Compliant Product - Corelight Sensor AP 200, AP 1001, AP 3000 and AP 5000 BroLin v22.1
Certificate Date: 2022.05.02
Validation Report Number: CCEVS-VR-VID11253-2022
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Acumen Security
The TOE is a network device composed of hardware and software that offers a scalable solution to end users. It satisfies all the criteria of the collaborative Protection Profile for Network Devices, Version 2.2e [NDcPP v2.2e]. The TOE operating system is BroLin v22.1. The TOE boundary is the hardware appliance, which comprises hardware and software components.
The TOE is comprised of the following models: AP 5000, AP 3000, AP 1001 and AP 200.
The TOE supports secure connectivity with another IT environment device as stated in Table 1.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Corelight Sensor AP 200, AP 1001, AP 3000 and AP 5000 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered configured as identified in the Corelight Sensor AP 200, AP 1001, AP 3000 & AP 5000 Common Criteria Guidance Document, satisfies all of the security functional requirements stated in the Corelight Sensor AP 200, AP 1001, AP 3000 and AP 5000 BroLin v22.1 Security Target. The project underwent CCEVS Validator review. The evaluation was completed in May 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE implements the following security functional requirements:
• Security Audit
• Cryptographic Support
• Identification and Authentication
• Security Management
• Protection of the TSF
• TOE Access
• Trusted Path/Channels
Each of these security functionalities is described in more detail below:
The TOE generates audit events for all start-up and shut-down functions, and all auditable events as specified in Table 13 of the ST. Audit events are also generated for management actions specified in FAU_GEN.1. The TOE can store audit events locally and export them to an external audit server (via SFTP server using SSH v2). Each audit record contains the date and time of the event, the type of event, the subject identity, and the relevant data of the event.
The TOE provides cryptographic support for the services described in the Corelight Sensor AP 200, AP 1001, AP 3000 and AP 5000 BroLin v22.1 Security Target. The operating system is BroLin v22.1, which is based upon Linux Kernel version 4.19.143. The TOE leverages the Corelight Cryptographic Module for its cryptographic functionality.
Identification and Authentication
The TOE provides authentication services for administrative users to connect to the TOE’s secure CLI administrator interface. The TOE requires Authorized Administrators to authenticate prior to being granted access to any of the management functionality. The TOE supports password-based authentication and public key-based authentication. Password-based authentication can be performed on the serial console. The SSHv2 interface supports authentication using SSH keys.
• Local console CLI administration
• Remote CLI administration via SSHv2
• Password configurations and authentication failure handling
• Users – Security Administrator (Admin)
• Configurable banners to be displayed at login
• Timeouts to terminate administrative sessions after a set period of inactivity
• Protection of secret keys and passwords
Prior to establishing an administration session with the TOE, a banner is displayed to the user. The banner messaging is customizable. The TOE will terminate an interactive session after 60 minutes of session inactivity. A user can terminate their local CLI session and remote CLI session by entering exit at the prompt.
The TOE protects all passwords, pre-shared keys, symmetric keys and private keys from unauthorized disclosure. Passwords are stored on the file system in encrypted format. Passwords are stored as a salted SHA-512 hash value, as per the standard Linux approach. The TOE executes self-tests during initial start-up to ensure correct operation and enforcement of its security functions. An administrator can install software updates to the TOE. The TOE internally maintains the date and time.
The TOE supports SSH v2 for secure communication to the following IT entities: Audit server (via SFTP server). The TOE supports SSH v2 (remote CLI) for secure remote administration.