1 of 18 National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Vormetric Data Security Manager V6000, Version 5.3 Report Number: CCEVS-VR-VID10737-2016 Dated: April 5, 2016 Version: 0.6 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6940 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940 2 of 18 ACKNOWLEDGEMENTS Validation Team Daniel Faigin The Aerospace Corporation Kenneth Stutterheim The Aerospace Corporation Common Criteria Testing Laboratory Dayanandini Pathmanathan CygnaCom Solutions McLean, Virginia Much of the material in this report was extracted from evaluation material prepared by the CCTL. Many of the product descriptions in this report were extracted from the Vormetric Data Security Manager Version 5.3 Security Target. 3 of 18 Table of Contents 1. Executive Summary .............................................................................................. 5 1.1. Secure Usage Assumptions................................................................................... 5 1.2. Threats ......................................................................................................................... 6 2. Identification............................................................................................................ 7 3. Security Policy........................................................................................................ 8 3.1. System Monitoring.................................................................................................... 8 3.2. Robust TOE Access ................................................................................................. 8 3.3. Authorized Management ......................................................................................... 8 3.4. Policy Definition ........................................................................................................ 8 3.5. Dependent Product Configuration........................................................................ 8 3.6. Confidential Communications............................................................................... 8 3.7. Access Bannering..................................................................................................... 9 3.8. Cryptographic Services........................................................................................... 9 4. Architectural Information................................................................................... 10 4.1. TOE Overview .......................................................................................................... 10 4.2. Vormetric Data Security Manager Software..................................................... 10 4.3. Vormetric Data Security Manager Hardware.................................................... 11 4.4. The Scope of the TOE............................................................................................ 12 5. Documentation ..................................................................................................... 13 5.1. Documentation......................................................................................................... 13 6. IT Product Testing ............................................................................................... 14 6.1. Developer Testing................................................................................................... 14 6.2. Evaluator Independent Testing ........................................................................... 14 7. Results of Evaluation.......................................................................................... 15 8. Validator Comments/Recommendations....................................................... 16 9. Glossary ................................................................................................................. 17 9.1. Acronyms.................................................................................................................. 17 10. Bibliography...................................................................................................... 18 4 of 18 List of Figures and Tables Figure 1-1: TOE Operational Environment ................................................................ 12 5 of 18 1. Executive Summary This Validation Report (VR) documents the evaluation and validation of the Vormetric Data Security Manager as defined in Vormetric Data Security Manager, Version 5.3 Security Target (ST). This VR applies only to the specific version and configuration of the product as evaluated and documented in the ST. It presents the evaluation results, their justifications, and the conformance results. End-users should review the ST and VR to better understand the security claims and how those claims were evaluated. The scope of this evaluation was limited to the functionality and assurances covered in the ST and specified by the ESM PM Protection Profile. All other functionality included in the product was not evaluated. The Target of Evaluation (TOE), the Data Security Manager, is a Policy Management product that serves as a trusted source for policy information that is ultimately consumed by the compatible Access Control product as defined by the claims to the Protection Profile for Enterprise Security Management Policy Management, 24 October 2013, Version 2.1 [ESM PP PM]. Note: The Transparent Encryption Agent (the Access Control product) is outside the scope of this evaluation. Testing conducted during this evaluation was limited to the Transparent Encryption Agent successfully receiving and loading the policy. The correctness of the enforcement of any given policy was not tested. The evaluation was performed by the CygnaCom Common Criteria Testing Laboratory (CCTL), and was completed in March 2016. The information in this report is derived from the Evaluation Technical Report (ETR) and associated test reports authored by the CCTL and as summarized in the Assurance Activity Report for Vormetric Data Security Manager Version 5.3 Version 1.4, March 28, 2016. The evaluation team determined that the product is:  Common Criteria Version 3.1 Revision 4 Part 2 and Part 3 conformant  Demonstrates exact conformance to the Protection Profile for Enterprise Security Management Policy Management, 24 October 2013, Version 2.1 [ESM PM]. The evaluation and validation were consistent with National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) policies and practices as described on their web site www.niap-ccevs.org. 1.1.Secure Usage Assumptions The ST identifies the following assumptions about the use of the product: 1. The TOE will be able to establish connectivity to other products in order to share security data. 2. The Operational Environment will provide mechanisms that reduce the ability of an attacker to impersonate a legitimate user during authentication. 