The TOE is classified as a network device (a generic infrastructure device that can be connected to a network). The TOE hardware device is the Evertz MAGNUM-SC-CC2 which includes the MAGNUM-SC-CC2 (1 RU) with an AMD EPYC 7313P (16C/32T) in a Gigabyte E152-ZE1, running MAGNUM-OS firmware v24.11.8. The MAGNUM-OS firmware is based on Ubuntu version 24.04 LTS (Noble). The MAGNUM-OS serves as the primary user and network interface device for the MAGNUM control application.
\r\nEvertz MAGNUM software (v24.11.8) is a custom-developed application written primarily in python. MAGNUM-SC-CC2 operates as a combination of an application layer and as part of the integrated Linux platform stack, using a customized Ubuntu operating system. The TOE version of MAGNUM (MAGNUM-SC-CC2) is only operable on Evertz provided platforms and hardware.
\r\nThe TOE is an infrastructure network device that provides secure remote management, auditing, and updating capabilities. The TOE provides secure remote management using an HTTPS/TLS web interface and an SSH command line interface. The TOE generates audit logs and transmits the audit logs to a remote syslog server over a mutually authenticated Syslog over TLS channel. The TOE verifies the authenticity of software updates by verifying the digital signature prior to installing any update.
\r\nThe scope of the evaluated functionality includes the following,
\r\nThe IT Testing Environment Components used to test the TOE are shown in Table 2 in the security target document. No other functionality is included within the scope of this evaluation.
","evaluation_configuration":"The IT Testing Environment Components used to test the TOE are shown in Table below:
\r\n| \r\n\r\n | \r\n\r\n Required \r\n | \r\n\r\n Purpose/Description \r\n | \r\n
| \r\n Syslog server \r\n | \r\n\r\n Yes \r\n\r\n | \r\n\r\n
| \r\n
| \r\n IPX Video Switch \r\n | \r\n\r\n Yes \r\n | \r\n\r\n
| \r\n
| \r\n Management workstation with web browser \r\n | \r\n\r\n Yes \r\n | \r\n\r\n
| \r\n
| \r\n Management workstation with remote CLI \r\n | \r\n\r\n Yes \r\n | \r\n\r\n
| \r\n
| \r\n Local Management Workstation \r\n | \r\n\r\n Yes \r\n | \r\n\r\n
| \r\n
| \r\n CRL Server \r\n | \r\n\r\n Yes \r\n | \r\n\r\n
| \r\n
| \r\n DNS Server \r\n | \r\n\r\n Yes \r\n | \r\n\r\n
| \r\n
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the MAGNUM-SC-CC2 V24.11.8 was evaluated is described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered and configured as identified in the Common Criteria Administrator Guidance, satisfies all of the security functional requirements stated in the MAGNUM-SC-CC2 v24.11.8 Security Target. The project underwent CCEVS Validator review. The evaluation was completed in December 2025. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS
","environmental_strengths":"The TOE provides the security functions required by the Collaborative Protection Profile for Network Devices, hereafter referred to as NDcPP v3.0e or NDcPP and Functional Package for SSH, Version 1.0, hereafter referred to as PKG_SSH_v1.0.
\r\n\r\n
The TOE generates audit records for security relevant events. Audit data are stored internally and are only accessible to privileged administrators. The TOE supports access to TSF using administrator accounts for authentication and authorization to management and security functions.
\r\n\r\n
The TOE also supports sending audit records to a remote Syslog server. Audit records sent to the remote server are protected by a TLS connection. Each audit record includes identity (username, IP address, or process), date and time of the event, type of event, and the outcome of the event.
