National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
Illumio Core v24.2.20
Report Number: CCEVS-VR-VID11614-2025
Version: 1.0
Date: June 20, 2025
National Institute of Standards and Technology Department of Defense
Information Technology Laboratory ATTN: NIAP, Suite: 6982
100 Bureau Drive 9800 Savage Road
Gaithersburg, MD 20899 Fort Meade.MD 20755-6982
Illumio Core v24.2.20 Validator Report
ACKNOWLEDGEMENTS
Validation Team
Daniel Faigin
Meredith Martinez
The Aerospace Corporation
Common Criteria Testing Laboratory
Diego Sierra Liras
DEKRA Cybersecurity Certification Laboratory,
Sterling, Virginia, USA
Illumio Core v24.2.20 Validator Report
Table of Contents
Contents
1 Executive Summary................................................................................................................................................ 5
2 Identification .......................................................................................................................................................... 6
3 Assumptions and Clarification of Scope................................................................................................................ 8
3.1 Assumptions........................................................................................................................................................ 8
3.2 Threats................................................................................................................................................................. 8
3.3 Objectives............................................................................................................................................................ 9
3.4 Clarification of Scope.......................................................................................................................................... 9
4 Architectural Information................................................................................................................................... 11
4.1 TOE Introduction .............................................................................................................................................. 11
4.2 Physical Boundaries .......................................................................................................................................... 11
5 Security Policy....................................................................................................................................................... 13
5.1 Enterprise Security Management....................................................................................................................... 13
5.2 Security Audit ................................................................................................................................................... 13
5.3 Identification and Authentication...................................................................................................................... 13
5.4 Security Management........................................................................................................................................ 14
5.5 Protection of the TOE Security Functions......................................................................................................... 14
5.6 TOE Access....................................................................................................................................................... 14
5.7 Trusted Path/Channels....................................................................................................................................... 14
6 Documentation ..................................................................................................................................................... 15
7 Evaluated Configuration...................................................................................................................................... 15
8 IT Product Testing............................................................................................................................................... 16
8.1 Developer Testing ............................................................................................................................................. 16
8.2 Evaluator Independent Testing.......................................................................................................................... 16
8.3 Testing Topology .............................................................................................................................................. 16
8.4 Test Hardware ................................................................................................................................................... 18
8.5 Test Software..................................................................................................................................................... 18
9 Results of the Evaluation...................................................................................................................................... 19
9.1 Evaluation of the Security Target (ASE) ........................................................................................................... 19
9.2 Evaluation of the Development (ADV).............................................................................................................. 20
9.3 Evaluation of the Guidance Documents (AGD)................................................................................................. 20
9.4 Evaluation of the Life Cycle Support Activities (ALC) .................................................................................... 20
9.5 Evaluation of the Test Documentation and the Test Activity (ATE)................................................................. 20
9.6 Vulnerability Assessment Activity (VAN)......................................................................................................... 21
Illumio Core v24.2.20 Validator Report
9.7 Summary of Evaluation Results......................................................................................................................... 21
10 Validator Comments ............................................................................................................................................ 22
11 Security Target ..................................................................................................................................................... 23
12 Acronyms .............................................................................................................................................................. 24
13 Terminology.......................................................................................................................................................... 26
14 Bibliography ......................................................................................................................................................... 28
5
Illumio Core v24.2.20 Validator Report
1 Executive Summary
This report documents the assessment of the National Information Assurance Partnership (NIAP) validation
team of the evaluation of Illumio Core v24.2.20, provided by Illumio. It presents the evaluation results, their
justifications, and the conformance results. This Validation Report is not an endorsement of the Target of
Evaluation by any agency of the U.S. government, and no warranty is either expressed or implied.
The evaluation was performed by the DEKRA Cybersecurity Certification Common Criteria Testing
Laboratory (CCTL) in Sterling, Virginia, United States of America, and was completed in June 2025. The
information in this report is largely derived from the Evaluation Technical Report (ETR) and associated test
reports, all written by DEKRA. The evaluation determined that the product is both Common Criteria Part 2
Extended and Part 3 Conformant and meets the assurance requirements set forth in the Standard Protection
Profile for Enterprise Security Management-Policy Management, version 2.1 [ESM_PM_PP].
The TOE, Illumio Core v24.2.20, is an enterprise policy management product. The TOE’s primary purpose is
to manage communications within, and across, tiers of applications by defining access control policy. The TOE
is a distributed software application that consists of the Policy Compute Engine (PCE) and the Virtual
Enforcement Node (VEN).
