NIAP: Compliant Product
Compliant Product - Citrix ADC (formerly NetScaler) Platinum Edition Version 11.1

Certificate Date: 2019.10.18

Validation Report Number: CCEVS-VR-VID10974-2019

Product Type: Network Device

Conformance Claim: Protection Profile Compliant

PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

CC Testing Lab: Acumen Security


Documents: Security Target [PDF], Validation Report [PDF], Assurance Activity [PDF], Administrative Guides [PDF]


Product Description

The Citrix ADC (formerly NetScaler) is an Application Delivery Controller that accelerates application performance, enhances application availability with advanced Layer 4 – Layer 7 load balancing, secures applications from attacks, and lowers server expenses by offloading computationally intensive tasks. The TOE comprises Citrix ADC running on the following hardware appliances:

· MPX 14030 FIPS
· MPX 14060 FIPS
· MPX 14080 FIPS

Citrix MPX 14XXX FIPS appliances are network devices that combine Layer 4 – Layer 7 load balancing and content switching with application acceleration, data compression, static and dynamic content caching, SSL acceleration, network optimization, application performance monitoring, application visibility, and robust application security via an application firewall. The ADC appliance supports NIST-approved FIPS 140-2 algorithms.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Citrix ADC Platinum Edition Version 11.1 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the evaluation demonstrates conformance to the collaborative Protection Profile for Network Devices v2.0 (NDcPP). The product, when delivered and configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in September 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.

Security Audit

The TOE keeps local and remote audit records of security relevant events.

Cryptographic Support

The TOE provides cryptographic support for the SSH and TLS protocols. The related FIPS 140-2 validation details are provided in Table 1.

NITROXIII CNN3560-NFBE-G Algorithms (CMVP Cert. #2850)

| Algorithm | CAVP Cert # | Standard | Operation | SFR |
|---|---|---|---|---|
| RSA | 1634 | FIPS 186-4 | Signature Verification | FCS_COP.1/SigGen |
| DRBG | 680 | SP 800-90A | Random Bit Generation | FCS_RBG_EXT.1 |
| AES | 2034, 3205 | AES specified in ISO 18033-3; CBC specified in ISO 10116 | TLS Encryption/Decryption; DRBG Primitive | FCS_COP.1/DataEncryption |
| SHA | 1780 | ISO/IEC 10118-3:2004 | Hashing | FCS_COP.1/Hash |
| HMAC | 1233 | ISO/IEC 9797-2:2011 | Keyed-Hashing | FCS_COP.1/KeyedHash |

Citrix FIPS Cryptographic Module Algorithms (CMVP Cert. #2988)

| Algorithm | CAVP Cert # | Standard | Operation | SFR |
|---|---|---|---|---|
| RSA | 2379 | FIPS 186-4 | Key Generation; Signature Generation/Verification | FCS_CKM.1; FCS_COP.1/SigGen |
| ECDSA | 1056 | FIPS 186-4 | Key Generation | FCS_CKM.1 |
| DRBG | 1417 | SP 800-90A | Random Bit Generation | FCS_RBG_EXT.1 |
| SHA | 3626 | ISO/IEC 10118-3:2004 | Hashing | FCS_COP.1/Hash |
| HMAC | 2923 | ISO/IEC 9797-2:2011 | Keyed-Hashing | FCS_COP.1/KeyedHash |
| AES | 4397 | AES specified in ISO 18033-3; CBC specified in ISO 10116; CTR specified in ISO 10116 | SSH Encryption/Decryption; DRBG Primitive | FCS_COP.1/DataEncryption |
| CVL (SP800-56A) | 1106 | SP 800-56A | Key Establishment | FCS_CKM.2 |

Table 1: CAVP Algorithm Testing References

Identification and Authentication

The TOE provides two types of authentication to provide a trusted means for Security Administrators and remote endpoints to interact: X.509v3 certificate-based authentication for remote devices and password-based or public-key authentication for Security Administrators. Device-level authentication allows the TOE to establish a secure communication channel with a remote endpoint.

Security Administrators can set a minimum length for passwords (between 4 and 127 characters). Additionally, the TOE detects and tracks consecutive unsuccessful remote authentication attempts and will prevent the offending attempts from authenticating when a Security Administrator-defined threshold is reached.

Security Management

The TOE enables secure local and remote management of its security functions, including:

o Local console CLI administration
o Remote CLI administration via SSHv2
o Administrator authentication using a local database
o Timed user lockout after multiple failed authentication attempts
o Password complexity enforcement
o Role-Based Access Control: the TOE supports several types of administrative user roles. Collectively these sub-roles comprise the “Security Administrator”
o Configurable banners to be displayed at login
o Timeouts to terminate administrative sessions after a set period of inactivity
o Protection of secret keys and passwords

Protection of the TSF

The TOE ensures the authenticity and integrity of software updates through hash comparison and requires administrative intervention prior to the software updates being installed.


TOE Access

Prior to login, the TOE displays a banner with a message configurable by the Security Administrator. The TOE terminates user connections after an Authorized Administrator-configurable amount of time.

Trusted Path Channels

The TOE uses TLS to provide a trusted channel between itself and remote syslog and LDAP servers.

The TOE uses SSH to provide a trusted path between itself and remote administrators.

Excluded Functionality

Hardware and software located in the TOE environment are not included in the scope of the evaluation.

Only security functionality specified in the SFRs and TSS is covered by the scope of evaluation against this Security Target. The following other product features or functionality are considered unevaluated, because they are not included in the scope of the Security Target:

· Web Logging
· Application Firewall
· Global Server Load Balancing (GSLB)
· AAA-TM Authentication
· External authentication methods: Kerberos, TACACS+, SAML, RADIUS
· Responder
· Rewrite (URL Transformation)
· Layer 3 Routing
· vPath
· RISE
· High Availability
· CloudBridge
· CallHome
· Integrated Disk Caching
· General TLS VPN functionality
· Clientless VPN functionality
· SSL acceleration – SSL termination for application servers
· AppFlow
· AppQoE
· BGP
· Cache Redirection
· Compression Control
· Content Accelerator
· Content Filtering
· Content Switching
· FEO
· OSPF
· LSN
· RDP Proxy
· RIP
· HTML Injection
· HTTP DoS Protection
· Integrated Caching
· Surge Protection
· ISIS
· Priority Queuing
· Reputation
· Sure Connect
· NetScaler Push

Additionally, the following features may not be used when the TOE is operated in a manner compliant with this Security Target:

· IPv6
· NTP-based updates to the time
· Use of superuser privileges except as described in [CCECG]
· ADC GUI (HTTP/HTTPS), ADC Nitro API and ADM


Vendor Information


Citrix Systems Inc.
Vijay Gajula
800-424-8749
vijay.gajula@citrix.com

www.citrix.com