Compliant Product - RedSeal Server v9.4
Certificate Date: 2021.06.18
Validation Report Number: CCEVS-VR-VID11104-2021
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The TOE is RedSeal Server 9.4.5 from RedSeal, Inc. The RedSeal Platform is a Network Infrastructure Security Management (NISM) platform that continuously identifies critical attack risk and non-compliance in complex enterprise security infrastructure. It provides organizations with an understanding of where security is working, where improvement is needed, and where the greatest cyber-attack risks lie.
The TOE uses a plugin architecture to import data from monitored networked assets. There are two types of plugins—Communications and Data. Communications plugins provide connectivity to external devices for facilitating data import, supporting various protocols, including SSH, SCP, SFTP, HTTPS, SMB, JDBC, and vendor-specific protocols to access device data directly from the device or from configuration management databases. Data plugins provide parsers for vendor-specific device configuration files and vulnerability scan data. The TOE can monitor most layer 3 network devices with the use of these vendor-specific data plugins. Note that the evaluated configuration covers data import using only SSH.
The TOE requires users to be identified and authenticated before they can access any of the TOE functions. For each session, the user is required to log in prior to successfully establishing a session through which TOE functions can be exercised. The only capabilities allowed before a user authenticates are display of the warning banner and the sending of Echo Reply messages in response to Echo Request ICMP messages received at the Management interface. The banner is displayed on every login attempt.
The TOE provides a Command Line Interface (CLI) for management and administration. The CLI is accessible locally via a laptop connected directly to a network port, or remotely via SSH. The TOE supports a single CLI user (cliadmin) that is equivalent to the Security Administrator role specified in collaborative Protection Profile for Network Devices.
The TOE comprises the RedSeal Server application running on a Linux operating system, together with a database, all installed on a physical appliance provided by RedSeal, or provisioned as a virtual appliance image that can be deployed on a virtual platform. The scope of the evaluation covers both the hardware appliance and the virtual appliance deployed on VMware ESXi (other platforms that support the RedSeal Server virtual appliance, such as KVM, Oracle VirtualBox, and Microsoft Hyper-V, are not covered by this evaluation).
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the collaborative Protection Profile for Network Devices, Version 2.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the RedSeal Server v9.4 Security Target. The evaluation was completed in June 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE is able to generate audit records of security relevant events, including the events specified in collaborative Protection Profile for Network Devices, Version 2.1. The TOE stores audit records locally and can also be configured to send the audit records to an external syslog server over a protected communication channel.
The logs comprising the audit trail are stored in the TOE’s file system and protected from unauthorized modification and deletion by file system permissions. The TOE maintains a maximum of five log files—the current log file and four backups or archives. Each file has a default maximum of 50 megabytes (which is configurable by an administrator). When the current log file reaches its configured maximum size, it is closed and rotated to an archive, and a new current log file is created. If the maximum number of archive files already exists, the oldest one is deleted. The TOE will generate a warning message if the storage space for audit records reaches 80% capacity.
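The rotation policy described above, modelled as an added example (not RedSeal's code and not taken from the evaluation documents). It assumes that "capacity" means five files at the configured maximum size and uses constructed 1 MB records; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024

@dataclass
class AuditTrail:
    max_files: int = 5         # current log plus four archives (from the page)
    max_bytes: int = 50 * MB   # default per-file limit (from the page)
    warn_percent: int = 80     # warning threshold (from the page)
    files: list = field(default_factory=lambda: [[]])  # oldest first, last = current
    dropped: list = field(default_factory=list)        # record ids lost to rotation
    warnings: int = 0
    above_threshold: bool = False

    def used_bytes(self):
        return sum(size for f in self.files for _, size in f)

    def write(self, record_id, size):
        current = self.files[-1]
        current.append((record_id, size))
        if sum(s for _, s in current) >= self.max_bytes:
            self.files.append([])                 # close current, open a new log
            if len(self.files) > self.max_files:  # archive limit hit: oldest is deleted
                self.dropped += [rid for rid, _ in self.files.pop(0)]
        # Assumption: "capacity" is max_files * max_bytes; warn once per crossing.
        capacity = self.max_files * self.max_bytes
        above = self.used_bytes() * 100 >= capacity * self.warn_percent
        if above and not self.above_threshold:
            self.warnings += 1
        self.above_threshold = above

    def guaranteed_history_bytes(self):
        # Right after a rotation that deletes a file, only full archives remain.
        return (self.max_files - 1) * self.max_bytes


def simulate(n_records, record_size=MB):
    """Write n constructed records of equal size and return the resulting trail."""
    trail = AuditTrail()
    for rid in range(n_records):
        trail.write(rid, record_size)
    return trail


if __name__ == "__main__":
    t = simulate(1000)
    print(len(t.files), len(t.dropped), t.warnings, t.used_bytes() // MB)
```

Under these assumptions the local trail never holds more than 250 MB, and after the fifth file fills it guarantees only the last 200 MB of history. Older records survive only if they were also sent to the external syslog server.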
The TOE implements cryptographic algorithms and mechanisms that provide random bit generation, asymmetric cryptographic key pair generation, key establishment, symmetric data encryption and decryption, digital signature generation and verification, cryptographic hashing, and keyed-hash message authentication services in support of higher level cryptographic protocols, including SSH and TLS.
Identification and Authentication
The TOE requires all users to be successfully identified and authenticated prior to accessing its security management functions and other capabilities. The TOE offers local and remote access (via SSH) to a Command Line Interface (CLI) and remote access (protected by TLS) using the Java client to support interactive administrator sessions. There is also a browser-based Web UI available for non-administrative users to interact with the TOE.
The TOE provides a local password-based authentication mechanism for all users and enforces a minimum length for passwords. The TOE will deny remote access to a user after a configurable number of consecutive failed authentication attempts (default is three).
The TOE provides the security management functions necessary to configure and administer its security capabilities, including: configuring a login access banner; configuring a remote session inactivity time limit before session termination; configuring the parameters (number of consecutive failures, lockout period) for the authentication failure handling mechanism; setting the system date and time and also configuring NTP; performing software updates and verifying updates using a published hash.
The TOE provides a CLI to access its security management functions. Administrators can access the CLI locally via a laptop connected directly to a network port and remotely using SSH. Additionally, some security management functions are accessible via the Java client. Security management commands are limited to administrators and are available only after they have been successfully identified and authenticated.
Protection of the TSF
The TOE protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator.
The TOE provides reliable time stamps for its own use and can be configured to synchronize its time via NTP.
The TOE provides a trusted means for determining the currently running version of its software and for updating its software. The integrity of software updates can be verified using a published hash.
The TOE implements various self-tests that execute during the power-on and start up sequence, including cryptographic known answer tests that verify the correct operation of the TOE’s cryptographic functions.
The TOE will terminate local and remote interactive sessions after a configurable period of inactivity. The TOE additionally provides the capability for administrators to terminate their own interactive sessions. The TOE can be configured to display an advisory and consent warning message before establishing a user session.
The TOE protects interactive communication with remote administrators using SSH (for remote access to the CLI) and remote non-administrative users using HTTPS (for access to the Web UI).
The TOE is able to protect transmission of audit records to an external audit server using TLS. It uses SSH to connect to external IT entities for the purpose of data collection, to support building its model of the network. It also protects communication with the Java client using TLS.