NIAP: Compliant Product
Compliant Product - VMware NSX-T Data Center 3.1

Certificate Date:  2022.07.22

Validation Report Number:  CCEVS-VR-VID11217-2022

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.2e

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The Target of Evaluation (TOE) is VMware NSX-T Data Center 3.1, a VMware network device software product that provides and manages virtual networking components. The TOE is designed as a network virtualization platform, providing the ability to implement and virtualize networks across multiple ESXi nodes and virtual machines (VMs).

For the purpose of testing the identified TOE, the evaluated TOE configuration is as follows: VMware NSX-T Data Center 3.1 on hypervisor VMware ESXi 6.7 running Ubuntu 18.04 on Dell PowerEdge R740 with Intel Xeon Gold 6230R (Cascade Lake).

The TOE provides functionality to enforce and support auditing, cryptographic operations, network separation, encrypted channels, identification/authentication, security management, and protection of the TSF. Administrators can configure virtual networks.

In VMware’s network virtualization solution, the following components are the essential building blocks that make up the virtualized computing environment:

·       NSX-T Unified Appliance is a virtual appliance configured to run NSX-T application roles (Manager, Policy, and Controller).

·       The NSX-T Edge is a virtual appliance that provides routing services and connectivity to networks that are external to the NSX-T deployment.

The components described above make a basic virtualized environment ready for virtualized networking. The NSX-T Unified Appliance provides a single API entry point to the system, persists user configuration, handles user queries, and performs operational tasks. The TOE is configured for a single instance of ESXi 6.7 Hypervisor, which includes a single NSX-T Unified Appliance instance and a single instance of the NSX-T Edge appliance, and does not contain non-TOE functionality.

Customers with a higher scale environment may use vCenter Server, but that is optional and is not included within the TOE.


Evaluated Configuration


Security Evaluation Summary

 

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the VMware NSX-T Data Center 3.1 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5.  The product, when delivered configured as identified in the VMware NSX-T Data Center 3.1 Common Criteria Guidance Addendum, satisfies all of the security functional requirements stated in the VMware NSX-T Data Center 3.1 Common Criteria Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in July 2022.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

 


Environmental Strengths

Logical Boundary Rationale for Security Audit (FAU)

Security Function:  Security Audit (FAU)

Description:  The TOE generates audit records for all security-relevant events. For each audited event, the TOE records the date and time, the type of event, the subject identity, and the outcome of the event. The resulting records are stored on the Unified Appliance and can be sent securely to a designated log server for archiving. Security Administrators, using the appropriate REST API commands, can also view audit records locally. The TOE provides a reliable timestamp relying on the appliance’s built-in clock.

Logical Boundary Rationale for Cryptographic Support (FCS)

Security Function:  Cryptographic Support (FCS)

Description:  The TOE provides cryptography support for secure communications and protection of information. The cryptographic services provided by the TOE are listed in Table 3 - TOE Provided Cryptography below. The TOE implements the secure protocols - TLS/HTTPS on the server side and TLS on the client side. The TOE implements deletion procedures to mitigate the possibility of disclosure or modification of CSPs.

The TOE uses two types of dedicated cryptographic modules to manage CSPs: the VMware BC-FJA (Bouncy Castle FIPS Java API) module for Java-based implementations of TLS/HTTPS, key stores, and trust stores; and VMware’s OpenSSL FIPS Object Module for TLS/HTTPS, key stores, and trust stores. The algorithm certificate references are listed in the tables below (Table 4 – VMware’s OpenSSL FIPS Object Module Algorithm and Table 5 – VMware BC-FJA (Bouncy Castle FIPS Java API) Module Algorithm), as described in the ST.

  

The following table lists all cryptography provided within TOE:

| Cryptographic Method | Usage within the TOE |
|---|---|
| TLS Establishment | Used to establish initial TLS session |
| ECDH Key Agreement | Used in TLS session establishment |
| RSA Key Generation | Used to create key-pairs and X.509 certificates for use in TLS protocols |
| RSA Signature Services | Used in TLS session establishment. Used in secure software update |
| SP 800-90 DRBG | Used in TLS session establishment |
| SHS | Used in secure software update |
| HMAC-SHS | Used to provide TLS traffic integrity verification |
| AES | Used to encrypt TLS traffic |

Table 3 – TOE Provided Cryptography

 

