{"product_id":4034,"v_id":4034,"product_name":"Nexor MMHS Security","certification_status":"Not Certified","certification_date":"2005-03-14T00:03:00Z","tech_type":"Secure Messaging","vendor_id":{"name":"Nexor Ltd.","website":"http://www.nexor.com"},"vendor_poc":"Tony Roadknight","vendor_phone":"+44 115 952 0500","vendor_email":"tony.roadknight@nexor.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>The set of software products that form the TOE include: Nexor Defender for Outlook, with the support of Nexor S/MIME Security; Nexor Directory Administrator, with the support of Nexor Strong Authentication; and Nexor Overseer, with the support of Nexor Security Server.</p>\r\n<p>The Nexor Defender for Outlook component is a user agent designed to extend the functionality of Microsoft Outlook 2000. The component enables users to send and receive X.400 military messages. It includes an LDAP Address Book provider to provide integrated directory services into Microsoft Outlook 2000, such as support for multiple servers to allow for redundancy and consolidation of searches across multiple directories to access email addresses and security objects, and directory browsing to allow the user to navigate through the directory information to find the appropriate recipient. Additionally, Nexor Defender for Outlook includes the S/MIME Security Plug-in to provide the ability to attach a label to a message and verify recipient and originator clearance before sending a message. </p>\r\n<p>The Nexor Directory Administrator component is an administrative directory user agent (ADUA) designed to enhance the functionality of Windows 2000 Explorer. The component facilitates browsing and modification of an X.500 directory using the Directory Access Protocol (DAP). It introduces an &ldquo;X.500 Neighborhood&rdquo; that allows access to multiple directory servers and allows administrators to manage sensitive directory objects, such as objects that contain security information and role information. The Nexor Directory Administrator component is closely integrated into Windows Explorer and offers email integration, which enhances the functionality offered by the Nexor LDAP Address book; for example, users can use Nexor Directory Administrator to search and browse the directory to locate appropriate information, including address information, which can then be passed to Microsoft Outlook. Additionally, the Nexor Strong Authentication module allows the DAP operations used by the Nexor Directory Administrator to be signed and verified. This ensures both integrity and authentication services are enforced on both the operations and the results. </p>\r\n<p>The Nexor Overseer component is an email manager. It handles the notification of arrival and the re-routing of email messages without the need for user intervention. Nexor Overseer works alongside Microsoft&rsquo;s Exchange Server 2000, monitoring mail as it is placed in mailboxes stored on the Exchange Server. The two main capabilities provided by this component are that it can send an automatic message alert to a designated individual if messages are received when the intended recipient is not logged in and it can automatically forward messages to an alternate address if they have not been read within a pre-determined period of time. Additionally, the Nexor Security Server allows the Nexor Overseer to sign and label the alert and redirect messages that it generates.</p>\r\n<p>The evaluated TOE components are add-on packages to Microsoft Outlook 2000, Windows Explorer, and Microsoft Exchange 2000, which are not within the scope of the TOE. Similarly, the underlying hardware and operating system platforms (Microsoft Windows 2000 Professional and Microsoft Windows 2000 Advanced Server) are not included in the evaluation. Moreover, the TOE relies upon the following products to be present in the IT environment to perform some of its security functions:</p>\r\n<ul>\r\n    <li>Nexor Directory </li>\r\n    <li>A Certificate Authority </li>\r\n    <li>DigitalNet Secure Message Protocol (SMP) Libraries: </li>\r\n</ul>\r\n<ul>\r\n    <li>S/Mime Freeware Library </li>\r\n    <li>Certificate Management Library </li>\r\n    <li>Access Control Library </li>\r\n</ul>\r\n<p>These products are also outside the scope of the TOE.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Nexor MMHS Security TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 family of assurance requirements. The product, when configured as specified in the Installing and Configuring Nexor MMHS Security, Nexor Defender for Outlook 4.1 Administrator Guide, Nexor Defender for Outlook 4.1 User Guide, Nexor S/MIME Security Administrator&rsquo;s Guide, Nexor S/MIME Security User&rsquo;s Guide, Nexor Directory Administrator 2.0, Nexor Overseer 2.0 Administrator Guide, and Release Notes, satisfies all of the security functional requirements stated in the Nexor MMHS Security Security Target (Version 1.0). One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in February 2005. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-05-0095, dated 14 March 2005) prepared by CCEVS.</p>","environmental_strengths":"<p>The Nexor TOE includes a set of services that provide secure enhancements to email services of Microsoft Outlook 2000 and Exchange, and to the browsing capabilities of Windows Explorer. These features require a level of protection that is subject to an information flow control policy, so that the data flow can remain protected and access is controlled. The assurance requirements, EAL2, and the minimum strength of function, SOF-basic, were chosen to be consistent with those environments. Nexor MMHS Security supports the following security functions: </p>\r\n<p><strong>Communication</strong> &mdash; The TOE ensures non-repudiation of messages with proof of origin and non-repudiation with proof of receipt.</p>\r\n<p><strong>User Data Protection</strong> &mdash; The TOE implements access control rules to ensure that only authorized users can access the addresses and security information stored in the available directories. Additionally, the TOE ensures that messages can only be sent at a classification level the user is authorized to send messages at as well as ensuring messages can only be sent to users authorized to read messages of the classification being sent to them. </p>\r\n<p><strong>Identification</strong> &mdash; All users must be identified by the TOE and authenticated by the IT environment before they are allowed to access the specific security services of the TOE.<strong></strong></p>\r\n<p><strong>Security Management</strong> &mdash; The TOE provides administrators with the capabilities to specify the labels that can be associated with messages.</p>","features":[]}