National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Common Criteria Evaluation and Validation Scheme
Validation Report
Data ONTAP Version 7.0.3 and 7.0.4 Operating Systems
Report Number: CCEVS-VR-07-0015
Dated: 3 April 2007
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6740
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
ACKNOWLEDGEMENTS
Validation Team
Dr. Jerome Myers
The Aerospace Corporation
Columbia, Maryland
Common Criteria Testing Laboratory
COACT CAFÉ Laboratory
Columbia, Maryland 21046-2587
2
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
Table of Contents
1 EXECUTIVE SUMMARY__________________________________________________ 4
2 Identification ____________________________________________________________ 5
2.1 Applicable Interpretations _____________________________________________6
3 Security Policy ___________________________________________________________ 6
3.1 Administrative Security _______________________________________________7
3.2 Discretionary Access Control (DAC) Security _____________________________7
3.3 TOE Separation______________________________________________________8
3.4 Security Function Strength of Function Claim_____________________________8
3.5 Protection Profile Claim _______________________________________________8
4 Assumptions _____________________________________________________________ 8
4.1 Connectivity Assumptions _____________________________________________8
4.2 Personnel Assumptions ________________________________________________8
4.3 Physical Assumptions _________________________________________________8
4.4 Potential Threats _____________________________________________________9
5 Clarification of Scope _____________________________________________________ 9
6 Architecture Information__________________________________________________ 10
6.1 TOE Security Functions ______________________________________________10
6.2 IT Environment Security Functions ____________________________________10
6.3 Non-IT Environment Security Functions ________________________________10
6.4 Physical Boundary___________________________________________________11
6.5 Logical Boundary ___________________________________________________11
7 Product Delivery_________________________________________________________ 13
8 IT Product Testing _______________________________________________________ 15
8.1 Evaluator Functional Test Environment_________________________________15
8.2 Test Assumptions____________________________________________________16
8.3 Data ONTAP Evaluated Configuration Options __________________________16
8.4 Repeated Developer Tests to Confirm Developer Test Results _______________17
8.5 Functional Test Results_______________________________________________17
8.6 Evaluator Independent Testing ________________________________________17
8.6.1 Evaluator Independent Test Environment______________________________________________18
8.7 Evaluator Independent Test Results ____________________________________19
8.8 Evaluator Penetration Tests ___________________________________________19
8.8.1 Evaluator Assessment of Developer Analysis __________________________________________19
8.8.2 Additional Vulnerabilities__________________________________________________________20
3
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
8.9 Evaluator Penetration Test Identification________________________________20
8.10 Actual Penetration Test Results ________________________________________20
9 RESULTS OF THE EVALUATION ________________________________________ 20
10. VALIDATOR COMMENTS _____________________________________________ 21
11. Security Target___________________________________________________________ 21
12. Glossary ________________________________________________________________ 22
13. Bibliography ____________________________________________________________ 22
List of Tables
Table 1: Evaluation Identifiers....................................................................................................... 5
List of Figures
Figure 1: TOE's Internal Logical Boundaries.............................................................................. 12
Figure 2: DAC SFP Subjects and Objects.................................................................................... 13
Figure 3: Test Configuration Diagram......................................................................................... 15
1 EXECUTIVE SUMMARY
This report documents the NIAP Validators’ assessment of the CCEVS evaluation of the
Network Appliance Data ONTAP 7.0.3 and 7.0.4 Operating Systems at EAL2. It presents the
evaluation results, their justifications, and the conformance result.
The evaluation was performed by the CAFE Laboratory of COACT Incorporated, located in
Columbia, Maryland. The evaluation was completed on January 9, 2007. The information in this
report is largely derived from the Evaluation Technical Report (ETR) written by COACT and
submitted to the Validators. The evaluation determined the product conforms to the CC Version
2.2, Part 2 and Part 3 to meet the requirements of Evaluation Assurance Level (EAL) 2 resulting
in a “pass” in accordance with CC Part 1 paragraph 175.
The TOE is a pair of software modules that reside within several families of hardware storage
solutions developed by Network Appliance. All of the supporting platforms for the evaluated
TOE contain either the Data ONTAP Operating System Versions 7.0.3 or 7.0.4. Data ONTAP is
a proprietary microkernel operating system developed by Network Appliance. The TOE is
composed of only 2 modules: System Administration and Write Anywhere File Layout (WAFL).
The remainder of the OS and the supporting hardware platforms were treated as part of the IT
Environment for this evaluated TOE. The software is preinstalled in the distribution of the
NearStore, Virtual Filer, and Filer products developed by Network Appliance. The microkernel
software operates on an embedded processor within the storage hardware appliance. The
appliance also contains all the disk drives needed to store user data. The Data ONTAP TOE
provides data management functions that include secure data storage and multi-protocol
access. Secure storage is provided by Data ONTAP through implementation of strict access
4
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
control rules to obtain data managed by Data ONTAP. Multi-protocol access support is provided
by Data ONTAP through operation of both NFS and CIFS clients and providing transparent
access to all data including cross-protocol access requests.
A CCEVS validation team monitored the CCTL progress throughout the evaluation. The
validation team reviewed the evaluation team’s conclusions at major milestones in the
evaluation and provided feedback to the CCTL. The validation team confirmed that the CCTL
had performed an appropriate analysis and testing of the TOE and that the CCTL had properly
justified its conclusions.
