Gilian G-Server Version 2.5 Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Gilian Technologies, Incorporated G-Server Version 2.5 Report Number: CCEVS-VR-03-0044 Dated: 11 August 2003 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 ® TM Gilian G-Server Version 2.5 Validation Report ACKNOWLEDGEMENTS Validation Team Paul Bicknell The MITRE Corporation Bedford, Massachusetts Common Criteria Testing Laboratory CygnaCom Solutions, an Entrust Company McLean, Virginia Gilian G-Server Version 2.5 Validation Report iii Table of Contents 1 EXECUTIVE SUMMARY.................................................................................................... 5 2 IDENTIFICATION................................................................................................................ 5 3 SECURITY POLICY............................................................................................................. 6 4 ASSUMPTIONS AND CLARIFICATION OF SCOPE...................................................... 7 4.1 USAGE ASSUMPTIONS 7 4.2 ENVIRONMENTAL ASSUMPTIONS 8 4.3 CLARIFICATION OF SCOPE 8 5 ARCHITECTURAL INFORMATION................................................................................ 8 5.1 TOE SECURITY FUNCTIONS 9 5.1.1 TSF Protection Function ........................................................................................... 9 5.1.2 ExitControl ................................................................................................................ 9 5.1.3 EntryControl............................................................................................................ 10 5.1.4 Security Management .............................................................................................. 10 5.1.5 Audit ........................................................................................................................ 10 5.1.6 Alerts........................................................................................................................ 10 5.1.7 Trusted Path/Channel.............................................................................................. 11 6 DOCUMENTATION........................................................................................................... 11 7 IT PRODUCT TESTING.................................................................................................... 12 7.1 EVALUATOR TESTING 12 8 EVALUATED CONFIGURATION................................................................................... 13 9 RESULTS OF THE EVALUATION.................................................................................. 13 9.1 EVALUATION OF THE GILIAN G-SERVER SECURITY TARGET (ST) (ASE) 13 9.2 EVALUATION OF THE CM CAPABILITIES (ACM) 13 9.3 EVALUATION OF THE DELIVERY AND OPERATION DOCUMENTS (ADO) 13 9.4 EVALUATION OF THE DEVELOPMENT (ADV) 14 9.5 EVALUATION OF THE GUIDANCE DOCUMENTS (AGD) 14 9.6 EVALUATION OF THE TEST DOCUMENTATION AND THE TEST ACTIVITY (ATE) 14 9.7 SUMMARY OF EVALUATION RESULTS 14 10 VALIDATOR COMMENTS........................................................................................... 14 11 SECURITY TARGET.......................................................................................................... 14 12 GLOSSARY...................................................................................................................... 14 13 BIBLIOGRAPHY............................................................................................................. 16 LIST OF FIGURES Figure 1: Traffic Mediation Architecture....................................................................................... .7 Gilian G-Server Version 2.5 Validation Report iv LIST OF TABLES Table 1: Evaluation Identifiers....................................................................................................... 6 Gilian G-Server Version 2.5 Validation Report 5 1 EXECUTIVE SUMMARY This report documents the NIAP validators’ assessment of the CCEVS evaluation of Gilian G- Server. It presents the evaluation results, their justifications, and the conformance result. The evaluation was performed by CygnaCom Solutions, an Entrust Company and was completed on August 11, 2003. The information in this report is largely derived from the Evaluation Technical Report (ETR) written by Cygncom and submitted to the validator. The evaluation determined the product conforms to the CC Version 2.1, Part 2 and Part 3 to meet the requirements of Evaluation Assurance Level (EAL) 1, resulting in a “pass” in accordance with CC Part 1 paragraph 175. The Gilian G-Server under evaluation is Version 2.5. The Target of Evaluation (TOE) includes the G-Server Series 200XL machine with no bypass card, running G-Server Version 2.5 software, including the Maintenance Tool, Administration Tool, Signing Tool, and also the G-Agent. The validation team monitored the activities of the evaluation team, observed evaluation testing activities, provided guidance on technical issues and evaluation processes, reviewed the individual work units and successive versions of the ETR. The validation team found that the evaluation showed that the product satisfies all of the functional requirements and assurance requirements stated in the Security Target (ST). Therefore the validation team concludes that CygnaCom’s findings are accurate, the conclusions justified, and the conformance results correct. Disclaimers: The information contained in this Validation Report is not an endorsement of Gilian G-Server by any agency of the U.S. Government and no warranty of Gilian G-Server is either expressed or implied. In addition, the cryptography used in the Gilian G-Server has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. 