\r\nThe TOE includes an OpenSSL library (openssl version 3.0.13-0ubuntu3.5, openssl_fips version 3.0.9et2 and linux-image-generic_6.8.0.71) that implements CAVP validated cryptographic algorithms for random bit generation, encryption/decryption, authentication, and integrity protection/verification. These algorithms are used to provide security for the TLS, HTTPs, and SSH connections for secure management and secure connections to a syslog and authentication servers. TLS and HTTPs are also used to verify firmware updates. The cryptographic services provided by the TOE are described below:
\r\n\r\n
\r\n
| \r\n Cryptographic Protocol \r\n | \r\n\r\n Use within the TOE \r\n | \r\n
| \r\n HTTPS/TLS (client) \r\n | \r\n\r\n Secure connection to syslog | \r\n
| \r\n HTTPS/TLS (server) \r\n | \r\n\r\n Remote management | \r\n
| \r\n SSH (server) \r\n | \r\n\r\n Remote management | \r\n
| \r\n AES \r\n | \r\n\r\n Provides encryption/decryption in support of the TLS and SSH protocol. | \r\n
| \r\n DRBG \r\n | \r\n\r\n Deterministic random bit generation use to generate keys. | \r\n
| \r\n Secure hash \r\n | \r\n\r\n Used as part of digital signatures and firmware integrity checks. | \r\n
| \r\n HMAC \r\n | \r\n\r\n Provides keyed hashing services in support of TLS. | \r\n
| \r\n EC-DH \r\n | \r\n\r\n Provides key establishment for TLS. | \r\n
| \r\n ECDSA \r\n | \r\n\r\n Used to generate EC-DH components for key establishment for TLS. | \r\n
| \r\n RSA \r\n | \r\n\r\n Provide key generation and signature generation and verification (PKCS1_V1.5) in support of TLS. | \r\n
\r\n
Each of these cryptographic algorithms have been validated for conformance to the requirements specified in their respective standards (refer to Table 15) in the ST.
\r\nThe TOE authenticates administrative users using a username/password combination. The TOE does not allow access to any administrative functions prior to successful authentication. The TOE validates and authenticates X.509 certificates for all certificate uses.
\r\n\r\n
The TOE supports passwords consisting of alphanumeric and special characters and enforces minimum password lengths. The TSF supports certificates using RSA signature algorithms. Certificates are used to authenticate trusted channels, not administrators. The TOE only allows users to view the login warning banner prior to authentication. Remote administrators are locked out after a configurable number of unsuccessful authentication attempts.
\r\nThe TOE allows users with the Security Administrator role to administer the TOE over a remote web UI, remote CLI, or a local CLI. These interfaces do not allow the Security Administrator to execute arbitrary commands or executables on the TOE. Security Administrators can manage connections to an external Syslog server, as well as determine the size of local audit storage.
\r\nThe TOE implements several self-protection mechanisms. This protection includes self-tests to ensure the correct operations of cryptographic functions. Firmware upgrades, performed by a Security Administrator, must pass two authentication tests. The TOE does not provide an interface for the reading of secret or private keys. The TOE ensures timestamps, timeouts, and certificate checks are accurate by maintaining a real-time clock.
\r\nThe TOE can be configured to display a warning and consent banner when an administrator attempts to establish an interactive session over the CLI (local or remote) or remote web UI. The TOE also enforces a configurable inactivity timeout for remote administrative sessions.
\r\nThe TOE uses TLS to provide a trusted communication channel between itself and remote audit server and MAGNUM server. The trusted channels utilize X.509 certificates to perform mutual authentication. The TOE initiates the Syslog over TLS trusted channel with the remote audit server.
\r\nThe TOE uses HTTPS/TLS and SSH to provide a trusted path between itself and remote administrative users. The TOE does not implement any additional methods of remote administration. The remote administrative users are responsible for initiating the trusted path when they wish to communicate with the TOE.
","features":[{"id":997,"feature_name":"Asymmetric Key Generation"},{"id":994,"feature_name":"Auditing"},{"id":1009,"feature_name":"Certificate Authentication"},{"id":1002,"feature_name":"Certificate Validation"},{"id":1000,"feature_name":"Cryptographic Hashing"},{"id":998,"feature_name":"Cryptographic Key Establishment"},{"id":999,"feature_name":"Cryptographic Signature Verification"},{"id":996,"feature_name":"DRBG"},{"id":993,"feature_name":"Flaw Remediation"},{"id":1006,"feature_name":"HTTPS Client"},{"id":1007,"feature_name":"HTTPS Server without Mutual Authentication"},{"id":1008,"feature_name":"IPsec"},{"id":1001,"feature_name":"Keyed-hash message authentication"},{"id":1005,"feature_name":"SSH Server"},{"id":1011,"feature_name":"TLS 1.1"},{"id":1010,"feature_name":"TLS 1.2"},{"id":1003,"feature_name":"TLS Client"},{"id":1004,"feature_name":"TLS Server without Mutual Authentication"}]}