CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

The Citrix Application Delivery Controllers (ADC) are purpose-built networking appliances whose function is to improve the performance, security and resiliency of applications delivered over the web. The ADC intelligently distributes, optimizes application performance, enhances application availability with advanced Layer 4 – Layer 7 load balancing, secures applications from attacks, and lowers server expenses by offloading computationally intensive tasks. The TOE comprises Citrix ADC 12.1 software running on the following:

- Physical Platforms 

o   MPX 8900 FIPS

o   MPX 15000-50G FIPS

- Virtual Platforms

o VPX FIPS on ESXi 6.5 running on a Dell PowerEdge R630 Server 

Citrix ADC MPX FIPS and Citrix ADC VPX FIPS are network devices and virtual network devices that combine Layer 4 - Layer 7 load balancing and content switching with application acceleration, data compression, static and dynamic content caching, SSL acceleration, network optimization, application performance monitoring, application visibility, and robust application security via an application firewall. The Citrix ADC MPX FIPS & Citrix ADC VPX FIPS appliances support all the NIST-approved FIPS 140-2 algorithms.

The TOE evaluated configuration consists of the physical platforms, MPX 8900 FIPS and MPX 15000-50G FIPS. Both, the MPX 8900 FIPS and the MPX 15000-50G FIPS, operate using the Intel® Xeon E5-2620 v4 (Broadwell) processor. Additionally, the evaluated configuration includes the VPX FIPS virtual platform. This virtual platform is hosted within a Dell PowerEdge R630 Server running an instance of VMware ESXi 6.5 hypervisor. The VPX is hosted on a server which operates on an Intel® Xeon E5-2680 v4 (Broadwell) processor.

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Citrix ADC (MPX FIPS and VPX FIPS) Version 12.1 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5, April 2017.  The product, when delivered configured as identified in the Citrix ADC (MPX FIPS and VPX FIPS) Version 12.1 Common Criteria Configuration Guide, Version 1.4, January 24, 2022, satisfies all of the security functional requirements stated in the Citrix ADC (MPX FIPS and VPX FIPS) Version 12.1 Security Target, Version 1.6, 1/24/2022. The project underwent CCEVS Validator review.  The evaluation was completed in January 2022.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11225-2022) prepared by CCEVS.

The TOE provides the security functions required by NDcPP v2.2e, as identified below.

- Security Audit - The TOE keeps local and remote audit records of security relevant events. Remote audit records are transferred via TLS to the external audit server.

- Cryptographic Support - The TOE provides cryptographic support for the SSH for remote administrative access and TLS connections to external IT devices.The cryptography for the TOE is provided by Citrix ADC CP Cryptographic Library v3.0 and Citrix ADC CP Cryptographic Library v4.0 running on FreeBSD 8.4. This is the underlying OS of the TOE on which the firmware runs.

- Identification and Authentication - The TOE provides two types of authentication to provide a trusted means for Security Administrators and remote endpoints to interact:

o   Password-based or public-key authentication for Security Administrators

o X.509v3 certificate-based authentication for remote devices

Device-level authentication allows the TOE to establish a secure communication channel with a remote endpoint. Security Administrators can set a minimum length for passwords (between 4 and 127 characters). Additionally, the TOE detects and tracks consecutive unsuccessful remote authentication attempts and will prevent the offending attempts from authenticating when a Security Administrator defined threshold is reached.

- Security Management - The TOE enables secure local and remote management of its security functions, including:

o  Local console CLI administration

o   Remote CLI administration via SSHv2

o   Administrator authentication using a local database

o   Timed user lockout after multiple failed authentication attempts

o   Password complexity enforcement

o   Role Based Access Control - the TOE supports several types of administrative user roles. Collectively these sub-roles comprise the “Security Administrator”

o   Configurable banners to be displayed at login

o   Timeouts to terminate administrative sessions after a set period of inactivity

o Protection of secret keys and passwords

- Protection of the TSF - The TOE ensures the authenticity and integrity of software updates through hash comparison and requires administrative intervention prior to the software updates being installed.

- TOE Access - Prior to login, the TOE displays a banner with a message configurable by the Security Administrator. The TOE terminates user connections after an Authorized Administrator configurable amount of inactivity time.

- Trusted path/channels - The TOE uses TLS to provide a trusted channel between itself and remote syslog and LDAP servers. The TOE uses SSH to provide a trusted path between itself and remote administrators.

Vendor Information