2 IDENTIFICATION The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs) using the Common Evaluation Methodology (CEM) for Evaluation Assurance Level (EAL) 1 through EAL 4 in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation. The NIAP Validation Body assigns validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products who desire a security evaluation contract with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product is added to NIAP’s Validated Products List. Table 1 provides information needed to completely identify the product, including: Gilian G-Server Version 2.5 Validation Report 6 · the Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated, · the Security Target (ST), describing the security features, claims, and assurances of the product, · the conformance result of the evaluation, · the organizations and individuals participating in the evaluation. Table 1: Evaluation Identifiers Item Identifier Evaluation Scheme United States NIAP Common Criteria Evaluation and Validation Scheme Target of Evaluation Gilian G-Server Version 2.5 Protection Profile None Security Target Gilian G-Server Version 2.5 Security Target, Version 1.0, July 30, 2003 Evaluation Technical Report Evaluation Technical Report for Target of Evaluation Gilian G-Server Version 2.5, Version 1.3, August 7, 2003 Conformance Result Part 2 conformant, Part 3 conformant, and EAL 1 Version of CC CC Version 2.1 [1], [2], [3], [4] and all applicable National and International Interpretations effective on May 5, 2003 Version of CEM CEM Version 1.0 [5], [6] and all applicable National and International Interpretations effective on May 5, 2003 Sponsor Standards Institution of Israel Developer Gilian Technologies, Inc. Evaluators CygnaCom Solutions, an Entrust Company Ms. Robin Medlock Mr. Steve Brackin Validators Mr. Paul Bicknell (The MITRE Corporation) 3 SECURITY POLICY The Gilian G-Server is an appliance that is placed between one or more Web Servers and connections to external networks (see Figure 1). Its purpose is to detect and prevent invalid data from being sent out from Web Servers that have arranged to be protected by the G-Server. Requests for Web Server actions made by End-Users from the external network are intercepted by the G- Server, are inspected and if permitted, are forwarded to the Web Servers on the protected, internal, network. Server responses from the protected Web Servers are also inspected, and if determined to Gilian G-Server Version 2.5 Validation Report 7 be valid by the G-Server, are released onto the external network. In the event that invalid responses are issued by a protected Web Server, generic responses can be released to the external network in their place. To accomplish its functions, the Gilian G-Server recognizes three distinct groups of subjects: Protected-Sites, End-Users, and Administrators. The Protected-Sites are Web Server hosts on the internal network that attempt to send responses to End-Users on external networks in response to incoming HTTP requests. The End-Users are entities on external networks that send HTTP and HTTPS requests to Protected-Sites via the TOE. Administrators are privileged users that interact directly with the TOE, using specific administrative tools to configure and manage the TOE. Protected-Sites and End-Users are subject to information flow control and Administrators are subject to access control. The Gilian G-Server provides integrity validation services for static and dynamic web pages. Protections are established by the Administrator registering hashed and digitally signed records of static protected web pages in the TOE. Responses to requests from End-Users are compared against the signed records and if found to be valid are returned to the End-Users. Responses that are not valid, and which may indicate some sort of security breach at a protected Web Server, result in the creation of alarm messages and other alerts. However, a copy of the original web page is returned to the End-User without their being notified that anything out of the ordinary has occurred. Dynamic web pages are also protected by registering hashed and digitally signed records of scripts or programs that generate dynamic Web Server responses. On receipt of a request for a dynamic web service protected Web Servers, via