2 Identification
The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and
Technology (NIST) effort to establish commercial facilities to perform trusted product
evaluations. Under this program, security evaluations are conducted by commercial testing
laboratories called Common Criteria Testing Laboratories (CCTLs) using the Common
Evaluation Methodology (CEM) for Evaluation Assurance Level (EAL) 1 through EAL 4 in
accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and
consistency across evaluations. Developers of information technology products desire a security
evaluation contract with a CCTL and pay a fee for their product’s evaluation. Upon successful
completion of the evaluation, the product is added to NIAP CCEVS’ Validated Products List.
Table 1 provides information needed to completely identify the product, including:
• the Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated,
• the Security Target (ST), describing the security features, claims, and assurances of the
product,
• the conformance result of the evaluation,
• The organizations and individuals participating in the evaluation.
Table 1: Evaluation Identifiers
Evaluation Identifiers for Data ONTAP Version 7.03 and 7.04 Operating Systems
Evaluation Scheme United States NIAP Common Criteria Evaluation and
Validation Scheme
TOE Network Appliance Data ONTAP 7.0.3 and 7.0.4
Operating Systems
Protection Profile N/A
Security Target Network Appliance Data ONTAP 7.0.3 and 7.0.4
Security Target, Version 1.0 dated March 28, 2007
Evaluation Technical Report Network Appliance Data ONTAP 7.0.3 / 7.0.4
Evaluation Technical Report, Document No. F2-0307-
007(1), Dated April 3, 2007
Conformance Result Part 2 conformant and EAL2 Part 3 conformant
Version of CC CC Version 2.2 [1], [2], [3], [4] and all applicable NIAP
and International Interpretations effective on January
9, 2006.
5
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
Evaluation Identifiers for Data ONTAP Version 7.03 and 7.04 Operating Systems
Version of CEM CEM Version 2.2 and all applicable NIAP and
International Interpretations effective on January 9,
2006
Sponsor Network Appliance
495 East Java Drive
Sunnyvale, CA 94089
Developer Network Appliance
495 East Java Drive
Sunnyvale, CA 94089
Evaluator(s) COACT Incorporated
Brian Pleffner
Anthony Busciglio
Ching Lee
Validator(s) NIAP CCEVS
Dr. Jerome Myers
Tom Murphy
2.1 Applicable Interpretations
The following NIAP and International Interpretations were determined to be applicable when the
evaluation started.
NIAP Interpretations
I-0405 – American English Is An Acceptable Refinement
I-0418 – Evaluation of the TOE Summary Specification: Part 1 vs. Part 3
I-0426 – Content of PP claims rationale
I-0427 – Identification Of Standards
International Interpretations
None
3 Security Policy
The TOE resides in an appliance that functions as a Network Attached Storage Device. The
TOE protects users’ files from access by any unauthorized user or groups of users. The TOE
also implements a security policy that restricts the management of the TOE to properly identified
and authenticated local administrators.
The TOE mediates access of subjects to objects. The subjects covered are NFS Clients and
CIFS Clients. The objects covered are files (user data). The TOE maintains files with either
NTFS-Style security attributes or UNIX-Style security attributes or both. The access modes
covered by the DAC SFP are: create, read, write, execute, change permission and change
owner. Since the rules governing file access are complex, interested parties should examine the
6
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
Administrator’s documentation to determine the specific Security Functions implemented by the
TOE in detail.
3.1 Administrative Security
The Administrative Security provides the necessary functions to allow an administrator to
manage and support the TOE Security Function (TSF). Included in this functionality are the
rules enforced by the TOE that defines access to TOE maintained TSF Data and TSF
Functions. The TSF Data includes both authentication data used to authenticate administrators,
security attribute data used for Direct Access Control SFP enforcement and other TSF data
used for DAC SFP subject security attribute resolution. The Command Line Interface (CLI)
provides the necessary Administrative operator functions to allow an administrator to manage
and support the TSF. The Administrator Guide provides information and guidance on the use of
CLI for Administrator functions.
The TOE maintains two roles for users: administrators and non-administrators. Administrators
are required to identify and authenticate themselves to the TOE before allowing any
modifications to TOE- managed TSF Data. The authentication data used for I&A, username
and password, is maintained locally by the TOE; Administrators are allowed to modify TOE-
managed TSF data including authentication data, security attributes and other TSF Data.
Non-administrators are users who access the TOE via a remote system using NFS or CIFS
client software. Non-administrators have access to TOE-managed user data, but do not have
authority to modify TOE-managed TSF data. Access to TOE-managed user data by non-
administrators is covered by the TOE’s DAC SFP.
The TOE’s TSF Data Management includes management of both authentication data and
security attributes
3.2 Discretionary Access Control (DAC) Security
The DAC mediates access of subjects to objects. The subjects are NFS Clients and CIFS
Clients. The objects covered are stored files (TSF user data). The TOE maintains files with
either NTFS-Style security attributes or UNIX-Style security attributes or both. The access
modes covered by the DAC SFP are: create, read, write, execute, change permission and
change owner. Each file style is assigned different security attributes that are used by the DAC
SFP to determine if access is granted for a subject.
