The IT product identified in this certificate has been evaluated at an accredited testing laboratory using the Common Methodology for IT Security Evaluation (Version 3.1) for conformance to the Common Criteria for IT Security Evaluation (Version 3.1). This certificate applies only to the specific version and release of the product in its evaluated configuration. The product's functional and assurance security specifications are contained in its security target. The evaluation has been conducted in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme and the conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence adduced. This certificate is not an endorsement of the IT product by any agency of the U.S. Government and no warranty of the IT product is either expressed or implied. Date Issued: 2014-01-29 Validation Report Number: CCEVS-VR-VID10343-2014 CCTL: Leidos (formerly SAIC) Common Criteria Testing Laboratory Assurance Level: EAL2 with ALC_FLR.3 Protection Profile Identifier: None Original Signed By Acting Director, Common Criteria Evaluation and Validation Scheme National Information Assurance Partnership Original Signed By Information Assurance Director National Security Agency National Information Assurance Partnership Common Criteria Certificate is awarded to Check Point Software Technologies LTD for Check Point Endpoint Security E80.30 (Build 8.1.327) National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Check Point Endpoint Security E80.30 (build 8.1.327) Report Number: CCEVS-VR-VID10343-2014 Dated: 29 January 2014 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6940 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940 ® TM VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) ii ACKNOWLEDGEMENTS Validation Team Ken Elliott Kenneth Stutterheim The Aerospace Corporation Columbia, Maryland Daniel P. Faigin The Aerospace Corporation El Segundo, California Common Criteria Testing Laboratory Dawn Campbell, Lead Evaluator Leidos Inc. Columbia, Maryland VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) iii Table of Contents 1 Executive Summary........................................................................................1 2 Identification...................................................................................................2 3 TOE Overview................................................................................................4 4 Assumptions, Threats, and Organizational Security Policies.........................5 4.1 Assumptions..............................................................................................5 4.2 Threats.......................................................................................................6 4.3 Organizational Security Policies...............................................................7 5 Clarification of Scope .....................................................................................8 6 Architectural Information ...............................................................................9 7 Security Policy..............................................................................................13 7.1 Security Audit.........................................................................................14 7.2 Security Management (Trusted path/channels) ......................................14 7.3 Blade Security.........................................................................................14 7.3.1 Full Disk Encryption (FDE).......................................................................... 14 7.3.2 Encryption Policy Manager (EPM) .............................................................. 15 7.3.3 Device Manager............................................................................................ 15 7.3.4 Removable Media Manager.......................................................................... 15 7.3.5 Firewall ......................................................................................................... 16 7.3.6 Application Control ...................................................................................... 16 7.3.7 Program Advisor........................................................................................... 16 7.3.8 Enforcement Rules (Protection of the TSF).................................................. 16 7.3.9 VPN Client (Trusted path/channels)............................................................. 17 8 Documentation..............................................................................................17 8.1 Product Guidance....................................................................................17 9 Product Testing.............................................................................................18 9.1 Developer Testing...................................................................................18 9.2 Evaluation Team Independent Testing ...................................................18 9.3 Vulnerability Testing ..............................................................................20 10 Evaluated Configuration...............................................................................20 11 Results of the Evaluation ..............................................................................22 12 Validator Comments/Recommendations ......................................................23 13 Security Target..............................................................................................23 14 Bibliography .................................................................................................24 VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 1 1 Executive Summary The evaluation of the Check Point Endpoint Security E80.30 (build 8.1.327) product was performed by Leidos, Inc. a Common Criteria Testing Laboratory (CCTL) in Columbia, Maryland, United States of America and was completed in December 2013. The evaluation was conducted in accordance with the requirements of the Common Criteria and Common Methodology for IT Security Evaluation (CEM), version 3.1 Revision 3. The evaluation was consistent with National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) policies and practices as described on their web site (www.niap-ccevs.org). The LEIDOS evaluation team determined that the product is Common Criteria Part 2 Conformant and Common Criteria Part 3 Conformant, and that the Evaluation Assurance Level (EAL) for the product is EAL 2 augmented with ALC_FLR.3. The information in this Validation Report is largely derived from the Evaluation Technical Report (ETR) and associated test reports produced by the LEIDOS evaluation team. This Validation Report is not an endorsement of the Target of Evaluation by any agency of the U.S. government, and no warranty is either expressed or implied. The TOE is Check Point Endpoint Security E80.30 (build 8.1.327) with the following software blades: Full Disk Encryption, Media Encryption & Port Protection, Firewall & Application Control, Compliance, and Virtual Private Networking (VPN). Check Point Endpoint Security is a workstation security software product that is installed on user desktop and laptop hosts in an enterprise setting. Supported operating systems include: Windows 7 Enterprise, Professional, Ultimate editions (32-bit and 64-bit). The product provides pre-boot user authentication, cryptographic protection for data stored on hard disks and removable media, enforces defined security policies on all host I/O interfaces (USB, serial, etc.), and provides information flow control for network traffic entering and departing the host. In addition, the product can be configured to invoke third-party components installed on the host that perform malware scanning and analysis. The product audits the security relevant actions it performs, and makes that audit available to authorized remote administrative users. Check Point Endpoint Security can be used