National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report Tenix Datagate Inc Interactive Link Data Diode Device, Gigabit Variant Version 3.0 (P/N FID003) Report Number: CCEVS-VR-06-0051 Dated: 17 November 2006 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 VALIDATION REPORT Tenix Interactive Link Data Diode Device ACKNOWLEDGEMENTS Validation Team Ken Elliott III The Aerospace Corp. Columbia, MD ii VALIDATION REPORT Tenix Interactive Link Data Diode Device Table of Contents 1 Executive Summary.................................................................................................... 1 1.1 Interpretations ......................................................................................................... 2 1.2 Threats to Security.................................................................................................... 2 2 Identification............................................................................................................... 4 3 Security Policy............................................................................................................ 5 4 Assumptions................................................................................................................ 6 5 Architectural Information ........................................................................................... 8 6 Documentation.......................................................................................................... 11 7 IT Product Testing .................................................................................................... 19 7.1 Developer Testing............................................................................................. 19 7.2 Evaluation Team Independent Testing ............................................................. 19 7.3 Evaluation Team Penetration Testing............................................................... 19 8 Evaluated Configuration........................................................................................... 19 9 Results of the Evaluation .......................................................................................... 20 10 Validator Comments/Recommendations .............................................................. 21 11 Annexes................................................................................................................. 21 12 Security Target...................................................................................................... 21 13 Glossary ................................................................................................................ 21 14 Bibliography ......................................................................................................... 23 iii VALIDATION REPORT Tenix Interactive Link Data Diode Device 1 Executive Summary The original evaluation of the Tenix Interactive Link Data Diode Device (IL-DDD) was performed by COACT, Inc. in the United States and was completed on 22 August 2005. This evaluation was augmented by analysis performed by the National Security Agency, as well as two CCEVS Technical Oversight Panels (TOPs). Subsequent the original validation activity, an updated version of the IL-DDD was submitted for additional validation. The changes to the originally-evaluated device were evaluated by the National Security Agency, as they were limited in scope and did not warrant a full re-evaluation by a CCTL. This subsequent evaluation was conducted in accordance with the requirements of the Common Criteria, Version 2.1 and the Common Methodology for IT Security Evaluation (CEM), Version 1.0. For evaluation of CC Part 3 components above EAL4 performed by the CCTL, methodology was created by the CCTL and validator and approved by CCEVS. For evaluation of CC Part 3 components above EAL4 performed by NSA, the validator determined that the work performed was commensurate with an EAL7 level of effort. The Target of Evaluation (TOE) identified in this Validation Report has been evaluated at a NIAP approved Common Criteria Testing Laboratory, and at the NSA as well, using the Common Methodology for IT Security Evaluation (Version 1.0) for conformance to the Common Criteria for IT Security Evaluation (Version 2.1), supplemented with additional methodology. This Validation Report applies only to the specific version of the TOE as evaluated. The evaluation has been conducted in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme and the conclusions of the testing laboratory and the NSA in the evaluation technical report are consistent with the evidence adduced. This Validation Report is not an endorsement of the Tenix IL-DDD product by any agency of the US Government and no warranty of the product is either expressed or implied. The validation team worked the vendor and NSA to define the appropriate evidence and analysis for the evaluation effort; NSA personnel carried out the evaluation activities which were reviewed by the validator. The validation team found that the evaluation showed that the product continued to provide all of the functional requirements and assurance requirements stated in the original Security Target (ST). Because the changes to the product were “below” the level of abstraction presented in