The Target of Evaluation (TOE) identified in this Validation Report has been evaluated at a NIAP approved
Common Criteria Testing Laboratory using the Common Methodology for IT Security Evaluation (Version
2022, Rev 1) for conformance to the Common Criteria for IT Security Evaluation (Version 2022, Rev 1), as
interpreted by the Assurance Activities contained in the [ESM_PM_PP].
This Validation Report applies only to the specific version of the TOE as evaluated. The evaluation has been
conducted in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme
and the conclusions of the testing laboratory in the evaluation technical report is consistent with the evidence
provided.
The validation team provided guidance on technical issues and evaluation processes and reviewed the
individual work units of the ETR for the [ESM_PM_PP] Assurance Activities. The validation team found that
the evaluation showed that the product satisfies all of the functional requirements and assurance requirements
stated in the Security Target (ST). Therefore, the validation team concludes that the testing laboratory’s
findings are accurate, the conclusions justified, and the conformance results are correct. The conclusions of the
testing laboratory in the evaluation technical report are consistent with the evidence produced.
The technical information included in this report was obtained from the Illumio Core v24.2.20 Security Target,
Version 0.5, June 6, 2025, and analysis performed by the Validation Team.
6
Illumio Core v24.2.20 Validator Report
2 Identification
The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards effort to establish
commercial facilities to perform trusted product evaluations. Under this program, security evaluations are
conducted by commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs). CCTLs
evaluate products against Protection Profile containing Assurance Activities that are interpretation of CEM
work units specific to the technology described by the PP.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across
evaluations. Developers of information technology products desiring a security evaluation contract with a
CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product
is added to NIAP’s Product Compliance List.
Table 1 provides information needed to completely identify the product, including:
• The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated.
• The Security Target (ST), describing the security features, claims, and assurances of the
product.
• The conformance results of the evaluation.
• The Protection Profile to which the product is conformant.
• The organizations and individuals participating in the evaluation.
Table 1: Evaluation Identifiers
Item Identifier
Evaluation
Scheme
United States NIAP Common Criteria Evaluation and Validation
Scheme
TOE Illumio Core v24.2.20
Protection
Profile
Standard Protection Profile for Enterprise Security Management- Policy
Management, version 2.1 (ESM_PM_PP)
Security Target
Illumio Core v24.2.20 Security Target, v0.5, June 6, 2025
Evaluation
Technical Report Part-1 Illumio Core 24.2.20 - ESM PM PP ETR of ST v0.3 June 10, 2025
Part-2 Illumio Core 24.2.20 - ESM PM PP ETR of TOE v0.2 June 10, 2025
CC Version Common Criteria for Information Technology Security Evaluation,
Version 2022 Revision 1
Conformance Result CC Part 2 extended; CC Part 3 conformant
7
Illumio Core v24.2.20 Validator Report
Sponsor Illumio, Inc.
Developer Illumio, Inc.
Common Criteria
Testing Lab (CCTL)
DEKRA Cybersecurity Certification, Sterling, Virginia, USA
CCEVS Validators
Daniel Faigin, Meredith Martinez
The Aerospace Corporation
8
Illumio Core v24.2.20 Validator Report
3 Assumptions and Clarification of Scope
3.1 Assumptions
This section identifies assumptions applicable to the ESM PM PP, as specified in the Protection Profile,
verbatim.
• A.CRYPTO: The TOE will use cryptographic primitives provided by the Operational
Environment to perform cryptographic services.
• A.ESM: The TOE will be able to establish connectivity to other ESM products in order to share
security data.
• A.ROBUST: The Operational Environment will provide mechanisms to the TOE that reduce
the ability for an attacker to impersonate a legitimate user during authentication.
• A.SYSTIME: The TOE will receive reliable time data from the Operational Environment.
• A.USERID: The TOE will receive identity data from the Operational Environment.
• A.MANAGE: There will be one or more competent individuals assigned to install, configure,
and operate the TOE.
3.2 Threats
The following lists the threats addressed by the TOE. The assumed level of expertise of the attacker for all the
threats identified below is Enhanced-Basic.
• T.ADMIN_ERROR: An administrator may unintentionally install or configure the TOE
incorrectly, resulting in ineffective security mechanisms.
• T.CONDTRADICT: A careless administrator may create a policy that contains contradictory
rules for access control enforcement.
• T.EAVES: A malicious user could eavesdrop on network traffic to gain unauthorized access to
TOE data.
