACACS+, SAML, RADIUS
· Rewrite (URL Transformation)
· Layer 3 Routing
· High Availability
· Integrated Disk Caching
· General TLS VPN functionality
· Clientless VPN functionality
· SSL acceleration – SSL termination for application servers
· Cache Redirection
· Compression Control
· Content Accelerator
· Content Filtering
· Content Switching
· RDP Proxy
· HTM Injection
· Http DoS Protection
· Integrated Caching
· Surge Protection
· Priority Queuing
· Sure Connect
· NetScaler Push
Additionally, the following features may not be used when the TOE is operated in a manner compliant with this Security Target:
· NTP based updates to the time
· Use of superuser privileges except as described in [CCECG]
· ADC GUI (HTTP/HTTPS), ADC Nitro API and ADM
Citrix Systems Inc.