the G-Agent, send a signed image of the script or program to the TOE where it is validated against a pre-established image. Any differences will cause alerts to be created and a generic response to be sent to the End-User. Figure 1: Traffic Mediation Architecture 4 ASSUMPTIONS AND CLARIFICATION OF SCOPE 4.1 Usage Assumptions Gilian G-Server Version 2.5 Validation Report 8 The evaluation made the following assumptions concerning product usage: · Administrators may establish connections with the TOE either from a directly connected terminal or from an administration workstation located on either the internal or external networks and the administrative workstation is part of the TOE. · Authorized administrators are non-hostile and follow all administrator guidance; however, they are capable of error. · There is no general purpose computing capabilities (e.g., the ability to execute arbitrary code or applications) and storage repository capabilities on the TOE. · The TOE does not host public data other than pre-established generic response information. 4.2 Environmental Assumptions The evaluation made the following environmental assumptions: · The TOE is physically secure. · Information cannot flow among the internal and external networks unless it passes through the TOE. · Human users who are not authorized administrators cannot access the TOE remotely from the internal or external networks. 4.3 Clarification of Scope Gilian G-Server provides a level of protection that is appropriate for protecting the contents of requests for service that are submitted by external End-Users to protected internal Web Servers. G- Server is not designed to provide protection to Web Servers from End-Users located on the same, internal, network. Likewise, G-Server is not designed to provide any protection unless the network is configured so that all information flows that are controlled by TSP pass through the TOE. All TOE security objectives, categorized as either Security Objective for the TOE or Security Objectives for the Environment, reflect the stated intent to counter identified threats in light of specific assumptions. 5 ARCHITECTURAL INFORMATION This section provides a high level description of the TOE and its subsystems as described in the Gilian G-Server 2.5 design documentation. Gilian G-Server provides six security functional services in the TOE, TSF Protection, Exit Control, Entry Control, Security Management, Audit, Alerts, and Trusted Path Channel. Together these security functions provide the following protections: · Audit Generation, Review, and Protection · Information Flow Policy Enforcement · Identification and Authentication Gilian G-Server Version 2.5 Validation Report 9 · Management of Security Functions · Protection of TOE Security Functions 5.1 TOE Security Functions The following subsections describe the security functions of the TOE that provide the protections listed above. 5.1.1 TSF Protection Function The TSF Protection security function is provided by the operating system, and a proprietary networking subsystem that allows the G-Server to be transparently inserted between end-users and protected sites. The G-Server is an application-level service running on a Microsoft Windows 2000 server SP3. It uses the capabilities provided by Windows for file and process management services. No non-G-Server applications are allowed to run on the Windows system. The proprietary networking subsystem is logically and physically placed between internal protected Web Servers and the external network. The G-Server has two, physically distinct, network connections, one of the protected internal network and one for the unprotected external network. Every network packet received on the external interface is examined by the G-Server. Traffic is separated into three categories: Mediated; Fast-Forward; and Administrative. Mediated traffic consists of HTTP and HTTPS requests for services from protected Web Servers. Such traffic is processed for security policy enforcement by the G-Server. Fast-Forward traffic consists of traffic that is outside the TSC, i.e., HTTP/HTTPS that is not intended for a protected Web Server, or is other IP traffic. Fast-Forward traffic is directly sent to the internal network interface for release onto the internal network. Administrative traffic is traffic directed at the G-Server itself and can arrive from either the external or the internal network. It is distinguished by specific G-Server IP and port numbers and this traffic results in administrative services being initiated. 