Certification Report

EAL 2+ Evaluation of EMC® VoyenceControl™ v4.1.0

Issued by:
Communications Security Establishment Canada
Certification Body
Canadian Common Criteria Evaluation and Certification Scheme

© Government of Canada, Communications Security Establishment Canada, 2009

Document number: 383-4-110-CR
Version: 1.0
Date: 25 September 2009
Pagination: i to iv, 1 to 11

CCS Certification Report EMC Corporation EMC® VoyenceControl™ v4.1.0
___________________________________________________________________________
Version 1.0 25 September 2009 - Page i of iv -

DISCLAIMER

The Information Technology (IT) product identified in this certification report, and its associated certificate, has been evaluated at an approved evaluation facility – established under the Canadian Common Criteria Evaluation and Certification Scheme (CCS) – using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 2, for conformance to the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 2.

This certification report, and its associated certificate, apply only to the identified version and release of the product in its evaluated configuration. The evaluation has been conducted in accordance with the provisions of the CCS, and the conclusions of the evaluation facility in the evaluation report are consistent with the evidence adduced.

This report, and its associated certificate, are not an endorsement of the IT product by the Communications Security Establishment Canada, or any other organization that recognizes or gives effect to this report, and its associated certificate, and no warranty for the IT product by the Communications Security Establishment Canada, or any other organization that recognizes or gives effect to this report, and its associated certificate, is either expressed or implied.

FOREWORD

The Canadian Common Criteria Evaluation and Certification Scheme (CCS) provides a third-party evaluation service for determining the trustworthiness of Information Technology (IT) security products. Evaluations are performed by a commercial Common Criteria Evaluation Facility (CCEF) under the oversight of the CCS Certification Body, which is managed by the Communications Security Establishment Canada.

A CCEF is a commercial facility that has been approved by the CCS Certification Body to perform Common Criteria evaluations; a significant requirement for such approval is accreditation to the requirements of ISO/IEC 17025:2005, the General Requirements for the Competence of Testing and Calibration Laboratories. Accreditation is performed under the Program for the Accreditation of Laboratories - Canada (PALCAN), administered by the Standards Council of Canada. The CCEF that carried out this evaluation is Electronic Warfare Associates-Canada, Ltd. located in Ottawa, Ontario.

By awarding a Common Criteria certificate, the CCS Certification Body asserts that the product complies with the security requirements specified in the associated security target. A security target is a requirements specification document that defines the scope of the evaluation activities. The consumer of certified IT products should review the security target, in addition to this certification report, in order to gain an understanding of any assumptions made during the evaluation, the IT product's intended environment, its security requirements, and the level of confidence (i.e., the evaluation assurance level) that the product satisfies the security requirements.

This certification report is associated with the certificate of product evaluation dated 25 September 2009, and the security target identified in Section 4 of this report.

The certification report, certificate of product evaluation and security target are posted on the CCS Certified Products List at: http://www.cse-cst.gc.ca/its-sti/services/cc/cp-pc-eng.html and http://www.commoncriteriaportal.org/.

This certification report makes reference to the following trademarked or registered trademarks:

• EMC® is a registered trademark symbol of EMC Corporation;
• VoyenceControl™ is a trademark symbol of EMC Corporation;
• Microsoft, and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries;
• JAVA and Java Runtime Environment (JRE) are registered trademarks of SUN Microsystems, Inc.;
• Linux is a registered trademark of Linus Torvalds;
• Red Hat is a registered trademark of Red Hat, Inc.; and
• Sun and Solaris are trademarks of Sun Microsystems, Inc. in the United States and other countries.

Reproduction of this report is authorized provided the report is reproduced in its entirety.