The DAC SFP protects user data. The DAC SFP uses the subject type, subject’s security
attributes, the object, the object’s security attributes and the access mode (operation) to
determine if access is granted. The subjects that apply to the DAC SFP are administrators,
NFS Clients and CIFS Clients. The latter two subjects access the TOE via remote systems as a
process acting on behalf of a user. To determine if access is permitted for an object, the TOE
requires the security attributes associated with the client. Access controls are implemented
based upon the user identity and authentication data that is presented along with the access
request on the network interface.
7
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
The DAC SFP rules that apply depend on the subject, the operation, and the object. In addition,
the objects file type (directory, symbolic link and regular file) are used to determine access and
the type of qtree (directory) the file is stored in is considered for cross-protocol access requests.
The TOE does not support cross-protocol support of the Change Owner access request. Only
NFS Clients can change ownership of UNIX-Style files. Only CIFS Clients can change
ownership of NTFS-Style files.
3.3 TOE Separation
The TOE ensures that all functions are invoked and succeed before the next function may
proceed.
3.4 Security Function Strength of Function Claim
The only mechanism in the TOE for which an SOF claim is required is the Password
mechanism which is SOF-basic.
3.5 Protection Profile Claim
This Security Target does not claim conformance to any registered Protection Profile
4 Assumptions
The specific conditions listed in the following subsections are assumed to exist in the TOE’s IT
Environment. This includes information about the connectivity, personnel, and physical side of
the environment plus potential threats.
4.1 Connectivity Assumptions
The TOE is intended for use in areas that have physical control and monitoring. It is assumed
that:
• Any other systems with which the TOE communicates are under the same management
control and operate under the same security policy constraints.
4.2 Personnel Assumptions
The TOE is intended to be managed by competent non-hostile individuals. It is assumed that:
• There will be one or more competent individuals assigned to manage the TOE and the
security of the information it contains
• The system administrative personnel are not careless, willfully negligent or hostile and will
follow and abide by the instructions provided by the administrator documentation.
• Authorized users possess the necessary authorization to access at least some of the
information managed by the TOE and are expected to act in a cooperating manner in a
benign environment.
4.3 Physical Assumptions
The TOE is intended for use in areas that have physical control and monitoring. It is assumed
that:
• The processing resources of the TOE will be located within controlled access facilities that
will prevent unauthorized physical access.
• The processing resources of the TOE critical to the security policy enforcement will be
protected from unauthorized physical modification by potentially hostile outsiders.
• All devices on which the TOE resides and their connections will be housed within a
controlled access facility.
8
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
4.4 Potential Threats
Potential threats are:
• Improper administration may result in defeat of specific security features.
• Configuration data or other trusted data may be tampered with by unauthorized users due
to failure of the system to protect this data.
• An unauthorized user may attempt to access TOE data or Security Functions by bypassing
a security mechanism.
• User data may be tampered with by other users.
5 Clarification of Scope
The primary function of the TOE is to provide controlled access to files through its network
interface. Access controls are implemented based upon the user identity and authentication
data that are presented along with the access request on the network interface. The TOE relies
upon the requesting client in the IT Environment to deliver reponses from access requests to the
user associated with the request. The underlying Data ONTAP product has a configuration
option that permits the requesting clients to perform some of the authentication checks, but that
option is not covered by the scope of this evaluation. The TOE also performs identification and
authentication on a serial interface that is used to perform TOE administration.
The TOE is a subset of a proprietary microkernel operating system developed by Network
Appliance. The TOE consists of the System Administration and Write Anywhere File Layout
(WAFL ) modules. The TOE works in conjunction with a microprocessor card embedded in
storage products to control access to data stored within the storage product. The microkernel is
included in the distribution of several of Network Appliance’s storage solution hardware products
including NearStore, Virtual Filer, and Filer. As part of the evaluation, it was determined that
those three families of hardware platforms met the IT Environmental requirements necessary for
the TOE to meet its claims. The results of this evaluation are only valid for the TOE when it
resides in one of those three families of hardware appliances.
Since the TOE is only a subset of the entire appliance, there is some functionality of the
commercial product that was excluded from the scope of the evaluation. A detailed listing of all
of the components of the IT Environment and restrictions on the scope of the TOE is provided in
the ST. In particular, the evaluated configuration has the following limitations:
• Access Protocol Options- The IT Environment supports multiple protocol servers. The
evaluated configuration supports NFS and CIFS clients only. The evaluated configuration
also supports FCP and iSCSI access protocols. The following services are disabled: telnet,
tftp, ftp, snmp ,rsh, ndmp and http.
• Name Service Options - The evaluated configuration supports both local and remote
resolution (NIS or LDAP) of TSF Data used to support the DAC SFP, but does not support
remote resolution of authentication data (nsswitch.conf passwd file).
• The wafl.root_only_chown option for the evaluated configuration is disabled.
• Shared level ACLs are not evaluated.
• The password field in the /etc/groups file is not used (should be blank).
9
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
• The evaluated configuration will not include the bypass traverse checking option.
• The evaluated configuration does not support changing a qtrees style once the qtree is
configured.
• Primary and secondary UNIX primary GIDs are evaluated; Multiple client UNIX User
GIDs are included in the evaluated configuration.
