The Target of Evaluation (TOE) is Veeam ONE v12. The TOE provides a monitoring and analytics solution for backup, virtual and physical environments, providing support for Veeam Backup & Replication™ and Veeam Agents, as well as VMware, Hyper-V and Nutanix AHV.
\r\nVeeam ONE v12 is a software application. In its evaluated configuration, it is installed on an instance of Microsoft Windows Server 2019 executing on an x86-64 processor with the following additional software components, which are included in the Veeam ONE setup package:
\r\n• Microsoft .NET Framework 4.7.2 or later
\r\n• Microsoft .NET Core Runtime 3.1.16
\r\n• Microsoft Visual C++ 2015-2019 Redistributable (x64)
\r\n• Microsoft System CLR Types for SQL Server 2014
\r\n• Microsoft SQL Native Client 2012
\r\n• Microsoft SQL Server 2014 Management Objects
\r\n• Microsoft SQL Server 2012 Management Objects
\r\n• Microsoft OLE DB Driver for SQL Server
\r\n• Microsoft XML 6.0 Parser and SDK
\r\n• Microsoft ASP.NET Core Shared Framework 3.1.16
\r\n• Microsoft Universal C Runtime
\r\n• Microsoft SQL Server 2016 (Microsoft SQL Server 2016 Express edition is included in Veeam ONE setup).
\r\nThe TOE additionally requires Microsoft SQL Server installed on the same host platform and a workstation with a web browser to connect to the TOE’s user interface.
\r\nThe TOE connects to an instance of the separately evaluated Veeam Backup and Replication (VBR) software to retrieve event logs of backup and recovery tasks performed by VBR and infrastructure information of the hosts to which VBR connects.
","evaluation_configuration":"","security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the Veeam ONE v12 Security Target, Version 1.6, 9 July 2023. The evaluation was completed in August 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11371-2023) prepared by CCEVS.
","environmental_strengths":"Cryptographic Support
\r\nThe TOE invokes platform-provided cryptography to protect data at rest and in transit.
\r\nUser Data Protection
\r\nThe TOE accesses the minimum amount of Windows Server hardware and data in order to perform its function. The TOE stores database connectivity information in the Windows Registry and stores other TOE configuration information in the SQL Server database.
\r\nSecurity Management
\r\nBoth the TOE binary components themselves and the configuration settings they use are stored in locations recommended for Microsoft Windows Server.
\r\nThe TOE includes a console user interface (UI). Users must login to Windows and have permissions to access the UI in order to access the TOE.
\r\nAdministrators may configure which VBR instances have their Event Logs analyzed by the TOE, and access reports resulting from that analysis.
\r\nPrivacy
\r\nThe TOE does not process any personally identifiable information (PII).
\r\nProtection of the TSF
\r\nThe TOE enforces various mechanisms to prevent itself from being used as an attack vector to its Windows platform. The TOE implements address space layout randomization (ASLR), does not allocate any memory with both write and execute permissions, does not write user-modifiable files to directories that contain executable files, and is compatible with the Windows Defender security features of its host platform.
\r\nThe TOE contains libraries and invokes system APIs that are well known and explicitly identified.
\r\nThe TOE has a mechanism to display its current software version. The TOE can be used to determine if software updates for it are available. If so, an administrator uses out of band mechanisms to acquire, validate, and install the update securely.
\r\nThe TOE developer provides a secure mechanism for receiving reports of security flaws. Product vulnerabilities are tracked and addressed. Availability of updates is announced via email sent to customers as well as via the Veeam website.
\r\n\r\n
Trusted Path/Channels
\r\nThe TOE protects data in transit with remote administrators by invoking the platform-provided IIS.
","features":[{"id":1516,"feature_name":"Certificate Authentication"},{"id":1517,"feature_name":"Certificate Validation"},{"id":1518,"feature_name":"Credential Storage"},{"id":1519,"feature_name":"DRBG"},{"id":1520,"feature_name":"HTTPS Client"},{"id":1521,"feature_name":"HTTPS Server with Mutual Authentication"},{"id":1522,"feature_name":"PBKDF"}]}