the security target, no changes to that document were necessary. Therefore the validation team concludes that the evaluation findings are accurate, the conclusions justified, and the conformance results are correct. The conclusions of the evaluators in the evaluation technical report are consistent with the evidence produced. All of the changes to the originally evaluated device were at a level of abstraction such that only EAL7-level evidence (the LLD and IMP) was substantially affected. As such, the NSA performed all of the evaluation activity associated with this TOE. While the administrators guide (AGD) was affected, re-evaluation of the guide was only necessary in 1 VALIDATION REPORT Tenix Interactive Link Data Diode Device light of the additional LLD evidence, and so this additional analysis was also performed by NSA personnel. The technical information included in this report is primarily taken directly from the original evaluation as documented in Validation Report CCEVS-VR-05-0119. Minor updates and additions have been made to reflect the modifications to the IL-DDD from its originally validated version. While much of the information is from, and refers to, the original evaluation and validation activity, most of the information on the activities and findings from the original activity is retained in this document so that it can stand alone, rather than serve as a supplement to CCEVS-VR-05-0119. 1.1 Interpretations The following interpretations are incorporated into the evaluation. National Interpretations I-0405 – American English Is An Acceptable Refinement, 2000-12-20 I-0407 – Empty Selections Or Assignments, 2002-01-04 I-0427 – Identification of Standards, 2001-06-22 International Interpretations RI # 3 - Unique identification of configuration items in the configuration list, 2002-02-11 RI # 4 - ACM_SCP.*.1C requirements unclear, 2001-11-12 RI # 8 - Augmented and Conformant overlap, 2001-07-31 RI #19 – Assurance Iterations, 2002-02-11 RI # 31 - Obvious vulnerabilities, 2002-10-25 RI #49 – Threats met by the Environment, 2001-02-16 RI #64 – Apparent higher standard for explicitly stated requirements, 2001-02-16 RI # 65 - No component to call out security function management, 2001-07-31 RI # 69 – Informal Security Policy Model, 2001-03-30 RI # 75 - Duplicate Informative Text for ATE_FUN.1-4 and ATE_IND.2-1, 2000-10-15 RI #84 – Aspects of objectives in TOE and environment, 2001-02-16 RI #85 – SOF Claims additional to the overall claim, 2002-02-11 RI # 116 - Indistinguishable work units for ADO_DEL, 2001-07-31 RI # 127 – TSS Work unit not at the right place, 2002-10-25 RI # 128 – Coverage of the delivery procedures, 2002-11-15 RI # 133 - Consistency analysis in AVA_MSU.2, 2002-10-25 RI #138 – Iteration and narrowing of scope, 2002-06-05 1.2 Threats to Security The Security Target identified the following threats that the evaluated product addresses: 2 VALIDATION REPORT Tenix Interactive Link Data Diode Device T.TRANSFER A USER or process, e.g. a Trojan horse, on the HIGH SIDE NETWORK that accidentally or deliberately breaches the confidentiality of some HIGH SIDE INFORMATION by transmitting data through the IL-DDD to the LOW SIDE NETWORK. T.TAMPER An adversary tampers with the contents of IL-DDD during delivery, and/or after installation to cause the compromise the confidentiality of some HIGH SIDE INFORMATION. T.LOGIC A USER or process on the LOW SIDE NETWORK transmits data to the TOE that causes a modification to the TSF. T.FAILURE The IL-DDD has a hardware failure that allows HIGH SIDE INFORMATION to be transmitted to the LOW SIDE NETWORK and thus makes the INFORMATION available to LOW SIDE USERS. It is important to note that the protection offered (and the security policy enforced) is one that preserves the confidentiality of the high-side data. No mechanisms concerning the protection of the integrity of the high side data were evaluated. 3 VALIDATION REPORT Tenix Interactive Link Data Diode Device 2 Identification The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs) using the Common Evaluation Methodology (CEM) for Evaluation Assurance Level (EAL) 1 through 4 in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation. The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products desiring a security evaluation contract with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product is added to NIAP’s Validated Products List. Where an Evaluation Assurance Level above EAL4 is granted, CCEVS is responsible for ensuring that the additional assurance components are met. For this evaluation, the CCTL and CCEVS determined appropriate methodology for those components of the ACM, ALC, and ADO families that were different from EAL4 to EAL7, and then monitored the CCTL’s compliance to this methodology. Additionally, ATE_IND.3 was performed by the CCTL using methodology approved by the validator. For the remaining ADV, ATE, and AVA work units above EAL4, an NSA evaluation team performed their analysis directly on the requirements (that is, no formal methodology was formulated). Table 1 provides information needed to completely identify the product, including: • The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated; • The Security Target (ST), describing the security features, claims, and assurances of the product; • The conformance result of the evaluation; • The organizations and individuals participating in the evaluation. Table 1: Evaluation Identifiers Item Identifier Evaluation Scheme United States NIAP Common Criteria Evaluation and Validation Scheme TOE: Tenix Interactive Link Data Diode Device, Gigabit Variant, version 3.0, Part Number FID003 Protection Profile Not applicable. 