to enforce corporate security compliance policies. The client analyzes the host’s compliance status (e.g. patch levels, anti-virus updates, etc.) and can be configured to prevent a non-compliant workstation from gaining access to network resources. The Endpoint Connect VPN client capability supports establishment of a secure channel between the Check Point Endpoint Security client and a Check Point Security gateway, using the IKE/IPSec security protocols. Some of the cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. Such cryptography has only been asserted as tested by the vendor. Section 6.2 identifies the cryptographic functions that are provided by FIPS-assessed components, and the cryptographic functions that are only asserted as tested by the vendor. The TOE, when configured as specified in the guidance documentation, satisfies all of the security functional requirements stated in the Check Point Endpoint Security E80.30 Security Target (ST). VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 2 2 Identification The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs) using the Common Evaluation Methodology (CEM) for Evaluation Assurance Level (EAL) 1 through EAL 4 in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation. The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products, desiring a security evaluation, contract with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product is added to NIAP’s Validated Products List. Table 1 provides information needed to completely identify the product, including: • The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated; • The Security Target (ST), describing the security features, claims, and assurances of the product; • The conformance result of the evaluation; • The Protection Profile to which the product is conformant; and • The organizations and individuals participating in the evaluation. Table 1: Evaluation Identifiers Item Identifier Evaluation Scheme United States NIAP Common Criteria Evaluation and Validation Scheme TOE: Check Point Endpoint Security E80.30 (build 8.1.327) Protection Profile None ST: Check Point Endpoint Security E80.30 Security Target, Version 1.0, January 22, 2014 Evaluation Technical Report Evaluation Technical Report for Check Point Endpoint Security E80.30, Part 1 (Non-Proprietary), Version 0.2, 23 January 2014 Evaluation Technical Report for Check Point Endpoint Security E80.30, Part 2 (Proprietary), Version 0.2, 23 January 2014. CC Version Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009 Conformance Result CC Part 2 conformant and Part 3 conformant, EAL 2 augmented with ALC_FLR.3 Sponsor Check Point Software Technologies LTD VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 3 Item Identifier Developer Check Point Software Technologies LTD Common Criteria Testing Lab (CCTL) Leidos Inc., Columbia, MD CCEVS Validators Kenneth Elliott Kenneth B Stutterheim Daniel P. Faigin The Aerospace Corporation VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 4 3 TOE Overview The TOE is Check Point Endpoint Security E80.30 (build 8.1.327) with the following software blades: Full Disk Encryption, Media Encryption & Port Protection, Firewall & Application Control, Compliance, and VPN. Check Point Endpoint Security E80.30 (build 8.1.327) is a workstation security software product that is installed on user desktop and laptop hosts in an enterprise setting. Supported operating systems include: Windows 7 Enterprise, Professional, Ultimate editions (32-bit and 64-bit). The product provides pre-boot user authentication, cryptographic protection for data stored on hard disks and removable media, enforces defined security policies on all host I/O interfaces (USB, serial, etc.), and provides information flow control for network traffic entering and departing the host. In addition, the product can be configured to invoke third-party components installed on the host that perform malware scanning and analysis. The product audits the security relevant actions it performs, and makes that audit available to authorized remote administrative users. Check Point Endpoint Security E80.30 (build 8.1.327) can be used to enforce corporate security compliance policies. The client analyzes the host’s compliance status (e.g. patch levels, anti-virus updates, etc.) and can be configured to prevent a non-compliant workstation from gaining access to network resources. The included Endpoint Connect VPN client capability supports establishment of a secure channel between the Check Point Endpoint Security E80.30 (build 8.1.327) client and a Check Point Security gateway, using the IKE/IPSec security protocols. The TOE: Check Point Endpoint Security E80.30 (build 8.1.327) is comprised of the following Check Point software blades1 : • Full Disk Encryption Blade • Media Encryption & Port Protection Blade • Firewall & Application Control Blades • Compliance Blade • VPN Blade These components are installed on a workstation running one of the following Microsoft Windows operating systems: Windows 7 Enterprise, Professional, Ultimate editions (32-bit and 64-bit). The underlying hardware platform and operating system on which the TOE software is installed are considered to be in the TOE Operating Environment, and thus outside the TOE boundary. The vendor has tested TOE invocation of the following third party anti-virus software: McAfee VirusScan and Kaspersky Antivirus. Invocation of other anti-virus products were not covered by this evaluation; Check Point’s support website provides solution id sk68080 that provides a current list of AntiVirus products the vendor claims this product supports. New releases of those products are supported through the Flaw Remediation process. Due to the dynamic nature of AV products TOE users should contact Check Point Support for integration of new AV versions into 1 Software Blades are security modules purchased by customers independently or in pre-defined bundles. Note that not all software blades are covered by the evaluation. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 5 the TOE. The anti-virus engines themselves are in the operational environment, and thus outside the TOE boundary. While some basic management capabilities are provided in the client software, Check Point Endpoint clients are designed to be centrally managed. However, management server products are separate products that are not required to effectively use the client. In the context of this ST, the management server is treated as a ‘remote user’ that can be authorized to perform identified TOE management operations. 4 Assumptions, Threats, and Organizational Security Policies The statement of TOE security environment describes the security aspects of the environment in which it is intended that the TOE will be used and the manner in which it is expected to be employed. The statement of TOE security environment therefore identifies the assumptions made on the operational environment and the intended method for the product and defines the threats that the product is designed to counter. The security environment is defined in terms of assumptions made by the TOE and threats to the TOE. There are no defined organizational policies. 4.1 Assumptions The following are the assumptions identified in the Security Target: • The workstation hardware and operating system will be installed and maintained in a manner that cooperates with the TOE and does not actively seek to disable or otherwise impair or bypass any of the security functions of the TOE. Notes: The TOE depends on the underlying platform to ensure that its security functions are protected from tampering, deactivation, interference and bypass. TOE components hook into published operating system interfaces in order to intercept application requests, and TOE security functions depend on the correctness of implementation of these operating system interfaces. While the TOE provides self-protection mechanisms intended to prevent users from tampering with its security functions or with overall system integrity, it is also expected that the operating system shall be installed and maintained such that users receive restricted permissions in support of these security objectives. For example, it is expected that users cannot run kernel-level software that might bypass operating system drivers and interacts directly with hardware devices. The TOE also relies on the operating system to provide reliable timestamps in support of audit and information flow control functionality. System administrators are expected to follow operating system Common Criteria evaluated configuration guidance for operating system installation. • Authorized users will keep authentication credentials private. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 6 Notes: Users must keep their passwords and PINs secret, and will not let others use their authentication tokens. When entering offline removable media device passwords into EPM Explorer in order to access encrypted data on the removable media on a host outside of the TOE, the user must ensure that the host environment can be trusted not to compromise the password’s secrecy. • When a one-time Remote Help password is generated, the authorized help desk representative will first authenticate the presumed authorized user by means outside of the TOE, and will communicate the password using secure delivery procedures. • The owners of the TOE must ensure that the private keys used by management servers or security gateways to communicate with the TOE are maintained in a manner that maintains adequate security. It is advised to follow Common Criteria evaluated configuration guidance for other Check Point product installations that interoperate with the TOE to ensure their secure operation. 4.2 Threats The following are the threats levied against the TOE and its environment as identified in the Security Target. The threats that are identified are mitigated by the TOE and its environment. All of the threats identified in the ST are addressed. • An unauthorized user with physical access to the workstation may access information stored on the workstation’s disk drive. Notes: The unauthorized user might attempt to impersonate an authorized user by entering spoofed authentication credentials, or remove the hard drive from the workstation to attempt to extract information stored on the drive. • An unauthorized user with physical access to the workstation may subvert the workstation’s system software or normal boot process. Notes: The unauthorized user might attempt to modify the boot record or boot up the workstation from a different device (e.g. floppy disk) in an attempt to subvert authentication mechanisms, or attempt to install spyware by writing it directly to the drive, in order to compromise workstation system integrity. • An authorized user may circumvent security policy by installing inappropriate software, connecting unauthorized devices to the workstation, or disabling security mechanisms. Notes: The user might attempt to install inappropriate software (e.g. unlicensed software or recreational software), connect unauthorized devices (e.g. unencrypted media devices, modems, wireless LAN adapters), or attempt to disable security mechanisms such as anti- virus software or cancel system security updates, thus modifying the system in an unauthorized manner. • User and system applications may leak inappropriate information. • Non-malicious applications and services might utilize network services that are not in- line with security policy, leaking inappropriate information to unauthorized entities. For example, some applications connect to software vendor update servers, providing information on workstation configuration. • Spyware applications installed on the workstation may leak information to external entities. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 7 Notes: Spyware is software that has a hidden, malicious intent to leak information from the workstation to external entities, usually by connecting over the network to subverted servers. Spyware can infect the workstation via various vectors, e.g. in the guise of “freeware”, or even as part of purchased software packages. Spyware may sometimes remain undetected for long periods of time, because it tends not to have visible impact on system behavior. • Malicious code may be injected into the workstation via workstation device ports, compromising system integrity. Notes: This statement is intended to describe the threat of malicious software that attempts to inject itself into the workstation, modifying system or application files as a means of replicating itself and spreading to other hosts. Viral spread vectors may include removable media devices, removable media, or executable content downloaded over the network. Virii are often distinguished from Trojans which spread with the inadvertent help of the authorized user, and from Worms that spread by exploiting network-exposed vulnerabilities or characteristics. • Malicious code may run on the workstation, attempting to spread to other hosts over the network. Notes: The most common worm spread vector is email, a ubiquitous service that is available on most workstations and is allowed to traverse corporate networks and perimeter security devices, both because of the complexity of the common mail application (complexity breeding vulnerabilities), and because of the naivety of users that often inadvertently aid the worm in spreading to others. The worm typically impacts the system adversely in terms of increased network load and decreased availability. • An unauthorized entity on a connected network may exploit network-exposed vulnerabilities to subvert the workstation. Notes: Applications and services might expose vulnerabilities to the network by connecting to external servers over insecure connections, or by listening to network ports and processing network input in an insecure manner, thus allowing the attacker to exploit these vulnerabilities in order to compromise the integrity of the system. • An unauthorized entity may intercept or modify information in transit between the workstation and remote IT entity. Notes: The attacker gains access to the network path between the workstation and another host, and intercepts the information in transit between the two network peers, gaining unauthorized access to the information or maliciously modifying it. • A program may write information to a removable media device or removable media, and the media might later fall into the hands of an unauthorized user that gains access to the information. Notes: The threat agent here is defined as the program that leaks the information, not the unauthorized user, because the latter does not take an active role in the information leakage 4.3 Organizational Security Policies None. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 8 5 Clarification of Scope All evaluations (and all products) have limitations, as well as potential misconceptions that need clarifying. This text covers some of the more important limitations and clarifications of this evaluation. Note that: • As with any evaluation, this evaluation only shows that the evaluated configuration meets the security claims made, with a certain level of assurance (EAL 2 extended in this case). • As with all EAL 2 evaluations, this evaluation did not specifically search for, nor seriously attempt to counter, vulnerabilities that were not “obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an “obvious” vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources. • The third-party anti-virus product bundled with the TOE is considered to be outside the boundaries of the TOE. However, the TOE supports a variety of anti-virus products that may be installed on the workstation by the user, independently of the TOE. All Check Point Endpoint Security E80.30 (build 8.1.327) product functionality is not included in the Target of Evaluation. The following features have not been evaluated as to their correctness: • Advanced Password Functionality. Specifically, although the product supports password complexity requirements and a password history, these capabilities were not covered by the evaluation. • Login banners. • Bundled Third-party Anti-Virus Product. The third-party anti-virus product bundled with the TOE is considered to be outside the boundaries of the TOE. However, the TOE supports a variety of anti-virus products that may be installed on the workstation by the user, independently of the TOE. • Smart Cards. Although authentication using smartcards was included in the evaluation, the capability of the smartcards and the smartcard readers themselves were not. • Underlying Hardware and Software Environment. The TOE components are installed on a workstation running a Microsoft Windows operating system. The underlying hardware platform and operating system on which the TOE software is installed are considered to be outside the TOE. • Audit Log Protection. The TOE protects audit logs when stored locally. Audit logs are stored on the encrypted part of the disk and thus the TOE requires user authentication prior to granting access to local audit logs. Also, the TOE does not provide interfaces to delete audit data. Since there are no SFRs related to local audit storage, the TOE behavior regarding the storage, integrity and overwriting of local audit storage has not be evaluated. • Local Audit Review. Only the remote transmission audit mechanism has been evaluated, including the remote review of audit. Local review of audit does not satisfy the Common Criteria audit requirements; therefore, the local review of audit data was not evaluated and was not tested. Some Check Point Endpoint Security functionality is specifically excluded and thus its use is NOT permitted in an evaluated configuration: VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 9 • Software Blades. The TOE is comprised of the following Check Point software blades: Full Disk Encryption, Media Encryption & Port Protection, Firewall & Application Control, Compliance, and Virtual Private Networking (VPN). The Check Point Endpoint Security also provides two additional blades: the Check Point WebCheck Blade and the Check Point Anti-malware blades. These blades have not been evaluated. They are not permitted, and must not be installed, in an evaluated configuration. • Legacy VPN Clients. The TOE includes the Endpoint Connect VPN, however, the command line option for endpoint connect is not permitted to be used in the evaluated configuration. Additionally, the use of the Check Point Legacy VPN is not permitted in the evaluated configuration. • Virtual Keyboard/Character Map. The Virtual keyboard and character map function of the TOE are NOT permitted in the evaluated configuration. Lastly, note that the TOE relies on the hardware and the operating system in the environment for reliable timestamps used in audit and cryptography. 6 Architectural Information 6.1 High-Level Architectural Description This section provides a high level description of the TOE and its components as described in the Security Target. The TOE, Check Point Endpoint Security E80.30 (build 8.1.327), is a software product that is installed on a single workstation in an enterprise setting. Check Point Endpoint Security E80.30 (build 8.1.327) protects the workstation from unauthorized access by physical, network-based, and external device-based threats. The workstation, its operating system, applications running on the workstation, external devices and media (including authentication tokens if used), and any network-based services (such as a Windows Domain Controller) are all outside of the TOE boundary. The product is a part of the comprehensive Check Point unified security architecture, and as such is typically centrally-managed using other Check Point security management products. Management servers support remote management, log review, and can serve as a centralized key storage repository for removable media encryption. Local user management and log review interfaces are also available. The product also interacts with Check Point security gateways for remote access VPN. In the context of this security target, the TOE includes only the Check Point Endpoint Security E80.30 (build 8.1.327) software installed on the workstation—other Check Point components are evaluated separately. The TOE, Check Point Endpoint Security E80.30 (build 8.1.327) includes the following components: Full Disk Encryption Full Disk Encryption Controls access to the workstation though pre-boot authentication and user- transparent full disk encryption. This feature prevents unauthorized users with physical access from gaining access to any data on the disk. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 10 Media Encryption & Port Protection Port Protection Controls access to devices through all workstation ports. This feature prevents users from connecting unauthorized devices to client machine ports, providing On/Off/Read Only access control levels. Removable Media Manager Restricts the workstation to using only authorized removable media. Removable Media Encryption (EPM) Encrypts and protects information stored on removable media devices such as USB disks and external disk drives, and on CDs, and DVDs. Access to data stored on the media is thus restricted to authorized users. Includes the EPM Explorer utility for offline access to the encrypted media. Note that when use of removable encrypted media is required, audio CDs cannot be read or written. Firewall & Application Control Firewall Personal Firewall for network traffic flowing in and out of the workstation. Application Control Controls network information flow permissions on a per-application basis. Compliance Enforcement Rules Constrains network communication for workstations that do not comply with defined configuration rules, e.g. correct anti-virus version installed. VPN VPN Client Provides an encrypted and authenticated trusted channel for remote access users connecting through a VPN gateway to internal resources. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 11 Check Point Endpoint Security is a software product produced by Check Point. The product is installed on a workstation hardware platform that is running a Microsoft Windows operating system (Windows 7 Enterprise, Professional, Ultimate editions (32-bit and 64-bit). The following diagram is a representation of the physical boundaries of the TOE and its components. Figure 1. TOE Scope and Physical Boundaries Pre-Boot Environment Physical Computer Casing Hardware Hard Disk Full Disk Encryption USB Serial Parallel Firewire NIC IrDA Removable Media Device Media Manager / Media Encryption Device Manager VPN Client Firewall EPM Explorer (utility) Operating System User Space Drivers Application Services LAN Key TOE components Storage encrypted by TOE Anti-Malware User Applications VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 12 In addition to kernel-level drivers, the product installs services that are responsible for communication with peer IT entities, management, logging, and compliance testing. A task bar application provides a Graphical User Interface (GUI) that allows the local user to perform security management and log review operations. A Media Import Wizard for encrypting removable optical media is integrated into the operating system’s optical media burn interaction, and can also be launched directly from the task bar application. The different parts of the TOE are depicted in red in Figure 1. The TOE encrypts data stored on the workstation hard disk, and can be configured to encrypt storage on removable media devices and removable media2 (outside the TOE). As depicted in Figure 1, the TOE includes an EPM Explorer utility that can be written on encrypted removable media devices. When the encrypted removable media device is inserted into a trusted