The Target of Evaluation (TOE) is the Fortress Mesh Point ES2440. The following models were evaluated:
\r\nHardware Versions:
\r\nES2440-3555: 810-00037-01
\r\nES2440-3444: 810-00038-01
\r\nES2440-35: 810-00051-01
\r\nES2440-34: 810-00050-01
\r\nSoftware Version: 5.4.3.1608
\r\nThe TOE, Mesh Point ES2440, is a WLAN device that provides secure wireless communications for their intended environment.
\r\nThe TOE is classified as a Wireless Local Area Network (WLAN) Access Device. The TOE employs Mesh networking, which allows multiple TOEs to network within the operational environment.
\r\nThe TOE brings secure wireless communications to environmentally challenging situations, including, outdoor locations, and across long distances through a self-forming, self-healing mesh network. Delivered in a form factor that is rugged, weatherized, and easy to set-up and operate the TOE functions as both a wireless access point and bridge, with up to four powerful radios for maximum range and performance.
","evaluation_configuration":"","security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Fortress Mesh Point ES2440 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 3. The product, when delivered configured as identified in the Fortress Common Criteria Operational Guidance, Version 1.18, December 2, 2014, satisfies all of the security functional requirements stated in the FORTRESS Mesh Point ES2440 Security Target, Version 1.9, December 2, 2014. The project underwent CCEVS Validator review. The evaluation was completed in November 2014. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10573-2014 dated December 2014 prepared by CCEVS.
","environmental_strengths":"The security functions that define the logical boundaries of the Fortress Mesh Point ES2440 TOE are summarized below. The following Security Functions are supported by the TOE:
\r\nAudit
\r\nThe TOE has the ability to audit events based on a variety of specified criteria. To protect the TSF from audit log overflow, the TOE uploads audit data to an external syslog server through an IPSEC tunnel. The audit record includes: the date and time of the event, the user who triggered the event (if event was user based and user is known), and event specific information. The types of events that are audited are seen in the ST. The TOE also protects all locally stored audit data from un-authorized modification and deletion. If the syslog server is unavailable, the TOE stops sending packets to the syslog server, and adds a “Communication error” message to the local log.
\r\nCryptography
\r\nThe TOE provides cryptographic functions to protect information, including mechanisms to encrypt, decrypt, hash, digitally sign, and perform cryptographic key agreement. The evaluated configuration uses a subset of the FIPS 140-2 compliant cryptographic implementations (listed in Section 12 of the ST) for all cryptographic purposes. The cryptographic algorithms used are those specified by the SFR’s and the associated FIPS compliance cert (if applicable) is listed in the ST. The following contains an overview of the protocols, which use the cryptography features:
\r\nUser Data Protection
\r\nThe TOE protects user data, (i.e., only that data exchanged with wireless client devices), using the IEEE 801.11i standard wireless security protocol, mediates the flow of information passing to and from the WAN port, and ensures that resources used to pass network packets through the TOE do not contain any residual information.
\r\nIdentification and Authentication
\r\nThe TOE requires the system administrators be authenticated before access to the TOE is granted; administrators may login to the TOE via a local RJ45 using a serial RS-232 connection, and remotely via SSH, HTTPS, or X/509 for TLS. Administrators may connect to the TOE remotely via the LAN, WAN, or 802.11a/b/g/n interfaces.
\r\nThe TOE displays a configurable access banner and enforces administrator password for administrative authentication. An external RADIUS server can be configured for authentication through an IPsec tunnel. Authentication can take place, either by user name and password (and hexadecimal device ID if applicable) and 802.1x EAPOL. For IPsec, the TOE also supports X.509 certificates. EAP-TLS is used for WPA2 wireless authentication via x.509 certificates.
\r\nSecurity Management
\r\nThe management of the security relevant parameters of the TOE is performed by the authorized administrator; the TOE provides the following management interfaces:
\r\nProtection of the TSF
\r\nThe TOE identification and authentication security functions allow only authenticated administrative users direct access to the TOE. If a wireless user does not authenticate as an administrative user then that user is a wireless client and can only pass traffic through the TOE and cannot execute commands on the TOE.
\r\nAdministrative users are allowed to login via the CLI and Web UI to access all management functions. The management interfaces do not allow administrative users access to the underlying operating system and there are no general-purpose computing or storage repository capabilities (e.g., compilers, editors, or user applications) available on the TOE. Any access to a management interface (CLI or GUI) is protected by a secure channel except via RS-232; as this is considered local administration.
\r\nThe TOE has the capability to obtain reliable time from a remote Network Time Protocol (NTP) Server to provide reliable time stamps for audit services. Additionally, the system administrator can manually set the time (maintained locally in the hardware Real Time Clock (RTC)) on the TOE using the Web UI or CLI management interfaces.
\r\nThe TOE runs a set of self-tests on power-on and on demand to verify the correct operation of the TOE’s underlying hardware, TOE software and cryptographic modules. Additional cryptographic tests are performed during normal operation. The security of network data is maintained by ensuring no residual information is included in network packets
\r\nTOE Access
\r\nThe TOE displays the access banner before establishing an administrative session. This is displayed prior to an administrator authenticating to the TOE. The TOE terminates an interactive session after an Authorized Administrator-configurable time interval of session inactivity. A wireless client session is defined as being allowed access to a particular port on the application layer. The TOE is able to deny establishment of a wireless client session based mac address and IP address.
\r\nTrusted Path/Channels
\r\nThe TOE uses 802.11-2007 and IPsec to provide a trusted communication channel between itself and any authorized IT entities that are logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data. In addition to IPsec, EAP-TLS is used for RADIUS.
\r\nThe TSF shall initiate communication via the trusted channel for RADIUS, NTP and Syslog. The TOE uses SSH and TLS/HTTPS to provide a trusted communication path between itself and remote administrators that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from disclosure and detection of modification of the communicated data.
","features":[]}