Ärendetyp: 6 Diarienummer: 20FMV3893-45:1 Dokument ID 7DFAYPHQVZ4V- 1834444990-3162 Enligt säkerhetsskyddslagen (2018:585) SEKRETESS Enligt offentlighets- och Sekretesslagen (2009:400) 2021-12-08 Försvarets materielverk Swedish Defence Material Administration Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 Issue: 1.0, 2021-dec-08 Authorisation: Ulf Noring, Lead Certifier , CSEC Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 2 (18) Table of Contents 1 Executive Summary 3 2 Identification 5 3 Security Policy 6 3.1 Security Audit 6 3.2 Cryptographic Support 6 3.3 User Data Protection 6 3.4 Identification and Authentication 6 3.5 Security Management 6 3.6 Protection of the TSF 6 4 Assumptions and Clarification of Scope 7 4.1 Usage Assumptions 7 4.2 Environmental Assumptions 7 4.3 Clarification of Scope 7 5 Architectural Information 9 6 Documentation 10 7 IT Product Testing 11 7.1 Developer Testing 11 7.2 Evaluator Testing 11 7.3 Penetration Testing 11 8 Evaluated Configuration 12 9 Results of the Evaluation 14 10 Evaluator Comments and Recommendations 15 11 Glossary 16 12 Bibliography 17 12.1 General 17 12.2 Documentation 17 Appendix A Scheme Versions 18 A.1 Scheme/Quality Management System 18 A.2 Scheme Notes 18 Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 3 (18) 1 Executive Summary The Target of Evaluation (TOE) is NetMotion Mobility 12.14, a client/server‐based software Virtual Private Network (VPN) that secures communications between the en- terprise network and the mobile environment. The TOE consists of the following software components: • NetMotion Mobility Server 12.14.09178 • NetMotion Mobility 12.12 Client for Windows (12.12.16943) • NetMotion Mobility 12.12 Client for Android (12.12.16943) • NetMotion Mobility 12.13 Client for macOS (12.13.23250) • NetMotion Mobility 12.13 Client for iOS (12.13.05677) The main security features of the TOE are:  Security Audit  Cryptographic Support  User Data Protection  Identification and Authentication  Security Management  Protection of the TSF The Windows components are obtained from the NetMotion Software portal at http://www.netmotionwireless.com/customerportal. The Android, macOS and iOS cli- ents are obtained from their respective app stores. The TOE guidance documentation is provided in Hypertext Markup Language (HTML) format and is available to customers at: https://help.netmotionsoftware.com/support/docs/MobilityXG/1210/help/mobilityhelp. htm The following Common Criteria Guidance Supplement is also available to customers, in Portable Document Format (PDF), upon request: • NetMotion Mobility® 12.14 Common Criteria Guidance Supplement  NetMotion_Mobility_12_EAL4_AGD0.6.pdf The TOE claims conformance to the EAL4 package of security assurance require- ments, augmented with ALC_FLR.2. It does not claim conformance to any Protection Profile (PP). Four threats and eight assumptions are specified in chapter three in the security target [ST]. No organizational security policies (OSP) are included. The evaluation has been performed by Intertek EWA-Canada in Kista, Sweden. The evaluation was completed on 2021-10-29. The evaluation was conducted in accord- ance with the requirements of Common Criteria (CC), version. 3.1 release 5. Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 4 (18) Intertek EWA-Canada is accredited in accordance with ISO/IEC 17025 to perform evaluations against the Common Criteria standard. Accreditation was issued by the Standards Council of Canada, and has been accepted by SWEDAC, the Swedish ac- creditation body. This evaluation was performed as a trial evaluation for licensing with the Swedish Certification Body for IT Security (CSEC). The certifier monitored the activities of the evaluator by reviewing all successive ver- sions of the evaluation reports and by observing a site visit and performing testing oversight. The certifier determined that the evaluation results confirm the security claims in the Security Target (ST) and the Common Methodology for evaluation as- surance level EAL 4 augmented by ALC_FLR.2. The technical information in this re- port is based on the Security Target [ST] and the Final Evaluation Report (FER) pro- duced by Intertek EWA-Canada. The certification results only apply to the version of the product indicated in the cer- tificate, and on the condition that all the stipulations in the Security Target are met. This certificate is not an endorsement of the IT product by CSEC or any other organ- isation that recognises or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate is either expressed or implied. As specified in the security target of this evaluation, the invocation of cryptographic primitives has been included in the TOE, while the implementation of these primi- tives has been located in TOE environment. Therefore the invocation of cryptograph- ic primitives has been in the scope of this evaluation, while correctness of implemen- tation of cryptographic primitives been excluded from the TOE. Correctness of im- plementation is done through third party certification using the CAVP certificates referred to in tables 11, 12 and 13 of the Security Target. Users of this product are advised to consider their acceptance of this third party af- firmation regarding the correctness of implementation of the cryptographic primi- tives. Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 5 (18) 2 Identification Certification Identification Certification ID CSEC2020018 Name and version of the certified IT product NetMotion Mobility 12.14 Security Target Identification NetMotion Mobility 12.14 Security Target, NetMo- tion Software Inc., 2021-10-15, document version 0.15 EAL EAL 4 + ALC_FLR.2 Sponsor NetMotion Software, Inc. Developer NetMotion Software, Inc. ITSEF Intertek EWA-Canada Common Criteria version 3.1 revision 5 CEM version 3.1 revision 5 QMS version 2.0 Scheme Notes Release 18.0 Recognition Scope CCRA, SOGIS and EA/MLA Certification date 2021-12-10 Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 6 (18) 3 Security Policy The main security features of the TOE are: • Security Audit • Cryptographic Support • User Data Protection • Identification and Authentication • Security Management • Protection of the TSF A brief description of these features is provided below. A more detailed description can be found in chapter 7 in the [ST]. 3.1 Security Audit The TOE generates audit records for security events. Only those roles that have been granted specific access to the audit trail are able to view the audit records. For the pur- pose of this evaluation, only users in the Administrator role have been granted this ac- cess. 3.2 Cryptographic Support The TOE supports secure communications between TOE components. This encrypted traffic prevents modification and disclosure of user information. Cryptographic func- tionality is provided by FIPS 140‐2 validated modules in the operating systems of the server and client components. Cryptography is also supported for the authentication of users. 3.3 User Data Protection The TOE provides an information flow security policy. The security policy limits ac- cess to internal protected resources based on policy settings. The TOE provides a se- cure connection between mobile users and the internal network. Traffic is protected from disclosure and modification. 3.4 Identification and Authentication The TOE verifies that users are identified and authenticated before permitting access. Additionally, administrators must be identified and authenticated before access to ad- ministrative functions is permitted. 3.5 Security Management The TOE provides security management functions through the Mobility Console. Administrators manage users, information flow policies, and audit records. 3.6 Protection of the TSF Reliable timestamps are provided on the Mobility Server in support of TOE functions, including the generation of audit records. Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 7 (18) 4 Assumptions and Clarification of Scope 4.1 Usage Assumptions The Security Target [ST] makes two assumptions on the usage of the TOE: A.MANAGE A management console computer is available on the internal protected network for the purposes of managing the TOE. Administrators will access the Mobility Console only from a management console computer on the internal network. A.NOEVIL Authorized administrators are non-hostile and follow all administrative guidance. 4.2 Environmental Assumptions The Security Target [ST] makes six assumptions on the operational environment of the TOE. A.AUTH The operational environment provides authentication services to the TOE. A.CERTIFICATE A PKI is available to issue certificates to users and servers. Root trust exists for the certificate chain. A.INTERNAL The internal network and its assets are protected from unauthorized access. A firewall must be in place to ensure that only authorized connections from Mobility Clients to the Mobility Server are permitted. A.OS The services, including cryptographic services, provided by the underlying operating system work correctly, and the operating system does not introduce any negative side effects to the TSF. A.PHYSICAL The server resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. A.SECCOM The communications between the TOE’s Mobility Server and the authentication ser- vices, and between the TOE’s Mobility Server and the management console computer are secured on an internal network. 