3. The TOE will receive reliable time data from the Operational Environment. 4. The TOE will receive identity data from the Operational Environment. 6 of 18 5. There will be one or more competent individuals assigned to install, configure, and operate the TOE. 1.2. Threats The ST identifies the following threats:  An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms.  A careless administrator may create a policy that contains contradictory rules for access control enforcement.  A malicious user could eavesdrop on network traffic to gain unauthorized access to data.  A malicious user may exploit a weak or nonexistent ability for the TOE to provide proof of its own identity in order to send forged policies to an Access Control product.  A malicious user may attempt to mask their actions, causing audit data to be incorrectly recorded or never recorded.  A malicious user could bypass the TOE’s identification, authentication, or authorization mechanisms in order to illicitly use the TOE’s management functions.  A malicious user could be illicitly authenticated by the TSF through brute-force guessing of authentication credentials.  A Policy Administrator may be incapable of using the TOE to define policies in sufficient detail to facilitate robust access control, causing an Access Control product to behave in a manner that allows illegitimate activity or prohibits legitimate activity. 7 of 18 2. Identification Target of Evaluation: Vormetric Data Security Manager V6000, Version 5.3 Build 1667 ST Title: Vormetric Data Security Manager, Version 5.3 Security Target TOE Developer: Vormetric, Inc. CCTL: CygnaCom Solutions 7925 Jones Branch Dr, Suite 5400 McLean, VA 22102-3321 Evaluators: Dayanandini Pathmanathan Validation Scheme: National Information Assurance Partnership CCEVS Validators: Daniel Faigin Kenneth Stutterheim CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1 R4, Sept 2012 CEM Identification: Common Methodology for Information Technology Security Evaluation, Version 3.1 R4, Sept 2012 PP Identification: Protection Profile for Enterprise Security Management Policy Management, 24 October 2013, Version 2.1 [ESM PM]. 8 of 18 3. Security Policy The Target of Evaluation (TOE) enforces the following security policies as described in the ST:  System Monitoring  Robust TOE Access  Authorized Management  Policy Definition  Dependent Product Configuration  Confidential Communications  Access Bannering  Cryptographic Services 3.1. System Monitoring The TOE provides the ability to generate audit events in order to identify unauthorized TOE configuration changes and attempted malicious activity against protected objects. The audit trail identifies changes to subject data and usage of the authentication function. The audit data can be stored in an external repository. 3.2. Robust TOE Access The TOE implements mechanisms via a configurable password policy that improve security relative to the attempts of unsophisticated attackers to authenticate to the TOE using repeated guesses. The TOE can also enforce an externally-defined LDAP authentication policy. The TOE provides capabilities to terminate established sessions. 3.3. Authorized Management Policy Administrators are designated by the TSF and given various responsibilities for managing the TOE and creating policies. The TSF has its own internal method of enforcing controlled access so that no actions can be performed against it unless the subject is identified, authenticated, and authorized. 3.4. Policy Definition The TSF is able to manage policy attributes that are consistent with the corresponding technology type(s) described in the User Data Protection requirements in the Standard Protection Profile for Enterprise Security Management Access Control. In addition, the TSF is able to detect or prevent inconsistencies in the application of policies so that policies are unambiguously defined. Finally, the TOE is able to uniquely identify policies it created so that those identifiers can be used to determine what policies are being implemented by remote products. 3.5. Dependent Product Configuration The TOE is able to configure the behavior of the functions of the Access Control products that consume the policies it provides. This includes the configuration of what events to audit, what policies to enforce, and how to react in the event of a failure state or lack of connectivity. 3.6. Confidential Communications The TOE uses sufficiently strong and sufficiently trusted encryption algorithms to protect data in transit to and from the TOE. The TOE implements cryptographic protocol to protect these data in transit. 9 of 18 3.7. Access Bannering The TOE displays a banner prior to authentication that defines its acceptable use. This banner provides legal notification for monitoring that allows audit data to be admissible in the event of any legal investigations. 3.8. Cryptographic Services The TOE uses cryptographic primitives (encryption, decryption, random bit generation, etc.) in order to ensure the confidentiality and integrity of the policy data it transmits and to provide trusted communications between itself and the Operational Environment where necessary. 