{"product_id":10076,"v_id":10076,"product_name":"Cisco ACE XML Gateway and Manager Version 5.0.3","certification_status":"Not Certified","certification_date":"2008-08-12T00:08:00Z","tech_type":"Firewall","vendor_id":{"name":"Cisco Systems, Inc.","website":"https://www.cisco.com"},"vendor_poc":null,"vendor_phone":"+1 410 309 4862","vendor_email":"certteam@cisco.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>&nbsp;</p>\r\n<div style=\"margin: 0pt 0pt 6pt\"><font size=\"2\">The Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 is a self-contained IT appliance that can be configured to run as a Cisco ACE XML Gateway, as a Cisco ACE XML Manager, or as both Gateway and Manager simultaneously. The evaluated configuration excludes the configuration that runs both the Manager and the Gateway simultaneously on a single ACE XML appliance.</font></div>\r\n<div style=\"text-justify: inter-ideograph; margin: 3pt 0pt 3pt 54pt; text-indent: -18pt; text-align: justify\"><span><font size=\"2\">&middot;</font><span style=\"font: 7pt 'Times New Roman'\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span><font size=\"2\">The <b>ACE XML Gateway</b> stands between an untrusted network (the Internet) and a trusted network (such as a restricted-access corporate intranet). All traffic between the two networks must pass through the Gateway.&nbsp;The Gateway allows only authorized traffic to pass from the untrusted network to the trusted network. Authorized administrators specify the criteria that traffic must meet in order to pass through the Gateway. 
The Gateway blocks traffic that does not meet these criteria.&nbsp;&nbsp; The Gateway generates an audit trail that documents the performance of the Gateway, the disposition of every message it processes, and other security-relevant events.</font></div>\r\n<div style=\"text-justify: inter-ideograph; margin: 3pt 0pt 3pt 54pt; text-indent: -18pt; text-align: justify\"><span><font size=\"2\">&middot;</font><span style=\"font: 7pt 'Times New Roman'\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span><font size=\"2\">The<b> ACE XML Manager</b> provides a graphical user interface (GUI) that authorized administrators use to specify the message-processing behavior of the Gateway, monitor the performance of the Gateway, and manage the Gateway remotely. The Manager GUI provides a means of viewing the audit trail generated by all Gateways in the scope of the Manager's control and the activities of the users of the Manager.</font></div>\r\n<div style=\"text-justify: inter-ideograph; margin: 3pt 0pt; text-indent: 0pt; text-align: justify\"><font size=\"2\">The TOE processes XML and SOAP messages sent across TCP/IP networks using HTTP(S) protocols. XML is a flexible formal text format derived from SGML and commonly used to define more specialized markup languages for representing computer data. SGML is an ISO-standard language for describing data formats, based on IBM's Generalized Markup Language. SOAP is an XML-based protocol for making remote procedure calls by means of text messages, using HTTP(S) as the transport mechanism. 
</font></div>","evaluation_configuration":null,"security_evaluation_summary":"<p><font size=\"2\">The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme.&nbsp;The criteria against which the Cisco Systems ACE XML Gateway and Manager Version 5.0.3 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3.&nbsp;The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3.&nbsp;Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 3 augmented with ALC_FLR.2 family of assurance requirements.&nbsp;The product, when configured as specified in the Using the Cisco Systems ACE XML Gateway and Manager Version 5.0.3, Technical Documentation, Version 5.0.3. 200807090224, satisfies all of the security functional requirements stated in the Cisco Systems, Inc. 
ACE XML Gateway and Manager Version 5.0.3 Security Target, Version 1.0.&nbsp;Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC.&nbsp;The evaluation was completed in July 2008.&nbsp;Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10076-2008, dated 12 August 2008) prepared by CCEVS.</font></p>","environmental_strengths":"<p>&nbsp;</p>\r\n<div style=\"margin: 0pt 0pt 6pt; line-height: normal; text-autospace: ideograph-numeric; punctuation-wrap: hanging\"><font size=\"2\">The TOE is a commercial product whose users require a low to moderate level of independently assured security.&nbsp;Cisco Systems ACE XML Gateway and Manager Version 5.0.3 is targeted at a relatively benign environment with good physical access security and competent TOE administrators and users.&nbsp;Within such environments, it is assumed that attackers will have a low attack potential.&nbsp;In addition, ALC_FLR.2 is selected as an appropriate augmentation because flaw remediation procedures provide greater assurance that security-related bugs will be fixed in a widely distributed commercial product.&nbsp;</font></div>\r\n<div style=\"margin: 0pt 0pt 6pt; line-height: normal; text-autospace: ideograph-numeric; punctuation-wrap: hanging\"><font size=\"2\">Cisco Systems ACE XML Gateway and Manager Version 5.0.3 supports the following five security functions:</font></div>\r\n<div style=\"text-justify: inter-ideograph; margin: 0pt\">&nbsp;</div>\r\n<div style=\"margin: 0pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\"><strong><font size=\"2\">Security Audit</font></strong></div>\r\n<div style=\"margin: 0pt 0pt 6pt\"><font size=\"2\">The TOE generates audit events for the minimum level of audit. The TOE provides Manager GUI interfaces that can be used to read the audit trail. 
