{"product_id":11522,"v_id":11522,"product_name":"Berryville Holdings, LLC Warden v1.2","certification_status":"Certified","certification_date":"2025-07-07T00:00:00Z","tech_type":"Firewall,Network Device,Virtual Private Network,Wireless Monitoring","vendor_id":{"name":"Berryville Holdings LLC","website":"https://bvhllc.com"},"vendor_poc":"Steven Pritchett","vendor_phone":"703-662-9316","vendor_email":"warden@bvhllc.com","assigned_lab":{"cctl_name":"Gossamer Security Solutions"},"product_description":"<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">The TOE consists of a single instance of virtual Berryville device running the Warden software v1.2 on a physical device running Ubuntu 22.04&rsquo;s KVM hypervisor.</p>\r\n<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">The TOE is assumed to be installed and operated within a physically protected environment, administered by trusted and trained administrators. The TOE can be remotely administered via SSH or via a local console.</p>\r\n<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">The VM leverages the physical hardware&rsquo;s ethernet interface or additional USB interfaces to create virtual interfaces. The TOE is able to filter connections to/from external IT entities using its stateful firewall/IP traffic filtering capabilities. In addition to packet filtering, the TOE can also provide Intrusion prevention via anomaly or signature-based detection.</p>\r\n<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">The TOE provides VPN gateway capabilities, allowing the Engine to use IKE/IPsec to protect traffic exchanged with remote peer gateways (for a site-to-site VPN configuration) and with VPN clients. 
Site-to-site configuration can be used to protect data between the TOE and a remote syslog server or NTP server.</p>","evaluation_configuration":"<p><span style=\"font-size: 10.0pt; font-family: Times, serif;\">The TOE consists of a single instance of virtual Berryville device running the Warden software v1.2 on a physical device running Ubuntu 22.04&rsquo;s KVM hypervisor</span></p>","security_evaluation_summary":"<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\">The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.&nbsp; The evaluation demonstrated that the TOE<em> </em>meets the security requirements contained in the Security Target.&nbsp; The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.&nbsp; The product, when delivered and configured as identified in the Berryville Holdings LLC, Warden v1.2 CC Administrator Guide, July 3, 2025 document, satisfies all of the security functional requirements stated in the Berryville Holdings, LLC Warden v1.2 Security Target, Version 0.6, July 3, 2025.&nbsp; The project underwent CCEVS Validator review.&nbsp; The evaluation was completed in July 2025.&nbsp; Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11522-2025) prepared by CCEVS.</p>\r\n<p style=\"margin: 0in; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>","environmental_strengths":"<div class=\"WordSection1\">\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\">The logical 
boundaries of the Warden are realized in the security functions that it implements. Each of these security functions is summarized below.</p>\r\n<p style=\"margin: 0in; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Security audit:</strong></p>\r\n<p style=\"margin: 0in 0in 5pt; text-align: justify; font-size: 10pt; font-family: Times, serif;\">The TOE provides auditing capabilities to provide a secure and reliable record of all security relevant events, including administrative changes to the TOE. &nbsp;Any security relevant event is audited internally and then transmitted externally over a secure communication channel to an audit server via IPsec in real-time. All audited events have the necessary details like timestamp, event log, event code, and identity of the party involved to provide a comprehensive audit trail. Depending on the context of the audit, the identity may be the relevant user id, or remote IT entity involved in the event. All audits are protected from unauthorized deletion. The TOE&rsquo;s logd will rotate logs and once out of space, delete the oldest logs in order to make room for newer logs. 
The administrator may configure IPS auditing to limit the number of audits generated for similar events.</p>\r\n<p style=\"margin: 0in 0in 5pt; text-align: justify; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; break-after: avoid; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Cryptographic support:</strong></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">The TOE<span style=\"font-family: 'Times New Roman', serif;\"> leverages </span>OpenSSL library (version 3.0.10) executing on the TOE&rsquo;s Intel Core i7-1165G7 Processor library<span style=\"font-family: 'Times New Roman', serif;\"> to provide cryptographic functions supporting secure administration access (via SSH), secure network traffic with VPN peers (via IKE/IPsec), and for secure communication to external systems such as audit log servers and NTP servers (also via IPsec). &nbsp;Functions include Key generation, key establishment, key distribution, key destruction, and cryptographic operations.</span></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>User data protection:</strong></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\"><span style=\"font-family: 'Times New Roman', serif;\">The TOE has been designed to ensure that no residual information exists in network packets. When the TOE allocates a new buffer for either an incoming or outgoing network packet, the new packet data will be used to overwrite any previous data in the buffer. 