4 VALIDATION REPORT Tenix Interactive Link Data Diode Device Item Identifier 3 ST: Interactive Link Data Diode Device Common Criteria Security Target, Issue 5.1, 19 August, 2005. Evaluation Technical Report Tenix Interactive Link Data Diode Device Version 2.1 Evaluation Technical Report, August 22, 2005. CC Version Common Criteria for Information Technology Security Evaluation, Version 2.1 Conformance Result CC Part 2 conformant, CC Part 3 augmented (AVA_CCA.3) Sponsor Tenix Datagate Inc. Developer Tenix Defence Pty Ltd Common Criteria Testing Lab (CCTL) COACT, Inc., Columbia, MD (for original evaluation) CCEVS Validator Ken Elliott, The Aerospace Corporation Security Policy The TOE provides protection of the confidentiality of data on the HIGH SIDE network whose sole connection point to the LOW SIDE network is through the TOE. The TOE provides a unidirectional transmission of electronic signals (information) from a LOW SIDE network to a HIGH SIDE network. All security functions are provided by the Interactive Link Data Diode Device (IL-DDD). The information flow control policy can be summarized as: Unidirectional Flow Security Function Policy (SFP) The asset of HIGH SIDE INFORMATION is to be kept confidential from processes, applications and users on the LOW SIDE while allowing information to flow from the LOW SIDE to the HIGH SIDE. 5 VALIDATION REPORT Tenix Interactive Link Data Diode Device 4 Assumptions The IL-DDD provides a connection between two networks of different security levels; HIGH SIDE NETWORK and the LOW SIDE NETWORK. Note that all HIGH SIDE USERS must be cleared to use the LOW SIDE NETWORK. The assumptions made about the intended environment are: A.PERSONNEL The IL-DDD shall be installed, administered and used by authorized personnel who possess the necessary privileges to access the HIGH SIDE INFORMATION. A.PHYSICAL The intended environment shall be capable of storing and operating the IL-DDD in accordance with the requirements of the HIGH SIDE. Note there may also be a requirement for protecting critical system resources within secure environments greater than the requirements of the HIGH SIDE; e.g., a secured HIGH SIDE server room. The IL-DDD may be regarded as a critical resources if users of the HIGH SIDE NETWORK have a critical requirement to access information from the LOW SIDE NETWORK. A.EMISSION It is intended that the IL-DDD operate in an environment where physical (or some other) security measures prevent any TEMPEST attack. This could be achieved by ensuring that the security boundary is outside the IL-DDD Equipment Radiation TEMPEST Zone (ERTZ). The IL-DDD operates at the edge of the secure boundary where the LOW SIDE NETWORK meets the HIGH SIDE NETWORK. Care should be taken to determine the relationship of the IL-DDD ERTZ to its secure boundary and to keep the ERTZ within them A.INSTALLATION The system management staff in accordance with the Administration Documentation shall install the IL-DDD. The appropriate SECURITY AUTHORITY shall accredit the installation of the IL-DDD. A.TRAINING All staff who have access to a secure INFORMATION systems shall be trained in the reasons for security, how the security has been implemented, why it has been implemented in that way and their responsibilities in ensuring that the INFORMATION system security is maintained. A.NETWORK The IL-DDD(s) (i.e., either a singular or multiple devices) is the only method of interconnecting the LOW and HIGH SIDE NETWORKs. This prevents a threat agent from circumventing the security being provided by the IL-DDD through an untrusted product. 6 VALIDATION REPORT Tenix Interactive Link Data Diode Device A.NO_EVIL Authorised users of the TOE are non-hostile and follow all usage guidance to ensure that the IL-DDD is operated in a secure manner. 7 VALIDATION REPORT Tenix Interactive Link Data Diode Device 5 Architectural Information The Interactive Link Data Diode Device (IL-DDD), as shown below, is a hardware product providing a unidirectional data path between a source and destination. The IL- DDD inputs and outputs are connected to their servers via fiber-optic cables to minimize electromagnetic radiation. Circuitry within the unit ensures that signals can pass only from input to output, and not vice versa. This requires data transfers over the diode to be sent without acknowledgments. TSF A number of additional components are pictured above; while not part of the TOE, these additional components are necessary in order for a user to be able to transfer data from the low workstation/server to the high workstation/server. These components are described in the IT Environment section below. The IL-DDD is implemented solely in hardware. The IL-DDD provides a unidirectional data path from the LOW SIDE NETWORK to the HIGH SIDE NETWORK. Features include: • Data transfer over the diode is sent without acknowledgment; • Multiple workstations or PCs can share a single