Ärendetyp 5.3 Diarienummer: 24FMV2956-37
Dokument ID CSEC2024006
Enligt säkerhetsskyddslagen (2018:585)
SEKRETESS
Enligt offentlighets- och
Sekretesslagen (2009:400)
2025-02-27
Försvarets materielverk
Swedish Defence Material Administration
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
Issue: 1.0, 2025-feb-27
Authorisation: Jerry Johansson, Lead certifier , CSEC
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 2 (17)
Table of Contents
1 Executive Summary 3
2 Identification 4
3 Security Policy 5
3.1 Security Audit 5
3.2 Cryptographic Support 5
3.3 User Data Protection 5
3.4 Identification and Authentication 5
3.5 Security Management 6
3.6 Protection of the TOE Security Functions (TSF) 6
3.7 TOE Access 6
4 Assumptions and Clarification of Scope 7
4.1 Assumptions 7
4.2 Organisational Security Policies 7
4.3 Clarification of Scope 7
5 Architectural Information 9
6 Documentation 10
7 IT Product Testing 11
7.1 Developer Testing 11
7.2 Evaluator Testing 11
7.3 Penetration Testing 11
8 Evaluated Configuration 12
9 Results of the Evaluation 13
10 Evaluator Comments and Recommendations 14
11 Glossary 15
12 Bibliography 16
Appendix A Scheme Versions 17
A.1 Scheme/Quality Management System 17
A.2 Scheme Notes 17
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 3 (17)
1 Executive Summary
The Target of Evaluation, TOE, is a Next Generation Firewall software, offering state-
ful firewall and deep packet inspection functionality. The TOE, Clavister cOS Core
v15.00.00, consists of two versions:
Clavister cOS Core 15.00.00.10-39191 (Intel 64 architecture) tested on:
VMware ESXi v.6.5.0
VMware ESXi v.6.7.0
VMware ESXi v.7.0 u3
VMware ESXi v.8.0 u2
Clavister cOS Core 15.00.00.10-39192 (ARM architecture v8) tested on
KVM/QEMU v.2.11.1
KVM/QEMU v.8.2.2
The product is also available in versions running directly on hardware, but these con-
figurations are outside the scope of the evaluation.
The TOE can be downloaded from Clavister's web site.
The ST does not claim conformance to any Protection Profiles.
There are seven assumptions being made in the ST regarding the secure usage and en-
vironment of the TOE. The TOE relies on these to counter the seven threats and com-
ply with the two organisational security policy (OSP) in the ST. The assumptions, the
threat and the OSP are described in chapter 4 Assumptions and Clarification of Scope.
The evaluation has been performed by Combitech AB in their premises in Växjö and
Bromma, Sweden, to some extent in the developer's premises in Örnsköldsvik, Swe-
den and was completed on the 20th of February 2025.
The evaluation was conducted in accordance with the requirements of Common Crite-
ria, version 3.1, revision 5, and the Common Methodology for IT Security Evaluation,
version 3.1, revision 5. The evaluation was performed at the evaluation assurance lev-
el EAL 4, augmented by ALC_FLR.1 Flaw reporting procedures.
Combitech AB is a licensed evaluation facility for Common Criteria under the Swe-
dish Common Criteria Evaluation and Certification Scheme. Combitech AB is is also
accredited by the Swedish accreditation body SWEDAC according to ISO/IEC 17025
for Common Criteria evaluation.
The certifier monitored the activities of the evaluator by reviewing all successive ver-
sions of the evaluation reports. The certifier determined that the evaluation results
confirm the security claims in the Security Target [ST], and have been reached in
agreement with the requirements of the Common Criteria and the Common Methodol-
ogy for evaluation assurance level:
EAL 4 + ALC_FLR.1.
The certification results only apply to the version of the product indicated in the cer-
tificate, and on the condition that all the stipulations in the Security Target are met.
This certificate is not an endorsement of the IT product by CSEC or any other organ-
isation that recognises or gives effect to this certificate, and no warranty of the IT
product by CSEC or any other organisation that recognises or gives effect to this
certificate is either expressed or implied.
