Certification Report EAL 4+ (ALC_FLR.2) Evaluation of Comodo Yazılım A.Ş. Korugan UTM v1.10 issued by Turkish Standards Institution Common Criteria Certification Scheme Certificate Number: 21.0.03/TSE-CCCS-38 BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 2/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 TABLE OF CONTENTS TABLE OF CONTENTS .................................................................................................................................................2 DOCUMENT INFORMATION.......................................................................................................................................3 DOCUMENT CHANGE LOG .........................................................................................................................................3 DISCLAIMER..............................................................................................................................................................3 FOREWORD...............................................................................................................................................................4 RECOGNITION OF THE CERTIFICATE............................................................................................................................5 1 EXECUTIVE SUMMARY............................................................................................................................................6 1.1 REQUIRED NON-TOE HARDWARE/SOFTWARE/FIRMWARE………………....................................................................6 1.2 MAJOR SECURITY FEATURES……...........................................................................................................................7 1.3 MAJOR SECURITY FEATURES………………………………………………………………………………………………………………………………….7 2 CERTIFICATION RESULTS .........................................................................................................................................9 2.1 IDENTIFICATION OF TARGET OF EVALUATION.......................................................................................................9 2.2 SECURITY POLICY.................................................................................................................................................9 2.3 ASSUMPTIONS AND CLARIFICATION OF SCOPE ...................................................................................................10 2.4 ARCHITECTURAL INFORMATION.........................................................................................................................11 2.5 DOCUMENTATION.............................................................................................................................................12 2.6 IT PRODUCT TESTING.........................................................................................................................................12 2.6.1 DEVELOPER TESTING… ....................................................................................................................................12 2.6.2 EVALUATOR TESTING......................................................................................................................................12 2.7 EVALUATED CONFIGURATION............................................................................................................................13 2.8 RESULTS OF THE EVALUATION............................................................................................................................13 2.9 EVALUATOR COMMENTS / RECOMMENDATIONS ...............................................................................................14 3 SECURITY TARGET.................................................................................................................................................14 4 GLOSSARY............................................................................................................................................................15 5 BIBLIOGRAPHY .....................................................................................................................................................15 6 ANNEXES..............................................................................................................................................................15 BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 3/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 Document Information Date of Issue 19.04.2017 Approval Date 20.04.2017 Certification Report Number 21.0.03/17-001 Sponsor and Developer Comodo Yazılım A.Ş. Evaluation Lab BEAM Teknoloji A.