• T.FORGE: A malicious user may exploit a weak or nonexistent ability for the TOE to provide
proof of its own identity in order to send forged policies to an Access Control product.
• T.MASK: A malicious user may attempt to mask their actions, causing audit data to be
incorrectly recorded or never recorded.
• T.UNAUTH: A malicious user could bypass the TOE’s identification, authentication, or
authorization mechanisms in order to illicitly use the TOE’s management functions.
• T.WEAKIA: A malicious user could be illicitly authenticated by the TSF through brute-force
guessing of authentication credentials.
• T.WEAKPOL: A Policy Administrator may be incapable of using the TOE to define policies
in sufficient detail to facilitate robust access control, causing an Access Control product to
behave in a manner that allows illegitimate activity or prohibits legitimate activity.
9
Illumio Core v24.2.20 Validator Report
3.3 Objectives
The following identifies the security objectives of the TOE. These security objectives reflect the stated intent to
counter identified threats and/or comply with any security policies identified.
• O.ACCESSID: The TOE will contain the ability to validate the identity of other ESM products
prior to distributing data to them.
• O.AUDIT: The TOE will provide measures for generating and recording security relevant
events that will detect access attempts to TOE-protected resources by users.
• O.AUTH: The TOE will provide a mechanism to securely validate requested authentication
attempts and to determine the extent to which any validated subject is able to interact with the
TSF.
• O.BANNER: The TOE will display an advisory warning regarding use of the TOE.
• O.CONSISTENT: The TSF will provide a mechanism to identify and rectify contradictory
policy data.
• O.DISTRIB: The TOE will provide the ability to distribute policies to trusted IT products using
secure channels.
• O.INTEGRITY: The TOE will contain the ability to assert the integrity of policy data.
• O.MANAGE: The TOE will provide the ability to manage the behavior of trusted IT products
using secure channels.
• O.POLICY: The TOE will provide the ability to generate policies that are sufficiently detailed
to satisfy the Data Protection requirements for one or more technology types in the Standard
Protection Profile for Enterprise Security Management Access Control.
• O.PROTCOMMS: The TOE will provide protected communication channels for
administrators, other parts of a distributed TOE, and authorized IT entities.
• O.SELFID: The TOE will be able to confirm its identity to the ESM deployment upon sending
data to other processes within the ESM deployment.
3.4 Clarification of Scope
All evaluations (and all products) have limitations, as well as potential misconceptions that need clarifying.
This text covers some of the more important limitations and clarifications of this evaluation. Note that:
• As with any evaluation, this evaluation only shows that the evaluated configuration meets
the security claims made, with a certain level of assurance. The level of assurance for this
evaluation is defined within the Standard Protection Profile for Enterprise Security
Management-Policy Management, version 2.1 (ESM_PM_PP)
• Consistent with the expectations of the Protection Profile, this evaluation did not
specifically search for, nor serious attempt to counter, vulnerabilities that were not
“obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an
“obvious” vulnerability as one that is easily exploited with a minimum of understanding of
the TOE, technical sophistication and resources.
10
Illumio Core v24.2.20 Validator Report
• The functionality evaluated is scoped exclusively to the security functional
requirements specified in the Section 6 of the Security Target and their operation with
respect to the TOE is described in Section 8 of the Security Target. Any other
functionality provided by Illumio Core needs to be assessed separately and no further
conclusions can be drawn about their effectiveness.
• The evaluated configuration of the TOE is the Illumio Core v24.2.20. software product
and not any earlier or later versions released or in process. The TOE includes all the
code that enforces the policies identified (see Section 5).
The TOE supports several features that are not part of the evaluated functionality. These features are not tested
and excluded from the scope of the evaluation:
• Use of the SMTP
• High Availability and Failover functionality
• JSON/REST API use
• Policy-based encryption (SecureConnect)
• Configuration of policy targeting unmanaged Workloads
• Linux-based VEN
• LDAP Authentication
• All visual aspects of the visualization feature, (also known as Illumination map), except the feature
to add rules.
• Deny policies: only allow rules are evaluated.
• Flexible label types: only the four default labels are evaluated (application, environment, location,
role).
• Policy templates: the policies to be transmitted are generated from scratch.
• Windows outbound process-based enforcement: process-based enforcement allows more granular
segmentation based on process name. The object “Windows outbound process” is not evaluated.
• IPv6 support by the PCE and VEN
The TOE allows policies with multiple types of rules, destinations, and attributes. During the evaluation, a
sample was taken to test most of them; the rest were not covered during the evaluation.
