Compliant Product - Apriva MESA VPN
Certificate Date: 2020.01.14
Documents: CC Certificate, Security Target, Validation Report
Validation Report Number: CCEVS-VR-VID10996-2020
Product Type: Virtual Private Network
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
Extended Package for VPN Gateways Version 2.1
CC Testing Lab: UL Verification Services Inc. (Formerly InfoGard)
The Apriva MESA VPN server is an IPsec VPN gateway designed to provide mobile devices with a secure connection to a protected network. The Apriva MESA VPN is a standards-based VPN concentrator with no proprietary modes of operation, and it supports most native VPN clients in the Microsoft, Android, and Apple iOS operating systems. The MESA VPN supports the full IKEv2 and MOBIKE standards.
The TOE consists of the following hardware and software components:
· Dell PowerEdge R640
o CPU: 2x Intel Xeon Silver 4109T
o RAM: 16GB
o NICs: Qty 4, 1Gb/s
· Red Hat Enterprise Linux v7.6
· Vendor proprietary user interface scripts and networking functionality scripts
· The above two components are managed and updated together as Apriva MESA VPN release 2.00.18-3
The guidance documentation is also part of the TOE. A list of the guidance documents can be found in Table 12 of the Security Target.
The TOE’s operational environment must provide the following services to support the secure operation of the TOE:
· Syslog Server supporting Syslog over TLSv1.2 for remote audit record capture
· VPN Clients supporting IPsec/IKEv2 (RFC 5996) & IPsec/ESP (RFCs 4301 & 4303) for VPN tunneling
· Local Console for local management (RS-232)
· SSH Client for remote management [SSHv2 (RFCs 4251, 4252, 4253, 4254, 4344, 5656, & 6668)]
MOBIKE is an unevaluated capability.
Functional testing of the TOE was performed on the Dell PowerEdge R640 with Apriva MESA VPN release 2.00.18-3 installed and configured as per the CC Preparative and Administrative Guidance documentation provided as part of the TOE.
The Operational Environment included the following components to support the secure operation of the TOE:
· Local Console
· Syslog Server
· An SSHv2 Client
· An IPsec VPN Client
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Apriva MESA VPN 2.0 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The TOE, when installed and configured per the instructions provided in the preparative and administrative guidance, satisfies all the security functional requirements stated in the Apriva MESA VPN Security Target. The evaluation underwent CCEVS Validator review. The evaluation was completed in January 2020.
· Security Audit
o The TOE will audit all events and information defined in Table 3: Auditable Events in the Security Target.
o The TOE will also include the identity of the user that caused the event (if applicable to the event), the date and time of the event, the type of event, and the outcome of the event.
o The TOE can transmit audit data to an external IT entity using Syslog over TLSv1.2.
· Cryptographic Support
o The TSF performs the following cryptographic operations:
· IPsec protocol for establishing VPN tunnels
· TLSv1.2 client protocol for sending audit logs to a Syslog server
· SSHv2 server protocol for remote administration
· Generation of RSA and ECDSA asymmetric cryptographic keys
· Generation of keys to encrypt stored keys
· RSA 2048-bit Digital signature verification of software (updates and power-up)
o The algorithms supported for each protocol are specified in Section 1.3.4 of the Security Target.
o The TSF zeroizes all plaintext secret and private cryptographic keys and CSPs once they are no longer required.
· Identification and Authentication
o The TSF supports passwords consisting of alphanumeric and special characters.
o The TSF also allows administrators to set a minimum password length of 8 to 64 characters.
o In addition to password-based authentication, the TSF supports SSH public key authentication for remote administrators.
o The TSF requires all administrative users to authenticate before allowing the user to perform any actions other than:
· Viewing the warning banner
o The TSF performs the following actions in response to unauthenticated user actions:
· Respond to ICMP Echo Request with an Echo Reply
· Respond with ICMP Destination Unreachable message
o The TSF supports X.509 certificate authentication for the following purposes:
· Identification of the TLS/Syslog server
· Identification of the TOE to the TLS/Syslog server
· Identification of VPN peers
· Identification of the TOE to VPN peers
· Security Management
o The TOE implements a limited command line interface (CLI) to allow authorized administrators to configure the TOE. This interface restricts the administrator to executing the commands required to configure and administer the TOE.
o All authorized administrators are assigned the Security Administrator role.
· Packet Filtering
o The TOE can be configured to allow or deny packets based on IPv4 source address, IPv4 destination address, IPv6 source address, IPv6 destination address, TCP or UDP source port, TCP or UDP destination port.
· Protection of the TSF
o The TSF prevents the reading of secret and private keys
o The TOE provides reliable time stamps for itself using an internal real-time clock
o The TOE runs a suite of self-tests during the initial start-up (upon power on) to demonstrate the correct operation of the TSF
o The TOE continually performs health tests on the entropy sources
o The TOE verifies the authenticity and integrity of updates to the TOE using a digital signature prior to installing those updates
· TOE Access
o The TOE, for local interactive sessions, will terminate a user session after an Authorized Administrator-specified period of session inactivity has elapsed
o The TOE terminates a remote interactive session after an Authorized Administrator-configurable period of session inactivity has elapsed
o The TOE allows Administrator-initiated termination of the Administrator’s own interactive session
o Before establishing an administrative user session, the TOE is capable of displaying an Authorized Administrator-specified advisory notice and consent warning message regarding unauthorized use of the TOE
· Trusted Path/Channels
o The TOE uses IPsec or TLS to provide a trusted communication channel between itself and all authorized IT entities. The channel is logically distinct from other communication channels, provides assured identification of its end points, protects the channel data from disclosure, and detects modification of the channel data.
o The TOE permits the TSF or the authorized IT entities to initiate communication via the IPsec trusted channel
o The TOE initiates communication via the TLS trusted channel
o The TOE permits remote administrators to initiate communication via the SSH trusted path
o The TOE requires the use of the trusted path for initial administrator authentication and all remote administration actions
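As an added illustration of the Packet Filtering item above (constructed here, not the TOE's own rule syntax or code), a first-match filter that decides on exactly the attributes the TOE matches on: IPv4/IPv6 source and destination address and TCP/UDP source and destination port. The Rule field names, packet dictionary keys and the sample ruleset are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a first-match packet filter deciding on exactly the
# attributes listed for the TOE: IPv4/IPv6 source/destination address and
# TCP/UDP source/destination port. Field names and packet keys are assumptions.

@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: Optional[str] = None     # CIDR, e.g. "10.10.0.0/16" or "2001:db8::/32"; None = any
    dst: Optional[str] = None
    proto: Optional[str] = None   # "tcp" or "udp"; None = any protocol
    sport: Optional[int] = None   # exact port; None = any
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        for field in ("src", "dst"):
            cidr = getattr(self, field)
            if cidr is None:
                continue
            addr = ipaddress.ip_address(pkt[field])
            net = ipaddress.ip_network(cidr, strict=False)
            # A v4 prefix never matches a v6 address and vice versa.
            if addr.version != net.version or addr not in net:
                return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        # Port clauses only match packets that carry ports; ICMP has none.
        for field in ("sport", "dport"):
            want = getattr(self, field)
            if want is not None and pkt.get(field) != want:
                return False
        return True

def evaluate(rules, pkt: dict, default: str = "deny"):
    """Return (action, index) of the first matching rule, else (default, None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None

# Constructed ruleset: the quarantined /24 is denied before the broader /16 allow (order decides).
RULES = [
    Rule("deny", src="10.10.5.0/24"),
    Rule("allow", src="10.10.0.0/16", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", src="2001:db8::/32", dst="2001:db8:1::10/128", proto="udp", dport=500),
]
```

Unmatched packets fall through to the default deny, and a rule carrying a port clause never matches a portless packet such as ICMP.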
Apriva ISS, LLC
Thomas C. Grandy