Compliant Product - MMA10G-IPX Series v3.3
Certificate Date: 2023.02.10CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11277-2023
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Acumen Security
Administrative Guide: IPX MMA10G-IPX v3.3 Security Administrative Guide Addendum for Common Criteria
Administrative Guide: IPX MMA10G-IPX Security Administration Manual
The TOE (Internet Protocol Crosspoint (IPX) switch) is a network-based audio video distribution system and is classified as a network device (a generic infrastructure device that can be connected to a network). It is a 10 Gigabit (Gb) Internet Protocol (IP) switch optimized for video-over-IP traffic (compressed or uncompressed). For the MMA10G and 3080 models, each IPX card occupies two (2) slots (16- and 32-port IPX cards) or four (4) slots (64-port IPX cards) in an Evertz Modular Crosspoint (EMX) frame. The 9080 models include the IPX cards and frame in a 1RU form factor. All IPX-compatible cards may be inserted into any IPX frame configuration provided there are sufficient contiguous free slots available.
Since video by nature has a unidirectional flow, and multiple copies of a single incoming video stream are often sent to multiple output destinations, the IPX exclusively uses multicast IP addressing. Equipment to prepare video for IP transport, or to convert it into other video formats, is outside the scope of this TOE. Such equipment includes, but is not limited to, cameras, KVMs, codecs, video servers and video displays. Equipment to perform functions such as embedding audio and/or other information within the video stream is also outside the scope of this TOE.
The TOE provides secure remote management using an HTTPS/TLS web interface. Administrators only may access IPX via a dedicated management workstation operating over an Out-of-Band Management (OOBM) network. Sites may close this OOBM network or may operate IPX within an existing OOBM, as long as the topology is compliant with the security parameters listed below. Users and administrators may also access IPX software via direct connection using a terminal session.
The TOE generates audit logs and transmits the audit logs to a remote syslog server over a mutually authenticated TLS channel. The TOE verifies the authenticity of software updates by verifying the digital signature prior to installing any update.
The summary of the evaluated functionality provided by the TOE includes the following,
• Secure connectivity with remote audit servers and secure retention of audit logs locally
• Identification and authentication of the administrator of the TOE
• Secure remote administration of the TOE via TLS and secure Local administration of the TOE
• Secure access to the management functionality of the TOE
• Secure software updates
• Secure communication with the non-TOE ‘video switch control systems’ via TLS
The TOE hardware devices are the Evertz:
· MMA10G-IPX-16 running MMA10G-IPX-16-CC v3.3,
· MMA10G-IPX-32 running MMA10G-IPX-32-CC v3.3,
· MMA10G-IPX-64 running MMA10G-IPX-64-CC v3.3,
· 3080IPX-16-G3-CC running MMA10G-IPX-16-CC v3.3,
· 3080IPX-32-G3-CC running MMA10G-IPX-32-CC v3.3,
· 3080IPX-64-G6-CC running MMA10G-IPX-64-CC v3.3,
· 3080IPX-16-10G-CC running MMA10G-IPX-16-CC v3.3,
· 3080IPX-32-10G-CC running MMA10G-IPX-32-CC v3.3,
· 3080IPX-64-10G-CC running MMA10G-IPX-64-CC v3.3,
· 3080IPX-16-10G-HW-CC running MMA10G-IPX-16-CC v3.3,
· 3080IPX-32-10G-HW-CC running MMA10G-IPX-32-CC v3.3,
· 3080IPX-64-10G-HW-CC running MMA10G-IPX-64-CC v3.3,
· 3080IPX-16GE-CC running MMA10G-IPX-16-CC v3.3,
· 3080IPX-32GE-CC running MMA10G-IPX-32-CC v3.3,
· 3080IPX-64GE-CC running MMA10G-IPX-64-CC v3.3,
· 3080IPX-16GE-RJ45-CC running MMA10G-IPX-16-CC v3.3,
· 3080IPX-32GE-RJ45-CC running MMA10G-IPX-32-CC v3.3,
· 3080IPX-64GE-RJ45-CC running MMA10G-IPX-64-CC v3.3,
· 9080IPX-16-12RJ45-4SFP10GE-CC running MMA10G-IPX-16-CC v3.3,
· 9080IPX-16GE-12RJ45-4SFP-CC running MMA10G-IPX-16-CC v3.3,
· 9080IPX-32-28RJ45-4SFP10GE-CC running MMA10G-IPX-32-CC v3.3,
· 9080IPX-32-28RJ45-4SFP-CC running MMA10G-IPX-32-CC v3.3
The IPX appliances are Ethernet switches optimized for video content.
NOTE: All the devices listed above run on the same Freescale MPC8377E PowerQUICC II processor and use the same microarchitecture
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Evertz MMA10G-IPX Series was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when delivered configured as identified in the MAGNUM-HW-CC Security Administration Manual for Common Criteria, Revision 02, satisfies all of the security functional requirements stated in the Evertz MMA10G-IPX Series v3.3 Security Target, version 1.1,February 06, 2023. The project underwent CCEVS Validator review. The evaluation was completed in February 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.
· Security Audit
· Cryptographic Support
· Identification and Authentication
· Security Management
· Protection of the TSF
· TOE Access
· Trusted Path/Channels
The TOE provides the security functions required by the Collaborative Protection Profile for Network Devices, hereafter referred to as NDcPP v2.2e or NDcPP.
