The Boeing Secure Network Server (SNS) provided by The Boeing Company is a weapons-grade network appliance, more specifically a guard that serves to control the flow of information between attached subscriber devices. It is capable of controlling information flows based on information in packet headers, packet contents, and security labels associated with packets and the subscribers. Each subscriber is configured with a sensitivity label range and compartments that limit (via Mandatory Access Controls (MAC)) the labels that can be associated with information that can come from or go to a given subscriber. In addition to MAC, the SNS can be configured to limit the flow of information based on packet attributes (e.g., addresses), contents (e.g., verification of pronounceable text or content matching filter criteria), and other datagram characteristics as well as to constrain the flow of information to mitigate the potential for covert channels. SNS administrators can configure subscriber devices and policy rules to affect an information flow policy suitable for their specific application.
\r\nThe Boeing SNS is a network appliance built on a high-robustness custom kernel and infrastructure that runs on COTS hardware (with a custom bootloader) based on the Intel Pentium 4 processor. The SNS utilizes the Intel Pentium 4 ring architecture to separate its own functions resulting in a well-layered design that implements a least privilege principle. Each appliance supports serial devices (management consoles) and network devices (subscriber devices).
","evaluation_configuration":"The evaluated configuration consists of hardware and firmware, comprising one or more Boeing SNS appliances with one acting as a Network Management (NM) appliance. The distributed components are always synchronized with the NM and are managed from the central NM appliance. Also, the connections among the distributed Target-Of-Evaluation (TOE) components are distinct from the connections to the subscriber devices since the entire SNS connection network must be protected to protect sensitive TOE communications.
","security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Boeing SNS TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3 and International Interpretations effective on November 19, 2003. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. The National Information Assurance Partnership (NIAP), the National Security Agency (NSA), and Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 5 augmented with ACM_AUT.2, ACM_CAP.5, ADO_DEL.3, ADV_HLD.4, ADV_IMP.3, ADV_INT.3, ADV_LLD.2, ADV_RCR.3, ALC_DVS.2, ALC_FLR.2, ALC_LCD.3, ALC_TAT.3, ATE_COV.3, ATE_DPT.3, ATE_FUN.2, AVA_CCA.2, and AVA_MSU.3. The product, when configured as specified in the following documents:
\r\nsatisfies all of the security functional requirements stated in the Boeing Secure Network Server (SNS-3010, SNS-3110, and SNS-3210) Security Target (Version 2.5). The evaluation was completed in February 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10292-2011, dated 18 April 2011) prepared by CCEVS.
","environmental_strengths":"The SNS provides five security functions. Each is summarized below.
\r\nSecurity Audit: The Boeing SNS generates audit events for security relevant events, including covert channel indicators. The audit events are stored and protected, and forwarded to the NM for review and archival purposes. The SNS sends a warning when the audit storage capacity is nearing or has exceeded its capacity, and it can be configured to automatically overwrite events or to stop operations altogether until the situation is remedied.
\r\nUser Data Protection: The Boeing SNS is designed primarily to control the flow of information between subscriber devices. It enforces a rich set of information flow policies including mandatory access controls based on subscriber sensitivity labels, packet filtering, and content filtering of fixed format messages. It also provides routing and processing functionality to offer static routing, multicast support, and ICMP.
\r\nIdentification and Authentication: While all users (administrators) and subscriber devices are identified by the SNS, it also requires that administrators are authenticated at an appropriate management console prior to offering management functions. This is accomplished by managing user definitions, including user identities, roles, and associated authentication data (i.e., passwords).
\r\nIn order to help mitigate attempts to bypass the authentication mechanisms, the Boeing SNS informs users each time they log in of the last time they successfully logged in, the number of unsuccessful logins that have occurred since the last successful login, and the time of the last unsuccessful login attempt.
\r\nSecurity management: The Boeing SNS offers command line interfaces for the management of the TOE Security Functions. There are three defined roles: Network Administrator (NA), Security Administrator (SA), and Super-SA. The Super-SA primarily manages the administrator accounts, the SA primarily manages the security functions, and the NA primarily manages the general operational capabilities of the TOE. Each administrator must log into the appropriate console before applicable functions can be accessed.
\r\nProtection of the TOE Security Functions: The Boeing SNS is designed around a high-robustness, custom operating kernel that makes use of the ring architecture offered by Intel Pentium 4 processors to protect itself and to separate itself to implement a least privilege principle. All traffic flowing through the TOE is subject to its security policies. Furthermore, the TOE includes self tests that run at initial start-up and also periodically when the TOE is operational. The TOE also includes failure detection and recovery features to ensure that it continues to operate correctly when recoverable failures occur and to ensure that it shuts down when manual recovery becomes necessary.
\r\nThe Boeing SNS is designed so that a given part of a distributed SNS system can continue to operate properly when some other system components (i.e., other SNSs) fail. It is also designed to limit the throughput of a given device to protect itself and other network components as may be necessary.
","features":[]}