{"product_id":10245,"v_id":10245,"product_name":"Juniper Networks Odyssey Access Client (FIPS Edition), Version 4.56","certification_status":"Not Certified","certification_date":"2008-09-23T00:09:00Z","tech_type":"Wireless LAN","vendor_id":{"name":"HPE Juniper Networking","website":"https://www.juniper.net"},"vendor_poc":"Robert Smith","vendor_phone":"617-949-4067","vendor_email":"robertsmith@juniper.net","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>Odyssey Access Client (FIPS Edition) configured according to Odyssey Client, Administration Guide, Enterprise Edition/FIPS Edition, Release 4.56, April 2008</p>\r\n<p>The Target of Evaluation (TOE) is Odyssey Access Client (FIPS Edition), Version 4.56, provided by Juniper Networks. Odyssey Access Client (OAC) is a software-only access client for wireless and wired 802.1X networks. It provides IEEE 802.1X access client software that supports Wireless Local Area Network (WLAN) security protocols required for wireless access to LANs. In conjunction with an 802.1X-compatible authentication server (not part of the TOE), OAC supports mutual authentication between the user and the network, protects the confidentiality of user data between the client node and the trusted network, and maintains data privacy over the wireless link. OAC also supports wired 802.1X network connections. OAC includes a FIPS 140-2 Level 1 validated cryptographic module.</p>\r\n<p>The TOE supports the following security functions: Security Audit, Cryptographic Support, User Data Protection, Security Management, Protection of the TSF.</p>\r\n<div style=\"margin: 0pt\">The TOE is able to generate audit records for errors detected during cryptographic functions. For each audit record, the TOE records date and time of the event, type of the event, subject identity (if it is applicable) and success or failure of the event. 
The TOE relies on the IT environment to supply a reliable time stamp from which it can obtain the date and time recorded in the audit record</div>\r\n<div style=\"margin: 0pt 0pt 6pt\">&nbsp;</div>\r\n<div style=\"margin: 0pt 0pt 6pt\">The TOE incorporates the Odyssey Security Component, which is a FIPS 140-2 Level 1 validated cryptographic module. It supports secure wireless communications in the evaluated configuration:</div>\r\n<div style=\"text-justify: inter-ideograph; margin: 0pt 0pt 6pt\">The TOE enforces the Wireless Client Encryption Policy between the WLAN client and the WLAN access point or system. The Wireless Client Encryption Policy requires the encryption of user data between the client and the access point. In implementing the Wireless Client Encryption Policy, the TOE in its evaluated configuration supports authentication protocols that require the network to authenticate to the TOE (as well as authenticating the TOE user to the network) before establishing secure communication between the WLAN client and the WLAN access point or system.</div>\r\n<div style=\"margin: 0pt 0pt 6pt\">The TOE provides GUI tools to support management and administration of the access client. The management functions available include enabling and disabling security audit, configuring the TOE in FIPS mode to support communication in conformance with the Wireless Client Encryption Policy, and managing the functions of the FIPS 140 validated cryptographic module. The TOE relies on the IT environment to define an Administrator security management role and to enforce restrictions on access to management functions to the Administrator.</div>\r\n<div style=\"margin: 0pt 0pt 6pt\">The TOE protects TOE Security Function (TSF) data by providing cryptographic functions to verify the integrity of all TOE data and stored TOE executable code. 
The TOE runs the suite of self-tests provided by its FIPS validated module during the initial start up, after manual entry of master key material and upon the administrator&rsquo;s request. The self-tests demonstrate the correctness of the TOE&rsquo;s cryptographic operations.</div>\r\n<div style=\"margin: 0pt 0pt 6pt\">The TOE comprises wireless network client software installed as part of a larger system operating within a Basic Robustness environment. As such, many of the functions normally required in such an environment are not expected to be provided by the TOE. Instead, the IT environment is required to provide functions in support of the following:</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Security Audit &ndash; association of auditable events with the user identity that caused the event; monitoring of audited events to detect potential violations of the TSP; capabilities to allow the Administrator, and only the Administrator, to search, sort, order and review the audited events; capabilities to select which auditable events are actually audited; secure storage of the audited events; and alerting of the Administrator if the audit trail exceeds an Administrator-set percentage of audit storage capacity</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Cryptographic Support &ndash; generation of DSA and RSA key pairs associated with user certificates</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Identification and Authentication &ndash; binding of users with subjects acting on behalf of the user</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User Data Protection &ndash; removal of information content of a resource when the resource is allocated to 
a network packet</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Security Management &ndash; association of a user with an Administrator role; restriction of use of the TOE security management functions to the Administrator; restriction of setting the IT environment system time to the Administrator</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Protection of the TSF &ndash; protection of the TOE and the IT environment from tampering; protection of the TOE and the IT environment from bypass; provision of a reliable time stamp.</div>","evaluation_configuration":"<p>The TOE can be installed on a client running:</p>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Windows 2000 Professional or Server</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Windows XP Home or Professional.</div>\r\n<div style=\"margin: 0pt 0pt 6pt\">In order to connect to a WLAN, the computer on which the TOE is installed must be equipped with a wireless adapter card and a driver that supports Microsoft-defined 802.11 OIDs (Object Identifiers). 