host outside of the TOE that does not include an installation of Check Point Endpoint Security, the EPM Explorer utility can be used to provide access to the encrypted storage. The security of the data on the removable media device is derived from the fact that it was encrypted by the TOE, using an offline password bound to the TOE’s password selection constraints. The TOE assumes that the operational environment is benign with respect to the execution environment of the EPM Explorer utility and to any possible modification of the utility while stored on the device, to prevent compromise of the offline password used to protect the data. The vendor has tested TOE invocation of the following third party anti-virus software: McAfee VirusScan and Kaspersky Antivirus. Invocation of other anti-virus products were not covered by this evaluation; Check Point’s support website provides solution id sk68080 that provides a current list of AntiVirus products the vendor claims this product supports. New releases of those products are supported through the Flaw Remediation process. Due to the dynamic nature of AV products TOE users should contact Check Point Support for integration of new AV versions into the TOE. The anti-virus engines themselves are in the operational environment, and thus outside the TOE boundary. 6.2 Usage of Cryptography The subject of criteria for the assessment of the inherent qualities of cryptographic algorithms is not covered in the CC. The SFRs in the Cryptographic Support (FCS) class stated in the ST therefore reference external standards that the implementation must meet when providing the required capabilities. Table 1 summarizes the standards compliance claims made in the ST and states for each the method used to determine compliance (aside from development assurances). The method may be an applicable NIST certificate number or a vendor assertion. 2 Note that ‘removable media device’ is a subset of ‘removable I/O device’, both of which are distinct from ‘removable media’. Removable I/O devices are any devices that can be attached and detached, in its entirety, from a host workstation. Removable media devices are those removable I/O devices capable of storing data (e.g., the contents can potentially be written). Removable media includes floppy disks, CDs, and DVDs where the media itself is removable from a device attached to a host workstation. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 13 Table 1. Cryptographic Standards and Method of Determining Compliance Standard claimed Cryptographic SFRs Method of determining compliance ANSI X9.31-based DRNG FCS_CKM.1 RNG certs. #90, #222, #250 FIPS 140-2 Level 1 FCS_CKM.1, FCS_CKM.4 Vendor assertion3 IKE per RFC 2409 FCS_CKM.2 Vendor assertion TLS v1.0 per RFC 2246 FCS_CKM.2 Vendor assertion AES in CBC mode per FIPS PUB 197 FCS_COP.1 AES certs. #257, #430, #466 SHA-1 per NIST PUB FIPS 180-2 FCS_COP.1 SHS certs. #332, #499, #534 MD5 per RFC 1321 FCS_COP.1 Vendor assertion Triple DES in CBC mode per FIPS PUB 46-3 FCS_COP.1 Triple DES certs. #338, #459 HMAC-SHA-1 and HMAC-SHA-256 per RFC 2104, FIPS PUB 198 FCS_COP.1 HMAC cert. #67, #202 RSA per PKCS#1 FCS_COP.1, FCS_CKM.3 RSA certs. #66, #132, #162 Key wrap per PKCS#5 FCS_CKM.3 Vendor assertion 7 Security Policy The TOE supports the following security functions: • Security Audit • Security Management (Trusted path/channels) • Blade Security (Cryptographic Support, User Data Protection, Identification and Authentication, Protection of the TSF, Trusted Path/Channels) o FDE o EPM o Device Manager 3 The Check Point Endpoint Security components identified in the ST each use embedded cryptographic code modules: Full Disk Encryption incorporates the Check Point Crypto Module, FIPS 140-2 certificate #770; Media Encryption & Port Protection incorporates the Reflex Magnetics Cryptographic Library, FIPS 140-2 certificate #784; and VPN is derived from a version of the VPN-1 cryptographic module (FIPS 140-2 certificate #1219). The method of determining compliance is given as ‘vendor assertion’ because the product as a whole has not undergone FIPS 140-2 validation. Also note that while these FIPS 140-2 validations were performed on a subset of the operating systems supported by the TOE, FIPS 140-2 Implementation Guidance G.5 allows vendor porting and re-compilation of a validated software cryptographic module to a compatible operating system that was not included as part of the validation testing, when this does not require source code modifications, as is the case here. The validation status is maintained in this case without re-testing. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 14 o Removable Media Manager o Firewall o Application Control o Program Advisor o Enforcement Rules (Protection of the TSF) o VPN Client (Trusted path/channels) 7.1 Security Audit Security-relevant events from all Check Point Endpoint Security suite components (except for VPN) can be logged in the local audit trail. The audit events are sent to an external central administrative location where they are stored and can be viewed by remote authorized administrators. Although the system permits authorized local users to review the audit trail, the interface provided does not meet the requirements of the Common Criteria, and thus its use was not covered by the evaluation. 7.2 Security Management (Trusted path/channels) The TOE provides a management application that allows the local user to access and modify product security settings for all Check Point Endpoint Security E80.30 (build 8.1.327) suite components, and to review the audit trail. Remote users are authenticated by their certificates in the context of the establishment of the IKE or TLS secure channel. In addition, Check Point Endpoint Security provides interfaces for remote users to perform management operations from remote management servers (outside of the TOE) after being identified and authenticated by Check Point Endpoint Security. Audit log records are sent to the remote host, and security policy settings downloaded from the management server update the locally-defined policy. 7.3 Blade Security 7.3.1 Full Disk Encryption (FDE) Full Disk Encryption (FDE) encrypts the entire hard disk, including all operating system and user areas. Because encryption is performed on a sector by sector basis instead of on the basis of file and directory encryption, all disk contents are protected, including, in addition to normal data files, system files, swap files, temporary files, deleted files, and unused space. This ensures that an unauthorized user that gains physical access to the disk (e.g. in the case of a stolen laptop) cannot access or modify any information. Users are authenticated by the Pre-Boot Environment, using fixed passwords or smartcards. In addition, a remote help feature allows the user to receive a one-time password that allows the user to login in the case of mislaid authentication credentials, as well as changing a fixed password that has been forgotten. The Pre-Boot Environment maintains an authentication failure counter. When the administrator-configurable threshold is exceeded, the TOE marks the user’s account record as locked, so that further login attempts to this account are denied until the account is unlocked by an authorized administrator or until a preset time interval has passed. Once authenticated, Check Point Endpoint Security boots up the operating system normally, installing a kernel driver that decrypts disk contents on the fly, transparently to the user, as well as transparently encrypting any updated disk sectors. Encryption is performed using encryption VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 15 keys that are derived from user credentials. This ensures that Full Disk Encryption is maintained at all times, even when the workstation powers down unexpectedly. It also obviates the need to do a full disk overwrite on discarded disks – the data on the disk is unreadable without the user credentials. FIPS 140-2 validated cryptography (FIPS 140-2 certificate #770) is used for Full Disk Encryption, using either 256 bit AES or Triple DES as encryption algorithms. 