The Target of Evaluation [TOE] is a Network Device as defined by the collaborative Protection Profile for Network Devices v2.2e [NDcPP]: “A network device in the context of this cPP is a device composed of both hardware and software that is connected to the network and has an infrastructure role within the network”.
\r\n\r\n
The TOE name is SonicWall Secure Mobile Access (SMA) v12.4, and the evaluated version of the TOE is 12.4.3. In the evaluated configuration it includes SMA 6210, SMA 7210 appliances and SMA 8200v virtual appliance. SonicWall SMA is a unified secure access gateway that enables organizations to provide anytime, anywhere and any device access to corporate resources.
\r\n\r\n
All SMA hardware appliances are shipped ready for immediate access through a Command Line Interface (CLI) and after basic network configuration through a web-based Appliance Management Console (AMC). Virtual appliance requires installation into hypervisor environment and supports configuration through AMC. To ensure secure use of the product, it must be appropriately configured prior to being put into a production environment as specified in the user guidance.
","evaluation_configuration":"The TOE is a hardware and software solution composed of the Cisco Catalyst Industrial Ethernet IE3x00 Rugged Series Switches running IOS-XE 17.12.
\r\nThe evaluated configuration consists of the following devices:
\r\n| \r\n Catalyst IE3200 Hardware Models \r\n | \r\n\r\n IE-3200-8T2S, IE-3200-8P2S \r\n\r\n | \r\n
| \r\n Catalyst IE3300 Hardware Models \r\n | \r\n\r\n IE-3300-8T2S, IE-3300-8P2S, IE-3300- 8T2X, IE-3300- 8U2X \r\n | \r\n
| \r\n Catalyst IE3400 Hardware Models \r\n | \r\n\r\n IE-3400-8T2S, IE-3400-8P2S \r\n | \r\n
| \r\n Catalyst IE3400H Hardware Models \r\n | \r\n\r\n IE-3400H-8FT, IE-3400H-8T, IE-3400H-16FT, IE-3400H-16T, IE-3400H-24FT, IE-3400H-24T \r\n | \r\n
| \r\n Software Version \r\n | \r\n\r\n IOS-XE 17.12 \r\n | \r\n
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R5.
\r\n\r\n
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 R5.
\r\n\r\n
Dekra Certification has determined that the product meets the security criteria in the Security Target, which specifies compliance with collaborative Protection Profile for Network Devices v2.2e.
\r\n\r\n
A team of validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in August 2024.
","environmental_strengths":"Security Audit
\r\n\r\n
The TOE generates audit records for all security-relevant events. For each event, the TOE records the date and time, the type of event, the subject identity, and the outcome of the recoded event. The resulting records can be stored locally or securely sent to a designated audit server for archiving. Security Administrators using the appropriate AMC menu can also view audit records locally. The TOE also implements timestamps based on a local system clock to ensure reliable audit information produced.
\r\n\r\n
Cryptographic Support
\r\n\r\n
The TOE performs the following cryptographic functionality:
\r\nEncryption, decryption, hashing, keyed-hash message authentication, random number generation, signature generation and verification utilizing dedicated cryptographic library.
\r\nCryptographic functionality is utilized to implement secure channels.
\r\nTLSv1.2
\r\nEntropy is collected from multiple entropy sources and used to support PRNG seeding with full entropy.
\r\nCritical Security Parameters (CSPs) internally stored and cleared when no longer in use.
\r\nX.509v3 certificate-based authentication integrated with TLS protocol.
\r\n\r\n
The TOE is certified as a FIPS 140-2 level 2 cryptographic module, it internally manages CSPs and implements deletion procedures to mitigate the possibility of disclosure or modification of CSPs. Additionally, the TOE provides functionality to manually clear CSPs (e.g. host RSA keys), that can be invoked by a Security Administrator with appropriate permissions.
\r\n\r\n
Identification and Authentication
\r\n\r\n
The TOE supports Role-Based Access Control (RBAC) managed by an AAA module that stores and manages permissions of all users and their roles. Before any other action, each user is identified with a login name and authenticated with a password. Each authorized user is associated with assigned role and specific permissions that determine access to TOE features.
\r\n\r\n
Security Management
\r\n\r\n
The TOE allows remote administration using a TLS session over an internal management Ethernet port and local administration using a console adapter via a separate RJ-45 running RS-232 signaling. Remote administration is conducted over web-based interface (AMC) and local administration conducted over CLI.
\r\nAll of the management functionality is restricted to the Security Administrators of the TOE. The Security Administrators are authorized to perform configuration and management of the TOE. The term “Security Administrator” is used to refer to any user with an administrative role and sufficient permissions.
\r\n\r\n
Protection of the TSF
\r\nThe TOE implements a number of measures to protect the integrity of its security features. The TOE protects CSPs, including stored passwords and cryptographic keys, so they are not directly viewable in plaintext. The TOE also ensures that reliable time information is available for both log accountability and synchronization with the operating environment.
\r\n\r\n
The TOE employs both dedicated communication channels as well as cryptographic means to protect the communication between itself and the other components in the operational environment.
\r\n\r\n
The TOE performs self-tests to detect internal failures and to protect itself from malicious updates.
\r\n\r\n
TOE Access
\r\n\r\n
The TOE will display a customizable banner when an administrator initiates an interactive local or remote session. The TOE also enforces an administrator-defined inactivity timeout after which the inactive session is automatically terminated. Once a session (local or remote) has been terminated, the TOE requires the user to re-authenticate.
\r\n\r\n
Trusted Path/Channels
\r\n\r\n
The TOE protects remote sessions by establishing a trusted path secured with TLS between itself and the administrator. The TOE prevents disclosure or modification of audit records by establishing a trusted channel secured with TLS between itself and the audit server.
\r\n","features":[{"id":3103,"feature_name":"Asymmetric Key Generation"},{"id":3099,"feature_name":"Auditing"},{"id":3113,"feature_name":"Certificate Authentication"},{"id":3109,"feature_name":"Certificate Validation"},{"id":3107,"feature_name":"Cryptographic Hashing"},{"id":3104,"feature_name":"Cryptographic Key Establishment"},{"id":3106,"feature_name":"Cryptographic Signature Verification"},{"id":3101,"feature_name":"DRBG"},{"id":3100,"feature_name":"Key Destruction"},{"id":3108,"feature_name":"Keyed-hash message authentication"},{"id":3116,"feature_name":"TLS 1.2"},{"id":3112,"feature_name":"TLS Client"},{"id":3111,"feature_name":"TLS Server with Mutual Authentication"},{"id":3102,"feature_name":"Virtual Network Device"}]}