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 4 (17)
2 Identification
Certification Identification
Certification ID CSEC2024006
Name and version of the
certified IT product
Clavister cOS Core v.15.00.00.10-39191 (Intel 64)
tested on:
VMware ESXi v.6.5.0
VMware ESXi v.6.7.0
VMware ESXi v.7.0 u3
VMware ESXi v.8.0 u2
Clavister cOS Core v.15.00.00.10-39192 (ARM v8)
tested on:
KVM/QEMU v.2.11.1
KVM/QEMU v.8.2.2
Security Target Identification Security Target Clavister cOS Core v.15.00,
document version G
EAL EAL 4 + ALC_FLR.1
Sponsor Clavister AB
Developer Clavister AB
ITSEF Combitech AB
Common Criteria version 3.1 revision 5
CEM version 3.1 revision 5
QMS version 2.5.2
Scheme Notes Release 22.0
Recognition Scope CCRA, SOGIS, EA/MLA
Certification date 2025-02-27
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 5 (17)
3 Security Policy
The TOE provides the following security services:
- Security Audit
- Cryptographic Support
- User Data Protection
- Identification and Authentication
- Security Management
- Protection of the TOE Security Functions (TSF)
- TOE Access
3.1 Security Audit
The TOE generates audit records for start-up and shutdown of the audit functions,
blocked traffic, administrator account activity, firewall activity, firewall rule modifica-
tion, network access, login attempts, etc.
Audit records are stored locally in memory and are exported to a Syslog server.
Administrators can select the severity level to be logged and include/exclude specific
events.
The oldest record in the local memory-based audit trail is overwritten when the trail
space is full.
3.2 Cryptographic Support
The TOE provides TLS functionality for HTTPS communication to the Management
Web interface. The library WolfSSL is used for cryptographic operations. The library
is included in the TOE.
Hardware cryptographic acceleration may be enabled on the Clavister appliances or in
the virtual machine environment hosting the TOE. Hardware cryptographic accelera-
tion is not included in the TOE.
Keys and key material will be zeroized when no longer needed.
3.3 User Data Protection
The TOE controls network traffic via Information Flow Control Security Functional
Policies (SFPs). The Access Rule SFP filter network traffic based on IP addressed and
network interfaces. The IP Policy SFP filter network traffic based on source and desti-
nation network interfaces, source and destination IP networks and the Service (proto-
col) by stateful inspection. The Authenticated Information Flow SFP requires users to
be authenticated to send information from specified source network addresses and/or
access resources on destination network addresses.
3.4 Identification and Authentication
Authentication without identification is required for management through the local
Console port. The Management Web interface and the Management CLI interface re-
quire identification and authentication using username and password. The Authenti-
cated Information Flow SFP requires the user to identify and authenticate through
username and password.
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 6 (17)
3.5 Security Management
The TSF recognizes three roles: Admin, Audit and Authenticated User. The Admin
and Audit roles have management privileges while the Authenticated User only has
privileges related to the Authenticated Information Flow SFP. The Admin may query,
modify, and delete attributes associated to the Information Flow SFPs, query and mod-
ify the TOE configuration and the set of events to be audited. The Audit may query
the same entities. Both Admin and Audit may query TOE and device status infor-
mation. The Admin may also restart the TOE.
3.6 Protection of the TOE Security Functions (TSF)
The TOE shall perform self-tests during initial start-up and tests of the operation of
underlying device entities may be initiated by administrators.
A secure state shall be preserved when failures occur and are discovered by self-tests
or tests of external entities.
3.7 TOE Access
Only one Admin may be authenticated at the same time. Subsequent administrator au-
thentications will grant Audit privileges only. More than one Audit may be authenti-
cated concurrently.
User sessions may automatically be terminated after a configurable time of inactivity
and/or total session lifetime.
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 7 (17)
4 Assumptions and Clarification of Scope
4.1 Assumptions
The Security Target [ST] makes seven assumptions on the usage and the operational
environment of the TOE.
A.NO_GENERAL_PURPOSE
The TOE underlying platform is assumed not to provide general purpose computing
capabilities.
A.TRUSTED_ ADMINISTRATOR
Authorized administrators are assumed to be non-hostile and to act in the best interest
of security for the organization. This includes being appropriately trained, following
given policies, and adhering to guidance documentation. However, they are capable of
making mistakes.
A.PHYSICAL_SECURE
The TOE is operated in a physically secure environment, i.e., no unauthorized person
has physical access to the TOE or its underlying platform.
A.SINGLE_CONNECTION
Information cannot flow among the internal and external networks unless it passes
through the TOE.
A.AUDIT_SERVER
It is assumed that an external audit server can receive and store audit events from the
TOE.
A.TIME
The TOE environment provides the TOE with a reliable time stamp.
A.VIRTUAL_DEPLOYMENT
Only one instance of the TOE is executing as a guest in the virtual deployment.
No other applications are running as guests in the TOE virtual deployment.
4.2 Organisational Security Policies
The Security Target [ST] places two organizational Security Policies on the TOE.
P.MANAGE
The TOE shall be manageable only by authorized administrators.
P.ACCOUNTABLE
The TOE shall provide audit records to hold administrators accountable for their
actions.
4.3 Clarification of Scope
The Security Target [ST] contains seven threats, which have been considered during
the evaluation.
T.NETWORK_ACCESS
An Attacker on an external or internal network may attempt to bypass the information
flow control policy by sending information through the TOE, which results in exploi-
tation and/or compromise of protected resources on the internal network.
