Compliant Product - NIKSUN NetOmni, and NetDetector/NetVCR/LogWave running Everest Software v126.96.36.199
Certificate Date: 2022.01.19CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11204-2022
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Acumen Security
The TOE includes the NIKSUN NetOmni, and NIKSUN NetDetector/NetVCR/LogWave appliances, running the software Everest version 188.8.131.52. NIKSUN NetOmni, and NetDetector/NetVCR/LogWave independently represents a TOE. Each of the appliances are running the exact same Everest software and the functionality is distinguished based on the licenses that are activated on the appliance.
Table 1 - TOE Hardware Models
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the NetOmni and NetDetector/NetVCR/LogWave were evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5, April 2017. The product, when delivered configured as identified in the NIKSUN NetOmni, and NetDetector/NetVCR/LogWave running Everest software v184.108.40.206 Common Criteria Guidance Addendum, Version 1.2, January 13, 2022, satisfies all of the security functional requirements stated in the NIKSUN NetOmni, and NetDetector/NetVCR/LogWave running Everest software v220.127.116.11 Security Target, Version 0.8, January 06, 2022. The project underwent CCEVS Validator review. The evaluation was completed in January 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11204-2022) prepared by CCEVS.
The TOE provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions. The TOE generates an audit record for each auditable event. The TOE keeps local and remote audit records of security relevant events. The TOE internally maintains the date and time, which can be set manually. Each security relevant audit event has the date, timestamp, event description, and subject identity. The TOE provides the administrator with a circular audit trail. The TOE can be configured to transmit its audit messages to an external syslog server over an encrypted channel using TLS.
The TOE relies on its NIKOS FIPS Object Module and NIKOS Java Object Module to implement cryptographic methods and trusted channels. The TOE uses mutually authenticated TLS to secure the automatic transfer of syslog audit files and VAR logs to the Syslog Server. The TOE uses TLS to secure the connection to the LDAP/AD Server for remote authentication. When a user utilizes the “Forgot Username/Password” feature on the login screen, the TOE will send an email to the SMTP Server over a protected TLS channel. TOE communicates with another NIKSUN appliance over TLS. X.509v3 certificates are used to support authentication mechanisms. SSH is used to secure the remote CLI interface for remote management of the TOE. SSH is also used to secure the communication with the SCP Server when the TOE receives software image updates. TLS/HTTPS is used to secure the connection for remote management of the TOE via the web GUI as well as connections to other devices. The TOE will deny any connections for disallowed protocols and invalid X.509v3 certificates.
Identification and Authentication
The TOE verifies the identity of users connecting to the TOE. All users must be identified and authenticated before being allowed to perform actions on the TOE. This is true of users accessing the TOE via the local console, or through protected paths using the remote CLI via SSH or the web GUI via TLS 1.2. Users can authenticate to the TOE using a username and password. In addition, when authenticating by the remote CLI, users can instead use SSH public-key authentication. LDAP can be configured to provide external authentication. Passwords can consist of upper-case letters, lower-case letters, numbers, and a set of selected special characters. Password information is never revealed during the authentication process including during login failures. Before a user authenticates to the device, a customizable warning banner is configured to be displayed. In addition, via the web GUI only, the user has the option to use a “Forgot Username/Password” feature prior to authenticating.
The TOE uses X.509v3 certificates to perform mutual authentication for the Syslog Server. The TSF determines the validity of the certificates by confirming the validity of the certificate chain and verifying that the certificate chain ends in a trusted Certificate Authority (CA). The TSF connects with a CRL distribution point through HTTP to confirm certificate validity and to access certificate revocation lists (CRL).
The TOE has a role-based authentication system where roles (permissions) are assigned to groups for the web GUI. Authorized actions for a particular user are dependent on which group they are assigned to. There are 4 initial groups: Administrator, Account Administrator, Advanced Users, and Users. Only users assigned to the Administrator group can perform SFR related management functions via the web GUI and thus, are Security Administrators in the context of the evaluation. The VCR user is the Security Administrator user for the remote and local CLI and can update the TOE’s software and verify it via published hash.
The NDcPP’s definition of “role” is synonymous with NIKSUN’s definition of “permissions”. NIKSUN’s terminology fits into the Protection Profiles by using the term “user roles” in place of “user permissions”. For the remainder of this document, “user permissions” is used to match the terminology used by Common Criteria.
Protection of the TSF
The TOE stores passwords in a variety of locations depending on their use and encryption. They cannot be viewed by any user regardless of the user’s role. The VCR user passwords are stored in the OS hashed by SHA-512. Web GUI passwords are stored in the PostgreSQL Database hashed with SHA-256. Pre-shared keys, symmetric keys, and private keys cannot be accessed in plaintext form by any user. There is an underlying hardware clock that is used for accurate timekeeping and is set by the Security Administrator. Power-on self-tests are executed automatically when the cryptographic module is loaded into memory. It verifies its own integrity using an HMAC-SHA-256 digest computed at build time and tests all algorithms for integrity. The TOE also performs self-tests on the CPU, RAM, and disk components. The TOE’s DRBG also performs its own health tests.
The version of the TOE is verified via the CLI or web GUI. The TOE is updated by the VCR user via the CLI. Updated software images are downloaded to the SCP Server and are transferred to the TOE via the SCP using SSH. The administrator is also capable of copying the image to a CD and manually loading it to the TOE. The TOE conducts a hash verification on the system image using SHA-256 against the known hash to ensure the integrity of the update.
Before any user authenticates to the TOE, the TOE displays a configurable Security Administrator banner for the web GUI. The local and remote CLI interfaces display the default security banner prior to authentication that is also configurable. The TOE can terminate local CLI, remote CLI, and web GUI sessions after a specified time period of inactivity. Administrative users have the capability to terminate their own sessions.
The TOE connects and sends data to IT entities that reside in the Operational Environment via trusted channels. In the evaluated configuration, the TOE connects to Syslog Server via TLS to send audit data for remote storage. The TLS connection to the Syslog server is over mutually authenticated TLS channel. TLS is used to connect to an SMTP email server for secure credentials reset. TLS is also used for the TOE’s connection with the LDAP/AD Server for its remote authentication store. TLS is used for the transfer of data between the NIKSUN appliances. SSH is used for the connection to the SCP Server when the TOE receives software image updates.
TLS/HTTPS and SSH are used for remote administration of the TOE via the web GUI and remote CLI respectively.