Ş. TOE Korugan UTM v1.10 Pages 15 Prepared by Halime Eda BİTLİSLİ Reviewed by İbrahim Halil KIRMIZI This report has been prepared by the Certification Expert and reviewed by the Technical Responsible of which signatures are above. Document Change Log Release Date Pages Affected Remarks/Change Reference 1.0 19.04.2017 All First Release DISCLAIMER This certification report and the IT product/PP defined in the associated Common Criteria document has been evaluated at an accredited and licensed evaluation facility conformance to Common Criteria for IT Security Evaluation, version 3.1, revision 4, using Common Methodology for IT Products Evaluation, version 3.1, revision 4. This certification report and the associated Common Criteria document apply only to the identified version and release of the product in its evaluated configuration. Evaluation has been conducted in accordance with the provisions of the CCCS, and the conclusions of the evaluation facility in the evaluation report are consistent with the evidence adduced. This report and its associated Common Criteria document are not an endorsement of the product by the Turkish Standardization Institution, or any other organization that recognizes or gives effect to this report and its associated Common Criteria document, and no warranty is given for the product by the Turkish Standardization Institution, or any other organization that recognizes or gives effect to this report and its associated Common Criteria document. BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 4/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 FOREWORD The Certification Report is drawn up to submit the Certification Commission the results and evaluation information upon the completion of a Common Criteria evaluation service performed under the Common Criteria Certification Scheme. Certification Report covers all non-confidential security and technical information related with a Common Criteria evaluation which is made under the ITCD Common Criteria Certification Scheme. This report is issued publicly to and made available to all relevant parties for reference and use. The Common Criteria Certification Scheme (CCSS) provides an evaluation and certification service to ensure the reliability of Information Security (IS) products. Evaluation and tests are conducted by a public or commercial Common Criteria Evaluation Facility (CCTL = Common Criteria Testing Laboratory) under CCCS’ supervision. CCEF is a facility, licensed as a result of inspections carried out by CCCS for performing tests and evaluations which will be the basis for Common Criteria certification. As a prerequisite for such certification, the CCEF has to fulfill the requirements of the standard ISO/IEC 17025 and should be accredited by accreditation bodies. The evaluation and tests related with the concerned product have been performed by BEAM Teknoloji A.Ş. which is a commercial CCTL. A Common Criteria Certificate given to a product means that such product meets the security requirements defined in its security target document that has been approved by the CCCS. The Security Target document is where requirements defining the scope of evaluation and test activities are set forth. Along with this certification report, the user of the IT product should also review the security target document in order to understand any assumptions made in the course of evaluations, the environment where the IT product will run, security requirements of the IT product and the level of assurance provided by the product. This certification report is associated with the Common Criteria Certificate issued by the CCCS for Korugan UTM v1.10 whose evaluation was completed on 19.04.2017 and whose evaluation technical report was drawn up by BEAM Teknoloji A.Ş. (as CCTL), and with the Security Target document with version no 1.2 of the relevant product. The certification report, certificate of product evaluation and security target document are posted on the ITCD Certified Products List at bilisim.tse.org.tr portal and the Common Criteria Portal (the official web site of the Common Criteria Project). BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 5/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 RECOGNITION OF THE CERTIFICATE The Common Criteria Recognition Arrangement logo is printed on the certificate to indicate that this certificate is issued in accordance with the provisions of the CCRA. The CCRA has been signed by the Turkey in 2003 and provides mutual recognition of certificates based on the CC evaluation assurance levels up to and including EAL4. The current list of signatory nations and approved certification schemes can be found on: http://www.commoncriteriaportal.org BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 6/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 1. EXECUTIVE SUMMARY Evaluated IT product name: Korugan UTM IT Product version: v1.10 Developer’s Name: Comodo Yazılım A.Ş. Name of CCTL: BEAM Teknoloji A.Ş. Assurance Package: EAL 4+ (ALC_FLR.2) Completion date of evaluation: 19.04.2017 TOE is a management software collection over a web interface that provides mechanisms for management and monitoring of packet filtering, authentication, authorization, access control management, data flow control and policy, web and shell based management user interface, and audit records generation and collection. 