Compliant Product - Gigamon GigaVUE Version 6.0
Certificate Date: 2023.02.14CC Certificate Security Target * Validation Report
Validation Report Number: CCEVS-VR-VID11314-2023
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
* This is the Security Target (ST) associated with the latest Maintenance Release. To view previous STs for this TOE, click here.
The GigaVUE's primary functionality is to use the Gigamon Forwarding Policy to receive out-of-band (data plane) copied network data from external sources (TAP or SPAN port) and forward that copied network data to one or many tool ports for packet capture or analyzing tools based on user selected criteria.
The TOE is the Gigamon GigaVUE Version 6.0 family of products, which includes the following appliance models:
HC1: GVS-HC101 (AC power), GVS-HC102 (DC power)
HC2: GVS-HC2A1 (AC power), GVS-HC2A2 (DC power)
HC3: GVS-HC301 (AC power), GVS-HC302 (DC power)
TA25: GVS-TAX21-HW (AC power), GVS-TAX22-HW (DC power),
GVS-TAX21A-HW (AC power), GVS-TAX22A-HW (DC power)
TA200: GVS-TAC21 (AC power), GVS-TAC22 (DC power)
GTAP: GTP-ATX21 (AC power), GTP-ASF21 (AC power)
Each of these devices runs the Gigamon GigaVUE software release 6.0 and provides identical NDcPP defined security functionality to one another.
The following lists components and applications in the environment that the TOE relies upon in order to function properly:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Gigamon GigaVUE Release 6.0 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Gigamon GigaVUE Security Target Version 1.0 as scoped by the NDcPP2.2E. The evaluation underwent CCEVS Validator review. The evaluation was completed in February 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11314-2023 prepared by CCEVS.
Audit records are generated for various types of management activities and events. The audit records include the date and time stamp of the event, the event type and subject identity. In the evaluated configuration, the TSF is configured to transmit audit data to a remote audit server using SSHv2, but audit data is also stored locally to ensure availability of the data if communications with the audit server are unavailable. Local audit records are stored in “message” files which are rotated to ensure a maximum limit of disk usage is enforced. Only users with the Admin privilege can access or delete the log files. Users with the Admin privilege are considered trusted users and are therefore not expected to delete or modify the audit records.
The TOE uses sufficient security measures to protect its data in transmission by implementing cryptographic methods and trusted channels. The TOE uses SSH to secure the remote CLI and audit server trusted channels. The TOE also uses TLS to secure the trusted channel for the LDAP server.
Cryptographic keys are generated using the CTR_DRBG provided by this module. The TOE erases all plaintext secret and private keys that reside in both RAM and non-volatile storage with zeroes. In the evaluated configuration, the TOE operates in “Secure Cryptography Mode” which is used to restrict algorithms to meet the PP requirements.
Identification and Authentication
All users must be identified and authenticated to the TOE before being allowed to perform any actions on the TOE. This is true of users accessing the TOE via the local console or the protected path using the remote CLI via SSH. Users authenticate to the TOE using one of the following methods:
· Username/password (defined on the TOE)
· LDAP authentication
· Username/public key (SSH only)
The TSF provides a configurable number of maximum consecutive authentication failures that are permitted by a user. Once this number has been met, the account is locked for a configurable time interval. Passwords that are maintained by the TSF can be composed of upper case, lower case, numbers and special characters. The Security Administrator can define the minimum password length between 8 and 30 characters. Password information is never revealed during the authentication process including during login failures. Before a user authenticates to the device, a configurable warning banner is displayed.
As part of establishing trusted remote communications, the TOE provides X.509 certificate functionality. In addition to verifying the validity of certificates, the TSF can check their revocation status using a certificate revocation list (CRL).
The TOE defines two roles: Admin and Monitor. Each of these roles has varying levels of fixed privilege to interact with the TSF. The Admin role is able to perform all security-relevant management functionality (such as user management, password policy configuration, application of software updates, and configuration of cryptographic settings). The Monitor role provides view-only access to ports and configurations. Therefore, the term “Admin”, used throughout this document, is considered to be a Security Administrator of the TSF. Management functions can be performed using the local console or remote CLI. All software updates to the TOE are performed manually.
Protection of the TSF
The TOE stores usernames and passwords in a password file that cannot be viewed by any user on the TOE regardless of the user's role. The passwords are hashed using SHA-512. Public keys are stored in the configuration database which is integrity checked at boot time. Key data is stored in plaintext on the hard drive but cannot be accessed by any user. The TOE has an underlying hardware clock that is used for keeping time. The time can be manually set by the administrator. Power-on self-tests are executed automatically when the cryptographic module is loaded into memory. All binaries (e.g., executables, libraries), are located on a read-only partition and cannot be modified. In addition, the TOE has a configuration database that is integrity checked at boot time.
The version of the TOE (both the currently executing version and the installed/updated version, if different) can be verified from any of the administrative interfaces provided by the TSF. The updated image is verified via a digital signature.
The TOE can terminate inactive local console or remote CLI sessions after a specified time period. The default setting is 15 minutes. Users can also terminate their own interactive sessions. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session. The TOE displays an administratively configured banner on the local console or remote CLI prior to allowing any administrative access to the TOE.
The TOE connects and sends data to IT entities that reside in the Operational Environment via trusted channels. In the evaluated configuration, the TOE connects with an audit server using SSH to encrypt the audit data that traverses the channel. The TOE also connects with an LDAP server using TLS. When accessing the TOE remotely, administrators interface with the TSF using a trusted path. The remote CLI is protected via SSH.