CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide: Illumio Core® v22.2.30 

Administrative Guide: PCE Administration Guide 

Administrative Guide: Security Policy Guide 

Administrative Guide: VEN Administration Guide 

Illumio Core v22.2.30 is an Enterprise Security Management Policy Management (ESM PM) product that manages communications within, and across, tiers of applications by defining access control policy. The TOE is a software application used in the enterprise setting.

 The TOE is a distributed software application consisting of the Policy Compute Engine (PCE) and the Virtual Enforcement Node (VEN). PCE is designed to run on Red Hat Enterprise Linux (RHEL) 8.2 and to integrate with the Illumio Virtual Enforcement Node (VEN) Access Control application.

The VEN is only evaluated on the Windows 10 enterprise operating system.

The TOE does not include the hardware or operating systems of the systems on which it is installed. It also does not include the third-party software that is required for the TOE to run.

The TOE supports a number of features that are not part of the core functionality. Those features are excluded from scope of the evaluation:

·       Use of the SMTP 

·       High Availability and Failover functionality

·       JSON/REST API use 

·       Policy-based encryption (SecureConnect)

·       Configuration of policy targeting unmanaged Workloads 

·       Linux-based VEN

·       LDAP Authentication

·       VEN running on Linux operating system.

·       All visual aspects of the visualization feature, (also known as Illumination map), except the feature to add rules.

VEN runs on multiple platforms, however not all of them were tested, therefore they are not part of the evaluated configuration.

Platform services: (Excluded from the TOE)

·       Trusted CertificateStore 

·       Syslog daemon (syslog-ng)

·       Operating System (RHEL 8.2; Windows 10 enterprise)

• Platform-provided Cryptographic Module (Red Hat Enterprise Linux OpenSSL Cryptographic Module, Windows Cryptographic Primitives Library)

External IT services:

·       Audit Server (syslog)

·       Authentication Server (SAML)

·       DNS Server

·       NTP Server

Optional external servers:

·       SMTP Server  

·       External Certificate Authority (CA)

Excluded Functionality:

The TOE supports several features that are not part of the evaluated functionality. These features are not tested and excluded from the scope of the evaluation:

·                Use of the SMTP

·                High Availability and Failover functionality

·                JSON/REST API use

·                Policy-based encryption (SecureConnect)

·                Configuration of policy targeting unmanaged Workloads

·                LDAP Authentication

·                VEN running on Linux operating system.

·                All visual aspects of the visualization feature, also known under the term      

·                Illumination map (except the option of “adding rule” through the feature)

The VEN (part of the TOE) runs on multiple OS platforms, however not all of them were tested, only the Windows Enterprise is part of the evaluated configuration.

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Illumio Core v22.2.30 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Illumio Core v22.2.30 Security Target, version 0.6, March 01, 2023, document. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11335-2023 prepared by CCEVS.

Security audit:

The TOE generates audit records of security relevant events as they occur. Any use of a management functions via the Web UI, as well as relevant IT environment events, will be audited. The PCE uses the RHEL auditing daemon (rsyslog or syslog-ng) for storing local audit trail (e.g., in /var/log/), and is capable of uploading logs to an external audit server over a secure channel.

VEN does not use the Windows audit daemon. The VEN sends the following types of audit events to the PCE by invoking the PCE API

• Heartbeat events are reported every 5 minutes.
• Traffic flows are reported every 10 minutes.
• Changes to network interfaces are reported asynchronously.

The PCE generates audit events when the APIs are invoked.

Security Management

The PCE maintains the administrative user roles: Global Organization owner, Global Administrator, Global Viewer, Global Policy Object provisioner, Global Ruleset Provisioner and Full Ruleset Manager, each of these roles has varying levels of privileges which determine what management functions the administrative users are able to perform via the TOE’s Console interface which is a web-based GUI.

The TOE maintains a list of roles. Each authenticated user is automatically associated with a role. Global Organization Owners also have the ability to create custom roles and assign or change all Limited Scope roles.

The TOE restricts management functions to the “Global Organization Owner” administrator role. An administrator will authenticate to the TOE by providing their local or domain user credentials. 

Identification and authentication:

The TOE requires users to be identified and authenticated before they can access any of the TOE’s functions. Users are locked out of their accounts when they fail to log in after consecutive failures. The number of unsuccessful authentication attempts can be configured by changing the default value of the runtime variable in the configuration file.

The TOE also integrates with external authentication servers that manage external domain credentials. The TOE does not directly manage domain passwords and does not implement any Security Functions that creates or modifies these credentials.

The TOE associates all of a user’s security attributes (e.g., username, email, role, scope) with the subjects acting on behalf of that user. Users receive their privileges by way of membership in roles. 

Enterprise Security management:

The Illumio PCE’s policy model supports policies using either a label-based system or plain IP lists.  By using labels, the rules don't require the use of an IP address or subnet, like traditional firewall solutions. Illumio PCE also supports the writing of IP list-based policies, like traditional firewalls.

Once managed workloads (VEN) are labeled, administrators can write policies that use those labels. For example, an administrator can write a policy to allow traffic between the API Server of an ERP application to a specific port on the Database Server of the ERP application.  This makes it easy to write and maintain policies that are understandable by humans.

The TOE implements a whitelist access control policy model; consequently, the TOE does not allow any contradictory policy to be defined.

The PCE generates policy that the VEN consumes and implements. When an administrator modifies or creates a security policy rule, the PCE generates an updated overall policy and calculates policy changes for each affected VEN as part of the process called provisioning. All paired VENs periodically connect to the PCE to check for policy updates. If the VEN cannot connect to the PCE, it continues to enforce the last-known-good policy. If the VEN fails to connect to PCE on two consecutive occasions (an outage approximately corresponding to 10 minutes), the VEN enters a degraded state.

Protection of the TSF:

The TOE internally uses a database as a persistent store to ensure its proper functioning. Login credentials to the PCE console, i.e., passwords of users who are authorized to access the Product, are also stored in the database. Users’ password credentials are stored in the form of salted hashes in the database. The database itself is internal to the Illumio Product.

All secrets, when stored in non-volatile memory, are encrypted by the platform when using an encrypting filesystem in the operational environment. 

The operational environment implements all protocols and handles associated session keys. The TOE does not implement a mechanism designed to circumvent OS security measures. 

TOE access:

The TOE can be configured by an administrator to force an interactive session’s termination based on a timeout value. A remote session that is inactive for the defined timeout value will be terminated. Once terminated, the user will be required to re-enter their username and password in order to establish a new session. The TOE can be configured to display advisory banners as part of the authentication prompt.

Trusted path/channels:

The TOE uses cryptographic primitives provided by the Operation Environment to implement secure channel functionality. The TOE consists of two components PCE and VEN. PCE implements secure remote administration, exports audit records to an external audit server, integrates with an external authentication server, and securely transfers policy updates to VEN. VEN securely connects to PCE to receive policy updates.

The TOE supports SAML-based external authentication server (Active Directory Federation Services). The TOE acts as a SAML consumer and accepts digitally signed tokens as a proof of identity. The TOE supports TLS v1.2 protocol to securely communicate between PCE and VEN. In this case, PCE acts as a server and VEN acts as a client.

Vendor Information