The algorithms provided by VMware’s OpenSSL FIPS Object Module cryptographic module are listed in the following table:

| Algorithm | Description | Mode Supported | CAVP Cert. # | Standards |
|---|---|---|---|---|
| AES | Used for symmetric encryption/decryption | GCM (128 and 256 bits); CBC (128 and 256 bits) | A1292 | SP 800-38D; SP 800-38A |
| SHS (SHA) | Cryptographic hashing services | Byte Oriented: SHA-1, SHA-256, SHA-384 | A1292 | FIPS 180-4 |
| HMAC | Keyed hashing services and software integrity test | Byte Oriented: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 | A1292 | FIPS 198 |
| DRBG | Deterministic random bit generation services in accordance with ISO/IEC 18031:2011 | Hash_DRBG (512); CTR_DRBG (AES-256) | A1292 | SP 800-90A |
| RSA | Signature Generation and Verification | FIPS PUB 186-4 Key Generation (2048-bit, 3072-bit key) | A1292 | FIPS 186-4 |
| CVL – KAS-ECC | Key Agreement | NIST Special PUB 800-56A | A1292 | SP 800-56Ar3 |

Table 4 – VMware’s OpenSSL FIPS Object Module Algorithm

 

| Algorithm | Description | Mode Supported | CAVP Cert. # | Standards |
|---|---|---|---|---|
| AES | Used for symmetric encryption/decryption | GCM (128 and 256 bits); CBC (128 and 256 bits) | C2174 | SP 800-38D; SP 800-38A |
| SHS (SHA) | Cryptographic hashing services | Byte Oriented: SHA-1, SHA-256, SHA-384 | C2174 | FIPS 180-4 |
| HMAC | Keyed hashing services and software integrity test | Byte Oriented: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 | C2174 | FIPS 198 |
| DRBG | Deterministic random bit generation services in accordance with ISO/IEC 18031:2011 | Hash_DRBG (512); CTR_DRBG (AES-256) | C2174 | SP 800-90A |
| RSA | Signature Generation and Verification | FIPS PUB 186-4 Key Generation (2048-bit, 3072-bit key) | C2174 | FIPS 186-4 |
| CVL – KAS-ECC | Key Agreement | NIST Special Publication 800-56A | C2174 | SP 800-56Ar3 |

Table 5 – VMware BC-FJA (Bouncy Castle FIPS Java API) Module Algorithm 

 

Logical Boundary Rationale for Identification and Authentication (FIA)

Security Function:  Identification and Authentication (FIA)

Description:  Security Administrators are identified and authenticated prior to being allowed access to any of the services other than the display of the warning banner. The REST API requires a user name and password for authentication. The identification and authentication credentials are confirmed against a local user database. The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for TLS/HTTPS connections.

The TOE provides the capability to set password minimum length rules to ensure the use of strong passwords in attempts to protect against brute force attacks. The TOE also accepts passwords composed of a variety of characters to support complex password composition. During authentication, no indication is given of the characters composing the password.

 

Logical Boundary Rationale for Security Management (FMT)

Security Function:  Security Management (FMT)

Description:  The TOE provides secure administrative services for management of general TOE configuration and TOE security functionality. There are two types of administrative users within the system: Security Administrator and Auditor (read only). All of the management functions are restricted to Security Administrators. TOE administration occurs through the REST API. The TOE provides the ability to perform the following actions:

·       Administer the TOE locally and remotely

·       Configure the access banner

·       Configure the cryptographic services

·       Update the TOE and verify the updates using digital signature capability prior to installing those updates

·       Specify the time limits of session inactivity

 

 

Logical Boundary Rationale for Protection of the TSF (FPT)

Security Function:  Protection of the TSF (FPT)

Description:  The TOE implements a number of measures to protect the integrity of its security features:

·       The TOE protects CSPs, including stored passwords and cryptographic keys, so they are not directly viewable or accessible in plaintext.

·       The TOE ensures that reliable time information is available for log accountability. The time can be configured through the REST API.

The TOE performs self-tests to detect internal failures and protect itself from malicious updates.

 

Logical Boundary Rationale for TOE Access (FTA)

Security Function:  TOE Access (FTA)

Description:  The TOE will display a customizable banner when an administrator initiates a session. The TOE also enforces an administrator-defined inactivity timeout after which any inactive session is automatically terminated. Once a session has been terminated, the TOE requires the user to re-authenticate.

 

Logical Boundary Rationale for Trusted Path/Channels (FTP)

Security Function:  Trusted Path/Channels (FTP)

Description:  The TOE establishes a trusted path between the Unified Appliance and the administrative REST API using TLS/HTTPS. The TOE establishes a secure connection using TLS for:

·       Sending syslog data to a log server.


Vendor Information


VMware
Paul Dul
1-650-427-1430
1-650-475-5001
pdul@vmware.com

https://www.vmware.com