4.3 Clarification of Scope The Security Target contains four threats which have been considered during the eval- uation. T.ACCESS Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 8 (18) An unauthorized individual on an external network may access and exploit protected application data resources on an internal network. T.NOAUTH An unauthorized individual may gain access to the TOE security management func- tions and use this to allow unauthorized access to application data protected by the TOE. T.SENSDATA An unauthorized individual may be able to view or alter sensitive application data passed between a client and a server. T.UNAUTH An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and application data. The Security Target does not include Organizational Security Policies. Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 9 (18) 5 Architectural Information The TOE is a VPN solution that consists of a server and client architecture. Clients from various platforms connect to the NetMotion Mobility Server to establish a secure encrypted tunnel to the enterprise network. The below diagram shows the TOE architecture and required hardware and software. Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 10 (18) 6 Documentation The following documentation comprise the TOE guidance: HELP NetMotion Mobility 12.1X Help CCGS NetMotion Mobility® 12.14 Common Criteria Guidance Supplement Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 11 (18) 7 IT Product Testing 7.1 Developer Testing The developer tested the TSF with full coverage and depth for all TOE components. All cryptographic components have been CAVP certified. For more information on the CAVP testing, see tables 11, 12 and 13 as well as section 7.2 in the [ST] 7.2 Evaluator Testing The evaluators repeated all of the developer test cases. The evaluators devised five in- dependent test cases. The Windows, iOS and macOS clients were used for independ- ent testing. This is because the Android client was used extensively for developer test- ing. Independent testing was performed at the Intertek EWA-Canada Common Crite- ria lab in Kista, Sweden during September and October 2021. 7.3 Penetration Testing An internet search of potential vulnerabilities and scanning of the TOE using several tools was used to determine potential vulnerabilities. Penetration testing was per- formed to verify that these vulnerabilities were not exploitable in the evaluated con- figuration. Penetration testing focused on the Mobility Server component. Penetration testing was performed at the Intertek EWA-Canada Common Criteria lab in Kista, Sweden during September and October 2021. Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 12 (18) 8 Evaluated Configuration The following hardware and software components are required to support the opera- tion of the TOE in the evaluated configuration: TOE Component Required Software Required Hardware NetMotion Mobility 12.14 Server, version 1809 Windows Server 2019 General Purpose Compu- ting Platform with x64‐compatible dual‐core processor, 2.0 GHz, 16 GB RAM NetMotion Mobility 12.12 Windows Client, version 1909 Windows 10 General Purpose Compu- ting Platform NetMotion Mobility 12.13 iOS Client iOS 13.6.1 iPad, iPhone (Apple devic- es with Apple A8 to A12X CPUs) NetMotion Mobility 12.13 macOS Client macOS 10.15 Mac mini, iMac, MacPro or MacBook hardware (Intel CPUs) NetMotion Mobility 12.12 Android Client Android 11 General Purpose Android device The following environmental components are required for operation of the TOE in the evaluated configuration: Component Required Software Required Hardware Management Console Windows 10 with Mi- crosoft Edge 52 or later General Purpose Compu- ting Platform RADIUS Authentication Server (provided as a ser- vice to the TOE) Software supporting PEAP MS-CHAPv2 and EAP- TLS General Purpose Compu- ting hardware that meets the requirements of the authentication server Public Key Infrastructure (provided as a service to the TOE) Dependent upon the au- thentication server General Purpose Compu- ting hardware that meets the requirements of the authentication server Firewall Dependent on the selected appliance General Purpose Firewall appliance For more information, see chapter 1.4 in the [ST]. For even more detail, see the evalu- ated configuration guidance supplement [CCGS]. The following features are excluded from this evaluation: • The data publisher Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 13 (18) • NetMotion Republication Services • Web Services API • Unattended authentication mode • Mobility Client API • Mobility Event Viewer (on the Mobility Client) • Mobility Network Access Control Module Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 14 (18) 