Data Diode. The Interactive Link provides a one-way data flow from the LOW SIDE NETWORK to the HIGH 8 VALIDATION REPORT Tenix Interactive Link Data Diode Device SIDE NETWORK via the IL-DDD. The Interactive Link software (which is not part of the TOE, but runs in the IT Environment as explained below) provides the method for the data to be transferred to the HIGH SIDE NETWORK. These data (which are determined by the target system’s security policy, and could include e-mail, SNMP traps, etc.) are sent from low to high without examination by the IL-DDD. TOE Changes Changes from the originally evaluated product involved replacing the receiver/transmitter components and internal buffer (to accommodate Gigabit throughput). From an external logical interface perspective, apart from a faster throughput there are no differences between the updated TOE and the originally-evaluated TOE. From a physical perspective, transceiver components (rather than dedicated receiver/transmitter components) were used, but internally one side of each component was grounded so that the transceiver physically functions as a receiver only on the low side and a transmitter only on the high side. The evaluation verified that the implementation matched this design so that there is high assurance that no light can be transmitted through the device from the high side to the low side. IT Environment The IT environment provides support for the TOE, allowing the TOE to operate with full functionality. The IT environment includes the HIGH and LOW SIDE servers and IL software. The IL-DDD is installed between the HIGH and LOW SIDE NETWORKs and is located with the HIGH SIDE SERVER, in the HIGH SIDE NETWORK space. The HIGH SIDE SERVER receives LOW SIDE INFORMATION transferred across the IL-DDD from the LOW SIDE SERVER. The HIGH SIDE SERVER distributes INFORMATION to the appropriate HIGH SIDE DESTINATION. The LOW SIDE SERVER packages up the display INFORMATION so that it can be transferred across the unidirectional IL-DDD. The following components are required for the IT environment and are necessary to deploy the complete Interactive Link architecture; it should be noted, however, that these dependencies are in all instances for functional purposes. • The HIGH SIDE Interactive Link Server (HILS) consists of hardware, a commercial operating system and purpose built software, and contains no security functions. • The LOW SIDE Interactive Link Server (LILS) consists of hardware, a commercial operating system and purpose built software which contains no security functions. • The IL Software is purpose built software, has different aspects resident on both the HILS and the LILS, and contains no security functions. The IL-DDD is installed between the HIGH and LOW SIDE NETWORKs and is located with the HILS, in the HIGH SIDE NETWORK space. The HILS receives LOW SIDE INFORMATION transferred across the IL-DDD from the LILS. The HILS distributes INFORMATION to the 9 VALIDATION REPORT Tenix Interactive Link Data Diode Device appropriate HIGH SIDE USER’S WINDOW SERVER. The LILS packages up the INFORMATION so that it can be transferred across the unidirectional IL-DDD. 10 VALIDATION REPORT Tenix Interactive Link Data Diode Device Documentation The following documentation was supplied to support the evaluation of the TOE. Note that the TOE was evaluated as part of a (still on-going) evaluation of the Interactive Link product at EAL 7; consequently, the documentation delivered covered both the IL-DDD and an additional product known as the Interactive Link Keyboard Switch (IL-KBS). The documentation list below reflects a superset of the documentation actually used in the evaluation of the IL-DDD product. Bolded documentation indicates documentation added for this version of the TOE. Document Version IL SUPPORTING DOCUMENTATION (96162D00001001DL.xls) Issue 1 IL PRODUCTS (96162D00001001IL.xls) Issue 5 UNIT TRANSPORTABLE (96162D00002001PL.XLS) Issue 1 INTERACTIVE LINK SYSTEM (96162D00003001CL.xls) Issue 4 KEYBOARD SWITCH 10BASE-T SHIPPABLE (US) (96162D01001001-003CL.xls) Issue 4 KEYBOARD SWITCH (96162D01001001DL.xls) Issue 3 KBS ACCESSORY PACK (US) (96162D01100001-001PL.xls) Issue 1 KBS (10BASE-T) SHIPPABLE (US) (96162D01200001-006PL.xls) Issue 2 KBS ASSEMBLY (10BASE-T) (96162D01305001CL.xls) Issue 3 KBS ASSEMBLY (10BASE-T) (96162d01305001PL.xls) Issue 8 KEYBOARD SWITCH 10BASE-T CIRCUIT CARD ASSEMBLY (96162D01310001-001CL.xls) Issue 1 KEYBOARD SWITCH 10BASE-T CIRCUIT CARD ASSEMBLY (96162D01310001-001PL.xls) Issue 1 KEYBOARD SWITCH 10BASE-T PROGRAMMED CCA (96162D01311001-001CL.xls) Issue 1 KEYBOARD SWITCH 10BASE-T PROGRAMMED CCA (96162D01311001-001PL.xls) Issue 1 FRONT PANEL CIRCUIT CARD ASSEMBLY (96162D01320001CL.xls) Issue 1 FRONT PANEL CIRCUIT CARD ASSEMBLY (96162d01320001PL.xls) Issue 4 INTERACTIVE LINK APPROVED SOURCES LISTING (96162d01990200.xls) Issue 6 DATA DIODE DEVICE SHIPPABLE (US) (96162D02400001- 001CL.xls) Issue 4 DATA DIODE DEVICE SHIPPABLE (US) (96162D02400001- 001PL.xls) Issue 5 DATA DIODE DEVICE (96162D02400001DL.xls) Issue 3 11 VALIDATION REPORT Tenix Interactive Link Data Diode Device Document Version DATA DIODE DEVICE ACCESSORY PACK (US) (96162D02410001-001PL.xls) Issue 1 DATA DIODE DEVICE ASSEMBLY (96162D02430001CL.xls) Issue 3 DATA DIODE DEVICE ASSEMBLY (96162d02430001PL.xls) Issue 