Compliant Product - BlackBerry SecuGATE version 4.0
Certificate Date: 2019.12.19
Validation Report Number: CCEVS-VR-VID10977-2019
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
Extended Package for Enterprise Session Controller (ESC) Version 1.0
CC Testing Lab: Gossamer Security Solutions
The TOE is the SecuGATE SIP server version 4.0. The SecuGATE SIP Server enables use of the Session Initiation Protocol (SIP) to establish secure connections between mobile devices.
The SecuGATE SIP Server is the centerpiece in the SecuSUITE Security Solution. The SecuSUITE Security Solution includes the SecuGATE SIP server and client software for mobile device platforms. Together these form a system that provides end-to-end secure mobile voice communication and instant messaging, using IP-based mobile data connections such as EDGE, UMTS/HSPA, LTE, and Wi-Fi. The SecuGATE SIP Server v4.0 is a network appliance providing SIP server, RTP Proxy and SCA functionality as well as interfaces for management.
The Target of Evaluation (TOE) is SecuGATE SIP Server v4.0. The SecuGATE SIP Server v4.0 enables use of the Session Initiation Protocol (SIP) to establish secure connections between mobile devices. The SecuGATE SIP server runs on RHEL 7.6 OS within an ESXi version 6.5 virtualized environment using a physical platform which includes an Intel Xeon E3-1240, Xeon E3-1515 or Xeon Gold 5218 processor including:
• the SUPERMICRO system with an Intel Xeon E3-1240,
• the SUPERMICRO system with an Intel Xeon Gold 5218, and
• the PacStar 451 system with an Intel Xeon E3-1515.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the SecuGATE Common Criteria Configuration Guide, SecuSUITE for Government 4.0, doc version 1.3, satisfies all of the security functional requirements stated in the SecuGATE SIP Server (NDcPP21/ESCEP10) Security Target, Version 0.7, December 19, 2019. The project underwent CCEVS Validator review. The evaluation was completed December 19, 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE generates audit events for numerous activities including policy enforcement, system management, authentication and system status (i.e., system log records). The TOE also generates call detail records providing information about connections that are mediated by the TOE. A syslog server in the environment is relied on to store audit and system log records generated by the TOE. The TOE generates a complete audit record including the IP address of the TOE, the event details, and the time the event occurred. The time stamp is provided by the TOE appliance hardware.
The TOE contains CAVP-tested cryptographic implementations that provide key management, random bit generation, encryption/decryption, digital signature, secure hashing and keyed-hashing features in support of higher-level cryptographic protocols including HTTPS, NTP, SSH and TLS.
User Data Protection:
The TOE mediates connections between VVoIP endpoints, allowing enrolled endpoints to establish “calls” with other enrolled endpoints.
Identification and Authentication:
The TOE authenticates administrative users. In order for an administrative user to access the TOE, a user account including a user name and password must be created for the user, and an administrative role must be assigned. The TOE performs the validation of the login credentials. The TOE also performs extensive X.509 certificate validation checks on certificates it receives as identification and authentication material.
The TOE also provides a Web UI (protected by HTTPS) and Command Line Interface (protected by SSH) to configure the TOE. Security management commands are limited to authorized users (i.e., administrators) and available only after they have provided acceptable user identification and authentication data to the TOE. The security management functions are controlled through the use of privileges associated with roles that can be assigned to TOE users. Among the available privileges, only the Authorized Administrator role can actually manage the security policies provided by the TOE and the TOE offers a complete set of functions to facilitate effective management.
Protection of the TSF:
The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.
It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability) and can obtain time from external time sources using NTP.
The TOE performs self-tests and integrity checks on TOE executables during system start-up as well as periodically during normal operation. The TOE also includes mechanisms (i.e., verification of the digital signature of each new image) so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.
The TOE can be configured to display a warning banner when an administrator establishes an interactive session and subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated.
The TOE protects interactive communication with administrators using SSHv2 for CLI access, ensuring both integrity and disclosure protection. The TOE also provides a Web UI API interface for security management that is protected with HTTPS/TLS. If the negotiation of an encrypted session (either SSH or TLS) fails or if the user does not have authorization for remote administration, an attempted connection is not established.
The TOE protects communication with network peers, such as an NTP server, an audit server, VVoIP endpoints, ESC devices for trunking, and a VVoIP conferencing system using TLS connections to prevent unintended disclosure or modification of data.