TABLE OF CONTENTS

Disclaimer
Foreword
Executive Summary
1 Identification of Target of Evaluation
2 TOE Description
3 Evaluated Security Functionality
4 Security Target
5 Common Criteria Conformance
6 Security Policy
7 Assumptions and Clarification of Scope
  7.1 Secure Usage Assumptions
  7.2 Environmental Assumptions
  7.3 Clarification of Scope
8 Architectural Information
9 Evaluated Configuration
10 Documentation
11 Evaluation Analysis Activities
12 ITS Product Testing
  12.1 Assessment of Developer Tests
  12.2 Independent Functional Testing
  12.3 Independent Penetration Testing
  12.4 Conduct of Testing
  12.5 Testing Results
13 Results of the Evaluation
14 Evaluator Comments, Observations and Recommendations
15 Acronyms, Abbreviations and Initializations
16 References

Executive Summary

EMC® VoyenceControl™ v4.1.0 (hereafter referred to as EMC VoyenceControl), from EMC Corporation, is the Target of Evaluation (TOE) for this Evaluation Assurance Level (EAL) 2 augmented evaluation.

EMC VoyenceControl is an automated compliance management, change management, and configuration management solution. EMC VoyenceControl allows administrators to collaboratively manage their network infrastructure while enforcing control over change processes. End-users (both administrative and non-privileged) use EMC VoyenceControl as the central management “hub” for their Information Technology (IT) infrastructure – all changes to infrastructure devices are made via EMC VoyenceControl, which performs auditing of every change and pushes the changes out to the managed devices.

Electronic Warfare Associates-Canada, Ltd. is the Common Criteria Evaluation Facility that conducted the evaluation. This evaluation was completed on 31 August 2009 and was carried out in accordance with the rules of the Canadian Common Criteria Evaluation and Certification Scheme (CCS).

The scope of the evaluation is defined by the security target, which identifies assumptions made during the evaluation, the intended environment for EMC VoyenceControl, the security requirements, and the level of confidence (evaluation assurance level) at which the product is intended to satisfy the security requirements. Consumers are advised to verify that their operating environment is consistent with that specified in the security target, and to give due consideration to the comments, observations and recommendations in this certification report.

The results documented in the Evaluation Technical Report (ETR)[1] for this product provide sufficient evidence that it meets the EAL 2 augmented assurance requirements for the evaluated security functionality. The evaluation was conducted using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 2, for conformance to the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 2. The following augmentation is claimed: ALC_FLR.1 – Basic Flaw Remediation.

Communications Security Establishment Canada, as the CCS Certification Body, declares that the EMC VoyenceControl evaluation meets all the conditions of the Arrangement on the Recognition of Common Criteria Certificates and that the product will be listed on the CCS Certified Products list (CPL) and the Common Criteria portal (the official website of the Common Criteria Project).

[1] The ETR is a CCS document that contains information proprietary to the developer and/or the evaluator, and is not releasable for public review.

1 Identification of Target of Evaluation

The Target of Evaluation (TOE) for this Evaluation Assurance Level (EAL) 2 augmented evaluation is EMC® VoyenceControl™ v4.1.0 (hereafter referred to as EMC VoyenceControl), from EMC Corporation.

2 TOE Description

EMC VoyenceControl is an automated compliance management, change management, and configuration management solution. EMC VoyenceControl allows administrators to collaboratively manage their network infrastructure while enforcing control over change processes. End-users (both administrative and non-privileged) use EMC VoyenceControl as the central management “hub” for their IT infrastructure – all changes to infrastructure devices are made via EMC VoyenceControl, which performs auditing of every change and pushes the changes out to the managed devices.

3 Evaluated Security Functionality

The complete list of evaluated security functionality for EMC VoyenceControl is identified in Section 6 (Security Requirements) and Section 7 (TOE Summary Specification) of the Security Target (ST).

4 Security Target

The ST associated with this Certification Report is identified by the following nomenclature:

Title: EMC Corporation EMC® VoyenceControl™ v4.1.0 Security Target, Evaluation Assurance Level: EAL2+
Version: 0.6
Date: 6 August 2009

5 Common Criteria Conformance

The evaluation was conducted using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 2, for conformance to the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 2.

EMC VoyenceControl version 4.1.0 is:

a. Common Criteria Part 2 conformant, with security functional requirements based only upon functional components in Part 2;
b. Common Criteria Part 3 conformant, with security assurance requirements based only upon assurance components in Part 3; and
c. Common Criteria EAL 2 augmented, with all the security assurance requirements in the EAL 2 package, as well as the following: ALC_FLR.1 – Basic Flaw Remediation.