7 DATA DIODE DEVICE CIRCUIT CARD ASSEMBLY (96162D02431001CL.xls) Issue 2 DATA DIODE DEVICE CIRCUIT CARD ASSEMBLY (96162d02431001PL.xls) Issue 4 ADMINISTRATOR PACK (96162D04001001CL.xls) Issue 3 ADMINISTRATOR PACK (96162d04001001PL.xls) Issue 4 HIERARCHY.doc None SUPPORT SYSTEMS PROCEDURE DOCUMENT AND DATA CONTROL (msp0702.doc) Issue 3.1 Configuration Management Documentation (B217P00001001.pdf) Issue 1.0 KBS Assembly Procedure (96162k01990101.doc) Issue 1 DDD Assembly Procedure (96162K01990102.doc) Issue 1 WORK INSTRUCTION FOR CLEARCASE CONFIGURATION MANAGEMENT (infosec_wi_050201.doc) Issue 3.0 WORK INSTRUCTION FOR IMPLEMENTING A RELEASE BASELINE (infosec_wi_050202.doc) Issue 2.0 Janus Phase 1 Version Description Document (Janus Ph1 VDD.doc) Issue 1.0 DDD_2.1.4_CAD.TXT None DDD_2.1.4_DOCS.TXT None IL_RELEASE_5.0.1_CAD.TXT None IL_RELEASE_5.0.1_DOCS.TXT None IL_RELEASE_5.0.1_SOURCE.TXT None KBS_10BASET_2.1.0_CAD.TXT None KBS_10BASET_2.1.0_DOCS1.TXT None KBS_10BASET_2.1.0_SOURCE.TXT None KBS_MAN_6.0.1_DOCS.txt None KBS_MAN_6.0.1_SOURCE.txt None SUPPORT_EQUIP_1.1.0_DOCS.txt None tool_config.txt None Infosec Documentation.xls None Infosec ECO Register.xls None Infosec ECP Register.xls None Software.xls None Software_COTS.xls None Software_ESD.xls None 12 VALIDATION REPORT Tenix Interactive Link Data Diode Device Document Version PROJECT MANAGEMENT PROCEDURES DEVELOPMENT DOCUMENTATION SYSTEM (DDS) STANDARD (msi040101.doc) Issue 1 PROJECT MANAGEMENT PROCEDURES PROJECT MANAGEMENT (msp0401.doc) Issue 2 ENGINEERING PROCEDURES CONFIGURATION CONTROL (msp0502.doc) Issue 2.1 ENGINEERING PROCEDURES CONTROL OF THE DEVELOPMENT ENVIRONMENT (msp0505.doc) Issue 2 SUPPORT SYSTEMS PROCEDURE DOCUMENT AND DATA CONTROL (msp0702.doc) Issue 3.1 Configuration Management Plan (CMP_v4.3_B214.P01.000.003.doc) Issue 4.3 ECP Template (sd001.doc) Issue 1 ECO Template (sd002.doc) Issue 1 Corrective Action Request Template (sd013.doc) Issue 1 Nonconformance/Trouble Report (sd009.doc) Issue 1 Contract Change Proposal (sd199.doc) Issue 1 Request for Deviation/Waiver (sd080.doc) Issue 1 B217D001002 Configuartion Control Identification Register (CCI_register.doc) Issue 2.0 ECP226 Evidence (ECP226.doc) N/A ECP226 Evidence (ECP226trail.doc) N/A WORK INSTRUCTION FOR DELIVERY PROCEDURES FOR INTERACTIVE LINK COMPONENTS (infosec_wi_060201.doc) Issue 2.0 Tenix Datagate US Work Instruction For Purchase Order Validation (Purchase_Order_Validation_TDUS-WI-030301_v1.1.doc) Issue 1.1 Tenix Datagate US Work Instruction For Quotations (Quotations- TDUSWI-030302.doc) Issue 1.0 Tenix Datagate Work Instruction For Sales Order Processing (Sales_Order_Processing_TDC-WI-030301.doc) Issue 1.0 Delivery and Operation Procedures (B217P00001003.pdf) Issue 1.0 Functional Specification (B217P00002002_v7.doc) Issue 7 High Level Design (B217P00002003_v8`.doc) Issue 8 Engineering Specification for the Type 5 Keyboard and Mouse Interface Rev A IBM Personal System/2 Mouse Technical Reference Second Edition IBM Personal System/2 Hardware Interface Technical Reference - Common Interfaces First Edition Data Diode Device Implementation (B217P00002008.pdf) Issue 3.0 Drawing 96162D01310002 Keyboard Switch Schematic Diagram 22 sheets (96162D01310002_9.pdf) Issue 9 Drawing 96162D01310001 Keyboard Switch Circuit Card Assembly 1 sheet (96162D01310001_6.pdf) Issue 6 13 VALIDATION REPORT Tenix Interactive Link Data Diode Device Document Version Drawing 96162D01310020 Keyboard Switch Printed Board 8 sheets (96162D01310020_7.pdf) Issue 7 Drawing 96162D01320001 Front Panel Circuit Card Assembly 1 sheet (96162D01320001_r3.pdf) Issue 3 Drawing 96162D01320002 Front Panel Schematic Diagram 1 sheet (96162D01320002_r2.pdf) Issue 2 Drawing 96162D01320020 Front Panel Printed Board 6 sheets (96162D01320020_r3.pdf) Issue 3 Drawing 96162D02431001 Data Diode Device Circuit Card Assembly 1 sheet (96162D02431001_2 .pdf) Issue 2 Drawing 96162D02431002 Data Diode Device Schematic Diagram 1 sheet (96162D02431002_2.pdf) Issue 2 Drawing 96162D02431020 Data Diode Device Printed Board 8 sheets (96162D02431020_2 .pdf) Issue 2 Interactive Link Implementation (B217P00002006_V6.0.doc) Issue 6.0 hfbr11xx.pdf None hfbr-1115_2115.pdf None hp.eps None motorola_mc10h188_rev5.pdf None pin_conversionrev6.pdf None schs123.pdf None schs182.pdf None scls085b.pdf None scls088b.pdf None scls100b.pdf None scls116c.pdf None scls181b.pdf None scls305a.pdf None Interactive Link Semiformal Low-level Design (B217P00002004_v4.doc) Issue 4.0 Data Diode Device Semiformal Low-level Design (B217P00002009.doc) Issue 3.0 Correspondence Demonstration (B217P00002007.v6.doc) Issue 6 Security Policy Model (B217P00002001.doc) Issue 6.0 INTERACTIVE LINK FORMAL POLICY AND ARCHITECTURE (9125P01000014.pdf) Version 3.0 Interactive Link Guidance Documentation (B217P00003001.pdf) Issue 1.0 IL-DDD INSTALLATION AND ADMINISTRATION GUIDE (96162H05001001_v17.pdf) Issue 17 IL-KBS WORKSTATION INSTALLATION AND USER GUIDE (96162H01300001_V15.pdf) Issue 15 14 VALIDATION REPORT Tenix Interactive Link Data Diode Device Document Version Interactive Link Life Cycle Support Documentation (B217P00001004.pdf) Issue 2.0 PROJECT MANAGEMENT PROCEDURES DEVELOPMENT DOCUMENTATION SYSTEM (DDS) STANDARD (msi040101.doc) Issue 1 WORK INSTRUCTION FOR PROTEL CAD SYSTEM (msi050502.doc) Issue 2.0 