1.1 Required non-TOE hardware/software/firmware Software, hardware environment of the TOE are described below.  Software environment of TOE TOE runs on a customized operating system. Operating system is a customized version of open source Linux distribution Cent OS 6 or higher.  Hardware Environment of TOE TOE runs on all versions of KORUGAN compliant hardware and on virtual appliances, with the following minimum requirements and equivalent/more performant hardware.  Intel® AtomTM processor E3815 (Codenamed “Bay Trail”)  4GB CF Type 2 Storage  2 GB RAM  4 x Intel GbE LAN ports without Bypass The hardware must be compatible with the Linux distribution used for deployment  2 x USB 2.0 Port  1 x CF socket  1 x RJ-45 Port  100-240AC Power supply BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 7/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 1.2 Main Security Features  ACCESS CONTROL MANAGEMENT The Korugan provides a role-based access control capability to ensure that only authorized administrators are able to administer the Korugan UTM unit.  AUTHENTICATION Korugan enables configuration and management over username and password mechanism for identification and authentication and authorization.  DATA FLOW CONTROL AND POLICY Korugan enables configuration of stateful traffic inspection firewall, i.e. inbound and outbound data flow is adherent to a arbitrarily set of rules defined by an authorized administrator over management interface. The default policy is default-deny unless configured to act else and can be configured.  LOGGING Korugan enables management of log generation and collection operations on both TOE and non-TOE components.  POLICY VIOLATION LOGS TOE collects and sends data for further processing in order to identify policy violation issues.  AUTHORIZATION The TOE verifies the identification information of an administrator provided by the environment (application) before any management function can be performed. 1.3 Threats  T.REPLAY An unauthorized person may use valid identification and authentication data obtained to access functions provided by the TOE.  T.REPEAT An unauthorized person may repeatedly try to guess authentication data in order to use this information to launch attacks on the TOE.  T.WEAKNESS A user might gain access to the TOE in order to read, modify or destroy TSF data by sending IP packets to the TOE and exploiting a weakness of the protocol used. This attack may happen from outside and inside the protected network. A user might also try to access sensitive data of the TOE via web management interface. BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 8/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21  T.AUDACC Persons may not be accountable for the actions that they conduct because the audit records are not reviewed, thus allowing an attacker to escape detection.  T.NOAUTH An unauthorized person may attempt to bypass the security of the TOE so as to access and use security function and/or non-security functions provided by the TOE.  T.SELPRO An unauthorized person may read, modify, or destroy security critical TOE configuration data.  T.BYPASS A user might attempt to bypass the security functions of the TOE in order to gain unauthorized access to resources in the protected networks. e. g., a user might send non-permissible data through the TOE in order to gain access to resources in protected networks by sending IP packets to circumvent filters. This attack may happen from outside the protected network.  T.USAGE The TOE may be inadvertently delivered, configured, used and administered in an insecure manner by authorized persons. BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 9/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 2. CERTIFICATION RESULTS 2.1 Identification of Target of Evaluation Certificate Number 21.0.03/TSE-CCCS-38 TOE Name and Version Korugan UTM v1.10 Security Target Title Korugan UTM Security Target Security Target Version v1.2 Security Target Date 18.04.2017 Assurance Level EAL 4+ (ALC_FLR.2) Criteria  Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; CCMB-2012-09-001, Version 3.1, Revision 4, September 2012  Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components; CCMB-2012-09-002, Version 3.1 Revision 4, September 2012  Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components; CCMB-2012-09-003, Version 3.1 Revision 4, September 2012 Methodology Common Criteria for Information Technology Security Evaluation, Evaluation Methodology; CCMB-2012-09-004, Version 3.1, Revision 4, September 2012 Protection Profile Conformance None Common Criteria Conformance   Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components; CCMB-2012-09-002, Version 3.1 Revision 4, September 2012, extended  Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components; CCMB-2012-09-003, Version 3.1 Revision 4, September 2012, conformant Sponsor and Developer Comodo Yazılım A.Ş. Evaluation Facility BEAM Teknoloji A.