The TOE’s Audit security function supports audit record generation and review. The TOE provides date and time information that is used in audit timestamps. Very broadly, the Audit events generated by the TOE include:
· Establishment of a trusted path or channel session
· Failure to Establish a trusted path or channel session
· Termination of a trusted path or channel session
· Failure of trusted channel functions
· Identification and Authentication
· Unsuccessful attempt to validate a certificate
· Lockouts due to unsuccessful authentication attempts
· Any update attempt
· Result of the update attempt
· Management of TSF data
· Changes to Time
· Session timeouts
The TOE stores generated audit data on itself and sends audit events to a syslog server, using a TLS protected collection method. Logs are classified into various predefined categories. The logging categories help describe the content of the messages that they contain. Access to the logs is restricted to only Security Administrators, who has no access to edit them, only to copy or delete (clear) them. Audit records are protected from unauthorized modifications and deletions.
The TSF provides the capability to view audit data by using the Syslog tab in the web browser. The log records the time, host name, facility, application, and “message” (the log details). The previous audit records are overwritten when the allocated space for these records reaches the threshold on a FIFO basis.
The TOE includes an OpenSSL library (Version 1.1.1k with Fedora Patches) that implements CAVP validated cryptographic algorithms for random bit generation, encryption/decryption, authentication, and integrity protection/verification. These algorithms are used to provide security for the TLS/HTTPs connections for secure management and secure connections to a syslog and authentication servers. TLS and HTTPs are also used to verify firmware updates. The cryptographic services provided by the TOE are described below:
Table 3 – TOE Cryptographic Protocols
Each of these cryptographic algorithms have been validated for conformance to the requirements
Table 4 – CAVP Algorithm Testing References
Identification and Authentication
All Administrators wanting to use TOE services are identified and authenticated prior to being allowed access to any of the services other than the display of the warning banner. (“Regular” IPX users do not access IPX directly; they control IP video switching through the IPX using a switch control system, such as Evertz’ Magnum. The switching of those IP video transport stream is outside the scope of the TOE.)
Once an Administrator attempts to access the management functionality of the TOE, the TOE prompts the Administrator for a username and password for password-based authentication. The identification and authentication credentials are confirmed against a local user database. Only after the Administrator presents the correct identification and authentication credentials will access to the TOE functionality be granted. The TOE uses X.509v3 certificates as defined by RFC 5280 to support authentication for TLS/HTTPS connections.
The TOE provides the capability to set password minimum length rules. This is to ensure the use of strong passwords in attempts to protect against brute force attacks. The TOE also accepts passwords composed of a variety of characters to support complex password composition. During authentication, no indication is given of the characters composing the password.
Remote administrators are locked out after a configurable number of unsuccessful authentication attempts.
The IPX requires a password-protected serial connection to perform initial configuration of the system IP address(es). Once each address is established, administrators use IP connectivity for all further administrative actions, including configuration, operations, and monitoring.
The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure session or a local console connection. The TOE provides the ability to perform the following actions:
• Administer the TOE locally and remotely
• Configure the access banner
• Configure the cryptographic services
• Configure number of unsuccessful login attempts that trigger a lockout
• Update the TOE and verify the updates using digital signature capability prior to installing those updates
• Specify the time limits of session inactivity
All of these management functions are restricted to an Administrator, which covers all administrator roles. Administrators are individuals who manage specific type of administrative tasks. In IPX, only the only admin role exists, since there is no provision for “regular” users to access IPX directly (as described above), and the portion of IPX they access and control are outside the scope of the TOE.
Primary management is done using the Webeasy web-based interface using HTTPS. This provides a network administration console from which one can manage various identity services. These services include authentication, authorization, and reporting. All of these services can be managed from the web browser, which uses a menu-driven navigation system.
There is also a very simple serial-based connection (RS-232) that provides a simple menu interface. This is used to configure the IP interface (IP address, etc.). It is password-protected, and is typically only used once, for initial set-up.
Protection of the TSF
The TOE will terminate inactive sessions after an Administrator-configurable time period. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session. The TOE provides protection of TSF data (authentication data and cryptographic keys). In addition, the TOE internally maintains the date and time. This date and time are used as the time stamp that is applied to TOE generated audit records. The TOE also ensures firmware updates are from a reliable source. Finally, the TOE performs testing to verify correct operation.
In order for updates to be installed on the TOE, an administrator initiates the process from the web interface. IPX automatically uses the digital signature mechanism to confirm the integrity of the product before installing the update.
Aside from the automatic Administrators session termination due to inactivity describes above, the TOE also allows Administrators to terminate their own interactive session. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.
The TOE will display an Administrator-specified banner on the web browser management interface prior to allowing any administrative access to the TOE.
The TOE allows the establishment of a trusted path between a video control system (such as Evertz’ Magnum) and the IPX. The TOE also establishes a secure connection for sending audit data to a syslog server using TLS and other external authentication stores using TLS-protected communications.
The TOE uses HTTPS/TLS to provide a trusted path between itself and remote administrative users. The TOE does not implement any additional methods of remote administration. The remote administrative users are responsible for initiating the trusted path when they wish to communicate with the TOE.