10 of 18 4. Architectural Information 4.1. TOE Overview The TOE is the appliance-based Vormetric Data Security Manager (DSM). The TOE includes all DSM appliance hardware and all software installed on the appliance. The TOE hardware appliance model is V6000. The DSM is the Policy Management product that serves as a trusted source for policy information that is ultimately consumed by the Transparent Encryption Agent (the Access Control product). Note however, that the Transparent Encryption Agent (the Access Control product) is outside the scope of this evaluation. Testing conducted during this evaluation was limited to observing the Transparent Encryption Agent successfully receiving and loading the policy. The correctness of the enforcement of that policy was not tested. 4.2. Vormetric Data Security Manager Software The Vormetric Data Security Manager (DSM) comprises a policy engine and a central key and policy manager, which provides security, performance, and scalability. The policies and keys are defined on the DSM and downloaded to the Transparent Encryption Agent through a secure network connection. The requests are evaluated by using agent-system parameters and administrator-defined policy constraints. Transparent Encryption Agents that run on Vormetric- protected hosts can log every attempt to access protected data and either permit or deny the access attempt according to policies set by the administrator. TLS authentication is used to encrypt all communications between the agents and DSM. Vormetric Data Security employs X.509 digital certificates for agent/server communication and optionally can be used for communications to a LDAP server and syslog server. The DSM administrator configures policies comprised of sets of security rules that must be satisfied in order to allow or deny access. Each security rule evaluates who, what, when, and how protected data is accessed and, if the criteria match, the DSM either permits or denies access, and optionally, can encrypt data. The security rules specify:  Data being accessed: Administrators can configure a mix of files and directories by specifying them individually or by using variables.  Applications that are authorized: Administrators can specify which executables and tools are permitted to access data.  The user attempting to access the protected data: Administrators can configure one or more users. Users can be identified by user name, identification number, group, or group number.  When the data is being accessed: Administrators can configure a range of hours and days of the week to allow access.  How the data is being accessed: Administrators can configure a security rule that considers how files and directories, and their attributes, are being accessed. The security rule can note attempts to read, write, delete, rename, create, and more. When the conditions specified in a security rule match, the policy dictates whether to permit or deny access. If encryption is used, the policy can be configured to permit read access but without 11 of 18 including the key to decrypt encrypted data. This way the underlying encrypted (unintelligible) data can be backed up. The DSM also provides auditing capabilities. The Transparent Encryption Agent notifies security administrators of policy violations in near real time. The DSM records all context attributes of an access attempt, enabling traceability of host intrusion and data access events at the application and user level, and maintains an extensive log for detailed forensic analysis. In addition, the DSM provides audit logging to monitor all activities and transactions. 4.3. Vormetric Data Security Manager Hardware The V6000 DSM Appliance is a 1u, rack-mountable chassis. Its dimensions are 17”x20.5”x1.75”. Network connectors, a serial console connector, and IPMI connector are on the back. It comes with two auto-switching, 100-240V power supplies. Power connectors are on the back while the power switch is on the front. There are four storage bays on the front but only two bays are populated with disks. 12 of 18 4.4. The Scope of the TOE The physical boundary of the TOE is the Vormetric Data Security Manager (DSM), which includes:  The DSM Appliance hardware  All software installed on the DSM Appliance o Remote Administrative Management Interface Required external access control product components:  One or more Vormetric Transparent Encryption Agents The Operational Environment of the TOE includes:  The web browser that is used for the Remote Administrative Management  The workstation that hosts the Remote Administrative Management web browser  The host platforms for the Vormetric Transparent Encryption Agents  Optional external servers o NTP Server (use of an external NTP Server is highly recommended) o SMTP Server o The DNS server that provides host name resolution service o LDAP Authentication Server o Syslog Server for external storage of the audit log o RSA Authentication Manager and an RSA SecurID device for each administrator o External Certificate Authority (CA) Figure 1: TOE Boundary 1 U Management workstation Servers with Vormetric Agents LDAP server Network switch Vormetric Data Security Manager TOE Syslog server Internet firewall HTTPS/TLS TLS TLS SNMP server NTP server DNS server TLS TLS Router Management workstation Local CLI IPMI Eth0, Eth1 Serial Management Data Note: The Access Control products (Servers with Vormetric Agents) are outside the scope of this evaluation. 13 of 18 5. Documentation The following documents were available for the evaluation. These document were developed and are maintained by Vormetric Inc.: 5.1. Documentation Reference Title Vormetric Data Security Manager DSM Common Criteria Addendum Document Version 1.0 Vormetric Data Security Manager Verison 5.3 Security Target Vormetric Data Security Manager Version 5.3 Functional Specification (FSP) 14 of 18 6. IT Product Testing This section describes the testing efforts of the Evaluation Team. The information is derived from the Evaluator Test Report for Vormetric Data Security Manager Version 5.3 document and was summarized in the Assurance Activity Report for Vormetric Data Security Manager Version 5.3 Version 1.4, March 28, 2016. The purpose of this activity was to confirm that the TOE behaves in accordance with security functional requirements specified in the ST. 6.1. Developer Testing ESM PP evaluations do not require developer testing evidence for assurance activities. 