7.3.2 Encryption Policy Manager (EPM) The Encryption Policy Manager (EPM) provides a configurable Removable Media Encryption capability that extends cryptographic protection to removable media devices. When a removable media device is inserted into a protected workstation, Check Point Endpoint Security can be configured to restrict access only to an encrypted storage area on the device, or conversely to allow only read-only access to prevent information from leaking onto an insecure device. The Device Encryption Key (DEK) is generated randomly and stored in encrypted form, wrapped by a Key Encryption Key (KEK) that is generated and stored on the management server (outside the TOE), or stored on the media encrypted in a password-based encryption format with a user- entered password, for supporting offline access to the data when the management server is not available. Encryption and decryption are performed transparently when data is written to or read from the removable device. FIPS 140-2 validated 256 bit AES (FIPS 140-2 certificate #784) is used for data encryption. Check Point Endpoint Security can also be configured to encrypt information written to CD and DVD removable media, when using the operating system’s built-in CD/DVD writing software. 7.3.3 Device Manager Device Manager controls user access to devices connected to various ports on the workstation, including USB, COM, LPT, PCMCIA, IrDA, Firewire and Bluetooth ports, as well as other devices such as modems, network adaptors, and storage devices. The administrator can determine for each device whether access is enabled for full access (Read/Write), disabled or set to Read Only, and for removable media and removable media devices, whether the workstation may execute programs from the removable media. 7.3.4 Removable Media Manager Unauthorized media inserted into a protected workstation may contain malware that might infect the workstation. Check Point Endpoint Security can be configured to reject access to unauthorized removable media devices and floppy disks, or to invoke a content scanner installed in the operational environment of the workstation (e.g. anti-virus software) to authorize the device. Note that the content scanners are not covered by the evaluation. Check Point Endpoint Security stores a computed permutational hash on the device that represents the data written to the device from authorized Check Point Endpoint Security workstations. When a removable media device or floppy disk is inserted into a protected workstation that does not contain a hash, the Removable Media Manager concludes that this is the first time that the media is imported into Check Point Endpoint Security. When the hash on the device does not match the media contents, it has been modified on an external workstation. In either case, the media requires re-authorization for access to be allowed. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 16 7.3.5 Firewall Check Point Endpoint Security implements information flow control rules representing a Personal Firewall Policy that mediates all inbound and outbound network traffic from the protected workstation. Traffic can be allowed or blocked based on source and destination addresses, protocols and ports. 7.3.6 Application Control In addition to the information flow control defined by Firewall Rules, Check Point Endpoint Security implements network access control for programs on the workstation. Each program can be allowed or blocked from establishing network connections, on the basis of the presumed identity of the peer host (trusted or otherwise), on the basis of whether the program is initiating the connection or listening for one (acting as a server), and the requested protocols and ports. Programs that violate the Application Control rules may also be automatically terminated. Programs are authenticated on execution and when attempting to connect to network resources by calculating a MD5 hash of the program’s components and comparing it to the hash stored in the program list. This feature can provide mitigation for Trojans and spyware that attempt to connect to malicious servers. It can also mitigate viruses that attempt to modify programs on the workstation. Application Control will detect a new or modified program and will prevent it from accessing the network. The application control blade also provides the capability to invoke third-party anti-virus software. The vendor has tested TOE invocation of the following third party anti-virus software: McAfee VirusScan and Kaspersky Antivirus. Invocation of other anti-virus products were not covered by this evaluation; Check Point’s support website provides solution id sk68080 that provides a current list of AntiVirus products the vendor claims this product supports. New releases of those products are supported through the Flaw Remediation process. Due to the dynamic nature of AV products TOE users should contact Check Point Support for integration of new AV versions into the TOE. The anti-virus engines themselves are in the operational environment, and thus outside the TOE boundary. 7.3.7 Program Advisor Smart Defense Program Advisor is a Check Point service that provides recommendations for Application Control. It can be used to reduce administrative workload by incorporating recommendations from Check Point security professionals about which permissions to assign to common programs. Customers download Program Advisor recommendations from Check Point into the management server, and may choose to either accept these permission settings or override them with custom settings. This interaction is entirely outside the TOE boundary. 7.3.8 Enforcement Rules (Protection of the TSF) Check Point Endpoint Security can be configured to monitor the protected workstation for compliance with policy restrictions defined as Enforcement Rules. Enforcement Rules may require a certain anti-virus application to be active, a minimum version of the Check Point Endpoint Security client itself, or the presence or absence of defined registry keys, files, or VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 17 programs indicating the presence or absence, respectively of a security-relevant component on the workstation. When an Enforcement Rule is found to be in non-compliance, the user or administrator may receive a notification, or the workstation may be restricted from accessing the network and/or other defined I/O devices, except for a defined “sandbox” area from which the user may download remediation resources. 7.3.9 VPN Client (Trusted path/channels) Check Point Endpoint Security can be configured to establish VPN trusted channels to Check Point gateway products, using the IKE/IPSec protocols. The gateways’ Encryption Domain (the set of addresses located behind the gateways) is downloaded from the gateway after it is authenticated by its public key certificate. Once the trusted channel is connected, all traffic to and from the gateway’s Encryption Domain is protected from disclosure and modification while traversing the network. The client can also be configured to route all traffic through the VPN tunnel to the gateway (Hub Mode), so that all traffic is filtered by the gateway. The TOE includes the Endpoint Connect VPN; this is the only VPN usable in the evaluated configuration. 