Compliant Product - SecuGATE SIP Server v5.0
Certificate Date: 2022.08.26
Validation Report Number: CCEVS-VR-VID11281-2022
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
PP-Module for Enterprise Session Controller (ESC) Version 1.0
CC Testing Lab: Gossamer Security Solutions
The TOE is the SecuGATE SIP server version 5.0. The SecuGATE SIP Server enables use of the Session Initiation Protocol (SIP) to establish secure connections between mobile devices.
The SecuGATE SIP Server is the centerpiece in the SecuSUITE Security Solution. The SecuSUITE Security Solution includes the SecuGATE SIP server and client software for mobile device platforms. Together these form a system that provides end-to-end secure mobile voice communication and instant messaging, using IP-based mobile data connections such as EDGE, UMTS/HSPA, LTE, and Wi-Fi.
The SecuGATE SIP Server is an infrastructure component of the SecuSUITE Security Solution. The SIP Server does not work in isolation but relies on other infrastructure components to enable secure VoIP communications.
The client software is the target for another evaluation.
The SecuGATE SIP server runs on RHEL 8 OS within an ESXi version 6.7 virtualized environment using one of the following physical platforms.
· Dell PowerEdge R640 system with Intel Xeon Silver 4210 processors (Cascade Lake microarchitecture)
· PacStar 451 system with an Intel Xeon E-2276ME (Coffee Lake microarchitecture).
The Dell PowerEdge R640 system can support either Broadcom Ethernet or Intel Ethernet network interfaces, while the PacStar 451 system supports only Intel Ethernet network interfaces.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the BlackBerry SecuGATE Common Criteria Configuration Guide SecuSUITE for Government 5.0, version 0.7 document, satisfies all of the security functional requirements stated in the SecuGATE SIP Server v5.0 Security Target, Version 0.8, August 22, 2022. The project underwent CCEVS Validator review. The evaluation was completed in August 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11281-2022) prepared by CCEVS.
The logical boundaries of the SecuGATE SIP Server are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE generates audit events for numerous activities including policy enforcement, system management, authentication and system status (i.e., system log records). The TOE also generates call detail records providing information about connections that are mediated by the TOE. A syslog server in the environment is relied on to store audit and system log records generated by the TOE. The TOE generates a complete audit record including the IP address of the TOE, the event details, and the time the event occurred. The time stamp is provided by the TOE appliance hardware.
The TOE contains CAVP-tested cryptographic implementations that provide key management, random bit generation, encryption/decryption, digital signature, secure hashing and keyed-hashing features in support of higher-level cryptographic protocols including HTTPS, NTP, SSH and TLS.
User data protection:
The TOE mediates connections between VVoIP endpoints, allowing enrolled endpoints to establish “calls” with other enrolled endpoints.
Identification and authentication:
The TOE authenticates administrative users. In order for an administrative user to access the TOE, a user account including a user name and password must be created for the user, and an administrative role must be assigned. The TOE performs the validation of the login credentials. The TOE also performs extensive X.509v3 certificate validation checks on certificates it receives as identification and authentication material.
The TOE also provides a Web UI (protected by HTTPS) and Command Line Interface (protected by SSH) to configure the TOE. Security management commands are limited to authorized users (i.e., administrators) and available only after they have provided acceptable user identification and authentication data to the TOE. The security management functions are controlled through the use of privileges associated with roles that can be assigned to TOE users. Among the available privileges, only the Authorized Administrator role can actually manage the security policies provided by the TOE and the TOE offers a complete set of functions to facilitate effective management.
Protection of the TSF:
The TOE implements a number of features designed to protect itself and ensure the reliability and integrity of its security features.
It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability) and can obtain time from external time sources using NTP.
The TOE performs self-tests and integrity checks on TOE executables during system start-up as well as periodically during normal operation. The TOE also includes mechanisms (i.e., verification of the digital signature of each new update package) so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.
The TOE can be configured to display a warning banner when an administrator establishes an interactive session and subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated.
The TOE protects interactive communication with administrators using SSHv2 for CLI access, ensuring both integrity and disclosure protection. The TOE also provides a Web UI API interface for security management that is protected with HTTPS/TLS. If the negotiation of an encrypted session (either SSH or TLS) fails or if the user does not have authorization for remote administration, the attempted connection is not established.
The TOE protects communication with network peers, such as an NTP server, an audit server, VVoIP endpoints, ESC devices for trunking, and a VVoIP conferencing system using TLS connections to prevent unintended disclosure or modification of data.