Compliant Product - CA Privileged Access Manager Version 2.5.5
Product Description
The PAM Server includes a set of services executing on a hardened Linux platform, the X304L.
The PAM Server is one component of the PAM product.
The PAM Server sits logically between the users and servers, mediating access attempts (connections) between the entities. Because the PAM Server is not physically between the users and servers, it is the responsibility of the Operational Environment to ensure that all users access the protected servers via PAM. The PAM Server provides the policy management component of the PAM product, along with a portion of the access control aspects of the product.
Environmental Strengths
PAM enables enterprises to secure access to critical infrastructure by enforcing configured policies to limit connectivity between users (including privileged users) and targets. The PAM Server acts as the Policy Manager (PM) for the PAM product components, enabling policies to be configured and distributed to access control components.
The PAM Server GUI enables administrators to configure policies controlling which users may access which target devices, and by which access mechanisms (protocols). The policies operate within a “deny all, permit by exception” model. Attributes for users (subjects) and targets (objects) may be defined, and policies specify authorized connections between the configured users and targets. The policies may also specify whether users are permitted to connect to a third system after connecting to a target according to a policy.
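The policy model described above, as an added example that is not CA's code or the PAM policy format: a default-deny evaluator in which a connection is allowed only when some policy matches the user attribute, target attribute and protocol, and continuing to a third system requires a policy that explicitly allows it. The class names, field names and sample groups and tags are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One permit rule. Hypothetical schema, not the PAM policy format."""
    user_group: str              # attribute of the subject (user)
    target_tag: str              # attribute of the object (target device)
    protocols: frozenset         # access mechanisms this rule permits
    allow_onward: bool = False   # may the user continue to a third system?

@dataclass(frozen=True)
class Request:
    user_groups: frozenset
    target_tags: frozenset
    protocol: str
    onward_hop: bool = False     # True: continuing from this target to a third system

def decide(policies, req):
    """Return (allowed, reason); a request no policy matches is denied."""
    for p in policies:
        if (p.user_group in req.user_groups
                and p.target_tag in req.target_tags
                and req.protocol in p.protocols
                and (p.allow_onward or not req.onward_hop)):
            return True, f"permit: {p.user_group} -> {p.target_tag} via {req.protocol}"
    return False, "deny: no policy permits this connection"

# Constructed sample policies (groups and tags are made up).
POLICIES = [
    Policy("dba", "database", frozenset({"ssh"})),
    Policy("netops", "router", frozenset({"ssh", "https"}), allow_onward=True),
]

def demo():
    dba = frozenset({"dba"})
    netops = frozenset({"netops"})
    db = frozenset({"database", "prod"})
    rtr = frozenset({"router"})
    cases = {
        "dba ssh to database": Request(dba, db, "ssh"),
        "dba rdp to database": Request(dba, db, "rdp"),
        "dba ssh to router": Request(dba, rtr, "ssh"),
        "dba onward from database": Request(dba, db, "ssh", onward_hop=True),
        "netops onward from router": Request(netops, rtr, "ssh", onward_hop=True),
    }
    return {name: decide(POLICIES, r)[0] for name, r in cases.items()}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {name}")
```

The deny result comes from falling off the end of the loop rather than from a deny rule, so an empty or misconfigured policy set blocks every connection instead of permitting it.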
Users and administrators may connect to the PAM Server GUI via HTTPS. Credentials required to gain access to the GUI are imported from an enterprise server (such as Active Directory) and saved on the PAM Server as salted SHA-512 hashes for validation. The imported credentials are periodically updated from the enterprise server. Credentials supplied by users during login are hashed (SHA-512 with salt) and compared to the saved values by the PAM Server.
After successful login, administrators are provided access to the GUIs for configuration of the server and policies. Both users and administrators have access to a list of targets that they are permitted to connect to, and may activate one or more of those connections via the HTTPS session.
Administrators may also define rules to restrict access to the GUI to specific days and/or times, as well as from specific IP addresses. HTTPS sessions may be terminated by the users; idle sessions are also terminated by the TOE after a configured period of time.
The PAM Server communicates policies and audit configuration information to other product components, such as the Socket Filter Agents executing on target systems. Policies are transmitted to remote components via trusted channels.
Audit records are generated for security relevant events on the TOE. The PAM Server acts as the audit server for its own audit records, so audit records are stored locally. Functionality is provided by the PAM Server for the viewing of audit records by authorized users, but this functionality is outside the scope of this evaluation.
Vendor Information
CA, Inc.
http://www.ca.com/