9 Results of the Evaluation The evaluators applied each work unit of the Common Methodology [CEM] within the scope of the evaluation, and concluded that the TOE meets the security objectives stated in the Security Target [ST] for an attack potential of Enhanced Basic. The certifier reviewed the work of the evaluator and determined that the evaluation was conducted in accordance with the Common Criteria [CC]. The evaluators overall verdict is PASS. The verdicts for the assurance classes and components are summarised in the follow- ing table: Assurance Class Name / Assurance Family Name Short name (includ- ing component iden- tifier for assurance families) Verdict Security Target Evaluation ST Introduction Conformance claims Security Problem Definition Security objectives Extended components definition Derived security requirements TOE summary specification ASE ASE_INT.1 ASE_CCL.1 ASE_SPD.1 ASE_OBJ.2 ASE_ECD.1 ASE_REQ.2 ASE_TSS.1 PASS PASS PASS PASS PASS PASS PASS PASS Life-cycle support Use of a CM system Parts of the TOE CM Coverage Delivery procedures Developer Security Flaw reporting procedures Life-cycle definition Tools and Techniques ALC ALC_CMC.4 ALC_CMS.4 ALC_DEL.1 ALC_DVS.1 ALC_FLR.2 ALC_LCD.1 ALC_TAT.1 PASS PASS PASS PASS PASS PASS PASS PASS Development Security architecture description Security-enforcing functional specification Implementation representation Basic design ADV ADV_ARC.1 ADV_FSP.4 ADV_IMP.1 ADV_TDS.3 PASS PASS PASS PASS PASS Guidance documents Operational user guidance Preparative procedures AGD AGD_OPE.1 AGD_PRE.1 PASS PASS PASS Tests Evidence of coverage Depth Functional testing Independent testing - sample ATE ATE_COV.2 ATE_DPT.1 ATE_FUN.1 ATE_IND.2 PASS PASS PASS PASS PASS Vulnerability Assessment Vulnerability analysis AVA AVA_VAN.3 PASS PASS Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 15 (18) 10 Evaluator Comments and Recommendations None. Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 16 (18) 11 Glossary CEM Common Methodology for Information Technology Security, document describing the methodology used in Common Cri- teria evaluations ITSEF IT Security Evaluation Facility, test laboratory licensed to operate within a evaluation and certification scheme ST Security Target, document containing security requirements and specifications , used as the basis of a TOE evaluation TOE Target of Evaluation VPN Virtual Private Network CAVP Cryptographic Algorithm Validation Program Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 17 (18) 12 Bibliography 12.1 General CC Combination of CCp1, CCp2, CCp3, and CEM (see below) CCp1 Common Criteria for Information Technology Security Evaluation, Part 1, version 3.1, revision 5, April 2017, CCMB-2017-04-001 CCp2 Common Criteria for Information Technology Security Evaluation, Part 2, version 3.1, revision 5, April 2017, CCMB-2017-04-002 CCp3 Common Criteria for Information Technology Security Evaluation, Part 3:, version 3.1, revision 5, April 2017, CCMB-2017-04-003 CEM Common Methodology for Information Technology Security Evaluation, version 3.1, revision 5, April 2017, CCMB-2017-04-004 ST NetMotion Mobility 12.14 Security Target, NetMotion Software Inc., 2021-10-15, document version 0.15 EP-002 EP-002 Evaluation and Certification, CSEC, 2021-10-26, document ver- sion 34.0 EP-188 SP-188 Scheme Crypto Policy, CSEC, 2021-10-26, document version 12.0 12.2 Documentation HELP NetMotion Mobility 12.1X Help, NetMotion Software Inc., 2021 CCGS NetMotion Mobility® 12.14 Common Criteria Guidance Supplement, NetMotion Software Inc., 2021-10-12, document version 0.6 Swedish Certification Body for IT Security Certification Report - NetMotion Mobility 12.14 20FMV3893-45:1 1.0 2021-12-08 7DFAYPHQVZ4V- 1834444990-3162 18 (18) Appendix A Scheme Versions During the certification the following versions of the Swedish Common Criteria Eval- uation and Certification scheme have been used. A.1 Scheme/Quality Management System Version Introduced Impact of changes 2.0 2021-11-24 None 1.25 2021-06-17 None 1.24 2020-11-19 None 1.23.2 Application Original version A.2 Scheme Notes Scheme Note Version Title Applicability SN-15 3.0 Demonstration of test coverage Clarify demonstration of test cover- age at EAL4. SN-18 3.0 Highlighted Re- quirements on the Security Tar- get Clarifications on the content of the ST. SN-22 3.0 Vulnerability Assessment Vulnerability assessment needs to be redone if 30 days or more has passed between AVA and the final version of the final evaluation report. SN-28 1.0 Updated proce- dures application, evaluation and certification Evaluator reports should be received in two batches. SN-31 1.0 New procedures for site visit oversight and testing oversight Site visit performed remotely.