{"product_id":10479,"v_id":10479,"product_name":"Hewlett-Packard 3PAR InServ Storage Systems with Virtual Domains","certification_status":"Not Certified","certification_date":"2012-10-30T00:10:00Z","tech_type":"Miscellaneous","vendor_id":{"name":"Hewlett-Packard Company","website":"www.hp.com"},"vendor_poc":"Kurt Heberlein","vendor_phone":"510-668-9441","vendor_email":"kurt.w.heberlein@hp.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p class=\"Body\">The Target of Evaluation (TOE) consists of three classes of Hewlett-Packard 3PAR<sup>&reg;</sup> InServ<sup>&reg;</sup> Storage Systems along with the 3PAR command line interface (CLI) client and InForm Management Console (IMC) applications. 3PAR InServ Storage Systems are physical appliances that primarily serve to host disk drives and provide secure channels to configure an access policy to storage resources. The TOE enforces an access policy between content on disks and attached storage area network (SAN) hosts. The TOE exports storage resources as Virtual Volumes (VVs). A client host accesses VVs via attached Fiber Channel (FC) or Internet SCSI (iSCSI) storage area networks. The TOE provides network-accessible administrative interfaces through CLI client, IMC, and Secure Shell (SSH). The Virtual Domains feature of the TOE provides the capability to restrict an administrative user to a domain, which is a defined set of storage resources and client hosts.</p>\r\n<p class=\"Body\">This evaluation includes the T-Class, F-Class and P10000 (also known as V-Class) models. TOE software is common across the various TOE classes and models. The classes share a common architecture and hence implement the same security functions and policies. 
However, the classes and models differ in CPUs, memory, disk drive capacity, access ports, and overall performance characteristics.</p>","evaluation_configuration":"<p class=\"Body\">There are a number of software components that can be individually licensed for use with an InServ Storage System: 3PAR Virtual Domains, 3PAR Thin Provisioning, 3PAR Thin Conversion, 3PAR Thin Persistence, 3PAR Thin Copy Reclamation, 3PAR Virtual Copy, 3PAR Remote Copy, 3PAR Dynamic Optimization, 3PAR Adaptive Optimization, and 3PAR Virtual Lock. Any of these can be freely used in the evaluated configuration with the exception of 3PAR Remote Copy. Furthermore, the 3PAR Virtual Domains feature is required.</p>\r\n<p class=\"Body\">Note that the evaluated configuration specifically includes the use of 3PAR Virtual Domains because configurations excluding the use of the 3PAR Virtual Domains are addressed in an alternate evaluation; see <em>Hewlett-Packard 3PAR<sup>&reg;</sup> InServ<sup>&reg;</sup> Storage Systems Security Target.</em></p>\r\n<p class=\"Body\">Note also that there are a number of 3PAR host-based applications available for use with an InServ Storage System. 
While these can be freely used, they do not have security ramifications and are excluded from the scope of evaluation since they run on client hosts rather than in the context of the InServ Storage System.</p>\r\n<p class=\"Body\">As explained in the Security Target, the following product features were not subject to evaluation:</p>\r\n<ul>\r\n<li>3PAR Remote Copy,</li>\r\n<li>SNMP management of InServ Storage System,</li>\r\n<li>Common Information Model (CIM) management of the InServ Storage System, </li>\r\n<li>Export of audit records to an external Syslog server, and</li>\r\n<li>Use of the Maintenance Terminal and Service Processor.</li>\r\n</ul>\r\n<p class=\"Body\">The operational environment of the TOE does include a management workstation and may include time and authentication servers (Network Time Protocol and Lightweight Directory Access Protocol servers, respectively).</p>","security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.&nbsp; The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009. 
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 3, July 2009.&nbsp; Science Application International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the TOE is EAL 2 augmented with ALC_FLR.2.&nbsp; The TOE, configured as specified in the evaluated configuration guide, satisfies all of the security functional requirements stated in the Security Target.&nbsp;</p>\r\n<p>A validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC.&nbsp; The evaluation was completed in October 2012.&nbsp; Results of the evaluation can be found in the National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme <em>Validation Report Hewlett-Packard 3PAR<sup>&reg;</sup> InServ<sup>&reg;</sup> Storage Systems with Virtual Domains</em>.</p>","environmental_strengths":"<p class=\"Body\">Hewlett-Packard 3PAR<sup>&reg;</sup> InServ<sup>&reg;</sup> Storage Systems with Virtual Domains support the following security functions:</p>\r\n<p class=\"Body\"><em>Security audit</em></p>\r\n<p class=\"Body\">The TOE generates audit records that include date and time of the event, responsible subject identity, and outcome for security events.&nbsp; The TOE provides an interface for authorized users to view locally stored event logs and provides the ability to search the auditable events based on user ID.</p>\r\n<p class=\"Body\"><em>Cryptographic support</em></p>\r\n<p class=\"Body\">The TOE includes implementations of OpenSSH and OpenSSL to facilitate encrypted communication with remote administrators. 