WORK INSTRUCTION FOR PRINTED BOARD DESIGN USING COMPUTER AIDED DESIGN (CAD) (msi050503.doc) Issue 1 QUALITY SYSTEM PROCEDURES REVIEW AND AUDIT (msp0102.doc) Issue 3.2 PROJECT MANAGEMENT PROCEDURES PROJECT MANAGEMENT (msp0401.doc) Issue 2.0 ENGINEERING PROCEDURES CONTROL OF CUSTOMER SUPPLIED PRODUCT (msp0501.doc) Issue 2.1 ENGINEERING PROCEDURES CONFIGURATION CONTROL (msp0502.doc) Issue 2.1 ENGINEERING PROCEDURES INSPECTION AND TESTING (msp0503.doc) Issue 2.1 ENGINEERING PROCEDURES CONTROL OF THE DEVELOPMENT ENVIRONMENT (msp0505.doc) Issue 2 PRODUCTION PROCEDURES MANUFACTURE AND PROCESS CONTROL (msp0601.doc) Issue 3 PRODUCTION PROCEDURES RECEIPT, HANDLING AND DELIVERY (msp0602.doc) Issue 2.2 PRODUCTION PROCEDURES CONTROL OF INSPECTION, MEASURING AND TEST EQUIPMENT (msp0603.doc) Issue 2 SUPPORT SYSTEMS PROCEDURE PURCHASING SUPPLIES AND SELECTING AND CONTROLLING SUBCONTRACTORS (msp0701.doc) Issue 3 SUPPORT SYSTEMS PROCEDURE DOCUMENT AND DATA CONTROL (msp0702.doc) Issue 4.0 SUPPORT SYSTEMS PROCEDURES CONTROLLING AND CORRECTING DEFICIENCIES (msp0703.doc) Issue 2 Project Management Plan (PMP_v1.0_B214.P01.000.002.doc) Issue 1.0 Project Quality Plan (QMP_v2.0_B214.P01.000.00_v2draft.doc) Issue 2.0 WORK INSTRUCTION FOR DRAWING OFFICE PRACTICES (sda040105.doc) Issue 1 WORK INSTRUCTION FOR SECURITY PRACTICES AND PROCEDURES (SDAWI020501v02.doc) Issue 2.0 WORK INSTRUCTION FOR INFORMATION SYSTEMS SECURITY PRACTICES AND PROCEDURES (SDAWI020504_v2.1.doc) Issue 2.1 15 VALIDATION REPORT Tenix Interactive Link Data Diode Device Document Version Interactive Link Programming Languages and Compilers (il- languagescompilers.doc) Issue 1 Functional Tester Description (96162E01810001.doc) Issue 2 KBS/MCS Functional Test Procedure (96162k01000045.doc) Issue 1 KBS/MCS Programming & Security Function Test Procedure (96162k01990100.doc) Issue 1 Janus Phase 2B – Version Description Document (Janus P2b Version Description.doc) Issue 1.3 IL-KBS / IL-MCS Bed-Of-Nails Description (kbs_mcs_bon_description.doc) Issue 0.1/010 System Engineering Management Plan (SEMP.doc) Issue 1.0 Software Development Plan (SW_development_plan.doc) Issue 1.1 Interactive Link Version 1 Test and Evaluation Master Plan (V1_test_eval_master_plan.doc) Issue 2.1 Contract/Technical Progress Report for June 2000 (cprJune2000_issue1.doc) Jun-00 DDTS (ddts.doc) None Infosec Master Schedule (infomstr_26Jan01.pdf) 1/26/2001 Release Note (sd038.doc) Issue 1 Software Inspection Record (sd109.doc) Issue 1 Document Review Record (sd204.doc) Issue 2 Borland C++ QuickTour Version 4.5 Borland C++ DOS Reference Version 4.5 Borland C++ Library Reference Version 4.5 Borland C++ User's Guide Version 4.5 Borland C++ Programmer's Guide Version 4.5 Borland C++ Class Library Guide Version 4.5 Borland Turbo Debugger User's Guide Version 4.5 Borland Turbo Profiler User's Guide Version 4.5 Borland ObjectWindows Tutorial Version 2.5 Borland ObjectWindows Reference Guide Version 2.5 Borland ObjectWindows Programmer's Guide Version 2.5 Interactive Link Common Criteria Security Target Issue 12.2 Tests (B217P00004001_v7.doc) Issue 7 Tests (B217P00004001_v7.doc) Issue 7 Interactive Link CC Evaluation Master Test Plan (B217P00004002_V6.0.doc) Issue 6 Interactive Link CC Evaluation Test Bed Setup and Demonstration (B217P00004014_v2.doc) Issue 2.0 TR001 Test Procedure (B217P00004003.v4.doc) Issue 4 TR002 Test Procedure (B217P00004004.V4.doc) Issue 4 16 VALIDATION REPORT Tenix Interactive Link Data Diode Device Document Version TR003 Test Procedure (B217P00004005.V4.doc) Issue 4 TR004 Test Procedure (B217P00004006.V4.doc) Issue 4 TR005 Test Procedure (B217P00004007.V4.doc) Issue 4 TR006 Test Procedure (B217P00004008.v4.doc) Issue 4 TR007 Test Procedure (B217P00004009.v4.doc) Issue 4 TR008 Test Procedure (B217P00004010_V3.0.doc) Issue 3 TR009 Test Procedure (B217P00004011_V3.0.doc) Issue 3 TR010 Test Procedure (B217P00004016_V3.0.doc) Issue 3 TR011 Test Procedure (B217P00004012_V4.0.doc) Issue 4 TR013 Test Procedure (B217P00004013_V5.0.doc) Issue 5 TR014 Test Procedure (B217P00004015_V3.0.doc) Issue 3 TR015 Test Procedure (B217P00004032_V2.0.doc) Issue 2 TR016 Test Procedure (B217P00004033_V3.0.doc) Issue 3 TR017 Test Procedure (B217P00004034_V2.0.doc) Issue 2 Tests (B217P00004001_v7.doc) Issue 7 TR001 Test Result (B217P00004036_v1.pdf) Issue 1 TR002 Test Result (B217P00004037_v1.pdf) Issue 1 TR003 Test Result (B217P00004038_v1.pdf) Issue 1 TR004 Test Result (B217P00004039_v1.pdf) Issue 1 TR005 Test Result (B217P00004040_v1.pdf) Issue 1 TR006 Test Result (B217P00004041_v1.pdf) Issue 1 TR007 Test Result (B217P00004042_v1.pdf) Issue 1 TR008 Test Result (B217P00004043_v1.pdf) Issue 1 TR009 Test Result (B217P00004025_v1.pdf) Issue 1 TR010 Test Result (B217P00004045_v1.pdf) Issue 1 TR011 Test Result (B217P00004046_v1.pdf) Issue 1 TR013 Test Result (B217P00004047_v1.pdf) Issue 1 TR014 Test Result (B217P00004048_v1.pdf) Issue 1 TR015 Test Result (B217P00004049_v1.pdf) Issue 1 TR016 Test Result (B217P00004050_v1.pdf) Issue 1 TR017 Test Result (B217P00004051_v1.pdf) Issue 1 Binding and Covert Channel Analysis (B217P00005001_v2.0.doc) Issue 2 Evaluation of Misuse for Interactive Link (B217P00005005_v3.0.pdf) Issue 3.0 Evaluation of Misuse for Data Diode Device (B217P00005002_v2.0.pdf) Issue 2.0 Vulnerability Analysis – Highly Resistive