• The evaluation configuration disables CIFS and NFS access to the /etc directory
6 Architecture Information
Data ONTAP is a proprietary microkernel operating system developed by Network Appliance.
The microkernel’s two modules are included in the distribution of several of Network Appliance’s
storage solution hardware products including NearStore, Virtual Filer, and Filer. The Data
ONTAP modules perform data management functions that include enforcing secure data
storage and multi-protocol access. Secure data storage is enforced by implementing strict
access control rules to obtain data managed by Data ONTAP. Multi-protocol access support is
provided by supporting both NFS and CIFS clients with transparent access to data including
cross-protocol support.
6.1 TOE Security Functions
The properties of the TOE necessary for the TOE to provide its security functionality are:
• The TOE will ensure that users gain only authorized access to the TOE and to the data the
TOE manages.
• The TOE will provide administrative roles to isolate administrative actions.
• The TOE will control access to user data based on the identity of users and groups of users.
• The TOE is designed and implemented in a manner that ensures the organizational policies
are enforced in the target environment.
• The TOE will require users to identify and authenticate themselves.
• The TSF will provide functions and facilities necessary to support the authorized
administrators that are responsible for the management of TOE security.
6.2 IT Environment Security Functions
The properties of the IT operational Environment of the TOE necessary for the TOE to be able
to provide its security functionality are:
• The IT Environment will ensure that users gain only authorized access to the data the IT
Environment manages.
• The IT Environment will provide administrative roles to isolate administrative actions.
• The IT Environment will support the TOE by providing mechanisms to ensure the TOE is
neither bypassed nor interfered with via mechanisms outside the TSC.
• The IT Environment must allow authorized users to access only appropriate TOE functions
and data.
• The IT Environment will provide the TOE with the appropriate subject security attributes.
6.3 Non-IT Environment Security Functions
The properties of the non- IT operational Environment of the TOE necessary for the TOE to be
able to provide its security functionality are:
• Those responsible for the TOE must ensure that all access credentials, such as passwords,
are protected by the users in a manner that maintains IT security objectives.
10
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
• Those responsible for the TOE and hardware required by the TOE, must ensure that the
TOE is delivered, installed, configured, managed, and operated in a manner which
maintains IT security objectives.
• Those responsible for the TOE must ensure that the TOE modules critical to security policy
are protected from physical attack that might compromise the IT security objectives.
• Those responsible for the TOE will be properly trained and provided the necessary
information that ensures secure management of the TOE and the IT Environment.
6.4 Physical Boundary
The TOE software is delivered preinstalled on one of Network Appliance’s storage solution
hardware products (see Section 7 for hardware product list) including NearStore, Virtual Filer,
and Filer. The TOE processor is on a card installed in the hardware filer with the TOE
preinstalled as part of the operating system for the processor. When purchasing a Network
Appliance storage product, users must ensure that Data ONTAP Version 7.0.3 or 7.0.4
Operating Systems are included as part of the product to ensure conformance with the validated
product as tested.
6.5 Logical Boundary
Data ONTAP is divided into two modules: System Administration and Write Anywhere File
Layout (WAFL). The WAFL module implements the DAC SFP. The DAC SFP includes enforcing
access rules to user data; based on client type, client security attributes, file types, file security
attributes and access request (create, read, write, execute, delete, change permission, and
change owner). The System Administration module includes an operator CLI interface
supporting administrator functions for enforcing identification and authentication, user roles and
user interface commands that enable an administrator to support the TOE’s security
functionality. The shaded areas in Figure 1 depict the TOE’s logical boundaries.
11
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
Figure 1: TOE's Internal Logical Boundaries
The logical boundaries of the TOE include DAC and Administrative functionality. The
Administrative functionality includes supporting operator functions for enforcing identification
and authentication, user roles and providing the necessary user interface commands that
enable an operator to support the TOE’s security functionality. The DAC logical boundary
includes enforcing access rules to data based on client type, client security attributes, file type,
file security attributes and operation. DAC is implemented by the TOE’s WAFL module. The
DAC SFP protects User data. The DAC SFP uses the subject, the subject’s security attributes,
the object, the object’s security attributes and the access mode to determine if access is
granted. Figure 2 depicts the DAC SFP relationships.
12
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
NFS
Client
CIFS
Client
UNIX-Style Subject Security Attributes:
• UNIX User UID
• Primary UNIX User GID
• Secondary UNIX User GID's
NTFS Style Subject Security Attributes:
• NT User SID
• NT User GID
UNIX-Style Object Security Attributes:
• UNIX File UID
• UNIX File GID
• Access Mode
NTFS Style Object Security Attributes:
• SD
• SID
UNIX Style File
File Type:
• Directory
• Symbolic Link
• Regular File
UNIX Style File
File Type:
• Directory
• Symbolic Link
• Regular File
NTFS or UNIX
Style File
File Type:
• Directory
• Regular File
NTFS Style File
File Type:
• Directory
• Regular File
• ACL
• ACEs
DAC Rules compare subject security attributes
against object security attributes.
The WAFL Layer supports
cross-protocol support.