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 8 (17)
T.UNDETECTED
An Attacker on an external or internal network may attempt to compromise the assets
without being detected. This threat includes the Attacker causing audit records to be
lost or prevent future records from being recorded by taking actions to exhaust audit
storage capacity, thus masking the Attacker’s actions. An exhaustion attack can for
example be done by sending a large number of packets over a long time period, caus-
ing generation of audit records.
T.ADMIN_ACCESS
The Attacker may attempt to gain administrator access to the TOE web management
interface through illicit authentication.
T.ADMIN_COMMUNICATION
The Attacker may be able to view, modify, and/or delete security related information
sent between a remotely located authorized administrator and the TOE. The Attacker
may for example insert himself between the administrator and the TOE and acting as a
man in the middle without the administrator’s knowledge.
T.BYPASS
The Attacker on an external or internal network may attempt to bypass, deactivate, or
tamper with TOE security functions to cause unauthorized access to TOE functions,
user or TSF data, or to deny access to legitimate users.
T.HALT
The Attacker on an external or internal network may attempt to compromise the conti-
nuity of the TOE functionality by halting execution of the TOE.
T.FAILURE
A component of the TOE or in TOE operational environment may fail during start-up
or during operations, or a TOE User may involuntarily cause a compromise or failure
in the security functionality and leave the TOE susceptible to attackers.
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 9 (17)
5 Architectural Information
The TOE is the base software engine that drives and controls a virtual deployment in a
virtual machine environment. The TOE binary is downloaded from Clavister’s web
site.
The TOE relies on the following IT equipment in the operational environment:
- Local management console
General purpose computer with serial interface (COM-port)
- Remote administration computer
General purpose computer with web browser for remote administration over HTTPS
- Syslog server
General purpose computer with Syslog server compliant with RFC 5424.
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 10 (17)
6 Documentation
The guidance documents below are part of the TOE:
- Clavister cOS Core Administration Guide, Version: 15.00.00
- Clavister cOS Core CLI Reference Guide, Version: 15.00.00
- Clavister cOS Core Log Reference Guide, Version: 15.00.00
- Guidance Documentation - Clavister cOS Core, Version 15.00.00
The guides are available in PDF format to download from Clavister’s web site, or as
HTML pages directly on Clavister´s web site.
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 11 (17)
7 IT Product Testing
7.1 Developer Testing
The developer tested both binaries with full TSFI coverage:
Clavister cOS Core 15.00.00.10-39191 running on
VMware ESXi v.6.5.0 (Intel 64)
VMware ESXi v.6.7.0 (Intel 64)
VMware ESXi v.8.0 u2 (Intel 64)
Clavister cOS Core 15.00.00.10-39192 running on
KVM/QEMU v.2.11.1 (ARM v8)
KVM/QEMU v.8.2.2 (ARM v8)
The tests were performed in the developer's premises in Örnsköldsvik, Sweden.
7.2 Evaluator Testing
The evaluators repeated a large subset of the developer's test cases, and some addi-
tional independent test cases cases on:
Clavister cOS Core 15.00.00.10-39191 running on VMWare ESXi 7.0 u3 (Intel 64).
The tests were performed in the evaluator's premises in Bromma, Stockholm Sweden.
7.3 Penetration Testing
The evaluators performed vulnerability scans (Nessus), port scans (NMAP), and fuzz-
ing with crafted network packages (Scapy/Wireshark).
The tests were performed in the evaluator's premises in Bromma, Stockholm Sweden
on Clavister cOS Core 15.00.00.10-39191 running on VMWare ESXi 7.0 u3 (Intel
64)..
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 12 (17)
8 Evaluated Configuration
The following features are NOT part of the evaluated configuration:
- Authentication using other methods than local username and password validation
- SSH based Management CLI interface
- Secure Copy, SCP
- Clavister InControl management interface
- SMTP and InControl log receivers, SNMP traps
- SNMP
- Software update
- High Availability (HA) configuration
- VPN
- Intrusion Detection & Prevention
- Anti-Virus
- Anti-Spam
- Application Control
- Traffic/Bandwidth Management
- Hardware crypto accelerator
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 13 (17)
9 Results of the Evaluation
The evaluators applied each work unit of the Common Methodology [CEM] within
the scope of the evaluation, and concluded that the TOE meets the security objectives
stated in the Security Target [ST] for an attack potential of Enhanced-Basic.
The certifier reviewed the work of the evaluators and determined that the evaluation
was conducted in accordance with the Common Criteria [CC].
The evaluators' overall verdict is PASS.