8 Documentation 8.1 Product Guidance The following is list of the guidance documentation, each of which was issued by the developer (and sponsor) and can be obtained on their website and with the product download: • Endpoint Security CC Evaluated Configuration Administrator Guide Version E80.30, January 2014 • Endpoint Security CC Evaluated Configuration User Guide Version E80.30, September 2013 • Endpoint Security Client E80.30 User Guide, 2 November 2011 Additionally the following proprietary evidence was used in the evaluation. It is not generally available to the public. • Check Point Endpoint Security Life Cycle Version 0.5, November 15, 2013 • Check Point Endpoint Security Test Documentation Version 1.6, November 18, 2013 • Actual Test Results (screenshots) • Check Point Endpoint Security E80.30 Security Target, Version 1.0, January 22, 2014 • Check Point Endpoint Security Functional Specification Version 0.8, November 19, 2013 • Check Point Endpoint Security TOE Design Specification Version 0.4, November 15, 2013 • Check Point Endpoint Security Architecture Version 0.4, April 14, 2013 • Check Point Endpoint Security Supplementary Evidence: • Check Point Endpoint Security Ben Gurion Management Client Interface Protocol Specification Version 2.11, not dated VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 18 • Check Point Endpoint Security R7x Functional Specification Version 0.22, December 29, 2011 • ZoneLabs Product Architecture Document Zonelabs Protected Document Specification (K2_zpdoc), Version 1.0 September 19, 2013 9 Product Testing This section describes the testing efforts of the developer and the Evaluation Team. Some of the cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. Such cryptography has only been asserted as tested by the vendor. Section 6.2 identifies the cryptographic functions that are provided by FIPS-assessed components, and the cryptographic functions that are only asserted as tested by the vendor. 9.1 Developer Testing The developer tested the interfaces identified in the functional specification and mapped each test to the security function, more specifically to the security functional requirements tested. The scope of the developer tests included all the TSFI. The testing covered the security functional requirements in the ST including: Security Audit, Security Management, Cryptographic Support, User Data Protection, Identification and Authentication, Protection of the TSF, Trusted Path/Channels. All security functions were tested and the TOE behaved as expected. The evaluation team determined that the developer’s actual test results matched the vendor’s expected results. 9.2 Evaluation Team Independent Testing The evaluation team used a sampling approach versus exercising the entire set of manual tests provided as evidence for the evaluation. The vender test suite is comprised of 66 Test Procedures each containing multiple test cases comprising a total of 190 manual test cases which are directly related and mapped to satisfy the TOE security functions. The vendor’s test coverage is quite exhaustive in many cases and provides numerous examples of coverage of the same aspect of a particular security function. Therefore, the test sampling approach was not based on a percentage of test cases as this would not be necessary, nor time and cost efficient. The tests were run on the on Windows 7 Enterprise SP1 32-bit test configuration described in the developer’s test documentation. The documentation describes the configurations that were used in the test configurations. The evaluation team performed the following sampling approach when determining the sample size: VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 19 • Exercise 18 test procedures, which represent a sample size of 27%. • Test cases include tests from each of the claimed security functions, security audit, cryptographic support, identification and authentication, User data protection, security management, protection of the TSF. • Test cases included tests covering all TSFI. The following hardware was used to create the test configurations: • ESM Machine – Windows 2003 Server • Domain Controller Machine – Windows 2003 Server • Internet machine – Windows 2003 • Endpoint PC – Dell E6510 laptop • Non-Endpoint PC – Lenovo T500 laptop These machines were configured as follows. All machines were connected to a network switch or hub in accordance with the test setup instructions: • ESXi Server Version 5.0 – running the following machine images: o ESM Machine (EMS PC) – Windows 2003 Server  Endpoint Management Server E80.30  SmartConsole E80.30 (UEPM Console etc)  SmartConsole R75.20  Network Share Folder o Domain Controller Machine (EAL.com PC) – Windows 2003 Server  Active Directory  DNS Server o Internet Machine (Internet_External PC) – Windows 2003  Web Server  FTP server o VPN Management and GW Machine (FW_GW PC) – Open Server Splat R75.20 o FW Host (FW_Host PC) -- Windows XP  Web Server  FTP server • Endpoint PC – Windows 7 64 bit SP1 installed on Dell E6510 laptop o Member of DC Windows domain o Endpoint client E80.30 o USB-connected scanner and printer device (HP OfficeJet 4500) o CD-ROM R/W drive o Internal Bluetooth Radio Driver (for built-in laptop BT h/w) o FileZilla FTP Server v0.9.41 o Smart Card: Aladdin eToken 32k (eToken #1 and #2) VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 20 o Aladdin PKI RTE V 5.1 SP1 Windows 7 64-bit eToken middleware and smart card driver • Endpoint PC2 – Same content as EndpointPC but running Windows 7 32 bit OS on a Lenovo T400 instead • Non-Endpoint PC –Windows 7 installed on a Lenovo T500 laptop o SmartConsole E80.30 (UEPM console etc) o SmartConsole R75.2 The following additional items were required for testing: • USB-connected scanner and printer device (HP OfficeJet 4500) • CD-ROM R/W drive • Internal Bluetooth Radio Driver (for built-in laptop BT h/w) • FileZilla FTP Server v0.9.41 • Smart Card: Aladdin eToken 32k (eToken #1 and #2) • Aladdin PKI RTE V 5.1 SP1 Windows 7 64-bit eToken middleware and smart card driver • Blank CDs and DVDs –a CD/DVD burn uses up the media, i.e. the media cannot be reused once written. • CD with executable content. • USB removable media device – at least three devices are needed for testing: o USB#1 – FAT32 formatted o USB#2 – FAT32 formatted. o USB#3 – encrypted in site “Black”. o USB#4- NTFS formatted o USB#5- USB 3.0 o USB#6 – FAT 32 formatted In addition to developer testing, the evaluation team conducted its own suite of tests, which were developed independently of the sponsor. These also completed successfully. 9.3 Vulnerability Testing The evaluation team conducted an open source search for vulnerabilities in the TOE, identifying a number of vulnerabilities reported against components that are not included in the TOE or otherwise addressed by fixes. Fixes were issued for the two vulnerabilities could potentially apply to the TOE: CVE-2011-4838 and CVE-2012-2753. CVE-2012-2753 was tracked through the bug tracking system to ensure procedures were followed for fixes to the TOE verifying the fix was included in the TOE release. Additionally, the evaluators developed vulnerability tests to address the Protection of the TSF and TOE access security functions. 10 Evaluated Configuration The TOE is Check Point Endpoint Security E80.30 (build 8.1.327) with the following software blades: Full Disk Encryption, Media Encryption & Port Protection, Firewall & Application VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 21 Control, Compliance, and VPN. Check Point Endpoint Security is a workstation security software product that is installed on user desktop and laptop hosts in an enterprise setting. Supported operating systems include: Windows 7 Enterprise, Professional, Ultimate editions (32- bit and 64-bit). These components are installed on a workstation running a Microsoft Windows operating system. The underlying hardware platform and operating system on which the TOE software is installed are considered to be in the operational environment, and thus outside the TOE. The vendor has tested TOE invocation of the following third party anti-virus software: McAfee VirusScan and Kaspersky Antivirus. Invocation of other anti-virus products was not covered by this evaluation; Check Point’s support website provides solution id sk68080 that provides a current list of AntiVirus products the vendor claims this product supports. New releases of those products