DAC Subjects
DAC Subject
Attributes
DAC Object
Attributes
DAC Objects
UNIX Qtree Mixed Qtree NTFS Qtree
Figure 2: DAC SFP Subjects and Objects
The resolution of subject security attributes is processed differently by the TOE for each type of
client because the two protocols are different. Cross-protocol access requires additional TSF
data (usernames) to resolve the appropriate subject security attributes. UNIX User UIDs and NT
User UIDs (NT User SIDs) are not directly mapped by the TOE. Instead, UIDs are mapped to
the username associated with the UID, the username is then mapped to the other protocol’s
username and then this new username is used to find the new protocol’s UID.
7 Product Delivery
As stated previously the software is delivered installed on one of Network Appliance’s storage
solution hardware products including NearStore, Virtual Filer, and Filer. The vendor considers
all delivered embedded processors to have identical attributes, instruction sets and operation.
The TOE as tested was delivered pre-installed on a hardware filer system tied to a standard
size-shipping palette. The delivered box contains the installed TOE and two additional boxes
with mounting brackets, power cables, and start up documentation. The TOE processor is on a
card installed in the hardware filer with the TOE preinstalled as part of the operating system for
the processor. The main difference between specific hardware models are the microprocessor
speed and size of the disk storage available. Only a product with the Data ONTAP Version 7.03
or 7.0.4 Operating Systems installed meets the conformance requirements of the TOE as
tested. Therefore purchasers of the product must specify that the Data ONTAP Version 7.03 or
13
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
7.0.4 Operating System is preinstalled on their hardware product. Product Documentation
should explicitly state that the Data ONTAP Version 7.03 or 7.0.4 Operating System is installed
on the delivered product.
The full range of Network Appliance storage appliances products that support the TOE are listed
below:
FAS250
FAS270
FAS270C
FAS270HA
FAS920
FAS920C
FAS940
FAS940C
FAS940HA
FAS960
FAS960C
FAS960HA
FAS980
FAS980C
FAS980HA
FAS3020
FAS3020C
FAS3020HA
FAS3050
FAS3050HA
NearStore R200
GF270HA
GF920HA
GF940
GF940HA
GF960
GF960HA
GF980
GF980HA
The delivered TOE documentation included Installation Instructions for NetApp FAS3000
Storage Appliances, Software License Key and Download Instructions, and Instructions for Rail
Kit setup. A serial number identification was labeled on all of the materials and parts that came
with the TOE packaging. The Filer system (FAS 3020) was also identified with an individual
serial number.
To retrieve the documentation from the website the user must have the TOE serial number to
show actual purchase of the product and the website verifies such before allowing access to the
documentation pages. The website clearly states the version of the TOE is described in each
document. Only Data ONTAP Version 7.0.3 or 7.0.4 Operating System conforms to the TOE as
tested. Each document can be downloaded in HTML format and PDF format.
Documentation online pertaining to the TOE:
• Installation, Generation, and Start-Up Procedures
14
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
• Data ONTAP 7.0 Software Set Up Guide
• Data ONTAP 7.0 System Administration Storage Management Guide
Data ONTAP 7.0.3 System Administration File Access Management Guide
• Administrator and User Guidance for Data ONTAP Common Criteria Deployments For Data
ONTAP 7.0.3 and 7.0.4
• Commands Manual Page Reference
8 IT Product Testing
Testing was performed on Thursday, November 29, 2007 at the COACT Laboratory in
Columbia, MD.
Two COACT employees performed the tests in the presence of a Vendor’s Representative. All
test configurations operated properly and tests were completed in an expeditious manner.
8.1 Evaluator Functional Test Environment
The functional test configuration included four major components, a PC with the necessary
software (listed below) installed for use as the TOE management console/CIFS client, the TOE
factory installed on a Network Appliance Filer series 3020 appliance, a Hub, and a Solaris
Workstation for use as the NFS client.
• The Network Appliance Data ONTAP Version 7.0.3 (i.e., the TOE) was installed on the
Network Appliance Series 3020 Filer for some tests
• The Network Appliance Data ONTAP Version 7.0.4 (i.e., the TOE) was installed on the
Network Appliance Series 3020 Filer for some tests
• CIFS Client/Management Console (PC) with the following software installed, Windows 2000,
HyperTerminal, Ethereal version 0.10.11 & Nmap version 4.0
• Serial Cable
• Linksys 5-Port Hub (model: EW5HUB)
• NFS Client (Sun Blade Workstation) with the following software installed: Solaris 8 patch
117350-21
• (3) Ethernet cables
Figure 3 graphically displays the test configuration used for functional testing.
Figure 3: Test Configuration Diagram
CIFS Client
/Management Console
(Windows 2000 Server)
192.168.0.1
Serial
Cable
Network
Appliance Filer
(Data OnTap
version
7.0.3/7.0.4)
192.168.0.100
NFS Client
(Solaris Workstation)
192.168.0.2
Hub
15
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
8.2 Test Assumptions
The functional test environment/configuration requires no test specific assumptions outside of
those identified in the ST. The test bed setup used for this set of tests is the same as that used
for the functional test suite. Two users are established and four groups are established.
The evaluated configuration includes three Network Appliance products: Virtual Filer, Filer, and
NearStore. All evaluation testing was performed on a single hardware platform. The vendor
and evaluation team provided an equivalency argument based upon vendor documentation of
the differences between the platforms that justifies the extrapolation of the test results to those
other platforms. All three products are distributed with Data ONTAP 7.0.3/7.0.4 and are
described below.
