NIAP: Compliant Product
Compliant Product - Citrix ADC (formerly NetScaler) Platinum Edition Version 11.1

Certificate Date:  2019.10.18

Validation Report Number:  CCEVS-VR-VID10974-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

CC Testing Lab:  Acumen Security

Documents:

·  Security Target [PDF]

·  Validation Report [PDF]

·  Assurance Activity [PDF]

·  Administrative Guide [PDF]

·  Administrative Guide [PDF]

·  Administrative Guide [PDF]

Product Description

The Citrix ADC (formerly NetScaler) is an Application Delivery Controller that accelerates application performance, enhances application availability with advanced Layer 4 – Layer 7 load balancing, secures applications from attacks, and lowers server expenses by offloading computationally intensive tasks. The TOE comprises Citrix ADC running on the following hardware appliances.

·  MPX 14030 FIPS

·  MPX 14060 FIPS

·  MPX 14080 FIPS

Citrix MPX 14XXX FIPS appliances are network devices that combine Layer 4 - Layer 7 load balancing and content switching with application acceleration, data compression, static and dynamic content caching, SSL acceleration, network optimization, application performance monitoring, application visibility, and robust application security via an application firewall. The ADC appliance supports NIST-approved FIPS 140-2 algorithms.


Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Citrix ADC Platinum Edition Version 11.1 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the evaluation conforms to the collaborative Protection Profile for Network Devices v2.0 (NDcPP). The product, when delivered and configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in September 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.

Security Audit

The TOE keeps local and remote audit records of security relevant events.

Cryptographic Support

The TOE provides cryptographic support for the SSH and TLS protocols. The related FIPS 140-2 validation details are provided in Table 1.


NITROXIII CNN3560-NFBE-G Algorithms (CMVP Cert. #2850)

CAVP Cert # | Standard | Use
 | FIPS 186-4 | Signature Verification
 | SP 800-90A | Random Bit Generation
 | AES specified in ISO 18033-3; CBC specified in ISO 10116 | TLS Encryption/Decryption; DRBG Primitive
 | ISO/IEC 10118-3:2004 | 
 | ISO/IEC 9797-2:2011 | 

Citrix FIPS Cryptographic Module Algorithms (CMVP Cert. #2988)

CAVP Cert # | Standard | Use
 | FIPS 186-4 | Key Generation; Signature Generation/Verification
 | FIPS 186-4 | Key Generation
 | SP 800-90A | Random Bit Generation
 | ISO/IEC 10118-3:2004 | 
 | ISO/IEC 9797-2:2011 | 
 | AES specified in ISO 18033-3; CBC specified in ISO 10116; CTR specified in ISO 10116 | SSH Encryption/Decryption; DRBG Primitive
CVL (SP800-56A) | SP 800-56A | Key Establishment

Table 1 CAVP Algorithm Testing References


Identification and Authentication

The TOE provides two types of authentication to provide a trusted means for Security Administrators and remote endpoints to interact: X.509v3 certificate-based authentication for remote devices and password-based or public-key authentication for Security Administrators. Device-level authentication allows the TOE to establish a secure communication channel with a remote endpoint.

Security Administrators can set a minimum length for passwords (between 4 and 127 characters). Additionally, the TOE detects and tracks consecutive unsuccessful remote authentication attempts and prevents the offending account from authenticating once a Security Administrator-defined threshold is reached.

Security management

The TOE enables secure local and remote management of its security functions, including:

o  Local console CLI administration

o  Remote CLI administration via SSHv2

o  Administrator authentication using a local database

o  Timed user lockout after multiple failed authentication attempts

o  Password complexity enforcement

o  Role-Based Access Control: the TOE supports several types of administrative user roles; collectively these sub-roles comprise the “Security Administrator”

o  Configurable banners to be displayed at login

o  Timeouts to terminate administrative sessions after a set period of inactivity

o  Protection of secret keys and passwords
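The local-database authentication, failed-attempt tracking and timed-lockout items above, together with the configurable minimum password length (4 to 127 characters) described under Identification and Authentication, are the kind of policy a network device enforces before an administrator session is granted. The following is an added illustration of that policy in Python; it is not Citrix code and does not reflect how the ADC implements these functions. The class name, the default threshold and lockout period, the PBKDF2 password storage, and the sample account are all constructed assumptions.

```python
"""Added example: a local administrator-authentication policy with a
configurable minimum password length (constrained to the page's 4..127 range),
consecutive-failure tracking and a timed lockout once a Security
Administrator-defined threshold is reached. Names and defaults are assumptions."""
import hashlib
import hmac
import os
import time

PASSWORD_LENGTH_LIMITS = (4, 127)  # range stated on the page
_PBKDF2_ITERATIONS = 100_000       # assumed work factor for stored credentials


class LocalAuthPolicy:
    """Local user database plus failure tracking (hypothetical, not the TOE's)."""

    def __init__(self, min_password_length=8, max_failures=3,
                 lockout_seconds=300, clock=time.monotonic):
        lo, hi = PASSWORD_LENGTH_LIMITS
        if not lo <= min_password_length <= hi:
            raise ValueError(f"minimum length must be within {lo}..{hi}")
        if max_failures < 1 or lockout_seconds <= 0:
            raise ValueError("threshold and lockout period must be positive")
        self.min_password_length = min_password_length
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                # injectable for testing
        self._users = {}                  # name -> (salt, stored digest)
        self._failures = {}               # name -> consecutive failures
        self._locked_until = {}           # name -> monotonic deadline

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, _PBKDF2_ITERATIONS)

    def add_user(self, name, password):
        """Enforce the minimum length, then store a salted digest, never the password."""
        if len(password) < self.min_password_length:
            raise ValueError("password shorter than the configured minimum")
        salt = os.urandom(16)
        self._users[name] = (salt, self._digest(salt, password))

    def is_locked(self, name):
        until = self._locked_until.get(name)
        return until is not None and self.clock() < until

    def authenticate(self, name, password):
        """Return 'ok', 'denied' or 'locked'; a locked account is refused
        even when the supplied password is correct."""
        if self.is_locked(name):
            return "locked"
        record = self._users.get(name)
        # Unknown users are checked against a dummy record so the response time
        # does not reveal which account names exist.
        salt, stored = record if record is not None else (b"\0" * 16, b"\0" * 32)
        matches = hmac.compare_digest(self._digest(salt, password), stored)
        if matches and record is not None:
            self._failures[name] = 0        # success resets the counter
            self._locked_until.pop(name, None)
            return "ok"
        count = self._failures.get(name, 0) + 1
        self._failures[name] = count
        if count >= self.max_failures:
            self._locked_until[name] = self.clock() + self.lockout_seconds
            self._failures[name] = 0        # fresh count after lockout expires
            return "locked"
        return "denied"


if __name__ == "__main__":
    policy = LocalAuthPolicy(min_password_length=12, max_failures=3, lockout_seconds=300)
    policy.add_user("admin-demo", "correct horse battery")  # constructed account
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery"):
        print(attempt, "->", policy.authenticate("admin-demo", attempt))
```

The third wrong attempt locks the account and the subsequent correct password is still refused until the lockout period has elapsed; a success after expiry clears the counter. Injecting the clock keeps the lockout timing testable without sleeping.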


Protection of the TSF

The TOE ensures the authenticity and integrity of software updates through hash comparison and requires administrative intervention prior to the software updates being installed.


TOE Access

Prior to login, the TOE displays a banner with a message configurable by the Security Administrator. The TOE terminates user connections after an Authorized Administrator-configurable period of inactivity.

Trusted Path Channels

The TOE uses TLS to provide a trusted channel between itself and remote syslog and LDAP servers.

The TOE uses SSH to provide a trusted path between itself and remote administrators.

Excluded Functionality

Hardware and software located in the TOE environment are not included in the scope of the evaluation.

Only security functionality specified in the SFRs and TSS is covered by the scope of evaluation against this Security Target. The following other product features or functionality are considered unevaluated, because they are not included in the scope of the Security Target:

·  Web Logging

·  Application Firewall

·  Global Server Load Balancing (GSLB)

·  AAA-TM Authentication

·  External authentication methods: Kerberos, TACACS+, SAML, RADIUS

·  Responder

·  Rewrite (URL Transformation)

·  Layer 3 Routing

·  vPath

·  RISE

·  High Availability

·  CloudBridge

·  CallHome

·  Integrated Disk Caching

·  General TLS VPN functionality

·  Clientless VPN functionality

·  SSL acceleration (SSL termination for application servers)

·  AppFlow

·  AppQoE

·  BGP

·  Cache Redirection

·  Compression Control

·  Content Accelerator

·  Content Filtering

·  Content Switching

·  FEO

·  OSPF

·  LSN

·  RDP Proxy

·  RIP

·  HTML Injection

·  HTTP DoS Protection

·  Integrated Caching

·  Surge Protection

·  ISIS

·  Priority Queuing

·  Reputation

·  Sure Connect

·  NetScaler Push



Additionally, the following features may not be used when the TOE is operated in a manner compliant with this Security Target:

·  IPv6

·  NTP-based updates to the time

·  Use of superuser privileges except as described in [CCECG]

·  ADC GUI (HTTP/HTTPS), ADC Nitro API and ADM


Vendor Information

Citrix Systems Inc.
Vijay Gajula