An administrator may connect securely to the TOE using the CLI or IMC clients distributed as part of the TOE or an SSHv2 client.</p>\r\n<p class=\"Body\"><em>User data protection</em></p>\r\n<p class=\"Body\">The TOE enforces a policy which controls access to the available storage resources, which the TOE presents as Virtual Volumes. Access to VVs can be limited to:</p>\r\n<ul>\r\n<li>Fiber Channel client hosts based on specific FC ports,</li>\r\n<li>Internet SCSI client hosts based on specific iSCSI ports,</li>\r\n<li>Specific FC hosts identified by World Wide Names (WWN), </li>\r\n<li>Specific iSCSI hosts identified by iSCSI name, </li>\r\n<li>A defined set of hosts, or </li>\r\n<li>Specific hosts on specified ports. </li>\r\n</ul>\r\n<p class=\"Body\">The association between VVs, hosts, and ports is configurable by an administrator subject to role and domain restrictions. Attached hosts cannot access or even perceive any VVs until access is explicitly granted by one of the methods identified above.</p>\r\n<p class=\"Body\">Note that the TOE enforces separation between its control functions and the data path (that is, control plane and data plane). Users logging in to manage the TOE have no access to the protected storage resources while client hosts connected to FC or iSCSI ports have no access to any TOE management functions.</p>\r\n<p class=\"Body\">The TOE supports thinly-provisioned VVs. When a VV is thinly provisioned, the TOE allocates physical storage resources to the VV as the storage is needed (for example, as a result of write operations). Administrators may configure warning and limit levels for a VV and its underlying physical storage resources. The TOE will notify an administrator when storage allocated to a VV reaches the configured allocation warning level. When storage allocated to a VV reaches the configured limit level, the TOE will both notify administrators and prevent any further allocation of physical storage to the VV. 
These limits serve to bound the resources a given VV can consume, thereby protecting resources needed for other purposes.</p>\r\n<p class=\"Body\"><em>Identification and authentication</em></p>\r\n<p class=\"Body\">The TOE requires administrative users to provide unique identification and authentication data before any access to the system is granted, including access to administrative functions. The TOE maintains the following security attributes belonging to locally-defined, individual administrative users: user identity, domain, class (permissions), password, and optionally a public key.&nbsp; An administrative user can be assigned to the browse, edit, service, or super class. Browse and edit users may be assigned to specific Virtual Domains. The TOE uses these attributes to determine access to available functions.&nbsp; The TOE protects the locally stored user authentication attributes using MD5 hashes. The TOE also provides obscured feedback when the password is entered.</p>\r\n<p class=\"Body\">In addition, the TOE can be configured to use an external LDAP server (for example, Active Directory) for authentication. If an administrative user is not defined locally, the provided user identity and password are forwarded to the configured LDAP server. If the LDAP authentication is successful, the TOE will determine an administrative user&rsquo;s class and domain associations using information retrieved from the LDAP server. Note that the TOE does not provide functions to manage users defined in an LDAP server.</p>\r\n<p class=\"Body\">In addition to administrative users, the TOE identifies client host users using iSCSI names and Fiber Channel WWNs. 
Client host users are only identified and are not authenticated, except when an administrator configures iSCSI Challenge-Handshake Authentication Protocol (CHAP).</p>\r\n<p class=\"Body\"><em>Security management</em></p>\r\n<p class=\"Body\">As identified above, the TOE supports four user classes (browse, edit, service, and super) that can be assigned to individual users for each domain defined. Users in the super class can perform any function (that is, all security functions of the TOE including managing audit events, local user accounts, managing domains, and access control) while other users have more limited access, although still security relevant, to security management functions.</p>\r\n<p class=\"Body\">An administrator can assign users to domains (with browse or edit user class in each domain) using the Virtual Domains feature. Domains are not directly relevant to users in the service or super classes since those classes transcend domains. However, users in the browse or edit class in a given domain are limited to managing client hosts and storage resources in that domain.</p>\r\n<p class=\"Body\">Virtual domains are used to organize users, storage resources, and client hosts. A virtual domain limits the administrative functions a user can perform. For example, an edit user in a domain can only export Virtual Volumes that belong to the domain and can only export them to client hosts in the same domain. Hosts do not perceive and are not directly subject to domain constraints, but rather are subject to domain constraints only indirectly. An administrator cannot configure host accessible resources in violation of the domain constraints. As such, this enforcement is not considered access control since none of the access checks involve domain-related checks.</p>\r\n<p class=\"Body\">The security functions of the TOE are managed by authorized users using either command line or graphical user interfaces. 
The command line interface is accessible via SSHv2 sessions or the CLI client HP provides with the TOE. The graphical user interface is accessible using the IMC client.&nbsp;</p>\r\n<p class=\"Body\"><em>Protection of the TSF</em></p>\r\n<p class=\"Body\">The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features. First and foremost, the TOE is a stand-alone physical device, with the exception of some optional client software. The TOE does not host or execute untrusted applications. The TOE appliance is designed with separate physical connections so that administrative and supporting service network communications are physically isolated from client host communications. Each of the physical interfaces is associated with a well-defined set of standards-based services that have been carefully designed to comply with the applicable standards and to implement and enforce the security and other access policies of the TOE without offering any functions that might serve to bypass or allow any of those policies to be subverted in some way. The TOE clients are applications designed to provide administrative interfaces. They are carefully designed to provide functions to administrators correctly, but necessarily must be used in conjunction with hosts that will protect them from potential tampering.</p>\r\n<p class=\"Body\">Internally, the TOE protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides an internal real-time clock in each node to ensure that reliable time information is available (for example, for log accountability). 
The TOE can be configured to synchronize time with an external NTP server.</p>\r\n<p class=\"Body\"><em>Trusted path/channels</em></p>\r\n<p class=\"Body\">The TOE protects interactive communication with remote administrators using SSHv2 (for user-provided SSH clients) or SSL/TLS (for HP-provided CLI and IMC clients). In each case, both integrity and disclosure protection are ensured. Note that communication with a configured LDAP server can also be protected using TLS.</p>","features":[]}