NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - MMA10G-EXE Series

Certificate Date:  2024.04.05

Validation Report Number:  CCEVS-VR-VID11428-2024

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.2e

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The MMA10G-EXE Series switches are Internet Protocol (IP) switches optimized for video-over-IP traffic (compressed or uncompressed). The TOE is classified as a network device (a generic infrastructure device that can be connected to a network). Models of the EXE included in the evaluation provide identical functionality. The only differences between them are the supported speed, the physical size, the number of physical interfaces supported, and the processor. These differences are detailed at the end of this section.

The EXE builds on the capabilities of the existing Evertz line of video routing switches. Video routers receive video signals in various formats, such as Serial Digital Interface (SDI), Serial Data Transport Interface (SDTI), or Asynchronous Serial Interface (ASI), and switch dedicated physical input ports to dedicated physical output ports based on external commands. The EXE provides the same capability within the context of packet-based networks using shared network infrastructure.

The TOE provides a packet-based switching fabric from a video perspective, rather than relying on traditional packet-based network architecture.

A typical EXE installation will also include a standard video routing switch software platform (such as Evertz Magnum) to route data between program streams in a manner sufficient to meet broadcast video standards for signal availability and integrity. Equipment to prepare video for IP transport, or to convert it into other video formats, and non-network-based video switching/processing, is outside the scope of this TOE. Such equipment includes, but is not limited to, cameras, KVMs, codecs, video servers and video displays. Equipment to perform functions such as embedding audio and/or other information within the video stream is also outside the scope of this TOE.

The TOE provides secure remote management using an HTTPS/TLS web interface. Administrators only may access EXE via a dedicated management workstation operating over an Out-of-Band Management (OOBM) network. Sites may close this OOBM network or may operate EXE within an existing OOBM as long as the topology is compliant with the security parameters listed below. Users and administrators may also access EXE software via direct connection using a terminal session.


Evaluated Configuration

The TOE generates audit logs and transmits the audit logs to a remote syslog server over an authenticated TLS channel. The TOE verifies the authenticity of software updates by verifying the digital signature prior to installing any update.

The summary of the evaluated functionality provided by the TOE includes the following:

· Secure connectivity with remote audit servers and secure retention of audit logs locally
· Identification and authentication of the administrator of the TOE
· Secure remote administration of the TOE via TLS and secure Local administration of the TOE
· Secure access to the management functionality of the TOE
· Secure software updates
· Secure communication with the non-TOE ‘video switch control systems’ via TLS.

The TOE hardware devices are the Evertz:

The EXE appliances are Ethernet switches optimized for video content.

The item outlined in red is considered the TOE boundary for testing purposes:


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Evertz MMA10G-EXE Series was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Rev 5, April 2017.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5.  The product, when delivered configured as identified in the MMA10G-EXE Series Security Administration Guide Addendum for Common Criteria, version 1.2, March 2024, satisfies all of the security functional requirements stated in the MMA10G-EXE Series Security Target, version 1.4, March 2024. The project underwent CCEVS Validator review.  The evaluation was completed in April 2024.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11428-2024) prepared by CCEVS.


Environmental Strengths

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.

· Security Audit
· Cryptographic Support
· Identification and Authentication
· Security Management
· Protection of the TSF
· TOE Access
· Trusted Path/Channels

The TOE provides the security functions required by the Collaborative Protection Profile for Network Devices, hereafter referred to as NDcPP v2.2e or NDcPP.

Security Audit:

The TOE’s Audit security function supports audit record generation and review. The TOE provides date and time information that is used in audit timestamps. The Audit events generated by the TOE include:

· Establishment of a Trusted Path or Channel Session
· Failure to Establish a Trusted Path or Channel Session
· Termination of a Trusted Path or Channel Session
· Failure of Trusted Channel Functions
· Identification and Authentication
· Unsuccessful attempt to validate a certificate
· Changes to trust anchors in the TOE’s trust store
· Any update attempts
· Result of the update attempt
· Management of TSF data
· Changes to Time
· Session termination for inactivity
· Power-on self tests verification
· Changes to audit server configuration
· Users locked out due to failed authentication attempts

The TOE can store the generated audit data on itself, and it can be configured to send syslog events to a syslog server using a TLS-protected collection method. Logs are classified into various predefined categories. The logging categories help describe the content of the messages that they contain. Access to the logs is restricted to Security Administrators, who are authorized to edit, copy, or delete (clear) them. Audit records are protected from unauthorized modifications and deletions.