5.1.2 ExitControl The central security function provided by the G-Server is that of ExitControl, namely the control of information flow from protected sites on the internal network for release onto the external network. Protection is offered for both static and dynamic resources. Static resources are protected by the G- Server recording security attribute information about the resource, as well as recoverable instances of the resource itself. When a resource request is received from the external network a request identifier is recorded by the G-Server prior to forwarding the request to the internal network. Once the response from the protected Web Server is received, security attributes of that response are compared against attributes the G-Server previously stored (done at a prior time when protections were initialized). If the attributes compare and an open request identifier exists the response is released to the external network by the G-Server. In the event that the security attributes do not match then the recoverable instance of the resource is released to the external network in place of the response from the Web Server. Audit entries are also created and processed. In the case of a dynamic resource, similar processing takes place. However, a difference is that recoverable instances of dynamic resources cannot be stored on the G-Server. Also the security attributes of the resource have a different form and are not of the resource itself but are derived from the process or script that creates the resource. Whenever differences in the attributes of a resource Gilian G-Server Version 2.5 Validation Report 10 are detected by the G-Server, assisted by the G-Agent that is running on the protected server to create representations of processes or scripts for use in attribute checking by the G-Server, a default error response is returned to the requestor on the external network. Appropriate audit records and audit record processing also takes place. 5.1.3 EntryControl An additional security function provided by the G-Server is EntryControl where requests received from the external network can be examined for certain information that may indicate hostile intentions by users on the external network. When an HTTP request is received by the G-Server for a protected site, it can be tested against a set of predefined signature patterns. When an anomalous request is detected, the connection is closed, and audit record processing is performed. Administrators can define certain predefined request limits or constraints on request properties. EntryControl mechanisms can also analyze requests looking for predefined attack signatures coded as strings. These patterns can be matched to HTTP headers, the query, the content part of the HTTP request, or the URL (Universal Resource Locator). EntryControl provides the capability to detect known attacks that can be characterized by recurring string patterns in a request. 5.1.4 Security Management Security Management is provided in the G-Server with the establishment of three security roles: G- Master; Signer; and Viewer. The G-Master is the primary G-Server administrator, is responsible for initial setup and system management, and uses the G-Server Maintenance Tool on the G-Server console or the client-server G-Server Administration Tool running on a remote workstation. Using either of these tools the G-Master initializes the G-Server, establishes protected sites and resources, and configures protections. The Signer utilizes the G-Server Signing Tool to initialize security attributes of protected resources. This function can also be done by the G-Master with the Maintenance or Administration Tools. The third security role can only view settings and audit records, they have no ability to enter or change security-related information. Identification and Authentication is performed using user identifiers and passwords. Audit records of security role actions are captured. 5.1.5 Audit The G-Server maintains comprehensive audit trails composed of four different logs: · The System Log contains events related to G-Server functionality and a record of TOE administration events; · Site Signing Logs contain resource management events such as resource signing; · Site Verification Logs contain information flow events that match administrator- defined event logging patterns. · The Alerts Log contains Alerts that were triggered by the ExitControl and EntryControl mechanisms; The logs can be viewed, filtered, and sorted. The administrator can export the log to an external file, and can purge the log. Log sizes are configurable by the administrator. 5.1.6 Alerts The G-Server supports two levels of alerts: G-Server alerts, such as requested attempts to log in with a bad password; and site alerts, such as notifications about resource security attribute check failures. G-Server alerts include errors related to problems in the system itself. The three types of Alerts Gilian G-Server Version 2.5 Validation Report 11 mechanisms exist: Email Alerts; SNMP Alerts; and Execution of Preinstalled Executables. The E- mail Alert sends an e-mail alert to a predefined list of recipients when security attribute check failures are detected. The SNMP (Simple Network Management Protocol) G-Module sends alert messages to an external device, such as a Network Management System or a pager, when security attribute check failures are detected. The Executables Alert can trigger commands in other applications installed on the G-Server, such as an audible alarm or an instant messaging program, when a security attribute check failure is detected. This is determined by the exception and verification rules for the site. 5.1.7 Trusted Path/Channel When an administrator accesses the G-Server using the Administration Tool or the Signing Tool, the G-Server sets up a trusted channel between the client and the server. Integrity and confidentiality protection are achieved using the Secure Sockets Layer (SSL) protocol. Once the session has been established, the client signs a server challenge using the administrator’s password protected private key, authenticating the administrator. 