for the Data Diode Device (B217P00005004_V2.0.pdf) Issue 2 Vulnerability Analysis – Highly Resistive for the Interactive Link (B217P00005006_V4.0.pdf) Issue 4 17 VALIDATION REPORT Tenix Interactive Link Data Diode Device Document Version Data Diode Device Semiformal Low-level Design (B217P00002009.pdf) Issue 4.0 TR014 Test Result (B217P00004048_V2.0.pdf) Issue 2.0 IL-DDD INSTALLATION AND ADMINISTRATION GUIDE (96162H05001001_v18Final.pdf) Issue 18 Impact Analysis report IAR-IL-DDD-001 For the Interactive Link Data Diode Device (IAR-IL-DDD-001.pdf) Issue 1.0 18 VALIDATION REPORT Tenix Interactive Link Data Diode Device 6 7 IT Product Testing This section describes the testing efforts of the developer and the Evaluation Team. 6.1 Developer Testing The vendor ran the documented test procedures before the evaluation team’s Independent Testing Activity began. The vendor provided a complete set of test results for analysis. Both the CCTL and NSA evaluators analyzed the vendor test procedures to ensure adequate coverage and to determine if the interfaces between subsystems were behaving as expected, and determined that the developer’s actual test results matched the vendor’s expected results. The CCTL analysis covered interfaces and depth to the subsystem level, while the NSA analysis looked at testing to the low-level design. Developer testing consists of both informal and formal testing. Informal testing is performed by engineers at various points in the development process, while formal testing is documented in the procedures examined by the evaluators. The IL-DDD was tested when connected between two workstations, one simulating the high side, one simulating the low side. 6.2 Evaluation Team Independent Testing The CCTL ran all of the developer tests. Because of the simplicity of the TOE, no additional functional tests were formulated by the team on the IL-DDD. 6.3 Evaluation Team Penetration Testing Penetration testing on the TOE was performed both by CCTL and NSA evaluators. Testing performed by the CCTL demonstrated penetration resistance commensurate with AVA_VLA.2, while that done by the NSA demonstrated penetration resistance commensurate with AVA_VLA.3. Testing was based on examination of the high- and low-level design, including schematics. For the IL-DDD, CCTL penetration testing targeted ADO claims on the tamper resistant seals incorporated into the TOE. Proprietary test reports were generated for both the CCTL and NSA activities. Evaluated Configuration The evaluated configuration consists of the Interactive Link Data Diode Device (IL-DDD) designated as Tenix Interactive Link Data Diode Device, version 3.0, Part Number FID003. The devices require no configuration, other than attaching the appropriate connections. Note that the TOE must be the only connection between the low network and the high network. While mis-configuration of the software in the IT Environment (as described above) may result in an inability to perform useful work, it will not effect the enforcement 19 VALIDATION REPORT Tenix Interactive Link Data Diode Device 8 of the confidentiality of high-side data and thus has no security impact on the evaluated configuration. Results of the Evaluation The evaluation was conducted in accordance with the requirements of the Common Criteria, Version 2.1 and the Common Methodology for IT Security Evaluation (CEM), Version 1.0. For evaluation of CC Part 3 components above EAL4 performed by the CCTL, methodology was created by the CCTL and validator and approved by CCEVS. For evaluation of CC Part 3 components above EAL4 performed by NSA, the validator determined that the work performed was commensurate with an EAL7 level of effort, and adequately addressed the EAL7 requirements. Both Evaluation Teams assigned a Pass, Fail, or Inconclusive verdict to each work unit of each assurance component. For Fail or Inconclusive work unit verdicts, the Evaluation Teams advised the developer of the issue that needed to be resolved or the clarification that needed to be made to the particular evaluation evidence. The Evaluation Team accomplished this by providing Notes, Comments, or Vendor Actions in the draft ETR sections for an evaluation activity (e.g., ASE, ADV) that recorded the Evaluation Team’s evaluation results and that the Evaluation Team provided to the developer. The Evaluation Team also communicated with the developer by telephone and electronic mail. If applicable, the Evaluation Team re-performed the work unit or units affected. In this way, the Evaluation Team assigned an overall Pass verdict to the assurance component only when all of the work units for that component had been assigned a Pass verdict. Verdicts were not assigned to assurance classes. In addition to the activities of the Evaluation Teams, CCEVS performed two Technical Oversight Panel activities on the product. The first panel addressed the ADV class, focusing on the accuracy of the CCTL’s analysis of that evidence. While some discrepancies were found, the evidence was found to be largely satisfactory and was subsequently brought into compliance with the requirements. The second panel addressed the ATE class, with some amount of focus on the AVA_VLA activities. This panel found no major deficiencies with the test plan, developer’s test methodology and results, nor with the proposed penetration testing. The validation team followed the procedures outlined in the Common Criteria Evaluation and Validation Scheme (CCEVS) publication number 3 for Technical Oversight and Validation Procedures. The validation team has observed the evaluation and all of its activities were in accordance with the Common Criteria, the Common Evaluation Methodology, and the CCEVS. The validation team therefore concludes that the evaluation and its results of pass are complete. 