The TSF provides the capability to view audit data by using the Syslog tab in the local console. The log records the time, host name, facility, application, and “message” (the log details). When the allocated space for these records reaches the threshold, the previous audit records are overwritten on a FIFO basis.

Cryptographic Support:

The TOE includes an OpenSSL library (Version 1.1.1k with Fedora Patches) that implements CAVP validated cryptographic algorithms for random bit generation, encryption/decryption, authentication, and integrity protection/verification. These algorithms are used to provide security for the TLS/HTTPS connections for secure management and secure connections to syslog and authentication servers. TLS and HTTPS are also used to verify firmware updates. The cryptographic services provided by the TOE are described below:

Table 3 – TOE Cryptographic Protocols

| Cryptographic Protocol | Use within the TOE |
|---|---|
| HTTPS/TLS (client) | Secure connection to syslog. FCS_HTTPS_EXT.1, FCS_TLSC_EXT.1 |
| HTTPS/TLS (server) | Peer connections to MAGNUM and remote management. FCS_HTTPS_EXT.1, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2 |
| AES | Provides encryption/decryption in support of the TLS protocol. FCS_TLSC_EXT.1, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2 |
| DRBG | Deterministic random bit generation used to generate keys. FCS_TLSS_EXT.1, FCS_TLSS_EXT.2, FCS_RBG_EXT.1 |
| Secure hash | Used as part of digital signatures and firmware integrity checks. FCS_COP.1/Hash, FCS_TLSC_EXT.1, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2 |
| HMAC | Provides keyed hashing services in support of TLS. FCS_COP.1/KeyedHash, FCS_TLSC_EXT.1, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2 |
| EC-DH | Provides key establishment for TLS. FCS_CKM.2, FCS_TLSC_EXT.1, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2 |
| ECDSA | Provides components for EC-DH key establishment. FCS_CKM.1, FCS_CKM.2, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2 |
| RSA | Provides key establishment, key generation and signature generation and verification (PKCS1_V1.5) in support of TLS. FCS_CKM.1, FCS_COP.1/SigGen, FCS_COP.1/SigVer, FCS_TLSC_EXT.1, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2 |

Each of these cryptographic algorithms has been validated for conformance to the requirements specified in its respective standard, as identified below, and is part of the EXE Cryptographic Module.

Table 4 – CAVP Algorithm Testing References

| Algorithm | Standard | CAVP Certificate # | Processors |
|---|---|---|---|
| AES 128/256-bit CBC, GCM | ISO 19772 (GCM) | A2573 | Intel(R) Core (TM) i3-4102E C (Haswell); Intel(R) Xeon(R) E3-1505M v5 (Skylake) |
| CTR DRBG using AES 256 | ISO/IEC 18031:2011 | A2573 | Intel(R) Core (TM) i3-4102E C (Haswell); Intel(R) Xeon(R) E3-1505M v5 (Skylake) |
| EC-DH | NIST SP 800-56A (key establishment) | A2573 | Intel(R) Core (TM) i3-4102E C (Haswell); Intel(R) Xeon(R) E3-1505M v5 (Skylake) |
| ECDSA | FIPS PUB 186-4 (key generation) | A2573 | Intel(R) Core (TM) i3-4102E C (Haswell); Intel(R) Xeon(R) E3-1505M v5 (Skylake) |
| HMAC-SHA-1/256/384 | ISO/IEC 9797-2:2011 | A2573 | Intel(R) Core (TM) i3-4102E C (Haswell); Intel(R) Xeon(R) E3-1505M v5 (Skylake) |
| SHA-1/256/384 | ISO/IEC 10118-3:2004 | A2573 | Intel(R) Core (TM) i3-4102E C (Haswell); Intel(R) Xeon(R) E3-1505M v5 (Skylake) |
| RSA 2048/3072 | FIPS PUB 186-4 (key generation and Digital Signature); ISO/IEC 9796-2 (digital signature) | A2573 | Intel(R) Core (TM) i3-4102E C (Haswell); Intel(R) Xeon(R) E3-1505M v5 (Skylake) |

Identification and Authentication:

All Administrators wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services other than the display of the warning banner. (“Regular” EXE users do not access EXE directly; they control IP video switching through the EXE using a switch control system, such as Evertz’s Magnum. The switching of those IP video transport streams is outside the scope of the TOE.)