6 DOCUMENTATION This section provides a complete listing of the documentation that was issued by the developer (and sponsor). Design documentation: 1) Introduction, Version 1.03, July 15, 2003. 2) Alert Log Functional Specifications, Version 1.04, July 15, 2003. 3) Application Protection G-Module Functional Specifications, Version 1.03, July 15, 2003. 4) Email G-Module Functional Specifications, Version 1.03, July 15, 2003. 5) Executables G-Module Functional Specifications, Version 1.03, July 15, 2003. 6) G-Agent Functional Specifications, Version 1.04, July 13, 2003. 7) GHTTP & Management Module Functional Specifications, Version 1.05, July 13, 2003. 8) G-Server G-Modules Functional Specifications, Version 1.03, July 15, 2003. 9) HTTP[S] Session Management Functional Specifications, Version 1.04, July 13, 2003. 10) Logging G-Module Functional Specifications, Version 1.04, July 15, 2003. 11) Management Sessions and Authentication Functional Specifications, Version 1.04, July 15, 2003. 12) Platform Functional Specifications, Version 1.03, July 21, 2003. 13) Recovery G-Module Functional Specifications, Version 1.03, July 15, 2003. 14) Redirect G-Module Functional Specifications, Version 1.03, July 15, 2003. 15) Signature Management Functional Specifications, Version 1.06, July 15, 2003. 16) SNMP G-Module Functional Specifications, Version 1.03, July 15, 2003. 17) Transparency Envelope Functional Specifications, Version 1.04, July 13, 2003. 18) User Management Functional Specifications, Version 1.03, July 15, 2003. Guidance documentation: 1) G-Server User Guide, Version 2.5, August 2003. Gilian G-Server Version 2.5 Validation Report 12 Delivery and Operation documentation: 1) G-Server Installation and Getting Started Guide, Version 2.5, April 2003. Security Target: 1) Gilian G-Server Version 2.5 Security Target, Version 1.0, July 30, 2003. 7 IT PRODUCT TESTING 7.1 Evaluator Testing The evaluators performed testing based on a test suite developed to cover the Security Functional Requirements and Security Functions as documented in the Gilian G-Server Version 2.5 Security Target, Version 1.0, and to test the Target of Evaluation (TOE) to the degree that was consistent with the EAL 1 level of assurance. The objective was to demonstrate that the TOE security functions perform as specified and to confirm that the TOE security functional requirements are met. The testing involved the Gilian G-Server appliance, G-Server 200XL, with no bypass card and the following tools pre-installed. (G-Server was configured in Single Mode as part of testing.) It included: § Maintenance Tool, § Administration Tool, § Signing Tool, and § CCTL provided resources: o Monitor, o Keyboard, and o Mouse It also utilized two CCTL-provided Web Servers: § An Apache version 1.3 website running on Red Hat Linux 6.2, installed on a Dell Optiplex GX110, with G-Agent software installed, and configured to support the HTTP protocol. § An IIS version 5.0 website running on Windows 2000 Server, installed on a Dell Optiplex GX1, configured to support the HTTPS protocol, and § A Dell Latitude C600 laptop computer running Windows NT Workstation 4.0 with Internet Explorer version 5.5. (The following G-Server software was installed as part of testing: Administration Tool, Signing Tool.) Tests were created to cover most, but not necessarily all, of the security functions identified in the Security Target TOE Summary Specification. During the ADO evaluation activities, it was Gilian G-Server Version 2.5 Validation Report 13 concluded that most of the security functions could be tested by following the instructions described in the Installation, Generation, and Start-up documentation. However, additional tests were developed to augment these tests; for example, tests were added to verify role separation and entry control functions, to verify areas that were not were not otherwise adequately covered. Together these two test suites were considered to be sufficient for the evaluation assurance level. The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. 8 EVALUATED CONFIGURATION The evaluated configuration consists of a G-Server Series 200XL machine with no bypass card, running G-Server Version 2.5 software, including the Maintenance Tool, Administration Tool, Signing Tool, and with the G-Agent running on protected Web Server machines. 