In addition, the wireless network must include at least one 802.1X-compliant access point.</div>\r\n<div style=\"margin: 0pt 0pt 6pt\">The TOE relies on the following operating system components:</div>\r\n<ul style=\"margin-top: 0pt\" type=\"disc\">\r\n    <li style=\"text-justify: inter-ideograph; margin: 0pt 0pt 6pt; text-align: justify\">Microsoft Windows HKLM and HKCU registries for storage of configuration information</li>\r\n    <li style=\"text-justify: inter-ideograph; margin: 0pt 0pt 6pt; text-align: justify\">Microsoft Windows Crypto API to provide a certificate store, including Trusted Root CA certificates, and FIPS-validated private-key signing in TLS mode</li>\r\n    <li style=\"text-justify: inter-ideograph; margin: 0pt 0pt 6pt; text-align: justify\">Microsoft Windows Logon, to enable coordination of TOE operation with the timing of network connection and user login</li>\r\n    <li style=\"text-justify: inter-ideograph; margin: 0pt 0pt 6pt; text-align: justify\">Other Microsoft Windows APIs for general operating system support of the TOE (e.g., GUI support, file system)</li>\r\n</ul>\r\n<div style=\"margin: 0pt 0pt 6pt\">In addition, the IT environment must include the following:</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To use wireless capabilities, the computer on which the TOE is installed must be equipped with a wireless adapter card and a driver that supports the Microsoft-defined 802.11 OIDs and is 802.1X compliant</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To authenticate to a network using a wired connection, the computer on which the TOE is installed must be equipped with a network card adapted for a wired 
connection</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To use FIPS 140-2 compliant encryption with WPA2, an adapter driver that is compatible with the Odyssey Security Component must be installed on the computer on which the TOE is installed. Juniper Networks has made a driver available that works with the Atheros 5000 family of chipsets, which are used in many wireless adapters. Juniper has verified operation with: Cisco Aironet CB21 a/b/g Wireless CardBus Adapter; Netgear WAG511 802.11a/b/g Dual Band PC Card; and 3Com 3CRPAG175B Wireless 802.11 a/b/g PC card</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To support wireless network authentication, the network must include at least one 802.1X-compliant access point</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To support wired network authentication, the network must include at least one 802.1X-compliant switch or hub</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To associate to a network using xSec, the network must include xSec-compliant hardware capable of implementing the xSec protocol</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To support mutual authentication, the network must include at least one 802.1X-compatible 
authentication server &ndash; e.g., a RADIUS server such as Steel-Belted RADIUS version 5.4.</div>\r\n<div style=\"margin: 0pt 0pt 6pt 36pt; text-indent: -18pt; line-height: 12pt; text-autospace: ideograph-numeric; punctuation-wrap: hanging\">&middot;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To support the EAP-TLS authentication protocol, the TOE must be able to access a client user certificate, either from the user&rsquo;s personal certificate store, or from a smartcard</div>\r\n<p>The computer on which the TOE is installed must be running Microsoft Internet Explorer 5.5 or later. The TOE makes use of Microsoft&rsquo;s Enhanced Cryptographic Support Provider (ECSP), which is bundled as part of Internet Explorer 5.5 and later, in order to access the certificate store.</p>","security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the Odyssey Access Client (FIPS Edition) TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. 
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Application International Corporation (SAIC) determined that the evaluation assurance level (EAL) for Odyssey Access Client (FIPS Edition) achieved EAL 3 augmented with ALC_FLR.2. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. Several validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in July 2008. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for Odyssey Access Client (FIPS Edition) prepared by CCEVS.</p>","environmental_strengths":"<p>The Odyssey Access Client (FIPS Edition) TOE is a commercial product that supports audit, cryptography, user data protection, security management, and protection of the TOE security functions. The Odyssey Access Client (FIPS Edition) TOE provides a level of protection that is appropriate for IT environments where the Odyssey Access Client (FIPS Edition) TOE and the platform upon which it is installed can be appropriately protected from physical attacks.</p>","features":[]}