Once an Administrator attempts to access the management functionality of the TOE, the TOE prompts the Administrator for a username and password for password-based authentication. The identification and authentication credentials are confirmed against a local user database. Only after the Administrator presents the correct identification and authentication credentials will access to the TOE functionality be granted. If the user fails to provide the correct authentication credentials, the user will be locked out after a configurable threshold until the user is manually unlocked by an Administrator.

The TOE provides the capability to set password minimum length rules. This is to ensure the use of strong passwords in attempts to protect against brute force attacks. The TOE also accepts passwords composed of a variety of characters to support complex password composition. During authentication, no indication is given of the characters composing the password.

Remote administrators are locked out after a configurable number of unsuccessful authentication attempts.

The EXE requires a password-protected serial connection to perform initial configuration of the system IP address(es). Once each address is established, administrators use IP connectivity for all further administrative actions, including configuration, operations, and monitoring.

The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for TLS/HTTPS connections.

Security Management:

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure session or a local console connection. The TOE provides the ability to perform the following actions:

· Administer the TOE locally and remotely;
· Configure the access banner;
· Configure the session inactivity time before session termination or locking;
· Update the TOE, and to verify the updates using digital signature capability prior to installing those updates;
· Specify the time limits of session inactivity;
· Ability to modify the IP address and the port of the remote syslog server;
· Generate Certificate Signing Requests, import and manage x509 certificates, delete/replace x509 certificates;
· Re-enable an Administrator account;
· Set the time which is used for time-stamps.

All these management functions are restricted to Security Administrators who are authorized to administer the TOE via a local CLI and a remote web interface. Administrators are individuals who manage specific types of administrative tasks. The EXE implements role-based access control of these management functions to users that have been identified, authenticated, and authorized with the Security Administrator role.

Primary management is done using the Webeasy web-based interface using HTTPS. This provides a network administration console from which one can manage various identity services. These services include authentication, authorization, and reporting. All these services can be managed from the interface, which uses a menu-driven navigation system.

There is also a very simple serial-based connection (RS-232) that provides a simple menu interface. This is used to configure the IP interface (IP address, etc.). It is password-protected, and is typically only used once, for initial set-up.

Protection of the TSF:

The TOE will terminate inactive sessions after an Administrator-configurable time period. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session. The TOE provides protection of TSF data (authentication data and cryptographic keys). In addition, the TOE internally maintains the date and time. This date and time is used as the time stamp that is applied to TOE generated audit records. The TOE also ensures firmware updates are from a reliable source. Finally, the TOE performs testing to verify correct operation.

An administrator initiates update processes from the web interface for all update installations. EXE automatically uses the RSA digital signature mechanism to confirm the integrity of the product before installing the update.

TOE Access:

Aside from the automatic Administrator session termination due to inactivity described above, the TOE also allows Administrators to terminate their own interactive session. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session.

The TOE will display an Administrator-specified banner on the web browser management interface prior to allowing any administrative access to the TOE.

Trusted Path/Channels:

The TOE allows the establishment of a trusted channel between a video control system (such as Evertz’ Magnum) and the EXE. The TOE also establishes a secure connection for sending syslog data to a syslog server using TLS.

The TOE uses HTTPS/TLS to provide a trusted path between itself and remote administrative users. The TOE does not implement any additional methods of remote administration. The remote administrative users are responsible for initiating the trusted path when they wish to communicate with the TOE.


Vendor Information


Evertz Microsystems
Paulo Francisco
905-335-3700
pfrancisco@evertz.com

www.evertz.com