Compliant Product - Kemp LoadMaster
Certificate Date: 2023.01.27
Validation Report Number: CCEVS-VR-VID11280-2023
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Acumen Security
The TOE supports (sometimes optionally) secure connectivity with several other IT environment devices as described below.
Table 1 IT Environment Components
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Kemp LoadMaster was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when delivered configured as identified in the AGD “Configuring LoadMaster for Common Criteria Conformance v0.2”, satisfies all the security functional requirements stated in the Kemp LoadMaster Security v0.8. The project underwent CCEVS Validator review. The evaluation was completed in January 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE provides the security functionality required by [NDcPP].
· Security Audit
· Cryptographic Support
· Identification and Authentication
· Security Management
· Protection of the TSF
· TOE Access
· Trusted Path/Channels
These features are described in more detail in the subsections below.
1.1.1 Security Audit
The TOE generates audit records for security relevant events. The audit events are associated with the administrator or processes. The audit records are transmitted over TLS to an external audit server.
1.1.2 Cryptographic Support
The TOE provides the cryptographic services described below.
Table 2 Cryptographic Services
Each of these cryptographic algorithms has been validated for conformance to the requirements specified in its respective standard, as identified below.
1.1.3 Identification and Authentication
The TOE provides password-based and X.509 certificate-based logon mechanisms. The password-based mechanism enforces minimum length requirements. The TOE also validates and authenticates X.509 certificates when they are used to identify a remote TLS server or an administrator logging into the TOE.
1.1.4 Security Management
The TOE provides management capabilities via a Web-based GUI, accessed over HTTPS. Management functions allow the administrators to configure the system, install updates, and manage users.
1.1.5 Protection of the TSF
The TOE prevents the reading of plaintext passwords and keys. The TOE provides a reliable timestamp for its own use. The reliable timestamp can be set by a security administrator or authenticated NTP. To protect the integrity of its security functions, the TOE implements a suite of self-tests at startup and halts or disables affected functionality if a self-test fails. The TOE ensures that updates to the TOE are authenticated by verifying a digital signature prior to installing any update.
1.1.6 TOE Access
The TOE monitors local and remote administrative sessions for inactivity and either locks or terminates the session when a threshold time period is reached. An advisory notice is displayed at the start of each session.
1.1.7 Trusted Path/Channels
The TOE initiates a TLS trusted channel with a syslog server and an LDAP authentication server (as configured).
The TOE is a TLS/HTTPS server that allows remote administrators to establish a trusted path with the TOE.
Progress Software Corporation