20 VALIDATION REPORT Tenix Interactive Link Data Diode Device 9 10 11 12 Validator Comments/Recommendations In addition to the information presented in other sections of this document, the validator has the following comments: Evaluated Configuration: The TOE consists only of the IL-DDD physical device. While this device performs its security functions in accordance with the ST, it is important for users to understand that other, unevaluated, software and hardware is necessary to provide the capability to transfer information from the low side to the high side. The use and configuration of this supporting software and hardware will have to be assessed in the user’s environment. Provided Security Functionality: It is also important for users to understand that the scope of the evaluation focused on the TOE’s ability to protect high-side data from being disclosed to low-side entities. There was no evaluation of the capability for low-side entities to corrupt high-side data, and similarly no evaluation of the capability for low-side entities to deny service to high-side entities. Annexes Not applicable. Security Target The Security Target is identified as Interactive Link Data Diode Device Common Criteria Security Target, Issue 5.1, 19 August, 2005. The document identifies the security functional requirements (SFRs) necessary to implement Information Flow Protection and TOE Self Protection security policies. These include TOE SFRs and the security assurance requirements necessary for EAL 7. Glossary The following definitions are used throughout this document: Application Server refers to a server computer, which executes application software that interacts with a USER. Data Diode Device refers to a device that allows the flow of data in one direction only. Hardware refers to the physical equipment used to process programs. 21 VALIDATION REPORT Tenix Interactive Link Data Diode Device High side is a descriptor used to refer to items associated with the HIGH SIDE NETWORK. High side Network refers to the network that has a security level greater that the LOW SIDE NETWORK. Information the INFORMATION is an object, it is considered in two forms: LOW SIDE INFORMATION and HIGH SIDE INFORMATION. Infosec refers to Information System Security. Interface Ports are associated with the IL-DDD, there are two forms of the subject INTERFACE PORTS the INPUT PORT and OUTPUT PORT. Low side is a descriptor used to refer to items associated with the LOW SIDE NETWORK. Low side Network refers to the network that has a security level lower than the HIGH SIDE NETWORK. Security Authority refers to an independent third party that has been assigned the responsibility to mandate secure usage of the HIGH SIDE classified INFORMATION by the ultimate owner of the INFORMATION. Software refers to the programs and associated data that can be dynamically written and modified. System Management Staff is responsible for the installation and maintenance of the Interactive Link Data Diode Device. TEMPEST refers to electromagnetic emanations that can be related to the INFORMATION being processed by an INFORMATION system. Target of Evaluation (TOE) refers to an information technology product or system and its associated administrator and user guidance documentation that is the subject of an evaluation. Unidirectional Network Bridge refers to the software that supports data to flow from the LOW SIDE NETWORK to the HIGH SIDE NETWORK via the DATA DIODE DEVICE. User refers to the person who utilises the IL-DDD in performance of duties. 22 VALIDATION REPORT Tenix Interactive Link Data Diode Device 13 Bibliography The Validation Team used the following documents to produce this Validation Report: • Common Criteria for Information Technology Security Evaluation, Version 2.1, Parts 1, 2, and 3. • Common Criteria, Evaluation and Validation Scheme for Information Technology Security, Guidance to Validators of IT Security Evaluations, Scheme Publication #3, Version 1.0, January 2002. • Common Evaluation Methodology for Information Technology Security – Part 1: Introduction and general model, Version 0.6, 11 January 1997. • Common Evaluation Methodology for Information Technology Security – Part 2: Evaluation Methodology, Version 1.0, August 1999. • Interactive Link Data Diode Device Common Criteria Security Target, Issue 5.1, 19 August, 2005. • Tenix Interactive Link Data Diode Device Version 2.1 Evaluation Technical Report, August 22, 2005. • Test Report for a Target of Evaluation, Tenix Interactive Link version 5.0, August 24th , 2004. • Penetration Test Report for a Target of Evaluation, Tenix Interactive Link version 5.0, August 26th , 2004. • Impact Analysis Report IAR-IL-DDD-001 For the Interactive Link, Data Diode Device, 25 May, 2006. • ETR sections for NSA evaluation effort 23