Ş. Certification Scheme TSE-CCCS 2.2 Security Policy Organizational Security Policies are; BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 10/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21  P.GENPUR There shall be no use of general-purpose computing capabilities (e.g., the ability to execute arbitrary code or applications) and storage repository capabilities on platforms where TOE runs.  P.PUBLIC The platforms where TOE runs shall not host public data. Databases or other company related information that may be accessed from internal or external network, which is publicly available to remote applications, shall not be stored on platforms where TOE runs.  P.SINGEN Network infrastructure shall be configured such that all the information between internal networks, external networks and DMZ pass through the gateway configured by the TOE. 2.3 Assumptions and Clarification of Scope  A.CORRECT The platform, where management interface runs, correctly transmits the information to the administrator’s web browser and receives the information correctly, which is sent to it by the server.  A.NOEVIL All authorized administrators are non-hostile, well trained and knows and follow the existing documentation of the TOE. However administrators are capable of error. The administrator is responsible for the secure operation of the TOE.  A.PHYSEC TOE is physically secure and controlled environment. It is assumed that: • There are no physical attacks on platforms • Physical access right is granted only to authorized administrators. • TOE shall only be accessed and managed from a Secure Environment using a computer system without known malware infection. • The administrator handles the authentication secrets with care, specifically that he will keep them secret and can use it in a way that nobody else can read it.  A.SECINIT The TOE is securely initialized, i.e. that the initialization is done according the procedure described in the documentation.  A.INFLOW No information can flow between internal, DMZ and external networks unless it passes through the TOE.  A.CONFW The network components (TOE and application) are configured in a secure manner. Specifically it is assumed that no incoming connections are accepted except protected data (e. g. SSL) from the management interface. BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 11/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21  A.TSP The IT environment provides reliable timestamps (NTP server).  A.PROT The data flow between the management machine and the network components is protected by cryptographic transforms (e. g. SSL authorization and SSL transport protection).  A.AUDIT The IT environment provides a Syslog server and a means to present a readable view of the audit data or an external log application is available as a means to present human readable view of audit data 2.4 Architectural Information TOE is used for monitoring and managing the network traffic policies between two different networks. TOE functions by configuring the information flow policy, network address translation and routing mechanisms of the security gateway of the network. According to policy specified by TOE, packet filter component of TOE denies or accepts the transmitted data to guard internal network. Figure 1: Physical and Logical scope of the TOE BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 12/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 Korugan UTM consists of three main subsystems which are Firewall (Netfilter), Web Management Interface and Audit / System Logging (syslog-ng). Physical and Logical scope of the TOE is shown in Figure 1. 2.5 Documentation Name of Document Version Number Date COMODO KORUGAN UTM Security Target v.1.2 18.04.2017 Comodo Korugan UTM Admin Guide v1.10 18.04.2017 2.6 IT Product Testing During the evaluation, all evaluation evidences of TOE were delivered and transferred completely to CCTL by the developers. All the delivered evaluation evidences which include software, documents, etc. are mapped to the assurance families Common Criteria and Common Methodology; so the connections between the assurance families and the evaluation evidences has been established. The evaluation results are available in the final Evaluation Technical Report (ETR) of Korugan UTM v1.10 It is concluded that the TOE supports EAL 4+ (ALC_FLR.2). There are 25 assurance families which are all evaluated with the methods detailed in the ETR. IT Product Testing is mainly described in two parts: 2.6.1 Developer Testing Developer has done total of 147 functional tests via Testrail test scenario management software tool. Test scenarios provided by developer covers all TSFI’s of the TOE. Also Korugan Test Plan document includes required information about developer’s testing strategy, test environment, used testing tools, etc 2.6.2 Evaluator Testing Independent Testing: Evaluator has done total of 29 test. 12 of them were selected from developer’s tests. The other 17 of them were evaluator’s independent tests. Penetration Testing: Evaluator has done 38 penetration tests to find out TOE’s vulnerabilities that can be used for malicious purposes. Potential