9 RESULTS OF THE EVALUATION A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation was conducted based upon CC version 2.1 [1], [2], [3], [4] and CEM version 1.0 [5], [6] and all applicable National and International Interpretations in effect on May 5, 2003. The evaluation determined the product to be Part 2 conformant, and to meet the Part 3 EAL 1 requirements. The details of the evaluation are recorded in the Evaluation Technical Report [8] that is controlled by CygnaCom. 9.1 Evaluation of the Gilian G-Server Security Target (ST) (ASE) The evaluation team applied each EAL 1 ASE CEM work unit. The ST evaluation ensured that the ST contains description of the environment in terms of policies and assumptions, a statement of security requirements claimed to be met by the Gilian product that are consistent with the Common Criteria, and product security function descriptions that support the requirements. 9.2 Evaluation of the CM capabilities (ACM) The evaluation team applied each EAL 1 ACM CEM work unit. The ACM evaluation ensured the TOE is identified such that the consumer is able to identify the evaluated TOE. 9.3 Evaluation of the Delivery and Operation documents (ADO) The evaluation team applied each EAL 1 ADO CEM work unit. The ADO evaluation ensured the adequacy of the procedures to install, and configure the TOE securely. Gilian G-Server Version 2.5 Validation Report 14 9.4 Evaluation of the Development (ADV) The evaluation team applied each EAL 1 ADV CEM work unit. The evaluation team assessed the design documentation and found it adequate to aid in understanding how the TSF provides the security functions. The design documentation consists of a set of functional specification documents. The evaluation team also ensured that the correspondence analysis between the design abstractions correctly demonstrated that the lower abstraction was a correct and complete representation of the higher abstraction. 9.5 Evaluation of the guidance documents (AGD) The evaluation team applied each EAL 1 AGD CEM work unit. The evaluation team ensured the adequacy of the administrator guidance in describing how to securely administer the TOE. 9.6 Evaluation of the Test Documentation and the Test Activity (ATE) The evaluation team applied each EAL 1 ATE CEM work unit. The evaluation team ensured that the TOE performed as described in the functional specification and as stated in the TOE security functional requirements. The team tests substantiated the security functional requirements in the ST. 9.7 Summary of Evaluation Results The evaluation team’s assessment of the evaluation evidence demonstrates that the claims in the ST are met. Additionally, the evaluation team’s performance of independent tests also demonstrates the accuracy (or veracity) of the claims in the ST. 10 VALIDATOR COMMENTS The Gilian G-Server TOE satisfies the Gilian G-Server Version 2.5 Security Target Revision 1.0, when configured according to the Installation Guides listed in Section 8, and the Gilian G-Server ST is a CC compliant ST. The cryptography used in the Gilian G-Server has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. 11 SECURITY TARGET The Security Target, "Gilian G-Server Version 2.5 Security Target Revision 1.0", July 30, 2003 is included here by reference. 12 GLOSSARY CC Common Criteria Gilian G-Server Version 2.5 Validation Report 15 CCEVS Common Criteria Evaluation and Validation Scheme CCTL Common Criteria Testing Laboratory CEM Common Evaluation Methodology EAL Evaluation Assurance Level ETR Evaluation Technical Report I&A Identification and Authentication I/O Input/Output IP Internet Protocol NIAP National Information Assurance Program NIST National Institute of Standards & Technology NSA National Security Agency NVLAP National Voluntary Laboratory Assessment Program PP Protection Profile SFR Security Functional Requirements SNMP Simple Network Management Protocol ST Security Target TOE Target of Evaluation Gilian G-Server Version 2.5 Validation Report 16 13 BIBLIOGRAPHY [1] Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated August 1999, Version 2.1. [2] Common Criteria for Information Technology Security Evaluation – Part 2: Security functional requirements, dated August 1999, Version 2.1. [3] Common Criteria for Information Technology Security Evaluation – Part 2: Annexes, dated August 1999, Version 2.1. [4] Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance requirements, dated August 1999, Version 2.1. [5] Common Evaluation Methodology for Information Technology Security – Part 1: Introduction and general model, dated 1 November 1998, version 0.6. [6] Common Evaluation Methodology for Information Technology Security – Part 2: Evaluation Methodology, dated August 1999, version 1.0. [7] NIAP Common Criteria Evaluation and Validation Scheme for IT Security, Guidance to Common Criteria Testing Laboratories, Version 1.0, March 20, 2001. [8] Evaluation Technical Report for a Target of Evaluation Gilian G-Server 2.5, Version 1.3, August 7, 2003. [9] Gilian G-Server Version 2.5 Security Target Revision 1.0, July 30, 2003.