Filer: NetApps Filer systems offer seamless access to a full range of enterprise data
for users on a variety of platforms. Filer systems support NFS and CIFS for file
access, as well as FCP and iSCSI for block-storage access.
Virtual Filer: The Virtual Filer product family (V-Series) provides unified NAS and SAN access
to data stored in Fibre Channel SAN storage arrays enabling data centered
storage deployment.
NearStore: NearStore is a disk-based nearline storage solution and offers additional
functionality including simplified backup, accelerated recovery and robust remote
disaster recovery.
8.3 Data ONTAP Evaluated Configuration Options
Configuration options were set to conform with the evaluated configuration. Hence, they were
set as follows:
• Access Protocol Options- The IT Environment supports multiple protocol servers. The
evaluated configuration supports NFS and CIFS clients only. The following services are
disabled: telnet, tftp, ftp, snmp ,rsh, ndmp and http.
• Name Service Options - The evaluated configuration supports both local and remote
resolution (NIS or LDAP) of TSF Data used to support the DAC SFP, but does not support
remote resolution of authentication data (nsswitch.conf passwd file).
• Test Conditions – In addition to the disabled servers:
• The wafl.root_only_chown option for the evaluated configuration is disabled.
• Shared level ACLs are not evaluated.
• The password field in the /etc/groups file is not used (should be blank).
• The evaluated configuration will not include the bypass traverse checking option.
• The evaluated configuration does not support changing a qtrees style once the qtree is
configured.
• Primary and secondary UNIX primary GIDs are evaluated; Multiple client UNIX User
GIDs are included in the evaluated configuration.
16
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
• The evaluated configuration does not support changing a qtrees style once the qtree is
configured.
• The evaluation configuration disables CIFS and NFS access to the /etc directory
8.4 Repeated Developer Tests to Confirm Developer Test Results
This section lists tests performed to confirm the developer test results. The evaluation team
selected all of the vendor tests to be reproduced due to the dependencies they have on one
another. The following list presents the tests:
• NFS.01 Create Dir in UNIX Qtree
• NFS.02 Create Dir in NTFS Qtree
• NFS.03 Create Dir in Mixed Qtree
• NFS.04 NFS Change Ownership
• NFS.05 Create u1 and u2 Files
• NFS.06 Multiprotocol Success
• NFS.07 NFS Multiprotocol Failure
• NFS.08 NFS access from unauthorized NFS client system
• CIFS.01 Set up directories with ACLs
• CIFS.02 Set up CIFS user files with ACLs.
• CIFS.03 CIFS Multiprotocol Success
• CIFS.04 CIFS Multiprotocol Failure
• CIFS.05 CIFS Login
• SM.01 CLI Login
• SM.02 User Admin Command
• SM.03 Create Qtrees and Shares
• SM.04 Change type of ntfsqt
8.5 Functional Test Results
All tests were performed satisfactorily and the results were as expected. The TOE passed all
tests. The procedures followed to execute these tests and detailed results are presented in the
Data ONTAP 7.0.3 and 7.0.4 Test Documentation for Common Criteria EAL2 Evaluation.
8.6 Evaluator Independent Testing
The tests chosen for independent testing allow the evaluation team to exercise the TOE in a
different manner than that of the developer’s testing. The intent of the independent tests is to
give the evaluation team confidence that the TOE operates correctly in a wider range of
conditions than would be possible purely using the developer’s own efforts, given a fixed level of
resource. The selected independent tests allow for a finer level of granularity of testing
compared to the developer’s testing, or provide additional testing of functions that were not
exhaustively tested by the developer. The tests allow specific functions and functionality to be
tested. The tests reflect knowledge of the TOE gained from performing other work units in the
evaluation. For example, specific TSFI behaviors were identified while performing the ADV
work units, and tests have been developed to test specific behaviors.
To determine the independent testing to be performed, the evaluators first assessed the level of
developer testing corresponding to all TSFIs. The Independent Tests performed were:
17
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
• Test the ability to modify the file wafl.default_unix_user by users and administrators.
• Test the ability to modify the file wafl.default_nt_user by users and administrators.
• Test the ability to modify the file /etc/passwd by users and administrators.
• Test the ability to modify the file /etc/groups by users and administrators.
• Test the ability to modify the file usermap.cfg by users and administrators.
• Test different administrator identification and authentication combinations to verify SFR
claims.
• Test the ability to turn the NFS module on and off and verify users are identified correctly by
the operating system.
• Test the ability to terminate and restart the CIFS module and verify users are identified
correctly by the operating system.
• Test the ability to modify the file wafl.default_unix_user by users and administrators on
DataONTAP 7.0.4.
• Test the ability to modify the file wafl.default_nt_user by users and administrators on
DataONTAP 7.0.4.