6 Security Policy

EMC VoyenceControl enforces access and flow control security policies that control access to TOE functionality and resources. The policies are:

• A Management Access Control policy for TOE users and managed devices that controls their access to audit data and TOE configuration data;
• An Identification and Authentication (I&A) Access Control policy for TOE users and groups that controls their access to TOE user credentials and permissions; and
• A Device Information Flow Control policy for TOE users and managed devices that controls the flow of management data between TOE users and managed devices.

In addition, EMC VoyenceControl implements policies pertaining to security audit, identification and authentication, security management, protection of the TOE Security Functionality (TSF), and TOE access.
Further details on these security policies may be found in Section 6 of the ST.

7 Assumptions and Clarification of Scope

Consumers of EMC VoyenceControl should consider assumptions about usage and environmental settings as requirements for the product’s installation and its operational environment. This will ensure the proper and secure operation of the TOE.

7.1 Secure Usage Assumptions

The following Secure Usage Assumptions are listed in the ST:

• TOE users and administrators are non-hostile, appropriately trained, and follow all user guidance.
• Physical security will be provided for the TOE and its environment.

7.2 Environmental Assumptions

The following Environmental Assumptions are listed in the ST:

• The TOE operational environment must be able to identify and authenticate users prior to allowing access to TOE administrative functions and data.
• The TOE operational environment will protect the TOE from external interference or tampering.
• The TOE operational environment will provide reliable timestamps for the TOE’s use.

7.3 Clarification of Scope

The EMC VoyenceControl v4.1.0 is intended for use by a non-hostile and well-managed user community. It relies on the environment to provide it physical and logical protection.

8 Architectural Information

EMC VoyenceControl is a software-only network management tool. EMC VoyenceControl is designed to allow administrators to manage network devices from a central point on the network. Configuration changes for managed network devices are made on the EMC VoyenceControl and then pushed out to managed devices. EMC VoyenceControl embodies a client-server architecture and consists of four (4) main components:

• Application and Database Server. The Application and Database Server is the central network management “hub” of the product. It stores the data gathered and generated by the product which includes device configuration data and audit data;
• Advisor Server. The Advisor Server hosts the report generators that analyze the device data stored by the product;
• Device Server(s). The Device Server(s) communicates with the managed devices on the network on behalf of the Application Server; and
• Management Client. The Management Client provides the primary administrative user interface for the product.

Each of these components is modular, and can be installed on a server by itself, or together with other components on the same server. EMC VoyenceControl is installed and deployed on general-purpose server hardware running a general-purpose operating system as identified in the evaluated configuration.

9 Evaluated Configuration

The evaluated configuration for EMC VoyenceControl version 4.1.0.863 TOE comprises the following software components:

• Application Server Version 4.1.0.863;
• Device Server Release 12.0.863;
• Advisor Server Release 2.2.0.561 running the Report Advisor; and
• Thick Client.

EMC VoyenceControl was evaluated on the following operating systems (OS):

• Windows Server 2003 Enterprise Edition Service Pack 1;
• Red Hat Enterprise Linux 5 Server (update 3, x86_64);
• Red Hat Enterprise Linux 5 Advanced Platform (update 3, x86_64); and
• Solaris 10 Release 6/06.

EMC VoyenceControl guidance on how to put the TOE in the evaluated configuration is:

• EMC Corporation VoyenceControl v4.1 Guidance Supplement, 0.1, 15 May 2009.

The guidance documentation is available online to registered customers from the EMC Powerlink site (https://powerlink.emc.com).

