{"product_id":10020,"v_id":10020,"product_name":"DataPower XS40 XML Security Gateway and X150 Appliance Version 3.6","certification_status":"Not Certified","certification_date":"2008-12-30T00:12:00Z","tech_type":"Firewall","vendor_id":{"name":"DataPower Technology, Inc. a wholly owned subsidiary of IBM Corporation","website":"http://www.datapower.com/"},"vendor_poc":"Bruce Burdumy, Director, Product Management","vendor_phone":"914-766-1655","vendor_email":"Bburdumy@us.ibm.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>The TOE is the IBM DataPower XS40 XML Security Gateway and the XI50 Integration Appliance, version 3.6 (XS40 and XI50), developed by DataPower Technology, Inc. of Cambridge, MA. DataPower is a wholly-owned subsidiary of IBM.&nbsp; The XS40 and XI50 are network devices that provide Application-Level Firewall functionality.&nbsp; They are hardware enforcement points for Application-Level Firewall policies.&nbsp; The TOE boundary is the hardware appliance and includes the OS and router application software loaded on the appliance.&nbsp; The XS40 and XI50 are separate products, but from the TOE viewpoint are identical when configured in the evaluated configuration.</p>\r\n<p>The TOE is a special-purpose device that serves as an HTTP-based proxy for one or more backend enterprise services. As such, an important function of the TOE is transformation of an incoming URL into a URL appropriate for the desired backend service and/or transformation of one or more HTTP message header fields. 
The TOE also provides the typical firewall services of blocking messages from undesired subject addresses, and throttling messages.</p>\r\n<p>The TOE allows administrators to set firewall policies based on</p>\r\n<ul>\r\n<li>Presumed address of the source subject</li>\r\n<li>Presumed address of the destination subject</li>\r\n<li>Transport layer protocol</li>\r\n<li>Interface on which traffic arrives and departs</li>\r\n<li>Service (expressed as a URL)</li>\r\n</ul>\r\n<p>The TOE also allows administrators to set firewall policies based on HTTP header values (with HTTP considered as an application protocol; TCP is the transport protocol).</p>\r\n<p>The TOE does not allow any information flow through it except under administrative directive. The default policy is \"no traffic flow\".</p>\r\n<p>The TOE will not accept any malformed (i.e. deviating from specification) messages. All layers in the communications protocol stack are validated for correctness. Management must be performed locally using a management interface that is included in the Target of Evaluation (TOE).</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3.  Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the TOE is EAL 4 augmented with ALC_FLR.1.  
The TOE, configured as specified in the secure deployment guide, satisfies all of the security functional requirements stated in the Security Target.  Several validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC.  The evaluation was completed in November 2008.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for IBM DataPower XS40 XML Security Gateway and the XI50 Integration Appliance, version 3.6 (XS40 and XI50) prepared by CCEVS.</p>","environmental_strengths":"<p>The TOE is a specialized configuration of an application firewall as defined in the U.S. Department of Defense Application-level Firewall Protection Profile for Basic Robustness Environments.  It limits traffic to correctly formed HTTP over TCP/IP and filters traffic according to administrator-defined policies.</p>","features":[]}