The TOE restricts access to the audit trail, requiring authentication using its local account authentication mechanism.</font></div>\r\n<div style=\"margin: 0pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\"><strong><font size=\"2\">User Data Protection</font></strong></div>\r\n<div style=\"margin: 0pt 0pt 6pt\"><font size=\"2\">The TOE enforces the WEB SERVICES SFP on SOAP or HTTP(S) destination service traffic sent through the TOE from one consumer (subject) to another. The TOE enforces the WEB SERVICES SFP, using &ldquo;authenticators&rdquo; to verify the user and group identity of a consumer of a service, using &ldquo;handlers&rdquo; to validate incoming messages, using &ldquo;routes&rdquo; to pass accepted messages to &ldquo;service descriptors,&rdquo; and using &ldquo;service descriptors&rdquo; to manage traffic with SOAP or HTTP(S) destination services according to the WEB SERVICES SFP configuration for a given Web service. The TOE supports multiple message-filtering mechanisms for use by the WEB SERVICES SFP depending on configuration for a given Web service. The TOE includes pluggable authentication modules that can call external authentication servers to verify the user and group identity of a consumer of a service for message-filtering purposes.</font></div>\r\n<div style=\"margin: 0pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\"><strong><font size=\"2\">Identification and Authentication</font></strong></div>\r\n<div style=\"text-justify: inter-ideograph; margin: 0pt; text-autospace: ideograph-numeric; text-align: justify; punctuation-wrap: hanging\"><span style=\"font-weight: normal\"><font size=\"2\">The TOE disables user or administrator accounts after an administrator-configurable setting of failed login attempts to the Manager.&nbsp;The default is three failed login attempts and is the recommended setting for the evaluated configuration. 
The TOE maintains user identities, authentication data for supported authentication mechanisms, and role information. The TOE offers no TSF-mediated functions until the user is authenticated.&nbsp;The TOE requires username/password for all user accesses to the Manager. The TOE offers no TSF-mediated functions until the user is identified.</font></span></div>\r\n<div style=\"margin: 0pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&nbsp;</div>\r\n<div style=\"margin: 0pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\"><strong><font size=\"2\">Security Management</font></strong></div>\r\n<div style=\"margin: 0pt 0pt 6pt\"><font size=\"2\">The TOE restricts the ability to specify the Web Services SFP to authorized administrators. The TOE provides restrictive default values for security attributes used to enforce the WEB SERVICE SFP. The TOE also allows authorized administrators to specify alternative initial values. The TOE restricts the ability to initialize and set user authentication data to authorized administrators. The TOE restricts the ability to modify and reset an account's&nbsp;own password to authorized administrators and users. The TOE restricts the ability to view or query audit records to authorized administrators or users that have been assigned appropriate security roles. The TOE provides authorized administrators with the ability to manage Web services, to manage users, and to manage the audit trail using the Manager. The TOE defines a login account of type Privileged User that can be assigned zero or more system-defined roles. 
Any Privileged User account that is assigned one or more of the system-defined roles &ldquo;Operations&rdquo;, &ldquo;Access Control&rdquo;, or &ldquo;Routing&rdquo; is considered an &ldquo;authorized administrator&rdquo; and any other user accounts are considered simply &ldquo;users.&rdquo; The single factory-configured administrator account always has all security roles (in particular, the ConsoleAdmin role), cannot be modified or deleted, and is considered an &ldquo;authorized administrator.&rdquo;</font></div>\r\n<div style=\"margin: 0pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\"><strong><font size=\"2\">Protection of the TSF</font></strong></div>\r\n<div style=\"text-justify: inter-ideograph; margin: 0pt 0pt 6pt\"><font size=\"2\">The TOE can generate reliable time stamps for its own use. The TOE can send handler test messages in order to demonstrate the correct operation of a configured handler, route, service descriptor, Web service, and the underlying network. The TOE can also test its network configuration in order to demonstrate its correct configuration. The TOE uses SSL when managing the Gateway using the Manager to protect TSF data from disclosure. The TOE protects against denial-of-service attacks by blocking traffic after administratively-configurable thresholds are met. The TOE protects against content-based attacks by rejecting messages that contain content marked as blocked. The WEB SERVICES SFP cannot be bypassed by consumers. Similarly, both Gateway and Manager interfaces are restricted to authorized administrators and user account-holders.</font></div>\r\n<div style=\"text-justify: inter-ideograph; margin: 0pt 0pt 6pt\"><font size=\"2\">Upon startup, the TOE enters a restrictive default state in which no users are logged in, and then resumes normal operation. 
Because the TOE cannot be bypassed, this default state is secure: the Gateway enforces the current Web Services SFP independently of the Manager, the Gateway accepts changes to the current Web Services SFP only from its Manager, and the user interface to the Manager provides no access to TSFs until the user identifies and authenticates successfully.</font></div>","features":[]}