10 Documentation

The EMC Corporation documents provided to the consumer are as follows:

• EMC VoyenceControl 4.1.0 Installing VoyenceControl on Solaris 10 P/N9 300-008-397 Rev A01;
• EMC VoyenceControl 4.1.0 Installing VoyenceControl on Red Hat Enterprise Linux 4 and 5 P/N 300-008-392 Rev A01;
• EMC VoyenceControl 4.1.0 Installing VoyenceControl on Windows Server 2003 P/N 300-008-395 Rev A01;
• EMC VoyenceControl 4.1.0 Release Notes P/N 300-008-381 Rev A01;
• EMC VoyenceControl 4.1.0 Cluster Installation Guide P/N 300-008-399 Rev A01;
• EMC VoyenceControl 4.1.0 GEO Diverse Installation Guide P/N 300-008-400 Rev A01;
• EMC VoyenceControl 4.1.0 Installing and Configuring the RSA Token Service on Windows Server 2003 P/N 300-008-636 Rev A01;
• EMC VoyenceControl 4.1.0 System Management Console Guide P/N 300-008-441 Rev A01;
• EMC VoyenceControl 4.1.0 Common Administration Guide for Integration Modules P/N 300-008-442 Rev A01;
• EMC VoyenceControl 4.1.0 Using Regular Expressions (RegEx) in VoyenceControl P/N 300-008-443 Rev A01;
• EMC VoyenceControl 4.1.0 Device Access Scripting Language (DASL) Specifications Guide P/N 300-008-444 Rev A01;
• EMC VoyenceControl 4.1.0 Backup and Recovery Guide P/N 300-008-445 Rev A01;
• EMC VoyenceControl Application Program Interface (API) 4.1.0 Programmer’s Guide P/N 300-008-447 Rev A01;
• EMC VoyenceControl 4.1.0 Troubleshooting Guide P/N 300-008-449 Rev A01;
• EMC VoyenceControl 4.1.0 Online User’s Guide P/N 300-008-449 Rev A01; and
• Various migration guides and integration modules documentation.

11 Evaluation Analysis Activities

The evaluation analysis activities involved a structured evaluation of EMC VoyenceControl, including the following areas:

Development: The evaluators analyzed the EMC VoyenceControl functional specification and design documentation; they determined that the design completely and accurately describes the TOE security functionality (TSF) interfaces (TSFI), the TSF subsystems and how the TSF implements the security functional requirements (SFRs). The evaluators analyzed the EMC VoyenceControl security architectural description and determined that the initialization process was secure, that the security functions are protected against tamper and bypass, and that security domains are maintained. The evaluators also independently verified that the correspondence mappings between the design documents were correct.

Guidance Documents: The evaluators examined the EMC VoyenceControl preparative procedures and operational user guidance and determined that they sufficiently and unambiguously described how to securely transform the TOE into its evaluated configuration and how to use and administer the product. The evaluators examined and tested the preparative procedures and operational user guidance, and determined that they were complete and sufficiently detailed to result in a secure configuration.

Life-cycle support: An analysis of the EMC VoyenceControl configuration management system and associated documentation was performed. The evaluators found that the EMC VoyenceControl configuration items were clearly marked. The developer’s configuration management system was observed during a site visit, and it was found to be mature and well developed.

The evaluators examined the delivery documentation and determined that it described all of the procedures required to maintain the integrity of EMC VoyenceControl during distribution to the consumer.

The evaluators reviewed the flaw remediation procedures used by EMC Corporation for EMC VoyenceControl. During a site visit, the evaluators also examined the evidence generated by adherence to the procedures. The evaluators concluded that the procedures are adequate to track and correct security flaws, and distribute the flaw information and corrections to consumers of the product.

Vulnerability assessment: The evaluators conducted an independent vulnerability analysis of EMC VoyenceControl. Additionally, the evaluators conducted an independent review of public domain vulnerability databases and all evaluation deliverables to identify potential vulnerabilities in EMC VoyenceControl. The evaluators' penetration testing did not expose any vulnerabilities that would be exploitable in the intended operational environment.

All these evaluation activities resulted in PASS verdicts.

12 ITS Product Testing

Testing at EAL 2 consists of the following three steps: assessing developer tests, performing independent functional tests, and performing penetration tests.

12.1 Assessment of Developer Tests

The evaluators verified that the developer has met their testing responsibilities by examining their test evidence, and reviewing their test results, as documented in the ETR[2].

The evaluators analyzed the developer’s test coverage analysis and found it to be complete and accurate. The correspondence between the tests identified in the developer’s test documentation and the functional specification was complete.

12.2 Independent Functional Testing

During this evaluation, the evaluators developed independent functional tests by examining design and guidance documentation, examining the developer's test documentation, executing a sample of the developer's test cases, and creating test cases that augmented the developer tests.