The verdicts for the assurance classes and components are summarised in the follow-
ing table:
Assurance Class/Family Short name Verdict
Development ADV PASS
Security Architecture ADV_ARC.1 PASS
Functional Specification ADV_FSP.4 PASS
TOE Design ADV_TDS.3 PASS
Implementation Representation ADV_IMP.1 PASS
Guidance Documents AGD PASS
Operational User Guidance AGD_OPE.1 PASS
Preparative Procedures AGD_PRE.1 PASS
Life-cycle Support ALC PASS
CM Capabilities ALC_CMC.4 PASS
CM Scope ALC_CMS.4 PASS
Delivery ALC_DEL.1 PASS
Development Security ALC_DVS.1 PASS
Life-cycle Definition ALC_LCD.1 PASS
Flaw Remediation ALC_FLR.1 PASS
Tools and Techniques ALC_TAT.1 PASS
Security Target Evaluation ASE PASS
ST Introduction ASE_INT.1 PASS
Conformance Claims ASE_CCL.1 PASS
Security Problem Definition ASE_SPD.1 PASS
Security Objectives ASE_OBJ.2 PASS
Extended Components Definition ASE_ECD.1 PASS
Security Requirements ASE_REQ.2 PASS
TOE Summary Specification ASE_TSS.1 PASS
Tests ATE PASS
Coverage ATE_COV.2 PASS
Depth ATE_DPT.1 PASS
Functional Tests ATE_FUN.1 PASS
Independent Testing ATE_IND.2 PASS
Vulnerability Assessment AVA PASS
Vulnerability Analysis AVA_VAN.3 PASS
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 14 (17)
10 Evaluator Comments and Recommendations
The evaluators do not have any comments or recommendations concerning the prod-
uct or using the product.
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 15 (17)
11 Glossary
CC Common Criteria
CEM Common Evaluation Methodology
CLI Command Line Interface
CM Configuration Management
cOS Clavister Operating System
CPU Central Processing Unit
CRL Certificate Revocation List
HMAC Keyed Hash Message Authentication Code
http Hypertext Transfer Protocol
https Hypertext Transfer Protocol Secure (i.e. TLS over http)
ICMP Internet Control Message Protocol
IP Internet Protocol
IPSec Internet Protocol Security
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
NAT Network Address Translation
RAM Random Access Memory
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SSH Secure Shell
ST Security Target
TCP Transmission Control Protocol
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Functions
TSFI TSF Interface
UDP User Datagram Protocol
VPN Virtual Private Network
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 16 (17)
12 Bibliography
ST Security Target - Clavister cOS Core v.15.00, Clavister AB,
2025-02-11, document version G
AGD Guidance Documentation - Clavister cOS Core v.15.00,
Clavister AB, 2024-11-01, document version B
ADM Clavister cOS Core Administration Guide, Clavister AB,
2024-10-30, document version 15.00.00
CLI Clavister cOS Core CLI Reference Guide, Clavister AB,
2024-10-30, document version 15.00.00
LOG Clavister cOS Core Log Reference Guide, Clavister AB,
2024-10-30, document version 15.00.00
CCpart1 Common Criteria for Information Technology Security Evaluation,
Part 1, version 3.1 revision 5, CCMB-2017-04-001
CCpart2 Common Criteria for Information Technology Security Evaluation,
Part 2, version 3.1 revision 5, CCMB-2017-04-002
CCpart3 Common Criteria for Information Technology Security Evaluation,
Part 3, version 3.1 revision 5, CCMB-2017-04-003
CC CCpart1 + CCpart2 + CCpart3
CEM Common Methodology for Information Technology Security
Evaluation, version 3.1 revision 5, CCMB-2017-04-004
EP-002 002 Evaluation and Certification, CSEC, 2023-06-02, document
version 35.0
EP-188 188 Scheme Crypto Policy, CSEC, 2023-09-06, document
version 13.0
Swedish Certification Body for IT Security
Certification Report Clavister cOS Core 15.00.00
24FMV2956-37 1.0 2025-02-27
CSEC2024006 17 (17)
Appendix A Scheme Versions
During the certification the following versions of the Swedish Common Criteria Eval-
uation and Certification scheme have been used.
A.1 Scheme/Quality Management System
During the certification the following versions of the Swedish Common Criteria Eval-
uation and Certification scheme have been used.
Version Introduced Impact of changes
2.5.2 2024-06-17 None
2.5.1 Application Original version
A.2 Scheme Notes
Scheme Notes applicable to the certification
Scheme
Note
Version Title Applicability
SN-15 5.0 Testing Compliant
SN-18 4.0 Highlighted requirements on the ST Compliant
SN-22 4.0 Vulnerability assessment Compliant
SN-27 1.0 ST requirements at the time of ap-
plication
Compliant
SN-28 2.0 Updated procedures Compliant
SN-31 1.0 New procedures for site-visit and
testing oversight
Compliant