8.6.1 Evaluator Independent Test Environment
The test environment used to conduct these tests consisted of:
• A Network Appliance FAS3020 Filer, running Data ONTAP 7.0.3 and 7.0.4 as described in
the Security Target documentation. (Note that an equivalency argument was used to show
that any NetApp Filer, Virtual Filer, or NearStore system may be used to duplicate these
tests, as none of the TSF behavior is dependent on the underlying hardware platform
selected.)
o The TOE was configured as described in the Delivery and Installation, and
Administrator Guidance documentation.
o In particular, to match the specifications in the Security Target documentation the
TOE was configured with NFS and CIFS enabled, but with all other optional
services and protocols disabled. Disabled services included FTP, Telnet, TFTP,
HTTP, SNMP, RSH, and NDMP.
o Data ONTAP is capable of enabling additional software components to provide
data backup and recovery services, storage virtualization, and other functions.
These additional software components (for example SnapMirror, SnapVault,
MultiStore, SnapDrive, etc.) are enabled through the installation of license keys
for each component. No such license keys were installed, and none of these
additional software components were enabled.
• A PC running Microsoft Windows 2000 Server installed.
o This device was used both as the CIFS client for testing, and was used to
connect to the Filer’s serial port for access to the command line interface (CLI).
(Note that the version of Windows selected for use as a CIFS client is
unimportant for this test process. The TSF behavior does not depend on the
version of Windows being used on the remote client system, as changes in TSF
behavior based on client version would simply allow an attacker to select the
client version with the worst security attributes when performing an attack. While
Data ONTAP does have provisions for configuring authentication behavior for
support of older client systems, this behavior is configured by an administrator on
the TOE, rather than being specified by the CIFS client. Furthermore, these
configuration options do not change the overall behavior of the TSP/TSF from
that tested below.)
18
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
• A Sun Workstation running Solaris 8 (SunOS 5.8) with kernel patch 117350-21.
o This system was used as the authorized NFS client for the bulk of the testing.
• Test Conditions
o The following services are disabled: telnet, tftp, ftp, ndmp and http.
o The wafl.root_only_chown option for the evaluated configuration is disabled.
o Shared level ACLs are not evaluated.
o The password field in the /etc/groups file is not used (should be blank).
o The evaluated configuration will not include the bypass traverse checking option.
o The evaluated configuration does not support changing a qtrees style once the
qtree is configured.
o The evaluation configuration disables CIFS and NFS access to the /etc directory
8.7 Evaluator Independent Test Results
All tests were performed satisfactorily and the results were as expected. The TOE passed all
tests. The procedures followed to execute these tests and detailed results are presented in the:
• Data ONTAP 7.0.3 and 7.0.4 Test Documentation for Common Criteria EAL2 Evaluation.
8.8 Evaluator Penetration Tests
8.8.1 Evaluator Assessment of Developer Analysis
The evaluator examined each of the obvious vulnerabilities identified during the developer’s
vulnerability analysis. After consulting the sources identified by the developer used during the
initial vulnerability analysis, the evaluator consulted other vulnerability relevant sources of
information to verify that the developer considered all available information when developing the
non-exploitation rationale. These additional sources include:
• https://cirdb.cerias.purdue.edu/coopvdb/public/
• http://www.securityfocus.com
• http://www.osvdb.org/
• http://xforce.iss.net/
• http://icat.nist.gov/icat.cfm
After verifying that the developer’s analysis approach sufficiently included all of the necessary
available information regarding the identified vulnerabilities, the evaluator made an assessment
of the rationales provided by the developer indicating that the vulnerability is non-exploitable in
the intended environment of the TOE. Any possible vulnerability that requires further evaluator
analysis, such as, an Attack Potential Calculation is identified as suspect.
The evaluator found two of the developer rationales describing why a particular possibly
relevant vulnerability of the TOE was not exploitable to be suspect. Therefore the evaluator
tested the TOE to ensure the TOE was properly resistant to the relevant vulnerabilities.
19
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
8.8.2 Additional Vulnerabilities
While verifying the information found in the developer’s vulnerability assessment the evaluator
conducted a search to verify if additional obvious vulnerabilities exist for the TOE. This search
included examining the websites identified in section 8.8.1 of this document. Additionally, the
evaluator examined the provided design documentation and procedures to attempt to identify
any additional vulnerabilities. The additional analysis conducted by the evaluator identified
several additional vulnerabilities that may possibly be relevant to the TOE. Therefore the
evaluator tested the TOE to ensure the TOE was properly resistant to the additional identified
vulnerabilities. The successful completion of the evaluator penetration tests demonstrated that
the TOE was properly resistant to all the potential vulnerabilities identified by the evaluator.
8.9 Evaluator Penetration Test Identification
As a result of the evaluator’s examination of the developer’s vulnerability analysis and the
independent search for obvious TOE vulnerabilities, the evaluator devised a test plan and a set
of test procedures to test the TOE’s mitigation of the vulnerabilities. The following Penetration
tests were performed by the evaluator:
• The TOE restricts access to NFS filesystems by maintaining a list of authorized NFS client
IP addresses, or hostnames (which may be translated to IP addresses for this purpose). As
described in the high-level design documentation, the TOE compares the IP address of the
requesting NFS client system to the list of authorized IP addresses to confirm that the
connection is being made from an authorized system. This prevents unauthorized NFS
client systems from connecting to NFS filesystems exported by the TOE.
• The ST identifies several services as being disabled in the evaluated configuration. These
services include TFTP, FTP, NDMP, and HTTP. It is possible that although the installation
instructions are follow accurately that these services are not truly disabled. Test that the
services do not respond.