If an allocated buffer exceeds the size of the packet, any additional space will be overwritten (padded) with zeros before the packet is forwarded (to the external network or delivered to the appropriate, internal application).</span></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Firewall:</strong></p>\r\n<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">The VM bridges the physical hardware&rsquo;s ethernet interface or additional USB interfaces to create virtual interfaces. Using these virtual interfaces, the TOE supports many protocols for packet filtering including icmpv4, icmpv6, ipv4, ipv6, tcp and udp.&nbsp; The firewall rules implement the SPD rules (permit, deny, bypass).&nbsp; Each rule can be configured to log status of packets pertaining to the rule. All codes under each protocol are implemented.&nbsp; The TOE supports FTP for stateful filtering.</p>\r\n<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">Routed packets are forwarded to a TOE interface with the interface&rsquo;s MAC address as the layer-2 destination address.&nbsp; The TOE routes the packets using the presumed destination address in the IP header, in accordance with route tables maintained by the TOE.</p>\r\n<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">IP packets are processed by the software, which associates them with application-level connections, using the IP packet header fields: source and destination IP address and port, as well as IP protocol. &nbsp;Fragmented packets are reassembled before they are processed.</p>\r\n<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">The TOE mediates the information flows according to an administrator-defined policy. 
&nbsp;Some of the traffic may be either silently dropped or rejected (with notification to the presumed source).</p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">The TOE's firewall and packet filtering capabilities are controlled by defining an ordered set of iptables rules. Each rule specifies what communication will be allowed to pass and what will be blocked. &nbsp;It specifies the source and destination of the communication, what services can be used, and whether to log the connection.</p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Identification and authentication:</strong></p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><span style=\"font-family: 'Times New Roman', serif;\">The TOE maintains a single security administrator role. While the TOE allows unique users, each created user has the security administrator role. The TOE provides secure password-based authentication for local administrators and password or public key based authentication for remote SSH administrators. The only functionality available to an administrator prior to authentication is viewing the warning banner.</span><span style=\"font-family: 'Times New Roman', serif;\"> The TOE </span>supports passwords of varying lengths and allows an administrator to specify a minimum password length between 15 and 32 characters long<span style=\"font-family: 'Times New Roman', serif;\">. 
&nbsp;</span>The password composition can contain all special characters as required by FIA_PMG_EXT.1.1.</p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\"><span style=\"font-family: 'Times New Roman', serif;\">Consecutive unsuccessful authentication attempts beyond a configurable limit will result in locking of the user for a specified duration of time.</span></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\"><span style=\"font-family: 'Times New Roman', serif;\">The TOE provides secure connectivity between itself and a remote VPN peer, syslog server, or NTP server using IPsec with X.509 certificate-based authentication. </span>X.509v3 certificates are stored internally and the store is protected by file permissions. X.509 certificates are manually loaded onto the TOE by the authorized administrator. The TOE checks the revocation status of peer certificates via CRL. The TOE can generate certificate signing requests (CSRs) and accept the upload of the signed certificates.</p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Security management:</strong></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">The TOE maintains a single security administrator role that allows both local and remote administration for management of the TOE&rsquo;s security functions. <span style=\"font-family: 'Times New Roman', serif;\">TOE administrators manage the security functions of the TOE through a local console or SSH CLI. 
&nbsp;The security administrator is able to perform all management functions, including, but not limited to, modifying audit behavior, performing updates, managing crypto keys, managing firewall, IPS, and packet filtering rules.</span></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Packet filtering:</strong></p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\">The TOE provides packet filtering and secure IPsec tunneling. &nbsp;The TOE&rsquo;s netfilter kernel process bears responsibility for processing network packets and processes each packet against the netfilter rules governing each input and output chain. The tunnels can be established with trusted VPN peers. &nbsp;More accurately, these tunnels are sets of security associations (SAs). The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used. SAs are unidirectional and are established per the ESP security protocol.&nbsp; An authorized administrator can define the traffic that needs to be protected via IPsec by configuring access lists (permit, deny, log) and applying these access lists to interfaces using crypto map sets. 