6.2. Evaluator Independent Testing A test plan was developed in accordance with the Testing Assurance Activities specified in the ESM PP PM. Testing was conducted on December 1 st – December 4 th , 2015 at the vendor’s facility at 2545 N. 1st Street, San Jose, CA 95131, with follow on testing taking place in February 2016. The Evaluator successfully performed the following activities during independent testing:  Placed TOE into evaluated configuration by executing the preparative procedures  Successfully executed the ESM EM Assurance-defined tests including the optional TLS tests  Planned and executed a series of vulnerability/penetration tests It was determined after examining the Test Report and full set of test results provided by the evaluators the testing requirements for ESM EM are fulfilled. 15 of 18 7. Results of Evaluation The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation was conducted based upon version 3.1 R4 of the CC and the CEM. Additionally the evaluators performed the assurance activities specified in the Protection Profile for Enterprise Security Management Policy Management, 24 October 2013, Version 2.1 [ESM PP PM]. The evaluation determined the TOE meets the SARs contained the PP. The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by CygnaCom CCTL (proprietary). Below is a list of the assurance requirements for the TOE. All assurance activities and work units received a passing verdict. The following components are taken from CC part 3: • ADV_FSP.1 Basic functional specification • AGD_OPE.1 Operational user guidance • AGD_PRE.1 Preparative procedures • ALC_CMC.1 Labelling of the TOE • ALC_CMS.1 TOE CM coverage • ASE_CCL.1 Conformance claims • ASE_ECD.1 Extended components definition • ASE_INT.1 ST Introduction • ASE_OBJ.1 Security objectives • ASE_REQ.1 Derived security requirements • ASE_TSS.1 TOE summary specification • ATE_IND.1 Independent testing – conformance • AVA_VAN.1 Vulnerability survey The evaluators concluded that the overall evaluation result for the target of evaluation is PASS. The validators reviewed the findings of the evaluation team, and have concurred that the evidence and documentation of the work performed support the assigned rating. 16 of 18 8. Validator Comments/Recommendations All evaluations (and all products) have limitations, as well as potential misconceptions that need clarifying. This text covers some of the more important limitations and clarifications of this evaluation. Note that: 1. As with any evaluation, this evaluation only shows that the evaluated configuration meets the security claims made, with a certain level of assurance (the assurance activities specified in the claimed PPs and performed by the evaluation team). 2. The functionality evaluated is scoped exclusively to the security functional requirements specified in the Protection Profile for Enterprise Security Management Policy Management. Any additional security related functional capabilities of the TOE are not covered by this evaluation. 3. This evaluation covers only the specific software version identified in this document, and not any earlier or later versions released or in process. 4. Any non-security related additional functionality that may be provided by the product was not evaluated and no claims can be made as to their effectiveness or correct operation. 5. This evaluation did not specifically search for, nor attempt to exploit, vulnerabilities that were not “obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an “obvious” vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources. 6. The TOE can be configured to rely on and utilize a number of other components in its operational environment. Those products were not evaluated as part of this evaluation. 7. The use of a remote syslog server connected via TLS is highly recommended; the directions for the configuration of a syslog server are contained in Chapter 3 of the Vormetric Data Security Manager (DSM) DSM Common Criteria Addendum, Version 1.0 17 of 18 9. Glossary 9.1. Acronyms The following are product specific and CC specific acronyms. Not all of these acronyms are used in this document. BGP Border Gateway Protocol DNS Domain Name System FTP File Transfer Protocol GUI Graphical User Interface HTTP HyperText Transmission Protocol HTTPS HyperText Transmission Protocol, Secure IP Internet Protocol IPS Intrusion Protection System LAN Local Area Network LDAP Lightweight Directory Access Protocol NTP Network Time Protocol PDF Portable Document Format SNMP Simple Network Management Protocol SSL Secure Sockets Layer, ST Security Target TCP Transmission Control Protocol TCP/IP Transmission Control Protocol/Internet Protocol TLS Transport Layer Security, UDP User Datagram Protocol WAN Wide Area Network 18 of 18 10. Bibliography URLs [1] Common Criteria Evaluation and Validation Scheme (CCEVS): (http://www.niap- ccevs.org/cc-scheme). [2] CygnaCom Solutions CCTL (http://www.cygnacom.com). CCEVS Documents [1] Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and general model, July 2009 Version 3.1 Revision 4 Final, CCMB-2012-09-001. [2] Common Criteria for Information Technology Security Evaluation - Part 2: Security functional components, July 2009 Version 3.1 Revision 4 Final, CCMB-2012-09-002. [3] Common Criteria for Information Technology Security Evaluation - Part 3: Security assurance components, July 2009, Version 3.1 Revision 4 Final, CCMB-2012-09-003. [4] Common Methodology for Information Technology Security Evaluation - Evaluation methodology, July 2009, Version 3.1 Revision 4 Final, CCMB-2012-09-004. Vormetric Documents [1] Vormetric Inc., Vormetric Data Security Manager (DSM) DSM Common Criteria Addendum, Document version 1.0, February 10, 2016. [2] Vormetric Inc., Security Vormetric Data Security Manager Version 5.3 Security Target, Document version 2.3, March 20, 2016 [3] CygnaCom Solutions, Assurance Activity Report for Vormetric Data Security Manager Version 5.3, Document version 1.4, March 28, 2016 [4] CygnaCom Solutions Evaluator Test Report for Vormetric Data Security Manager Version 5.3, March 28, 2016 (Evaluation Sensitive)