vulnerabilities and penetration tests are defined in “Vulnerability Analysis Report”. BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 13/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 2.7 Evaluated Configuration Name of Document Version Number Publication Date COMODO KORUGAN Security Target 1.2 18.04.2017 GL423-COMODO-ANK-DEV- Functional Specifications 1.8 13.02.2017 GL427-COMODO-ANK-DEV- Security Architecture- 1.5 08.09.2016 GL425-COMODO-ANK-DEV-Low Level Design 1.5 28.12.2016 CUTM_Admin_Guide 1.10 18.04.2017 GL003-COMODO-ANK - CMP@Comodo TR - Configuration Management Process 1.1 07.10.2013 Comodo Korugan Test Planı 1.4 18.04.2017 Comodo Korugan Test Dokümantasyonu 1.9 26.12.2016 BTTM-CCE-002 ZAR 1.2 03.03.2017 2.8 Results of the Evaluation Table 2 above provides a complete listing of the Security Assurance Requirements for the TOE. These requirements consists of the Evaluation Assurance Level 4 (EAL 4) components as specified in Part 3 of the Common Criteria, augmented with ALC_FLR.2 Assurance Class Component Component Title Development ADV_ARC.1 Security Architecture Description ADV_FSP.4 Complete Functional Specification ADV_IMP.1 Implementation Representation of the TSF ADV_TDS.3 Basic Modular Design Guidance Documents AGD_OPE.1 Operational User Guidance AGD_PRE.1 Preparative Procedures Life-Cycle Support ALC_CMC.4 Production Support, Acceptance Procedures and Automation ALC_CMS.4 Problem Tracking CM Coverage ALC_DEL.1 Delivery Procedures ALC_DVS.1 Sufficiency of Security Measures BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 14/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 ALC_FLR.2 Flaw Reporting Procedures ALC_LCD.1 Developer Defined Life-Cycle Model ALC_TAT.1 Well-defined Development Tools Security Target Evaluation ASE_CCL.1 Conformance Claims ASE_ECD.1 Extended Components Definition ASE_INT.1 ST Introduction ASE_OBJ.2 Security Objectives ASE_REQ.2 Derived Security Requirements ASE_SPD.1 Security Problem Definition ASE_TSS.1 TOE Summary Specification Tests ATE_COV.2 Analysis of Coverage ATE_DPT.1 Testing: Security Enforcing Modules ATE_FUN.1 Functional Testing ATE_IND.2 Independent Testing Vulnerability Analysis AVA_VAN.3 Focused vulnerability analysis Table 2 – Security Assurance Requirements of TOE The Evaluation Team assigned a Pass, Fail, or Inconclusive verdict to each work unit of each EAL 4 assurance component. For Fail or Inconclusive work unit verdicts, the Evaluation Team advised the developer about the issues requiring resolution or clarification within the evaluation evidence. In this way, the Evaluation Team assigned an overall Pass verdict to the assurance component only when all of the work units for that component had been assigned a Pass verdict. So for TOE “Korugan UTM v1.10” the results of the assessment of all evaluation tasks are “Pass”. 2.9 Evaluator Comments / Recommendations No recommendations or comments have been communicated to CCCS by the evaluators related to the evaluation process of “Korugan UTM v1.10” product, result of the evaluation, or the ETR. 3 SECURITY TARGET The Security Target associated with this Certification Report is identified by the following terminology: Title: Korugan UTM Security Target Version: 1.2 Date of Document: 18.04.2017 BİLİŞİM TEKNOLOJİLERİ TEST VE BELGELENDİRME DAİRESİ BAŞKANLIĞI / INFORMATION TECHNOLOGIES TEST AND CERTIFICATION DEPARTMENT Doküman No BTBD-03-01-FR-01 CCCS CERTIFICATION REPORT Yayın Tarihi 30/07/2015 RevizyonTarihi 29/04/2016 No 05 Sayfa 15/15 Bu dokümanın güncelliği, elektronik ortamda TSE Doküman Yönetim Sisteminden takip edilmelidir. Basım tarih ve saati: 20.11.2017 11:21 A public version has been created and verified according to ST-Santizing: Title: Korugan UTM Security Target Lite Version: 1.2L2F Date of Document: 18.04.2017 4 GLOSSARY ADV : Assurance of Development AGD : Assurance of Guidance Documents ALC : Assurance of Life Cycle ASE : Assurance of Security Target Evaluation ATE : Assurance of Tests Evaluation AVA : Assurance of Vulnerability Analysis CC : Common Criteria (Ortak Kriterler) CCCS : Common Criteria Certification Scheme (TSE) CCRA : Common Criteria Recognition Arrangement CCTL : Common Criteria Test Laboratory CEM :Common Evaluation Methodology CMC : Configuration Management Capability CMS : Configuration Management Scope DEL : Delivery EAL : Evaluation Assurance Level OPE : Opretaional User Guidance OSP : Organisational Security Policy PP : Protection Profile PRE : Preperative Procedures SAR : Security Assurance Requirements SFR : Security Functional Requirements ST : Security Target TOE : Target of Evaluation TSF : TOE Secırity Functionality TSFI : TSF Interface 5 BIBLIOGRAPHY [1] Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4, September 2012 [2] Common Methodology for Information Technology Security Evaluation, CEM, Version 3.1 Revision 4, September 2012 [3] BTTM-CCE-002 DTR v.2.0.3 [4] COMODO KORUGAN Security Target v.1.2 6 ANNEXES There is no additional information which is inappropriate for reference in other sections