{"product_id":10035,"v_id":10035,"product_name":"NetApp DataFort FC520 v2, LKM 2.5.1","certification_status":"Not Certified","certification_date":"2009-02-20T00:02:00Z","tech_type":"Sensitive Data Protection, System Access Control","vendor_id":{"name":"NetApp, Inc.","website":"www.netapp.com"},"vendor_poc":"Ajay Singh","vendor_phone":"408-822-3253","vendor_email":"ajay.singh@netapp.com","assigned_lab":{"cctl_name":"CygnaCom Solutions, Inc"},"product_description":"<p>NetApp Inc.&rsquo;s product &ldquo;Decru DataFort FC520v2, LKM 2.5.1&rdquo; is a fault-tolerant 2U security appliance that provides managed, encrypted network storage in a Storage Area Network (SAN). The appliance encrypts network data in transit to storage and decrypts data retrieved from storage, providing authentication, fine-grained access controls and secure logging in the process. As data flows through the DataFort, an encryption algorithm is applied, which transforms cleartext (unencrypted) data into ciphertext (encrypted) data. DataFort supports the creation of secured storage targets called Cryptainer<sup>TM</sup> vaults, in which encrypted data is stored. Data remains encrypted while stored in a Cryptainer vault, protected from unauthorized access. When an authorized host requests data, DataFort checks that the initiator is authorized for the data, decrypts it, and then forwards it to the appropriate network destination. The TOE also includes the Lifetime Key Management<sup>TM</sup> Software and the Decru Host Authentication (DHA) client. The Lifetime Key Management Software is used to manage wrapped keys and configuration information for multiple DataForts within an organization. 
The DHA client-side application software offers an additional level of protection that can be used to ensure that the Windows host issuing an I/O request is the authorized host.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Decru DataFort FC520v2, LKM 2.5.1 software was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL4 augmented with ALC_FLR.1. A validator, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in November 2008.</p>\r\n<p>Note: For this evaluation, it was appropriate for the Security Target to claim compliance with the external standard for AKEP2. There are many ways of determining compliance with a standard. Decru DataFort FC520v2 has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third-party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.</p>","environmental_strengths":"<p>The following security functions are in the scope of the evaluation:</p>\r\n<ul>\r\n<li><strong>Audit</strong> &ndash; Audit records are generated within the TOE for the specified security-relevant events. 
The DataFort may be configured to store audit log messages in temporary storage in RAM, in the DataFort internal database and/or on a remote syslog server. In the Common Criteria configuration, the DataFort must be configured to store log messages both in its internal database and on a remote syslog server. The LKM server software stores audit records locally on the LKM server. Audit records on the LKM server may be viewed with a standard text editor. Audit records from the Windows-based DHA client system are stored locally on the DHA client system. In addition, the DHA client software may be configured to send audit records to a remote syslog server or to the DHA system&rsquo;s local Windows event logger.</li>\r\n<li><strong>Cryptographic Support</strong> &ndash; The TOE provides cryptographic services to implement TSF security functionality such as user data protection, identification and authentication, protection of TSF data, and trusted channels. The TOE contains a separate, physically secure cryptographic module, the Storage Encryption Processor (SEP). The SEP performs cryptographic operations in support of zeroization and self-protection. The SEP has received FIPS 140-2 level 3 certification, certificate No. 833.</li>\r\n<li><strong>User data protection</strong> - The TOE enforces a crypto-based information flow control policy to ensure that only authorized subjects are able to access plaintext user data. DataFort Administrators can compartmentalize aggregated data in shared storage using Cryptainer storage vaults. Cryptainer vaults, or &ldquo;Cryptainers&rdquo;, cryptographically partition stored data at the level of Logical Unit Numbers (LUNs) and so provide an additional layer of threat containment. 
Administrators may specify information flow rules that determine which Fibre Channel Initiators (HBAs) may access which LUNs.</li>\r\n<li><strong>Identification and Authentication</strong> - The TOE is capable of authenticating administrators, users, and IT entities. Users are authenticated by passwords and possession of a Smart Card, depending upon their role. A DataFort administrator must be associated with an Admin Card and authorized by another DataFort Administrator with the Authorizer role in order to access the WebUI interface. IT entities are authenticated using cryptographic authentication protocols [authentication protocols that involve cryptography] and password-based authenticated protocols [protocols that use cryptography to protect the credentials (username/password)]. Access to security functions and data is prohibited until a user is identified, with the exception that Fibre Channel Initiators may send non-data status commands prior to identification and authentication.</li>\r\n<li><strong>Security Management</strong> - The TOE supports multiple administrative roles to support separation of security management functions. DataFort Administrators include the Full Administrator, who can perform all DataFort administrative functions through the WebUI interface, and &ldquo;specialty&rdquo; administrators, who can each perform a subset of the DataFort administrative functions and can be used to enforce separation of duty. DataFort Administrators may also execute a limited set of security management commands through the serial port of the DataFort appliance.\r\n<p>The Physical Security Officer is responsible for inserting the System Card into the front of the DataFort prior to boot. This ensures that the DataFort cannot be booted unless the Physical Security Officer is present.</p>\r\n<p>The LKM Software is managed locally at the LKM Server by the LKM operator. Recovery Officers are required to perform secure installation and/or recovery operations. 
Recovery Officers do not perform runtime TOE administration. Recovery Officers are authenticated by a password and the possession of a smart card, the Recovery Card, and may only perform operations when acting in a quorum. During installation/recovery operations, key material is backed up and/or shared with other DataFort appliances.</p></li>\r\n<li><strong>Protection of the TSF</strong> - The TOE supports fault-tolerant configurations in which DataFort appliances are clustered together to provide failover in case of link failure. The fault-tolerance feature requires installation of an additional TOE in the evaluated configuration and the use of failover-capable software running on the initiator.\r\n<p>The TOE contains two security zones that perform self-protection functions. The first zone consists of the TOE platform software. Multiple software protection mechanisms, such as a non-executable stack and heap, the segregation of network-based interface processes into chroot areas, BSD security levels, and immutable/no-unlink bits on executables, protect the platform software from modification.</p>\r\n<p>The second security zone consists of the Storage Encryption Processor (SEP), which is a FIPS 140-2 level 3 cryptographic module with its own physical security. The SEP maintains a potentially adversarial relationship with the first zone and protects itself against compromise by the first zone, in the sense that compromise of the TOE platform zone will neither reduce the entropy of Cryptainer Keys nor disclose SEP CSPs.</p>\r\n<p>The DataFort appliance supports reliable time stamps in conjunction with an NTP Server in the IT environment.</p></li>\r\n<li><strong>Trusted Channel</strong> - The TOE, in conjunction with the IT environment, protects TSF data from unauthorized disclosure or modification when it is being transmitted between distributed components of the TOE and copies of the TOE. 
The TOE supports the following trusted channels between:\r\n<ul>\r\n<li>The DataFort and the LKM Software running on the LKM Server using TLSv1,</li>\r\n<li>The DataFort and the Management Station running the WebUI using TLSv1,</li>\r\n<li>Two DataForts within a cluster using IPsec, and</li>\r\n<li>A DataFort and a DataFort trustee using ECCDH and AES.</li>\r\n</ul></li>\r\n</ul>","features":[]}