are supported through the Flaw Remediation process. Due to the dynamic nature of AV products TOE users should contact Check Point Support for integration of new AV versions into the TOE. The anti-virus engines themselves are in the operational environment, and thus outside the TOE boundary. While some basic management capabilities are provided in the client software, Check Point Endpoint Security clients are designed to be centrally managed. However, management server products are separate products that are not required to effectively use the client. In the context of this ST, the management server is treated as a ‘remote user’ that can be authorized to perform identified TOE management operations All Check Point Endpoint Security E80.30 (build 8.1.327) product functionality is not included in the Target of Evaluation. The following features have not been evaluated as to their correctness: • Advanced Password Functionality. Specifically, although the product supports password complexity requirements and a password history, these capabilities were not covered by the evaluation. • Login banners. • Bundled Third-party Anti-Virus Product. The third-party anti-virus product bundled with the TOE is considered to be outside the boundaries of the TOE. However, the TOE supports a variety of anti-virus products that may be installed on the workstation by the user, independently of the TOE. • Smart Cards. Although authentication using smartcards was included in the evaluation, the capability of the smartcards and the smartcard readers themselves were not. • Underlying Hardware and Software Environment. The TOE components are installed on a workstation running a Microsoft Windows operating system. The underlying hardware platform and operating system on which the TOE software is installed are considered to be outside the TOE. • Audit Log Protection. The TOE protects audit logs when stored locally. Audit logs are stored on the encrypted part of the disk and thus the TOE requires user authentication prior to granting access to local audit logs. Also, the TOE does not provide interfaces to delete audit data. Since there are no SFRs related to local audit storage, the TOE behavior regarding the storage, integrity and overwriting of local audit storage has not be evaluated. • Local Audit Review. Only the remote transmission audit mechanism has been evaluated, including the remote review of audit. Local review of audit does not satisfy the Common VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 22 Criteria audit requirements; therefore, the local review of audit data was not evaluated and was not tested. Some Check Point Endpoint Security functionality is specifically excluded and thus its use is NOT permitted in an evaluated configuration: • Software Blades. The TOE is comprised of the following Check Point software blades: Full Disk Encryption, Media Encryption & Port Protection, Firewall & Application Control, Compliance, and Virtual Private Networking (VPN). The Check Point Endpoint Security also provides two additional blades: the Check Point WebCheck Blade and the Check Point Anti-malware blades. These blades have not been evaluated. They are not permitted, and must not be installed, in an evaluated configuration. • Legacy VPN Clients. The TOE includes the Endpoint Connect VPN, however, the command line option for endpoint connect is not permitted to be used in the evaluated configuration. Additionally, the use of the Check Point Legacy VPN is not permitted in the evaluated configuration. • Virtual Keyboard/Character Map. The Virtual keyboard and character map function of the TOE are NOT permitted in the evaluated configuration. 11 Results of the Evaluation The evaluation was conducted based upon version 3.1 Revision 3 of the CC and the CEM. A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation team assigned a Pass, Fail, or Inconclusive verdict to each work unit of each assurance component. For Fail or Inconclusive work unit verdicts, the evaluation team advised the developer of issues requiring resolution or clarification within the evaluation evidence. In this way, the evaluation team assigned an overall Pass verdict to the assurance component only when all of the work units for that component had been assigned a Pass verdict. The product was evaluated and tested against the claims presented in the Check Point Endpoint Security E80.30 Security Target, Version 1.0, dated January 23, 2014. The Validator followed the procedures outlined in the Common Criteria Evaluation Scheme publication number 3 for Technical Oversight and Validation Procedures. The Validator has observed that the evaluation and all of its activities were in accordance with the Common Criteria, the Common Evaluation Methodology, and the CCEVS. The Validator therefore concludes that the evaluation team’s results are correct and complete. The validation team agreed with the conclusion of the evaluation team, and recommended to CCEVS management that an “EAL2 augmented with ALC_FLR.3” certificate rating be issued for Check Point Endpoint Security E80.30 (build 8.1.327). The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by the LEIDOS CCTL. The security assurance requirements are listed in the following table. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 23 12 Validator Comments/Recommendations The following comments highlight specific concerns or recommendations from the Validator that may be of interest to consumers of this product: 1. Some of the cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. Such cryptography has only been asserted as tested by the vendor. Section 6.2 identifies the cryptographic functions that are provided by FIPS-assessed components, and the cryptographic functions that are only asserted as tested by the vendor. 2. The efficacy of the Anti-Virus scanning was not covered by this evaluation. The vendor only tested the invocation of a subset of the supported virus scanners in accordance with policy. 3. The local audit display mechanism does not display the identity of the subject as part of the audit record (although that information is stored in the record). Due to this, the local audit display mechanism does not satisfy the Common Criteria audit mechanism and thus was not covered by the evaluation. To review audit in accordance with Common Criteria requirements, the remote audit review interface must be used. 4. Although the product appears to provide many mechanisms that would support NIST 800-53 controls related to authenticator management (IA-5), the only evaluated capabilities are those enumerated in the ST. The additional capabilities provided were not covered by the evaluation. 5. The product does not include SFRs related to protecting against audit data loss. It is the administrator’s responsibility to ensure that audit is archived to a safe location on a regular basis in order to prevent audit loss. 13 Security Target The ST for this product’s evaluation is Check Point Endpoint Security E80.30 Security Target, Version 1.0, dated January 22, 2014. The document identifies the security functional requirements (SFRs) that are levied on the TOE, which are necessary to implement the TOE security policies. Additionally, the Security Target specifies the security assurance requirements necessary for EAL 2 augmented with ALC_FLR.3. VALIDATION REPORT Check Point Endpoint E80.30 (build 8.1.327) 24 14 Bibliography 1. Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, Version 3.1, Revision 3, July 2009. 2. Common Criteria for Information Technology Security Evaluation – Part 2: Security functional components, Version 3.1, Revision 3, July 2009. 3. Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance components, Version 3.1, Revision 3, July 2009. 4. Common Methodology for Information Technology Security: Evaluation methodology, Version 3.1, Revision 3, July 2009. 5. Check Point Endpoint Security E80.30 Security Target, Version 1.0, dated January 22, 2014.