Compliant Product - VMware Unified Access Gateway (UAG) 2209
Certificate Date: 2023.07.06
Validation Report Number: CCEVS-VR-VID11360-2023
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Leidos Common Criteria Testing Laboratory
Administrative Guide: Guidance Supplement
Administrative Guide: Horizon Administration
Administrative Guide: Deploying and Configuring VMware Unified Access Gateway
The Target of Evaluation (TOE) is the VMware Unified Access Gateway (UAG) 2209. The UAG is a virtual network device that is used as a remote access server to allow users on an untrusted network (e.g. a home office or other offsite location) to access enterprise resources on a protected internal network. The UAG is a secure remote access gateway that acts as a reverse proxy for protected network resources and allows a user on an unprotected network to gain access to those resources.
The UAG is responsible for identification and authentication of remote users who are attempting to use other VMware products that are deployed within an enterprise environment. For this TOE, the primary use case is VMware Horizon.
VMware Horizon is a suite of components that establish a virtualization environment within an organization. The Horizon product components collectively allow users to access virtualized desktops or enterprise resources from their end user device. These resources are made available with granular security controls that allow users to access only the capabilities for which they are authorized.
VMware Horizon as a suite consists of several components:
· Horizon Clients are applications that are installed on end user devices. A user accesses their virtual desktop through the Horizon Client.
· Horizon Agents are applications that run on virtual servers in the enterprise environment. These agents facilitate remote access to the desktop of a virtual server or to specific applications running on that server that may be served directly to the virtual desktop.
· The Horizon Connection Server is responsible for brokering connections between Horizon Clients and Horizon Agents to authenticate users and serve appropriate resources to a particular user based on enterprise permissions.
The UAG’s role in this is to be the initial gateway that a Horizon Client interacts with when attempting to access Horizon Agents. The UAG is responsible for maintaining a linkage between the external network connection initiated by the user and the internal network connection that it initiates to other Horizon components. The UAG authenticates the Horizon Client user and passes an assertion to the Connection Server that identifies the user. Based on the user’s privileges, the Connection Server notifies relevant Horizon Agents that an authorized user is requesting access to them. The UAG then establishes a second connection to the relevant Agent(s) that is then used to pass interactions back and forth between the external Horizon Client and the internal Horizon Agent(s). All such interactions occur over separate TLS channels.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the collaborative Protection Profile for Network Devices, Version 2.2e. The evaluation methodology used by the Evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the VMware Unified Access Gateway (UAG) 2209 Security Target, Version 1.0, May 24, 2023. The evaluation was completed in July 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE generates audit records of security-relevant activity. Audit data is stored locally on the TOE in several different files based on event type; local audit records are protected against unauthorized modification and deletion. A log rotation mechanism overwrites the oldest stored records when audit storage space has been exhausted. The TOE can also export all audit records to an external syslog server over a TLS-protected channel.
The TOE implements cryptographic functions in support of trusted communications, key pair generation for X.509 certificate requests, and self-testing. The TOE includes both OpenSSL and Bouncy Castle BC-FJA cryptographic libraries. For trusted communications, the TOE implements TLS as a server with HTTPS, and TLS as a client with and without HTTPS. TLS/HTTPS server connectivity between the environmental Horizon Client and the TOE enforces mutual authentication of TLS client certificates. The TOE relies on platform hardware to generate entropy that is used to seed its DRBG to ensure that generated keys have the advertised security strength.
Identification and Authentication
The TOE uses a local password-based mechanism for administrator authentication. The TOE enforces restrictions on the length and character composition of administrator passwords. Excessive failed authentication attempts on a remote administrative interface will cause a lockout that is resolved by a waiting period. The TOE also uses X.509 certificates for authentication of TLS connections. The TOE has a mechanism by which a certificate signing request can be generated so that it may obtain a certificate for its own use from a trusted CA.
The TOE has a web-based remote management interface as well as a local console. Most functionality is administered over the remote interface. The TOE uses a single Security Administrator role to authorize the use of management functions.
Protection of the TSF
The TOE protects sensitive data from unauthorized access. It enforces integrity of its own contents through the use of self-tests to ensure that the TSF has not been modified. Software updates are obtained through the operational environment (e.g. downloaded from the vendor’s support site); updates have a published hash that an administrator can verify prior to their application.
The TOE controls access through enforcement of idle session timeout on its management interfaces. These interfaces also display a configurable pre-authentication warning banner that advises against unauthorized use of the TOE.
The TOE implements TLS and TLS/HTTPS trusted channels between itself and environmental systems. The TOE also implements a TLS/HTTPS trusted path for secure remote administration.