CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

This section provides an overview of the TOE architecture, including physical boundaries, security functions, and relevant TOE documentation and references. In the below diagram, the TOE consists of the appliance within the blue line. Everything else is not included within the TOE and is part of the TOE environment.

Physical Boundaries

The TOE consists of the following hardware:

• ISA 6000
• ISA 8000C
• ISA 8000F

Running:

• Ivanti Policy Secure (IPS) v22.2R3

The TOE can also be a virtual appliance (ISA-V) on VMware ESXi 6.7, with a Dell PowerEdge R640 as the hardware platform. The IPS software runs on any of the TOE hardware appliance platforms or on a virtual appliance. The TOE is delivered with the IPS v22.2R3 software installed on one of the ISA appliances. The platforms provide different amounts of processing power and network connectivity options.

Table 1- TOE Hardware Details

The TOE can also be a virtual appliance on VMware ESXi 6.7, with a Dell PowerEdge R640 as the hardware platform. ESXi is a bare-metal hypervisor so there is no underlying operating system. In the evaluated configuration, there are no guest VMs on the physical platform providing non-network device functionality. The virtual appliance platform is described below.

The virtual appliance can be download by customers from https://my.pulsesecure.net/ and installed on compliant hardware listed below. License are provided by Ivanti Secure via email. When a customer request is received, Ivanti will provide an authcode via email. Customers must register in https://my.pulsesecure.net portal and generate the license string by providing Hardware id with earlier provided authcode. These auth codes are not reusable.

Table 2 – Vmware Host Details

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Ivanti Policy Secure 22.2 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5.  Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1.  The product, when delivered configured as identified in the Ivanti Policy Secure 22.2 Common Criteria Configuration Guide, satisfies all of the security functional requirements stated in the Ivanti Policy Secure 22.2 Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in March 2024.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

The TOE provides the security functions required by the Collaborative Protection Profile for Network Devices, hereafter referred to as NDcPP v2.2e or NDcPP.

Security Audit

The TOE generates audit records for security relevant events. The TOE maintains a local audit log as well as sending the audit records to a remote Syslog server. Audit records sent to the remote server are protected by a TLS connection. Each audit record includes identity (username, IP address, or process), date and time of the event, type of event, and the outcome of the event. The TOE prevents modification to the local audit log.

Cryptographic Support

The TOE includes the Ivanti Secure Cryptographic Module that implements CAVP-validated cryptographic algorithms for random bit generation, encryption/decryption, authentication, and integrity protection/verification. These algorithms are used to provide security for the TLS and HTTPs connections for secure management and secure connections to a syslog server. TLS and HTTPs are also used to verify firmware updates.

Identification and Authentication

The TOE authenticates administrative users using a username/password or username/X.509 certificate combination. The TOE does not allow access to any administrative functions prior to successful authentication. The TOE validates and authenticates X.509 certificates for all certificate uses.

The TOE supports passwords consisting of alphanumeric and special characters and enforces minimum password lengths. The TSF supports certificates using RSA or ECDSA signature algorithms. The TOE only allows users to view the login warning banner and send/receive ICMP packets prior to

authentication.

Remote administrators are locked out after a configurable number of unsuccessful authentication attempts.

Security Management

The TOE allows users with the Security Administrator role to administer the TOE over a remote web UI or a local CLI. These interfaces do not allow the Security Administrator to execute arbitrary commands or executables on the TOE. Security Administrators can manage connections to an external Syslog server, as well as determine the size of local audit storage.

Protection of the TSF

The TOE implements several self-protection mechanisms. It does not provide an interface for the

reading of secret or private keys. The TOE ensures timestamps, timeouts, and certificate checks are accurate by maintaining a real-time clock. Upon startup, the TOE runs a suite of self-tests to verify that it is operating correctly. The TOE also verifies the integrity and authenticity of firmware updates by verifying a digital signature of the update prior to installing it.

TOE Access

The TOE can be configured to display a warning and consent banner when an administrator attempts to establish an interactive session over the local CLI or remote web UI. The TOE also enforces a configurable inactivity timeout for remote and local administrative sessions.

Trusted Path/Channels

The TOE uses TLS to provide a trusted communication channel between itself and remote Syslog servers. The trusted channels utilize X.509 certificates to perform mutual authentication. The TOE initiates the TLS trusted channel with the remote server.

The TOE uses HTTPS/TLS to provide a trusted path between itself and remote administrative users. The TOE does not implement any additional methods of remote administration. The remote administrative users are responsible for initiating the trusted path when they wish to communicate with the TOE.    

Vendor Information