{"product_id":11055,"v_id":11055,"product_name":"MMA10G EXE Series","certification_status":"Certified","certification_date":"2020-06-02T00:00:00Z","tech_type":"Network Device","vendor_id":{"name":"Evertz Microsystems","website":"https://www.evertz.com"},"vendor_poc":"Naveed Afzal","vendor_phone":"190533537003431","vendor_email":"nafzal@evertz.com","assigned_lab":{"cctl_name":"Acumen Security"},"product_description":"<p>The MMA10G-EXE switches are 10 Gigabit (Gb) Internet Protocol (IP) switches optimized for video-over-IP traffic (compressed or uncompressed), while the EXE2.0 switches are 25Gb IP switches optimized for video-over-IP traffic. The ten models of the EXE included in the evaluation provide identical functionality. The only differences between them are the supported speed, the physical size, and the number of physical interfaces supported.&nbsp;</p>","evaluation_configuration":"<p style=\"mso-layout-grid-align: none; text-autospace: none;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE is classified as a network device (a generic infrastructure device that can be connected to a network). The TOE hardware devices are the Evertz MMA10G-EXE16, MMA10G-EXE26, MMA10G-EXE36, MMA10G-IPX128, EXE2.0-16-10G-A1, EXE2.0-16-25G-A, EXE2.0-26-10G-A1, EXE2.0-26-25G-A1, EXE2.0-36-10G-A1, and EXE2.0-36-25G-A1 running EXE v1.2.</span></p>","security_evaluation_summary":"<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target (ST).<span style=\"mso-spacerun: yes;\">&nbsp; </span>The criteria against which the MMA10G-EXE Series was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5.<span style=\"mso-spacerun: yes;\">&nbsp;&nbsp; </span>The product, when delivered configured as identified in the EXE/IPX CC Security Guide, satisfies all of the security functional requirements stated in the <span style=\"mso-bidi-font-size: 12.0pt; line-height: 106%; mso-bidi-font-family: 'Times New Roman';\">MMA10G-EXE Series Security Target v1.1, May 5, 2020</span><span style=\"mso-bidi-font-family: 'Times New Roman';\">.</span> The project underwent CCEVS Validator review.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The evaluation was completed in June 2020.<span style=\"mso-spacerun: yes;\">&nbsp; </span>Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11055-2020) prepared by CCEVS.</span></p>","environmental_strengths":"<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><strong>Security Audit</strong></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE&rsquo;s Audit security function supports audit record generation and review.<span style=\"mso-spacerun: yes;\">&nbsp;&nbsp; </span>The TOE provides date and time information that is used in audit timestamps.<span style=\"mso-spacerun: yes;\">&nbsp;&nbsp; </span>The Audit events generated by the TOE include:</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Establishment of a Trusted Path or Channel Session</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Failure to Establish a Trusted Path or Channel Session</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Termination of a Trusted Path or Channel Session</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Failure of Trusted Channel Functions</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Identification and Authentication</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Unsuccessful attempt to validate a certificate</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Changes to trust anchors in the TOE&rsquo;s trust store</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Any update attempts</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Result of the update attempt</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Management of TSF data</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Changes to time</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Session termination for inactivity</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Power-on self tests verification</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Changes to audit server configuration</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l0 level1 lfo1;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Users locked out due to failed authentication attempts</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE can store the generated audit data on itself and it can be configured to send syslog events to a syslog server, using a TLS protected collection method.<span style=\"mso-spacerun: yes;\">&nbsp; </span>Logs are classified into various predefined categories.<span style=\"mso-spacerun: yes;\">&nbsp;&nbsp; </span>The logging categories help describe the content of the messages that they contain.<span style=\"mso-spacerun: yes;\">&nbsp; </span>Access to the logs is restricted to only Security Administrators, who are authorized to edit them, copy or delete (clear) them.<span style=\"mso-spacerun: yes;\">&nbsp;&nbsp; </span>Audit records are protected from unauthorized modifications and deletions. The previous audit records are overwritten when the allocated space for these records reaches the threshold on a FIFO basis.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><strong>Cryptographic Support</strong></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE includes an EXE Cryptographic Module that implements CAVP validated cryptographic algorithms.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The TOE provides cryptography support for secure communications and protection of information.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The cryptographic services provided include:<span style=\"mso-spacerun: yes;\">&nbsp; </span>symmetric encryption and decryption using AES; asymmetric key generation; cryptographic key establishment using ECDH key establishment; digital signature using RSA; cryptographic hashing using SHA-256; random bit generation using DRBG and keyed-hash message authentication using HMAC-SHA (SHA-256).<span style=\"mso-spacerun: yes;\">&nbsp;&nbsp; </span>The TOE implements the secure protocols TLS/HTTPS on the server side and TLS on the client side.<span style=\"mso-spacerun: yes;\">&nbsp;</span></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><strong>Identification and Authentication</strong></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">All Administrators wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services other than the display of the warning banner.<span style=\"mso-spacerun: yes;\">&nbsp; </span>(&ldquo;Regular&rdquo; EXE users do not access EXE directly; they control IP video switching through the EXE using a switch control system, such as Evertz&rsquo;s Magnum.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The switching of those IP video transport stream is outside the scope of the TOE.)