• Test that a non-administrative user may not mount a file containing information that is
identified as only available to an administrative user (e.g., /etc)
• Perform multiple incorrect login attempts to verify that the TOE presents a 3-second delay
each time three consecutive failed login attempts are detected.
• Attempt to circumvent the DAC policy by changing the user’s access permissions while the
user is accessing the file using a NFS client.
• Attempt to circumvent the DAC policy by changing the user’s access permissions while the
user is accessing the file using a CIFS client.
8.10 Actual Penetration Test Results
The end result of the testing activities was that all tests gave expected (correct) results. The
successful completion of the evaluator penetration tests demonstrated that the TOE was
properly resistant to the all the potential vulnerabilities identified by the evaluator. The testing
found that the product was implemented as described in the functional specification and did not
uncover any undocumented interfaces or other security vulnerabilities. The evaluation team
tests and vulnerability tests substantiated the security functional requirements in the ST.
9 RESULTS OF THE EVALUATION
A verdict for an assurance component is determined by the resulting verdicts assigned to the
corresponding evaluator action elements. The Evaluation Team assigned a Pass, Fail, or
Inconclusive verdict to each work unit of each EAL 2 assurance component. For Fail or
20
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
Inconclusive work unit verdicts, the Evaluation Team advised the developer of issues requiring
resolution or clarification within the evaluation evidence.
In this way, the Evaluation Team assigned an overall Pass verdict to the assurance component
only when all of the work units for that component had been assigned a Pass verdict. Section 4,
Results of Evaluation, from the document Evaluation Technical Report for the Network
Appliance Data ONTAP 7.0.3/ 7.0.4 contains the verdicts of “PASS” for all the work units.
The evaluation determined the product to meet the requirements for EAL 2. The details of the
evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by
COACT Inc.
10. VALIDATOR COMMENTS
This evaluated TOE consists of a portion of a software product that is delivered with the network
hardware storage appliance. The TOE does not operate separately from the network hardware
storage appliance but only as an integral part of the data storage device. The security
performance of the TOE is dependent on the rules and restrictions entered by the system
administrator during initial set-up and during registration of users. Access to data is controlled
by the permissions and constraints developed and created by the system administrator. The
administrative functions are directly entered into the TOE by a Command Line Interface from a
connected Windows server.
The evaluation results depended upon the fact that all of the evaluation platforms operated
identically from the perspective of the TOE. This conclusion was reached by analysis. Each of
the two versions of the TOE was only tested on one hardware platform. The specific
NetAppliance hardware used during the evaluation functioned properly. Any differences among
the hardware appliance microprocessors due to future changes in the appliance environment
may compromise the result. Such changes would require retest and re-evaluation.
Another version of Data ONTAP was previously evaluated by CCEVS. The current evaluation
was very similar to the previously evaluated product. At the start of the evaluation the vendor
stated that most of the changes between the two evaluations were not security relevant.
However, rather than try the relatively new “Assurance Continuity” process and submit the
analysis for each of the individual changes, the vendor decided to resubmit the product for a
new evaluation and have the CCTL perform a new evaluation. The new evaluation was
performed by the same evaluation team and for most of the evaluation had the original
validation team. The evaluation team had to redo all of its analysis and reconsider all of its
testing based upon the changes to the previous evaluation. Most of the evaluation evidence
and conclusions presented to the validators had only minor modification from the previous
evidence. In this manner the evaluation team and the validators confirmed that most of the
changes were not security relevant and the conclusions of the previous evaluation were still
valid for the new TOE.
11. Security Target
The Security Target document, Network Appliance Data ONTAP Versions 7.0.3 and 7.0.4
Security Target, dated March 28, 2007 is incorporated here by reference.
21
Data ONTAP Version 7.03 and 7.04 Operating System Validation Report
12. Glossary
CC _______________________________________________ Common Criteria
EAL2 ___________________________________ Evaluation Assurance Level 2
IT ___________________________________________ Information Technology
NIAP_________________________ National Information Assurance Partnership
NIC__________________________________________ Network Interface Card
PP _______________________________________________ Protection Profile
SF________________________________________________ Security Function
SFP _________________________________________Security Function Policy
SOF ____________________________________________Strength of Function
ST__________________________________________________Security Target
TOE ____________________________________________Target of Evaluation
TSC __________________________________________ TSF Scope of Control
TSF _________________________________________ TOE Security Functions
TSFI _________________________________________________ TSF Interface
TSP ____________________________________________ TOE Security Policy
13. Bibliography
The following standards were used in the evaluation of the Network Appliance Data ONTAP
6.5.2R1:
• Common Criteria for Information Technology Security Evaluation, Part 1 Introduction and
General Model, Version 2.2, dated January 2004
• Common Criteria for Information Technology Security Evaluation, Part 2 Security Functional
Requirements, Version 2.2, dated January 2004
• Common Criteria for Information Technology Security Evaluation, Part 3 Security Assurance
Requirements, Version 2.2, dated January 2004
• Common Methodology for Information Technology Security Evaluation, Part 1, Version 2.2,
dated January 2004
• Common Methodology for Information Technology Security Evaluation, Part 2, Version 2.2,
dated January 2004
• Guide for the Production of PPs and STs, Version 0.9, dated January 2000
22