The Target of Evaluation (TOE) is a system of wireless LAN Access Point products that includes one or more 3e-525A-3, 3e-525A-3EP, 3e-525A-3MP, 3e-525-V-3, 3e-525VE-4, 3e-523-F2 and 3e-523-3 Access Points (APs) and the optional 3eTI Security Server.
\r\nThere are two evaluated configurations of the TOE:
\r\nThe Access Points require that a wireless client be authenticated before accessing the network and provides data encryption/decryption and integrity protection between the wireless link and the wired LAN. All Access Points are ruggedized devices intended for use in industrial and outdoor environments.
\r\nThe 3eTI Security Server performs the Authentication Server (AS) function identified by IEEE 802.1x. The role of the AS is to verify the credentials of a wireless client known as the supplicant before the client is granted access to the network.
\r\nAn Access Point only TOE relies upon an external RADIUS Authentication Server, an NTP Server and an Audit Server in its Operational Environment. The TOE may also be configured to interface with DHCP and SNMP Management Servers in the Operational Environment, but does not depend upon them to support its security functionality.
\r\nThe second configuration of the TOE includes the 3eTI Security Server. The 3eTI Security Server is installed on a Linux platform. The Security Server communicates with a Lightweight Directory Access Protocol (LDAP) Server to download CA certificates and Certificate Revocation Lists. If so configured, the Security Server can communicate with an Online Certificate Status Protocol (OCSP) Responder to determine if a user’s certificate is still valid. The TOE also relies upon a NTP Server and Audit Server in the Operational Environment. The TOE may also be configured to interface with DHCP and SNMP Management Servers in the Operational Environment, but does not depend upon them to support its security functionality.
","evaluation_configuration":"The TOE physical boundary defines all hardware and software that is required to support the TOE’s logical boundary and the TOE’s security functions.
\r\nThe TOE includes the following Access Points appliance models:
\r\nThe TOE also includes the software only 3eTI Security Server:
\r\nThe evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R3.
\r\nThe evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 R2.
\r\nCygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of Evaluation Assurance Level (EAL) 4 augmented with ALC_FLR.2.
\r\nA team of validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in July 2011.
","environmental_strengths":"The following security functions are in the scope of the evaluation:
\r\nThe TOE generates auditable events for actions on the APs with the capability of selective audit record generation. The records of these events can be viewed within the TOE Management Interface or they can be exported to audit systems in the Operational Environment. The TOE generates records for its own actions, containing information about the user/process associated with the event, the success or failure of the event, and the time that the event occurred. Additionally, all administrator actions relating to the management of TSF data and configuration data are logged by the TOE’s audit generation functionality.
\r\nThe TOE implements the following cryptographic algorithms: AES, RSA, SHA, HMAC, and a random number generator.
\r\nThe Access Point Component provides user data protection by encrypting/decrypting authenticated user data between the wireless client and the Access Point. The Security Server provides user data protection in the form of a certificate path validation capability that includes Certificate Revocation Lists checking and an Online Certificate Status Protocol client. The TOE provides X.509 public key certificate verification.
\r\nThe TOE provides Identification and Authentication security functionality to ensure that all wireless clients/users and administrators are properly identified and authenticated before accessing TOE functionality. The wireless user can be authenticated either by the TOE (via the Security Server) or via a trusted RADIUS server in the Operational Environment. The administrator is authenticated locally with a username and password.
\r\nThe Web Management Application of the TOE provides the capabilities for an authorized administrator to modify, edit, and delete security parameters such as audit data, configuration data, and user authentication data. The Web Management Application also offers an authorized administrator the capability to manage security functions; for example: enable/disable certain audit functions, query and set encryption/decryption algorithms for network packets, change cryptographic keys and allow/disallow the use of a remote authentication server. The Security Server is managed by the Remote Management GUI.
\r\nThe TOE protects the TSF by ensuring that no access is granted to TOE functions without authorization. By controlling a user session and the actions carried out during a user session, the TOE provides for non-bypassability and domain separation of functions. Internal testing of the TOE hardware and software against tampering ensures that all security functions are running and available before the TOE will accept any communications.
\r\nThe TOE provides the following TOE Access functionality:
\r\n