National Information Assurance Partnership ®
Common Criteria Evaluation and Validation Scheme

Validation Report

Cisco Systems ACE XML Gateway and Manager Version 5.0.3

Report Number: CCEVS-VR-VID10076-2008
Dated: 12 August 2008
Version: 1.5

National Institute of Standards and Technology
Information Technology Laboratory
100 Bureau Drive
Gaithersburg, MD 20899

National Security Agency
Information Assurance Directorate
9800 Savage Road STE 6757
Fort George G. Meade, MD 20755-6757

ACKNOWLEDGEMENTS

Validation Team
Kenneth Eggers, Orion Security Solutions, Inc.
John N[...]illes, Aerospace Corporation

Common Criteria Testing Laboratory
Terrie Diaz, Lead Evaluator
Science Applications International Corporation (SAIC)
Columbia, Maryland

Table of Contents

1 Executive Summary ........ 4
2 Identification ........ 6
3 Architectural Information ........ 7
3.1 Architectural Overview ........ 7
3.2 Physical Boundaries ........ 8
4 Assumptions ........ 9
5 Security Policy ........ 10
5.1 Threats and Organizational Security Policies ........ 10
5.1.1 Threats ........ 10
5.1.2 Organizational Security Policies ........ 10
5.2 Security Functional Policies ........ 11
5.2.1 Security Audit ........ 11
5.2.2 User Data Protection ........ 11
5.2.3 Identification and Authentication ........ 11
5.2.4 Security Management ........ 11
5.2.5 Protection of the TSF ........ 12
6 Documentation ........ 12
7 IT Product Testing ........ 14
7.1 Developer Testing ........ 14
7.2 Evaluation Team Independent Testing ........ 14
7.3 Vulnerability Testing ........ 15
8 Evaluated Configuration ........ 15
9 Results of the Evaluation ........ 16
9.1 Evaluation of the Security Target (ASE) ........ 17
9.2 Evaluation of the Configuration Management Capabilities (ACM) ........ 17
9.3 Evaluation of the Delivery and Operation Documents (ADO) ........ 17
9.4 Evaluation of the Development (ADV) ........ 18
9.5 Evaluation of the Guidance Documents (AGD) ........ 18
9.6 Evaluation of the Life Cycle Support Activities (ALC) ........ 18
9.7 Evaluation of the Test Documentation and the Test Activity (ATE) ........ 18
9.8 Vulnerability Assessment Activity (AVA) ........ 19
9.9 Summary of Evaluation Results ........ 19
10 Validator Comments/Recommendations ........ 19
11 Security Target ........ 19
12 Glossary ........ 19
13 Bibliography ........ 22

1 Executive Summary

This report documents the National Information Assurance Partnership (NIAP) assessment of the evaluation of the Cisco Systems ACE XML Gateway and Manager Version 5.0.3. It presents the evaluation results, their justifications, and the conformance results. This Validation Report is not an endorsement of the Target of Evaluation (TOE) by any agency of the U.S. Government and no warranty of the TOE is either expressed or implied.

The evaluation of Cisco Systems ACE XML Gateway and Manager Version 5.0.3 was performed by Science Applications International Corporation (SAIC) Common Criteria Testing Laboratory in the United States and was completed on 26 March 2008.

The information in this report is largely derived from the Security Target (ST), Evaluation Technical Report (ETR) and associated test report. The ST was written by SAIC.
The ETR and test report used in developing this validation report were written by SAIC. The evaluation team determined the product to be Part 2 conformant and Part 3 conformant, and that it meets the assurance requirements of EAL 3 augmented with ALC_FLR.2. The product is not conformant with any published Protection Profiles. All security functional requirements are derived from Part 2 of the Common Criteria or expressed in the form of Common Criteria Part 2 requirements.

The TOE is ACE XML Gateway and Manager Version 5.0.3 provided by Cisco Systems, Inc. The TOE is an application and supporting operating system that is run on an x86 architecture computer system. The TOE is a self-contained IT appliance that can be configured to run as a Cisco ACE XML Gateway, as a Cisco ACE XML Manager, or as both Gateway and Manager simultaneously. The evaluated configuration excludes the configuration that runs both the Manager and the Gateway simultaneously on a single ACE XML appliance. The ACE XML Gateway stands between an untrusted network (the Internet) and a trusted network (such as a restricted-access corporate intranet). All traffic between the two networks must pass through the Gateway. The Gateway allows only authorized traffic to pass from the untrusted network to the trusted network. Authorized administrators specify the criteria that traffic must meet in order to pass through the Gateway. The Gateway blocks traffic that does not meet these criteria. The Gateway generates an audit trail that documents the performance of the Gateway, the disposition of every message it processes, and other security-relevant events. The ACE XML Manager provides a graphical user interface (GUI) that authorized administrators use to specify the message-processing behavior of the Gateway, monitor the performance of the Gateway, and manage the Gateway remotely. The Manager GUI provides a means of viewing the audit trail generated by all Gateways in the scope of the Manager's control and the activities of the users of the Manager.

The evaluation has been conducted in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme and the conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence adduced. This Validation Report is not an endorsement of the Cisco Systems ACE XML Gateway and Manager Version 5.0.3 product by any agency of the US Government and no warranty of the product is either expressed or implied.

During this validation, the Validators reviewed successive versions of the Security Target, reviewed selected evaluation evidence, reviewed test plans, reviewed intermediate evaluation results (i.e., the CEM work units), and reviewed successive versions of the ETR and test reports. The Validator determined that the evaluation showed that the product satisfies all of the functional requirements and assurance requirements defined in the Security Target (ST). Therefore, the Validator concludes that the SAIC findings are accurate, the conclusions justified, and the conformance claims correct.

2 Identification

The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, commercial testing laboratories, called Common Criteria Testing Laboratories (CCTLs) and using the Common Evaluation Methodology (CEM) for Evaluation Assurance Level (EAL) 1 through EAL 4, in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation, conduct security evaluations.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products, desiring a security evaluation, contract with a CCTL and pay a fee for their product's evaluation. Upon successful completion of the evaluation, the product is added to NIAP's Validated Products List.

Table 1 provides information needed to completely identify the product, including:
• The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated;
• The Security Target (ST), describing the security features, claims, and assurances of the product;
• The conformance result of the evaluation;
• The Protection Profile to which the product is conformant; and
• The organizations and individuals participating in the evaluation.

Table 1: Evaluation Identifiers

Item | Identifier
Evaluation Scheme | United States NIAP Common Criteria Evaluation and Validation Scheme
TOE | Cisco Systems ACE XML Gateway and Manager Version 5.0.3
Protection Profile | Not applicable.
ST | Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Security Target, Version 1.0, 25 July 2008
Evaluation Technical Report | Evaluation Technical Report for Cisco Systems ACE XML Gateway and Manager Version 5.0.3, Part 1 (Non-Proprietary), Version 2.5, 5 June 2008; Part 2 (Proprietary), Version 2.0, 25 July 2008
CC Version | Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005
Conformance Result | CC Part 2 conformant and Part 3 conformant, EAL 3 augmented with ALC_FLR.2
Sponsor | Cisco Systems, Inc.
Developer | Cisco Systems, Inc.
Common Criteria Testing Lab (CCTL) | Science Applications International Corporation (SAIC), Columbia, MD
CCEVS Validators | Kenneth Eggers, Orion Security Solutions, Inc. and John N[...]illes, Aerospace Corporation

3 Architectural Information

This section provides a high level description of the TOE and its components as described in the Security Target.

3.1 Architectural Overview

The TOE is an application-level proxy that processes XML and SOAP messages sent across TCP/IP networks using HTTP(S) protocols. XML is a flexible formal text format derived from SGML and commonly used to define more specialized markup languages for representing computer data. SGML is an ISO-standard language for describing data formats, based on IBM's Generalized Markup Language. SOAP is an XML-based protocol for making remote procedure calls by means of text messages, using HTTP(S) as the transport mechanism. The TOE is depicted in the figure below in the context of its location in the IT environment. The TOE cannot be bypassed; in order to reach the trusted network, traffic from the untrusted network must pass through the Gateway, subject to the rules the Web Services SFP defines.

3.2 Physical Boundaries

The components that make up the TOE are:
• Gateway – The Gateway executable. Subject to the rules of the Web Services SFP, the Gateway proxies XML and SOAP messages sent across TCP/IP networks using HTTP(S) protocols. The Gateway application runs in the context of a custom version of Linux installed on a 1U chassis, which is a Hewlett-Packard DL360 G5 server hardware appliance with nCipher nForce 1600 cryptographic module.
• Manager – The Manager application. The Manager application provides a GUI that authorized administrators use to administer the Gateway application; in particular, to define the Web Services SFP that the Gateway enforces. The Manager application runs in the context of an Apache Tomcat application, which runs in the context of a custom version of Linux installed on a 1U chassis (a Hewlett-Packard DL360 G5 server hardware appliance with nCipher nForce 1600 cryptographic module).
• Tomcat – Each ACE XML appliance embeds an Apache Tomcat v. 5.0.16 application server that the Manager uses to publish its Web-based GUI.
• Shell – A terminal-based program that runs automatically when an authorized administrator logs in to the console of an ACE XML Manager or Gateway machine. The Shell provides tools for low-level administration of ACE XML systems, such as changing network configuration.
• Operating system files – A number of operating system files are used by both the Gateway and the Manager for configuration and logging.
• Operating System – Each ACE XML appliance embeds a custom, package-reduced installation of the Linux operating system. This operating system runs on the server hardware chassis, hosting the TOE software and the Web server that publishes the Manager GUI.
• Server Hardware chassis – The ACE XML appliance is built on a Hewlett-Packard DL360 G5 server hardware chassis. This chassis hosts the Operating System, Application Server, TOE software/firmware and nCipher 1600 cryptomodule. Note that although the cryptomodule resides physically on the server chassis, the ST considers this module to be provided by the IT environment because it is used "off-the-shelf" with no modifications. For local storage, the server chassis provides two 72 GB hard drives configured as a RAID 1 array by the manufacturer of the chassis. The server chassis also has four physical Ethernet ports, and connections for a serial keyboard and VGA monitor.

4 Assumptions

The statement of TOE security environment describes the security aspects of the environment in which it is intended that the TOE will be used and the manner in which it is expected to be employed. The statement of TOE security environment therefore identifies the assumptions made on the operational environment and the intended method for the product, defines the threats that the product is designed to counter and the organizational security policies with which the product is designed to comply.

Following are the assumptions identified in the Security Target:
• The TOE is appropriately scalable to the IT System the TOE monitors and has access to all the IT System data it needs to perform its functions.
• Information cannot flow among the internal and external networks unless it passes through the TOE.
• The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access and modifications.
• The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors.
• Those responsible to manage the TOE are competent individuals, only authorized users can gain access to the TOE, and they are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the documentation.

5 Security Policy

5.1 Threats and Organizational Security Policies

The security objectives to be met by the TOE are generally designed to implement organizational security policies. However, self-protection and non-bypassability can only be described as a threat.

5.1.1 Threats

The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions.

5.1.2 Organizational Security Policies

The following organizational security policies must be implemented by the TOE and its environment as identified in the Security Target. With the exception of the threat identified in the preceding section, all of the security objectives are derived from these organizational security policies.
• The TOE must provide user accountability for information flows through the TOE and for all use of security functions. The events are audited and presented in a readable format.
• The TOE must protect the confidentiality of its dialogue with an authorized administrator through encryption, if the TOE allows administration to occur remotely from a connected network.
• The TOE must uniquely identify and authenticate the claimed identity of all users, before granting a user access to TOE functions or, for certain specified services, to a connected network.
• The TOE must provide functionality that enables an authorized administrator or user with appropriate security roles to use the TOE security functions, and must ensure that only authorized administrators or users with appropriate security roles are able to access such functionality.
• The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions.
• The TOE must provide the means for an authorized administrator to control and limit access to TOE security functions by an authorized external IT entity.

The TOE provides a secure environment for the exchange and use of XML, providing protection against malicious content and denial-of-service attacks, and providing confidentiality and integrity of valuable and private messages, and appropriate access control for those services. In addition, the TOE may optionally be configured to provide persistent logging of messages, to interact with external authorization services, and to transform messages during processing.

5.2 Security Functional Policies

The Security Functional Policies (SFPs) implemented by the TOE are based on the set of security policies that support security audit, user data protection, identification and authentication, security management, and protection of the TSF.

Note: Much of the description of the TOE security policy has been extracted from the Security Target.

5.2.1 Security Audit

The TOE generates audit events for the minimum level of audit. The TOE provides Manager GUI interfaces that can be used to read the audit trail. The TOE restricts access to the audit trail, requiring authentication using its local account authentication mechanism.

5.2.2 User Data Protection

The TOE enforces the WEB SERVICES SFP on SOAP or HTTP(S) destination service traffic sent through the TOE from one consumer (subject) to another. The TOE enforces the WEB SERVICES SFP using "authenticators" to verify the user and group identity of a consumer of a service, using "handlers" to validate incoming messages, using "routes" to pass accepted messages to "service descriptors," and using "service descriptors" to manage traffic with SOAP or HTTP(S) destination services according to the WEB SERVICES SFP configuration for a given Web service. The TOE supports multiple message-filtering mechanisms for use by the WEB SERVICES SFP depending on configuration for a given Web service. The TOE includes pluggable authentication modules that can call external authentication servers to verify the user and group identity of a consumer of a service for message-filtering purposes.

5.2.3 Identification and Authentication

The TOE disables user or administrator accounts after three failed login attempts to the Manager. The TOE maintains user identities, authentication data for supported authentication mechanisms, and role information. The TOE offers no TSF-mediated functions until the user is authenticated. The TOE requires username/password for all user accesses to the Manager. The TOE offers no TSF-mediated functions until the user is identified.

5.2.4 Security Management

The TOE restricts the ability to specify the Web Services SFP to authorized administrators. The TOE provides restrictive default values for security attributes used to enforce the WEB SERVICES SFP. The TOE also allows authorized administrators to specify alternative initial values. The TOE restricts the ability to initialize and set user authentication data to authorized administrators. The TOE restricts the ability to modify and reset an account's own password to authorized administrators and users. The TOE restricts the ability to view or query audit records to authorized administrators or users that have been assigned appropriate security roles. The TOE provides authorized administrators with the ability to manage Web services, to manage users, and to manage the audit trail using the Manager. The TOE supports two types of users, authorized administrators and users. The single factory-configured administrator account always has all security roles (in particular, the ConsoleAdmin role), cannot be modified or deleted, and is considered an "authorized administrator". The second category of administrative user is a user that has been assigned zero or more system-defined roles. A user holding any of the system-defined roles ("Operations", "Access Control", MTL (message traffic log), or "Routing") is considered an "authorized administrator", and any other user accounts are considered simply "users." The non-administrative or user category comprises view-only accounts (External Developer and Policy View) on the Manager.

5.2.5 Protection of the TSF

The TOE can generate reliable time stamps for its own use. The TOE can send handler test messages in order to demonstrate the correct operation of a configured handler, route, service descriptor, Web service, and the underlying network. The TOE can also test its network configuration in order to demonstrate its correct configuration. The TOE uses SSL when managing the Gateway using the Manager to protect TSF data from disclosure. The TOE protects against denial-of-service attacks by blocking traffic after administratively-configurable thresholds are met. The TOE protects against content-based attacks by rejecting messages that contain content marked as blocked. The WEB SERVICES SFP cannot be bypassed by consumers. Similarly, both Gateway and Manager interfaces are restricted to authorized administrators and user account-holders. Upon startup, the TOE enters a restrictive default state in which no users are logged in, and then resumes normal operation. Because the TOE cannot be bypassed, this default state is secure: the Gateway enforces the current Web Services SFP independently of the Manager, the Gateway accepts changes to the current Web Services SFP only from its Manager, and the GUI user interface to the Manager provides no access to TSFs until the user identifies and authenticates successfully.
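The message-processing chain of section 5.2.2 (authenticator, handler, route, service descriptor) together with the content blocking, denial-of-service threshold and per-message audit record of sections 5.2.1 and 5.2.5 can be modelled in a few lines. The following is an added illustrative model, not code from the report or from Cisco; the policy fields, consumer names, blocked element names and SOAP sample are constructed for the example.

```python
"""Toy model of the ACE XML Gateway chain described in section 5.2:
authenticator -> handler -> route -> service descriptor, with a DoS
threshold, content blocking and an audit record for every message.
Illustrative only; not Cisco code and not the product's real structure."""
from collections import Counter
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET


@dataclass
class WebServicesSFP:
    """Administrator-specified policy for one Web service (constructed sample)."""
    service: str                     # name of the protected Web service
    allowed_groups: frozenset        # consumer groups the authenticator accepts
    blocked_content: frozenset       # element names marked as blocked
    max_messages_per_consumer: int   # DoS threshold (administratively configurable)
    route: str                       # service descriptor the route forwards to


@dataclass
class Gateway:
    sfp: WebServicesSFP
    directory: dict                  # consumer -> group (stands in for an auth backend)
    audit: list = field(default_factory=list)   # disposition of every message
    seen: Counter = field(default_factory=Counter)

    def _record(self, consumer, disposition, reason):
        # Every message gets an audit record, accepted or not (5.2.1, 5.2.5).
        self.audit.append({"consumer": consumer, "disposition": disposition,
                           "reason": reason})
        return disposition, reason

    def authenticate(self, consumer):
        """Authenticator step: verify the user and group identity of the consumer."""
        group = self.directory.get(consumer)
        return group if group in self.sfp.allowed_groups else None

    def validate(self, body):
        """Handler step: message must be well-formed XML with no blocked content."""
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return "malformed XML"
        for element in root.iter():
            # Strip a namespace prefix like {urn:x}Tag -> Tag before comparing.
            name = element.tag.rsplit("}", 1)[-1]
            if name in self.sfp.blocked_content:
                return f"blocked content <{name}>"
        return None

    def process(self, consumer, body):
        """Run one message through the chain; return (disposition, reason)."""
        # DoS protection: block traffic once the configured threshold is met.
        self.seen[consumer] += 1
        if self.seen[consumer] > self.sfp.max_messages_per_consumer:
            return self._record(consumer, "blocked", "threshold exceeded")
        if self.authenticate(consumer) is None:
            return self._record(consumer, "rejected", "authentication failed")
        problem = self.validate(body)
        if problem:
            return self._record(consumer, "rejected", problem)
        # Route: accepted messages are passed on to the service descriptor.
        return self._record(consumer, "accepted", f"routed to {self.sfp.route}")


def demo():
    """Drive the model with constructed traffic; returns the audit trail."""
    sfp = WebServicesSFP(
        service="orders",
        allowed_groups=frozenset({"partners"}),
        blocked_content=frozenset({"Script", "Exec"}),
        max_messages_per_consumer=3,
        route="orders-backend",
    )
    gw = Gateway(sfp, directory={"alice": "partners", "mallory": "guests"})
    soap = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body>{}</soap:Body></soap:Envelope>')
    gw.process("alice", soap.format("<Order id='1'/>"))    # accepted
    gw.process("mallory", soap.format("<Order id='2'/>"))  # rejected: wrong group
    gw.process("alice", soap.format("<Exec cmd='x'/>"))   # rejected: blocked content
    gw.process("alice", "<soap:Envelope>")                 # rejected: malformed
    gw.process("alice", soap.format("<Order id='3'/>"))    # blocked: 4th > threshold 3
    return gw.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```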
6 Documentation

Following is a list of the evaluation evidence, each of which was issued by the developer (and sponsor).

Design documentation
Document | Version | Date
Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Functional Specification Document | 0.14 | June 4, 2008
Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 High Level Design Document | 0.11 | May 23, 2008

Guidance documentation
Document | Version | Date
Using the Cisco Systems ACE XML Gateway and Manager Version 5.0.3, Technical Documentation, Version 5.0.3 | 5.0.3.200807090224 |

Configuration Management documentation
Document | Version | Date
Cisco Systems, Inc. Cisco ACE XML Configuration Management Procedures | Version 1.0 |

Delivery and Operation documentation
Document | Version | Date
Cisco Systems ACE XML Gateway and Manager Version 5.0.3 Cisco ACE XML Delivery Procedures | Version 2.0 | July 30, 2007
Using the Cisco Systems ACE XML Gateway and Manager Version 5.0.3, Technical Documentation, Version 5.0.3 | 5.0.3.200807090224 |

Life Cycle Support documentation
Document | Version | Date
Cisco Systems ACE XML Development Security and Flaw Remediation Procedures | 0.81 | 08/22/07

Test documentation
Document | Version | Date
Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Common Criteria Specific Functional Tests: Coverage Analysis | Version 0.6 | March 23, 2008
Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Common Criteria Specific Functional Tests: Test Plan | Version 0.7 | March 25, 2008
Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Common Criteria Specific Functional Tests: Test Plan Part 1 of 3 | Version 0.7 | March 24, 2008
Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Common Criteria Specific Functional Tests: Test Plan Part 2 of 3 | Version 0.7 | March 24, 2008
Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Common Criteria Specific Functional Tests: Test Plan Part 3 of 3 | Version 0.7 | March 24, 2008
Appendix: Test Code Reference | | March 18, 2008

The actual test results have been submitted to the evaluation team in various text files, PDFs, screenshots, and .d, .i, and .s file types. Section 11 of the Test Plan describes how to correlate the log files to the test cases.

Vulnerability Assessment documentation
Document | Version | Date
Cisco Systems ACE XML Gateway and Manager Version 5.0.3 Cisco ACE XML Vulnerability Assessment Procedures | Version 1.8 | July 15, 2007

Security Target
Document | Version | Date
Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Security Target | 1.0 | 25 July 2008

7 IT Product Testing

This section describes the testing efforts of the developer and the Evaluation Team.

7.1 Developer Testing

The developer tested the interfaces identified in the functional specification and mapped each test to the security function tested. The scope of the developer tests included all the TSFI. The testing covered the security functional requirements in the ST including: Security audit, User data protection, Identification and authentication, Security management, and Protection of the TSF. All security functions were tested and the TOE behaved as expected. The evaluation team determined that the developer's actual test results matched the vendor's expected results.

7.2 Evaluation Team Independent Testing

The evaluation team re-ran the entire automated test suite and a subset of the vendor's manual tests.
In addition to rerunning the vendor's tests, the evaluation team developed a set of independent team tests to address areas of the ST that did not seem completely addressed by the vendor's test suite, or areas where the ST did not seem completely clear. All were run as manual tests.

In addition to developer testing, the evaluation team conducted its own suite of tests, which were developed independently of the sponsor. These also completed successfully.

The vendor provided the ACE XML Gateway, ACE XML Manager, and the necessary computers for the test environment.

The following hardware is necessary to create the test configuration:
• Two ACE XML Gateway and Manager (AXG) appliances consisting of a Hewlett-Packard DL360 G5 chassis configured at the Cisco Systems factory with the operating system, hardware cryptomodule, TOE software, firmware, and local storage required to function as instances of:
  o Cisco Systems ACE XML Gateway Version 5.0.3 and
  o Cisco Systems ACE XML Manager Version 5.0.3,
• External serial console – for installation, generation, and startup of TOE and for specified administrative maintenance activities,
• Computer/Workstation on which the authorized administrator's Web browser runs to present the Manager GUI,
• Build machine that is a Linux-based computer configured to provide HTTPUnit, CVS, test scripts, and ACE XML source code,
• Backend machine that is a Linux-based computer that utilizes an instance of Apache Tomcat to provide HTTP(S) and SOAP services that SOATest can access only through the Gateway,
• Windows machine that runs the SOATest tool, and
• Ethernet router, CAT 5e cabling, and additional items required to create a functional gigabyte Ethernet network environment.

The following software is required to be installed on the machines used for the test:
• ACE XML Gateway and Manager (AXG) version 5.0.3 (TOE software),
• Test programs,
• Test utility programs,
• SOATest v. 5.1.1 (automated test harness by Parasoft), and
• HTTPUnit v. 1.5.4 (automated test harness by Meterware, Inc.).

7.3 Vulnerability Testing

The evaluators developed vulnerability tests to address the Protection of the TSF security function, as well as expanding upon the public search for vulnerabilities provided to the team by the sponsor. These tests identified no vulnerabilities in the specific functions provided by the TOE.

8 Evaluated Configuration

The evaluated configuration, as defined in the Security Target, requires one ACE XML appliance that runs as a dedicated ACE XML Manager only (the "Manager appliance"), and at least one additional ACE XML appliance that runs as a dedicated Gateway only (the "Gateway appliance"). To use the product in the evaluated configuration, the Manager appliance and Gateway appliances must be configured as specified in the section "Creating the Common Criteria Evaluated Configuration," starting at page 627 of "Using the Cisco Systems ACE XML Gateway and Manager Version 5.0.3, Technical Documentation, Version 5.0.3," Version 5.0.3.200807090224.

The following features are not included in the evaluated configuration:
• Cryptography: Cryptographic functionalities are provided by the environment in the evaluated configuration.
• LDAP Support for Message Authentication and Authorization: In the Common Criteria evaluated configuration LDAP Support is not allowed for authentication and authorization of messages.
• Java SDK: In the Common Criteria evaluated configuration Java SDK customization or authorization logic is not allowed.
• Message Transformation: In the Common Criteria evaluated configuration transformations specified in the XSL language to messages are not allowed.
• Message Caching: In the Common Criteria evaluated configuration end-user specified message caching is not allowed.
• SNMP Monitoring: In the Common Criteria evaluated configuration SNMP monitoring is excluded.
• System Snapshot diagnostic tool: The use of the system snapshot functionality is not allowed in the Common Criteria evaluated configuration.
• Access Control: Sub-policies: The Common Criteria evaluated configuration does not allow the creation of and excludes the use of sub-policies other than the factory-configured "Shared" sub-policy.
• Access Control: Approval-Based Deployment: The Common Criteria evaluated configuration does not allow the approval-based deployment feature to be enabled.
• Access Control: Alternate Authentication Mechanisms: LDAP: LDAP authentication of Manager user accounts is not allowed in the Common Criteria evaluated configuration.
• Message Routing: Fast path Engine: The Common Criteria evaluated configuration excludes use of the "Reactor" (also known as the Fast Path) message-processing engine.
• Protocols: The Common Criteria evaluated configuration excludes the use of the SMTP, JMS, MQ or TIBCO message protocols for use with handlers and service descriptors.

All communications between Manager and Gateway instances must take place exclusively on the trusted network over a secure, encrypted connection.

9 Results of the Evaluation

The evaluation was conducted based upon the Common Criteria (CC), Version 2.3, dated August 2005; the Common Evaluation Methodology (CEM), Version 2.3, dated August 2005; and all applicable International Interpretations in effect on March 2005. The evaluation confirmed that the Cisco Systems ACE XML Gateway and Manager Version 5.0.3 product is compliant with the Common Criteria Version 2.3 functional requirements (Part 2), Part 2 conformant, and assurance requirements (Part 3) for EAL3 augmented with ALC_FLR.2. The details of the evaluation are recorded in the CCTL's evaluation technical report: Final Evaluation Technical Report for the Cisco Systems ACE XML Gateway and Manager Version 5.0.3, Part 1 (Non-Proprietary) and Part 2 (Proprietary). The product was evaluated and tested against the claims presented in the Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Security Target, Version 1.0, 25 July 2008.

The Validator followed the procedures outlined in the Common Criteria Evaluation Scheme publication number 3 for Technical Oversight and Validation Procedures. The Validator has observed that the evaluation and all of its activities were in accordance with the Common Criteria, the Common Evaluation Methodology, and the CCEVS. The Validator therefore concludes that the evaluation team's results are correct and complete.

The following evaluation results are extracted from the non-proprietary Evaluation Technical Report provided by the CCTL.

9.1 Evaluation of the Security Target (ASE)

The evaluation team applied each ASE CEM work unit. The ST evaluation ensured the ST contains a description of the environment in terms of threats, policies, and assumptions, a statement of security requirements claimed to be met by the Cisco Systems ACE XML Gateway and Manager Version 5.0.3 product that are consistent with the Common Criteria, and product security function descriptions that support the requirements.

9.2 Evaluation of the Configuration Management Capabilities (ACM)

The evaluation team applied each EAL 3 augmented with ALC_FLR.2 ACM CEM work unit. The ACM evaluation ensured the TOE is identified such that the consumer is able to identify the evaluated TOE. The evaluation team ensured the adequacy of the procedures used by the developer to accept, control, and track changes made to the TOE implementation, design documentation, test documentation, user and administrator guidance, delivery and installation documentation and the CM documentation. The evaluation team ensured the procedure included automated support to control and track changes to the implementation representation. The procedures reduce the risk that security flaws exist in the TOE implementation or TOE documentation. To support the ACM evaluation, the evaluation team received Configuration Management (CM) records from Cisco.

9.3 Evaluation of the Delivery and Operation Documents (ADO)

The evaluation team applied each EAL 3 augmented with ALC_FLR.2 ADO CEM work unit. The ADO evaluation ensured the adequacy of the procedures to deliver, install, and configure the TOE securely. The evaluation team ensured the procedures addressed the detection of modification, the discrepancy between the developer master copy and the version received, and the detection of attempts to masquerade as the developer. The evaluation team followed the Cisco Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Common Criteria Specific Functional Tests Test Plan, Version 0.7, 24 March 2008 and the Using the Cisco Systems ACE XML Gateway and Manager Version 5.0.3, Technical Documentation, Version 5.0.3.200807090224 to test the installation procedures to ensure the procedures result in the evaluated configuration.

... manual test suite. In addition, the Evaluation Team devised an independent set of team tests and penetration tests. The vendor tests, team tests, and penetration tests substantiated the security functional requirements in the ST.
9.4 Evaluation of the Development (ADV) Th LR.2 ADV CEM work uni in con tea cor of 9.5 The evaluation team applied each EAL 3 augmented with ALC_FLR.2 AGD CEM work uni ments in describing how t e E XML Gateway and ass 9.6 Th uni TOE and reduce the risk pment and ma and Ev Te sam In AL eva TO 9.7 TE) Th uni doc req ts. Specifically, the Evaluation Team ensured that the vendor test docu on sufficiently addresses the security functions as described in the functional spe set e ma and sec e evaluation team applied each EAL 3 augmented with ALC_F t. The evaluation team assessed the design documentation and found it adequate to aid understanding how the TSF provides the security functions. The design documentation sists of a functional specification and high-level design documents. The evaluation m also ensured that the correspondence analysis between the design abstractions rectly demonstrated that the lower abstraction was a correct and complete representation the higher abstraction. Evaluation of the Guidance Documents (AGD) t. The evaluation team ensured the adequacy of the guidance docu o s curely administer the TOE. The Using the Cisco Systems AC Manager Version 5.0.3, Technical Documentation, Version 5.0.3.200807090224 was essed during the design and testing phases of the evaluation to ensure it was complete. Evaluation of the Life Cycle Support Activities (ALC) e Evaluation Team applied each EAL 3 augmented with ALC_FLR.2 ALC CEM work t. The Evaluation Team ensured the adequacy of the developer procedures to protect the the TOE documentation during TOE development and maintenance to of the introduction of TOE exploitable vulnerabilities during TOE develo intenance. The Evaluation Team ensured the procedures described the life-cycle model tools used to develop and maintain the TOE. To support the ALC evaluation, the aluation Team performed a Life Cycle (LC) audit. 
During the audit, the Evaluation am witnessed the use of the security measures as described in the LC documentation and pled records created by using the security procedures. addition to the EAL 3 ALC CEM work units, the Evaluation Team applied the C_FLR.2 work units from the CEM supplement. The flaw remediation procedures were luated to ensure that systematic procedures exist for managing flaws discovered in the E. Evaluation of the Test Documentation and the Test Activity (A e Evaluation Team applied each EAL 3 augmented with ALC_FLR.2 ATE CEM work t. The Evaluation Team ensured that the TOE performed as described in the design umentation and demonstrated that the TOE enforces the TOE security functional uiremen mentati cification and high level design specification. The Evaluation Team exercised the entire of th vendor automated test suite and performed a sampling (30%) of the vendor’s 19 Gateway. Authenticators are not user accounts and a er who sends a message to a service the ACE XML y protects has not logged on to the TOE. sentation of a group composed of authenticators and s. Authenticators in an authorization group can access a n set of handlers that route messages to protected 9.8 Vulnerability Assessment Activity (AVA) Th lu C_FLR.2 AVA CEM work uni we dev vul 9.9 The Evaluat evidence demonstrates that the claims in t ’s performance of the entire set of the ven ind the 10 All Validator concerns with respect to the evaluation have been addressed. No issues are out 11 Th et is identified as Systems, Inc. ACE XML Gateway and Manager Version 5.0.3 Security Target, Version 1.0, dated 25 July 2008. The document identifies the s (SFRs) necessary to implement the TOE security pol ronment SFRs. 
Additionally, the Security Target specifies the security assurance requirements necessary for EAL 3 augmented with AL 12 Th A security policy component that specifies a collection of subject security attributes and values that positively identifies a message sender to the Web Services SFP. An incoming message must satisfy all of the requirements of a defined authenticator as a prerequisite to further processing by a handler in the same ticator filters incoming to the consum Gatewa Authorization Group A repre handler commo e Eva ation Team applied each EAL 3 augmented with AL t. The Evaluation Team ensured that the TOE does not contain exploitable flaws or aknesses in the TOE based upon the developer strength of function analysis, the eloper vulnerability analysis, and the Evaluation Team’s misuse analysis and nerability analysis, and the Evaluation Team’s performance of penetration tests. Summary of Evaluation Results ion Team’s assessment of the evaluation he ST are met. Additionally, the Evaluation Team dor’s automated test suite, a sampling (30%) of the vendor’s manual test cases, the ependent tests, and the penetration test also demonstrated the accuracy of the claims in ST. Validator Comments/Recommendations standing. Security Target e Security Targ security functional requirement icies. These include TOE SFRs and IT Envi C_FLR.2. Glossary e following definitions are used throughout this document: Authenticator authorization group as the authenticator. An authen messages (FDP) on values in the headers of a message 20 ll requirements imposed by an authenticator, the message le for further processing by a handler that is a member of henticator's authorization group. The message is not services. Satisfying the requirements of an authenticator in the group m by one to hand provide permiss CC Commo Clie a server; for sender of a ssag ca value to establis the mes CM Control Consumer A clien gain ac ted services. 
Clients do not log into the CPU Central Cry A hardw generat Denial-of-service attack An oded with so many requests that Den inco particular IP address exceeds a policy-specified threshold, the DO Delivery Op EAL Evaluation A GUI Graphical U functions to t the user can manipulate by means of a pointing device to perform tasks. Contrast with command-line interface, which requires the user to type text- Han The co SFP that manages commu an incoming message meets a is eligib the aut akes an incoming message eligible for further processing of the handlers in the group. The message is not available lers outside of the authorization group. The TOE s authorization groups to ease management of access ions and to organize authenticators for convenience. n Criteria nt Certificate The X.509 certificate that authenticates a client to example, the certificate that authenticates the me e to the Gateway. Administrators of the Web services SFP n specify that the Gateway use the Distinguished Name authenticate the sender of a message for purposes of hing an SSL connection to the Gateway for processing sage. Management t that connects to the ACE XML Gateway in an attempt to cess to its protec TOE. Processing Unit ptomodule are module that includes a processor specialized for ing, storing and using keys for cryptographic operations. attack in which a service is flo it becomes unavailable to legitimate users. To prevent ial-of-Service attacks, the TOE monitors the frequency of ming requests; when the rate of requests from a TOE blocks requests from that address for a policy-specified amount of time. eration ssurance Level ser Interface; a human interface that maps computer graphical objects tha based commands to perform tasks. dler mponent of the Web Services nication with consumers. When 21 available to handlers outside of the authorization group. 
A handler endpoin well as to be el handler the cons requirem GUI pr Web Se Manage policy o HTTP header A text messag the clie rowse required the HT messag that ma may co request HTTP(S) A typo docume HTTPS Secure) manage as SSL or TLS. I/O PP Protecti SF Security SFR Security SSL ed to validate the reate an encrypted . SOA andard for ages, using ST Security TOE Target o TSF TOE Se TSP TOE Se specifies the message protocol and network t/port on which the Gateway accepts message traffic, as various criteria the incoming message must meet in order igible for further processing by the Web Services SFP. A also passes a response from a protected service back to umer that made the original request, again subject to all ents of the Web Services SFP. The ACE XML Manager ovides a graphical representation of each handler in the rvices SFP. Authorized administrators interact with the r GUI to create, delete, or modify handlers or other bjects that define the Web Services SFP. record sent at the beginning of an HTTP or HTTPS e. Request message headers provide information about nt to the server receiving the request, such as the type of b r being used. In addition to information the header is to provide, it may also include optional values such as TP Basic username and password of the sender. Response e headers provide information from the sever to the client de the original request; for example, a response message ntain an error code that attempts to explain the reason a did not succeed. graphical convention the TOE user interface and ntation uses to indicate use of either of the HTTP or protocols. 
The HTTPS (HyperText Transfer Protocol protocol is the HTTP protocol conducted in a session d by a security protocol, such Input/Output on Profile Functions Functional Requirement(s) Secure Sockets Layer, a secure protocol us identities of participants in a transaction and c connection over which the transaction can take place P Simple Object Access Protocol, an XML-based st making remote procedure calls by means of text mess HTTP(S) as the transport mechanism. Target f Evaluation curity Functions curity Policy 22 TSC TSF Scope of Control XM Extensi flexible formal text format derived speciali XML Schema Validation The the structure or XML Signature Verification A d ret (key) r onte sender pr document 13 Bibliography The Validation Team used the following docum or Information Technology Security Evaluation - Part 1: neral model, Version 2.3, August 2005. [3] m Secur [4] m Evalu [5] 2 [6] o Sy [7] Cisco FINAL [8] Cisco 5.0.3 Security [9] Guida Laboratories, Version 1.0, March 20, L ble Markup Language, a from SGML that is commonly used to define more zed markup languages for representing structured data. use of an XML schema document to test the validity of content of an XML document of the type the schema describes. See also Schema. method of establishing the authenticity of a ocument or its sender by using a shared sec to recompute a cryptog aphic digest computed from the c nts of the document or the certificate the esents. If the two signatures match, the or sender is authentic.. ents to produce this Validation Report: [1] Common Criteria f Introduction and ge [2] Common Criteria for Information Technology Security Evaluation - Part 2: Security Functional Requirements, Version 2.3, August 2005. Com on Criteria for Information Technology Security Evaluation - Part 3: ity Assurance Requirements, Version 2.3, August 2005. Com on Methodology for Information Technology Security Evaluation, ation Methodology, Version 2.3, August 2005. 
Part : Evaluation Methodology, Supplement: ALC_FLR - Flaw Remediation, Version 1.1, February 2002, CEM-2001/0015R. Cisc stems ACE XML Gateway and Manager Version 5.0.3 FINAL Non- Proprietary ETR – Part 1. Systems ACE XML Gateway and Manager Version 5.0.3 Proprietary ETR – Part 2 and Supplemental Team Test Plan. Systems, Inc. ACE XML Gateway and Manager Version Target, Version 1.0, 25 July 2008. NIAP Common Criteria Evaluation and Validation Scheme for IT Security, nce to Common Criteria Testing 2001.
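As an added illustration (not code from the TOE, from Cisco, or from the evaluation), the relationship between authenticators, authorization groups and handlers, and the per-address request-rate threshold described under "Denial-of-service attack" in the glossary, can be modelled as follows; the header names, threshold values and addresses are constructed sample values.

```python
# Added illustration (not TOE code) of the glossary's model: a message must satisfy
# an authenticator before handlers in that authenticator's authorization group may
# process it; requests above a per-address rate threshold are blocked for a set time.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Authenticator:
    """Subject security attributes (header name -> required value) identifying a sender."""
    name: str
    required_headers: Dict[str, str]

    def satisfied_by(self, headers: Dict[str, str]) -> bool:
        # All requirements must hold; a single mismatch disqualifies the message.
        return all(headers.get(k) == v for k, v in self.required_headers.items())


@dataclass
class AuthorizationGroup:
    """Authenticators plus the handlers those authenticators are allowed to reach."""
    name: str
    authenticators: List[Authenticator] = field(default_factory=list)
    handlers: List[str] = field(default_factory=list)  # handler names


def eligible_handlers(groups: List[AuthorizationGroup], headers: Dict[str, str]) -> List[str]:
    """Handlers the message may reach: only those in a group whose authenticator it satisfies."""
    eligible: List[str] = []
    for group in groups:
        if any(auth.satisfied_by(headers) for auth in group.authenticators):
            eligible.extend(group.handlers)
    return eligible  # handlers of other groups stay unavailable to this message


class RateLimiter:
    """Per-source-address request threshold with a policy-specified block duration."""
    def __init__(self, max_requests: int, window: float, block_seconds: float) -> None:
        self.max_requests = max_requests    # requests allowed within one window
        self.window = window                # seconds over which requests are counted
        self.block_seconds = block_seconds  # how long an offending address is blocked
        self._hits: Dict[str, List[float]] = {}
        self._blocked_until: Dict[str, float] = {}

    def allow(self, addr: str, now: float) -> bool:
        """Return True if a request from addr at time 'now' may proceed."""
        if self._blocked_until.get(addr, 0.0) > now:
            return False  # still inside the block period
        recent = [t for t in self._hits.get(addr, []) if now - t < self.window]
        recent.append(now)
        self._hits[addr] = recent
        if len(recent) > self.max_requests:  # rate exceeds the threshold
            self._blocked_until[addr] = now + self.block_seconds
            return False
        return True
```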