All testing was planned and documented to a sufficient level of detail to allow repeatability of the testing procedures and results. Resulting from this test coverage approach was the following list of Electronic Warfare Associates-Canada test goals:

• Initialization: The objective of this test goal is to confirm that the TOE can be installed and configured into the evaluated configuration, as identified in the TOE Description of the Security Target, by following all instructions in the developer’s Installation and Administrative guidance.
• Repeat of Developer's Tests: The objective of this test goal is to repeat a subset of the developer's tests to gain confidence in the developer’s testing process and results.
• TOE Access: The objective of this test goal is to verify the user access security features of the TOE.
• Identification and Authentication: The objective of this test goal is to verify that the TOE security functionality requires users to be successfully identified and authenticated.
• Security Management: The objective of this test is to verify the TOE’s management of user and group permissions.
• User Data Protection: The objective of this test is to verify the flow of configuration data from the TOE to a managed device.

[2] The ETR is a CCS document that contains information proprietary to the developer and/or the evaluator, and is not releasable for public review.

12.3 Independent Penetration Testing

Subsequent to the independent review of public domain vulnerability databases and all evaluation deliverables, limited independent evaluator penetration testing was conducted. The penetration tests focused on:

• Generic vulnerabilities;
  o The objective of this test is to check the robustness of the product in dealing with unexpected events.
  o The objective of this test is to verify the server on which the TOE operates has the expected ports open and the expected services available.

The independent penetration testing did not uncover any exploitable vulnerabilities in the intended operational environment.

12.4 Conduct of Testing

EMC VoyenceControl was subjected to a comprehensive suite of formally documented, independent functional and penetration tests. The testing took place at the Information Technology Security Evaluation and Testing (ITSET) Facility at Electronic Warfare Associates-Canada. The CCS Certification Body witnessed a portion of the independent testing. The detailed testing activities, including configurations, procedures, test cases, expected results and observed results are documented in a separate Test Results document.

12.5 Testing Results

The developer’s tests and the independent functional tests yielded the expected results, giving assurance that EMC VoyenceControl behaves as specified in its ST and functional specification.

13 Results of the Evaluation

This evaluation has provided the basis for an EAL 2+ level of assurance. The overall verdict for the evaluation is PASS. These results are supported by evidence in the ETR.

14 Evaluator Comments, Observations and Recommendations

The EMC VoyenceControl documentation set includes comprehensive installation, administration, deployment, development, user, and reference guides. The developer also provides a complete solution with an on-site system engineer to help the customer integrate the TOE into a corporate network. 24/7 support is also an available option.

EMC Support was used by the evaluator to report a documentation issue and was found to provide a timely response and solution.

15 Acronyms, Abbreviations and Initializations

Acronym/Abbreviation/Initialization    Description
CCEF      Common Criteria Evaluation Facility
CCS       Canadian Common Criteria Evaluation and Certification Scheme
CPL       Certified Products list
CM        Configuration Management
EAL       Evaluation Assurance Level
ETR       Evaluation Technical Report
I&A       Identification and Authentication
IT        Information Technology
ITSET     Information Technology Security Evaluation and Testing
JRE       Java Runtime Environment
OS        Operating System
PALCAN    Program for the Accreditation of Laboratories - Canada
QA        Quality Assurance
ST        Security Target
TOE       Target of Evaluation
TSF       TOE Security Functionality
TSFI      TSF interfaces

16 References

This section lists all documentation used as source material for this report:

a. CCS Publication #4, Technical Oversight, Version 1.1, August 2005.
b. Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 2, September 2007.
c. Common Methodology for Information Technology Security Evaluation, CEM, Version 3.1 Revision 2, September 2007.
d. EMC Corporation EMC® VoyenceControl™ v4.1.0 Security Target, Evaluation Assurance Level: EAL2+, Version 0.6, 6 August 2009.
e. Evaluation Technical Report for EAL 2+ Common Criteria Evaluation of EMC Corporation EMC® VoyenceControl™ v4.1.0, Document No. 1614-000-D002, Version 1.3, 31 August 2009.