Compliant Product - MAGNUM-HW-CC
Certificate Date: 2023.02.13CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11276-2023
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Acumen Security
Administrative Guide: MAGNUM-HW-CC Security Administration Manual for Common Criteria
Administrative Guide: MAGNUM-HW 1RU Enterprise Class Server for MAGNUM User Manual
The TOE is classified as a network device (a generic infrastructure device that can be connected to a network). The TOE hardware device is the Evertz MAGNUM-HW-CC which includes the MAGNUM-HW-CC (1 RU) with an Intel Xeon Silver 4309Y processor, running MAGNUM-SDVN firmware v21.10.4. The SDVN firmware is based on Ubuntu 20.04 TLS (Focal). The MAGNUM-HW-CC serves as the primary user and network interface device for the MAGNUM control application.
Evertz MAGNUM software (MAGNUM-SDVN 21.10.4) is a custom-developed application written primarily in python. MAGNUM-HW operates as a combination of an application layer and as part of the integrated Linux platform stack, using a customized Ubuntu operating system. The TOE version of MAGNUM (MAGNUM-HW-CC) is only operable on Evertz provided platforms and hardware.
The TOE is an infrastructure network device that provides secure remote management, auditing, and updating capabilities. The TOE provides secure remote management using an HTTPS/TLS web interface and an SSH command line interface. The TOE generates audit logs and transmits the audit logs to a remote syslog server over a mutually authenticated TLS channel. The TOE verifies the authenticity of software updates by verifying the digital signature prior to installing any update.
The scope of the evaluated functionality includes the following,
• Secure remote administration of the TOE via TLS and SSH
• Secure Local administration of the TOE
• Secure connectivity with remote audit servers
• Secure access to the management functionality of the TOE
• Identification and authentication of the administrator of the TOE
No other functionality is included within the scope of this evaluation.
The MAGNUM is a software module that unifies control and interfacing to Evertz and 3rd party media steaming devices. As a unified controller, the MAGNUM supports the following functionalities that are outside of the scope of this evaluation:
· MAGNUM serves as the control interface for Evertz’s proprietary IPX media streaming switch fabric that allows the general user to establish, change, and tear down multicast IP video streams. MAGNUM may also serve as a general control interface for similar Evertz and third-party systems and devices.
· Equipment to prepare video for IP transport, or to convert it into other video formats, is outside the scope of this TOE. Such equipment includes, but is not limited to, cameras, KVMs, codecs, video servers and video displays. Equipment to perform functions such as embedding audio and/or other information within the video stream is also outside the scope of this TOE.
· MAGNUM issues commands (via dedicated internal API) to Evertz’s proprietary IPX switching fabric and other production endpoints for the purpose of initiating, maintaining, and tearing down virtual routing paths. The MAGNUM-HW-CC device serves as the primary operational and administrative management interface to the closed multicast switching environment.
· MAGNUM provides Out-of-Band Management (OOBM) of Evertz IPX, EXE, and other 3rd party devices. To perform primary operational and administrative management functions on the closed multicast switching environment, Security Administrators may access MAGNUM software via direct connection using a terminal session. Security Administrators may also access MAGNUM via a dedicated management workstation operating over an OOBM network to perform these OOB management functions. In addition to Security Administrators, general users may also access the MAGNUM software via a dedicated management workstation over an OOBM network.
Note: Sites may close this OOBM network or may operate MAGNUM within an existing OOBM, if the topology is compliant with the security parameters listed in the sections below.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the MAGNUM-HW-CC was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when delivered configured as identified in the MAGNUM-HW-CC Security Administration Manual for Common Criteria, Revision 03, satisfies all of the security functional requirements stated in the MAGNUM-HW-CC Security Target v1.3. The project underwent CCEVS Validator review. The evaluation was completed in February/2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.
· Security Audit
· Cryptographic Support
· Identification and Authentication
· Security Management
· Protection of the TSF
· TOE Access
· Trusted Path/Channel
The TOE generates audit records for security relevant events. Audit data are stored internally and are only accessible to privileged administrators. The TOE supports access to the TSF using administrator accounts for authentication and authorization to management and security functions.
The TOE also supports sending audit records to a remote Syslog server. Audit records sent to the remoteserver are protected by a TLS connection. Each audit record includes identity (username, IP address, orprocess), date and time of the event, type of event, and the outcome of the event.
The TOE includes an OpenSSL library (Version 1.1.1k with Fedora Core 33 Patches) that implements CAVP validated cryptographic algorithms for random bit generation, encryption/decryption, authentication, and integrity protection/verification. These algorithms are used to provide security for the TLS, HTTPs, and SSH connections for secure management and secure connections to a syslog and authentication servers. TLS and HTTPs are also used to verify firmware updates. The cryptographic services provided by the TOE are described below:
Table 3 – TOE Cryptographic Protocols
Each of these cryptographic algorithms have been validated for conformance to the requirements
Table 4 – CAVP Algorithm Testing References
Identification and Authentication
The TOE authenticates administrative users using a username/password combination. The TOE does not allow access to any administrative functions prior to successful authentication. The TOE validates and authenticates X.509 certificates for all certificate uses.
The TOE supports passwords consisting of alphanumeric and special characters and enforces minimum password lengths. The TSF supports certificates using RSA signature algorithms. Certificates are used to authenticate trusted channels, not administrators. The TOE only allows users to view the login warning banner prior to authentication. Remote administrators are locked out after a configurable number of unsuccessful authentication attempts.
The TOE allows users with the Security Administrator role to administer the TOE over a remote web UI, remote CLI, or a local CLI. These interfaces do not allow the Security Administrator to execute arbitrary commands or executables on the TOE. Security Administrators can manage connections to an external Syslog server, as well as determine the size of local audit storage.
Protection of the TSF
The TOE implements several self-protection mechanisms. This protection includes self-tests to ensure the correct operations of cryptographic functions. Firmware upgrades, performed by a Security Administrator, must pass two authentication tests. The TOE does not provide an interface for the reading of secret or private keys. The TOE ensures timestamps, timeouts, and certificate checks are accurate by maintaining a real-time clock.
The TOE can be configured to display a warning and consent banner when an administrator attempts to establish an interactive session over the CLI (local or remote) or remote web UI. The TOE also enforces a configurable inactivity timeout for remote administrative sessions.
The TOE uses TLS to provide a trusted communication channel between itself and remote. The trusted channels utilize X.509 certificates to perform mutual authentication. The TOE initiates the TLS trusted channel with the remote server.
The TOE uses HTTPS/TLS and SSH to provide a trusted path between itself and remote administrative users. The TOE does not implement any additional methods of remote administration. The remote administrative users are responsible for initiating the trusted path when they wish to communicate with the TOE.