Compliant Product - Fortra’s GoAnywhere Managed File Transfer v6.8
Certificate Date: 2023.04.07
Validation Report Number: CCEVS-VR-VID11216-2023
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1
Protection Profile for Application Software Version 1.3
Extended Package for Secure Shell (SSH) Version 1.0
CC Testing Lab: Acumen Security
The Target of Evaluation (TOE) is Fortra’s GoAnywhere Managed File Transfer v6.8 (MFT). The TOE is a software application that provides secure file transfer services over HTTPS, TLS, and SSH. GoAnywhere MFT is a secure managed file transfer solution that streamlines the exchange of data between systems, employees, customers, and trading partners. It provides centralized control with extensive security settings and detailed audit trails, and helps process information from files into XML, CSV, and JSON databases.
The TOE has been evaluated on the following host platforms:
· CentOS 7 on ESXi 6.7 with Intel Xeon E5-4620v4 (Broadwell)
· Windows Server 2016 on ESXi 6.7 with Intel Xeon E5-4620v4 (Broadwell)
Note: The TOE is the application software only. The host platforms are not part of the evaluation.
The TOE supports (sometimes optionally) secure connectivity with several other IT environment devices as described below.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Fortra’s GoAnywhere Managed File Transfer v6.8 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when configured as identified in the Fortra’s GoAnywhere Managed File Transfer v6.8 AGD, satisfies all of the security functional requirements stated in the Common Criteria Configuration Guide for Fortra’s GoAnywhere Managed File Transfer v6.8 Security Target. The project underwent CCEVS Validator review. The evaluation was completed in April 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE utilizes the GoAnywhere MFT Bouncy Castle FIPS Java API cryptographic library version 1.0.2. This library implements all of the cryptographic algorithms required for SSH and TLS, drawing entropy from the platform RBG.
The cryptographic services provided by the TOE are described below:
Table 3 TOE Provided Cryptography
Each of these cryptographic algorithms has been validated for conformance to the requirements specified in its respective standard, as identified below.
User Data Protection
The TOE relies on the underlying platform to encrypt sensitive data at rest.
Identification and Authentication
The TOE uses X.509v3 certificates as defined by RFC 5280 to authenticate the TLS connection to the external TLS servers. The TOE validates the X.509 certificates using the certificate path validation algorithm defined in RFC 5280.
The TOE authenticates users using a username/password combination or X.509 TLS Client Certificates.
The TOE allows the configuration of users, file servers, file transfer services, keys and certificates, and cryptographic protocols.
The TOE does not transmit Personally Identifiable Information (PII) over the network.
Protection of the TSF
The TOE employs several mechanisms to ensure that it is secure on the host platform. The TOE only allocates a limited amount of memory with both write and execute permission to support just-in-time compiling. The TOE supports ASLR, stack-based overflow protections, and platform security mechanisms (Windows Defender and SELinux).
The TOE is distributed as a Microsoft .EXE file (Windows) or an RPM (CentOS). The installers are signed by Fortra so their integrity can be verified by the platform.
The TOE protects all data in transit using TLSv1.2 or SSHv2.