<span style=\"mso-spacerun: yes;\">&nbsp; </span>Once an Administrator attempts to access the management functionality of the TOE, the TOE prompts the Administrator for a username and password for password-based authentication.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The identification and authentication credentials are confirmed against a local user database. Only after the Administrator presents the correct identification and authentication credentials will access to the TOE functionality be granted.<span style=\"mso-spacerun: yes;\">&nbsp; </span>If the user fails to provide the correct authentication credentials, the user will be locked out after a configurable threshold until the user is manually unlocked by an Administrator.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE provides the capability to set password minimum length rules.<span style=\"mso-spacerun: yes;\">&nbsp; </span>This is to ensure the use of strong passwords in attempts to protect against brute force attacks. The TOE also accepts passwords composed of a variety of characters to support complex password composition.<span style=\"mso-spacerun: yes;\">&nbsp; </span>During authentication, no indication is given of the characters composing the password.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for TLS/HTTPS connections.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><strong>Security Management</strong></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.<span style=\"mso-spacerun: yes;\">&nbsp; </span>All TOE administration occurs either through a secure session or a local console connection.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The TOE provides the ability to perform the following actions:</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l1 level1 lfo2;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Administer the TOE locally and remotely</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l1 level1 lfo2;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Configure the access banner</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l1 level1 lfo2;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Configure the cryptographic services</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l1 level1 lfo2;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Update the TOE and verify the updates using digital signature capability prior to installing those updates</span></p>\r\n<p style=\"text-indent: -.25in; mso-list: l1 level1 lfo2;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><span style=\"mso-list: Ignore;\">&middot;<span style=\"line-height: normal; font-style: normal; font-variant: normal; font-weight: normal; font-size-adjust: none; font-stretch: normal;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span>Specify the time limits of session inactivity</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">All of these management functions are restricted to an Administrator, which covers all administrator roles.<span style=\"mso-spacerun: yes;\">&nbsp; </span>Administrators are individuals who manage specific type of administrative tasks.<span style=\"mso-spacerun: yes;\">&nbsp; </span>In EXE only the admin role exists, since there is no provision for &ldquo;regular&rdquo; users to access EXE directly (as described above), and the portion of EXE they access and control are outside the scope of the TOE.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">Primary management is done using the web-based interface using HTTPS. This provides a network administration console from which one can manage various identity services. These services include authentication, authorization and reporting.<span style=\"mso-spacerun: yes;\">&nbsp; </span>All of these services can be managed from the web browser, which uses a menu-driven navigation system.<span style=\"mso-spacerun: yes;\">&nbsp; </span></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">There is also a very simple serial-based connection (RS-232) that provides a simple menu interface.<span style=\"mso-spacerun: yes;\">&nbsp; </span>This is used to configure the IP interface (IP address, etc.).<span style=\"mso-spacerun: yes;\">&nbsp; </span>It is password-protected.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><strong>Protection of the TSF</strong></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE will terminate inactive sessions after an Administrator-configurable time period.<span style=\"mso-spacerun: yes;\">&nbsp; </span>Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The TOE provides protection of TSF data (authentication data and cryptographic keys).<span style=\"mso-spacerun: yes;\">&nbsp; </span>In addition, the TOE internally maintains the date and time. This date and time is used as the time stamp that is applied to TOE generated audit records. The TOE also ensures firmware updates are from a reliable source.<span style=\"mso-spacerun: yes;\">&nbsp; </span>Finally, the TOE performs testing to verify correct operation.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">An administrator initiates update processes from the web interface for all update installation.<span style=\"mso-spacerun: yes;\">&nbsp; </span>EXE automatically uses the RSA digital signature mechanism to confirm the integrity of the product before installing the update.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><strong>TOE Access</strong></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">Aside from the automatic Administrators session termination due to inactivity describes above, the TOE also allows Administrators to terminate their own interactive session.<span style=\"mso-spacerun: yes;\">&nbsp; </span>Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.<span style=\"mso-spacerun: yes;\">&nbsp; </span></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE will display an Administrator-specified banner on the web browser management interface prior to allowing any administrative access to the TOE.</span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\"><strong>Trusted Path/Channels</strong></span></p>\r\n<p style=\"margin-bottom: .0001pt;\"><span style=\"font-family: 'times new roman',times,serif; font-size: 12pt;\">The TOE allows the establishment of a trusted channel between a video control system (such as Evertz&rsquo; Magnum) and the EXE.<span style=\"mso-spacerun: yes;\">&nbsp; </span>The TOE also establishes a secure connection for sending syslog data to a syslog server using TLS. The TOE also provides a trusted path to Security Admi<span style=\"mso-bidi-font-size: 12.0pt; line-height: 106%; mso-fareast-font-family: 'Times New Roman'; mso-fareast-theme-font: minor-fareast; mso-bidi-font-family: 'Times New Roman';\">nistrators via HTTPS/TLS.</span></span></p>","features":[]}