The TOE processes incoming packets in netfilter&rsquo;s chain applying the administrator-defined rulesets in order.&nbsp; See Section 1.4.1.2.4 above for more details.</p>\r\n<p style=\"margin: 0in 0in 6pt; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; break-after: avoid; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Protection of the TSF:</strong></p>\r\n<p style=\"text-align: justify; break-after: avoid; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><span style=\"font-family: 'Times New Roman', serif;\">The TOE includes capabilities to protect itself from unwanted modification as well as protecting its persistent data.</span></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">The TOE does not store passwords in plaintext; they are obfuscated. &nbsp;The TOE does not support any command line capability to view any cryptographic keys generated or used by the TOE.</p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\"><span style=\"font-family: 'Times New Roman', serif;\">The TOE provides image integrity verification using a digital signature to validate the authenticity of the images before loading them. Upon every boot up, power-on self-tests are conducted to validate the integrity of the software components as well as perform cryptographic known answer tests for the supported cryptographic algorithms. If power-up self-tests fail, the TOE halts boot. &nbsp;The TOE also allows an administrator to manually configure the TOE&rsquo;s clock or to configure an NTP server, with which the TOE will synchronize its time. 
</span>The TOE provides a timestamp for use with audit records, timing elements of cryptographic functions, and inactivity timeouts.</p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>TOE access:</strong></p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><span style=\"font-family: 'Times New Roman', serif;\">The TOE offers a login banner which provides the administrator the ability to display a custom warning/access policy message as per the organization's needs. &nbsp;The TOE provides the ability to configure an inactivity timeout which terminates the session beyond the inactivity period configured. &nbsp;An administrator can also terminate their own session.</span></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Trusted path/channels:</strong></p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\">The TOE communicates to external components in a secure manner using IPsec for VPN peers,&nbsp;<span style=\"font-family: 'Times New Roman', serif;\">syslog servers, or NTP servers</span>.&nbsp; The TOE also employs SSH to secure remote administrative sessions.</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\">&nbsp;</p>\r\n<p style=\"text-align: justify; margin: 0in; font-size: 10pt; font-family: Times, serif;\"><strong>Intrusion Prevention:</strong></p>\r\n<p style=\"margin: 0in 0in 6pt; text-align: justify; line-height: 11pt; font-size: 10pt; font-family: Times, serif;\">The TOE supports IPS functionality by leveraging the Suricata service. 
The TOE&rsquo;s intrusion detection and prevention system provides real-time monitoring and analysis of network traffic. The IPS will detect and respond to various types of network-based threats and attacks. IPS logs are generated and forwarded to Rsyslog. The IPS logs alert, drop, and reject actions to the syslog for traffic that matches a given rule.&nbsp; The TOE supports in-line and passive inspection modes using both anomaly and signature-based detection along with IP filtering based on blacklists &amp; white-lists. Anomaly-based detection can be determined by thresholds. Signature-based detection can be determined by packet headers, string-based pattern-matching, attacks, and/or patterns.</p>\r\n</div>\r\n<p>&nbsp;</p>","features":[{"id":3216,"feature_name":"Asymmetric Key Generation"},{"id":3328,"feature_name":"Auditing"},{"id":3225,"feature_name":"Certificate Authentication"},{"id":3226,"feature_name":"Certificate Validation"},{"id":3219,"feature_name":"Cryptographic Hashing"},{"id":3217,"feature_name":"Cryptographic Key Establishment"},{"id":3218,"feature_name":"Cryptographic Signature Verification"},{"id":3215,"feature_name":"DRBG"},{"id":3221,"feature_name":"Firewall"},{"id":3327,"feature_name":"Flaw Remediation"},{"id":3222,"feature_name":"Intrusion Prevention"},{"id":3224,"feature_name":"IPsec"},{"id":3220,"feature_name":"Keyed-hash message authentication"},{"id":3223,"feature_name":"VPN Gateway"}]}