The following parameters were covered during the evaluation:
1. Subject attributes: IP address, hostname, OS and pairing status.
2. Labels: location, application, environment and role.
3. Policy operations: create, update and delete.
4. Rules:
a. Traffic based on: inbound and outbound traffic.
b. Destination and source based on: workload, IP, port.
11
Illumio Core v24.2.20 Validator Report
c. Protocols: ICMP, RDP, DNS.
The TOE runs on multiple platforms however, not all of them were tested, therefore they are not part of the
evaluated configuration.
4 Architectural Information
Note: The following architectural description is based on the description presented in the Security Target.
4.1 TOE Introduction
The TOE, Illumio Core v24.2.20, is an enterprise policy management product. The TOE’s primary purpose is
to manage communications within, and across, tiers of applications by defining access control policy. The TOE
is a distributed software application that consists of the Policy Compute Engine (PCE) and the Virtual
Enforcement Node (VEN).
4.2 Physical Boundaries
The TOE is a software application that is installed on the operating system running on the server hardware. The
TOE does not include the hardware, or the operating system on which it is installed. It also does not include the
third-party software that is required for the TOE to run.
The PCE is delivered as an RPM package compatible with RHEL 9.4. The VEN this is an MSI compatible
with Windows Sever 2022 standard. All installers are secured with end-user generated public key and
downloaded from the vendor’s secure support portal.
The following table lists the TOE software components and the operating environment in the evaluated
configuration.
Table 2: Host Platform Environment Components
TOE Component Definition Operational Environment
Operating System CPU
PCE- Policy Compute
Engine
Red Hat Enterprise Linux 9.4 Intel Xeon Silver 4216
VEN- Virtual Enforcement
Node
Windows Server 2022 standard Intel Xeon Gold 6130
The below list of Operational Environment components is expected to be patched to include the latest security
fixes for each component.
• Platform services:
o Trusted Certificate Store
• Installation specific; at minimum, store certificates in default /etc/pki/ca-
trust directories (linked by /etc/ssl/certs/) using appropriate read-only
permissions.
12
Illumio Core v24.2.20 Validator Report
o Syslog daemon (syslog-ng)
• rsyslog 8.24.0 or higher, or syslog-ng 3.1.8 or higher.
o Operating System (RHEL 9.4)
• Platform-provided Cryptographic Module (Red Hat Enterprise Linux
OpenSSL Cryptographic Module, Windows Cryptographic Primitives
Library)
• External IT services:
o Audit Server (syslog)
• rsyslog 8.24.0 or higher, or syslog-ng 3.1.8 or higher.
o Authentication Server (SAML)
• Any SAML 2.0-compliant provider.
o DNS Server
• Any modern DNS bind service such as bind 9.16.
o NTP Server
• Any modern NTP or chronyd service such as chrony 4.5.
• Optional external servers
o SMTP Server
• Any modern SMTP service such as postfix 3.5.
o External Certificate Authority (CA)
• Installation specific; any modern CA implementation should be sufficient.
13
Illumio Core v24.2.20 Validator Report
5 Security Policy
5.1 Enterprise Security Management
The Illumio PCE’s policy model supports policies using either a label-based system or plain IP lists. By using
labels, the rules don't require the use of an IP address or subnet, like traditional firewall solutions. Illumio PCE
also supports the writing of IP list-based policies, like traditional firewalls.
Once managed workloads (VEN) are labeled, administrators can write policies that use those labels. For
example, an administrator can write a policy to allow traffic between the API Server of an ERP application to a
specific port on the Database Server of the ERP application. This makes it easy to write and maintain policies
that are understandable by humans.
The TOE implements a whitelist access control policy model; consequently, the TOE does not allow any
contradictory policy to be defined.
The PCE generates policy that the VEN consumes and implements. When an administrator modifies or creates
a security policy rule, the PCE generates an updated overall policy and calculates policy changes for each
affected VEN as part of the process called provisioning. All paired VENs periodically connect to the PCE to
check for policy updates. If the VEN cannot connect to the PCE, it continues to enforce the last-known-good
policy. If the VEN fails to connect to PCE on two consecutive occasions (an outage approximately
corresponding to 10 minutes), the VEN enters a degraded state.
5.2 Security Audit
The TOE generates audit records of security relevant events as they occur. Generally, any use of a management
functions via the Web UI, as well as relevant IT environment events, will be audited. The PCE uses the RHEL
auditing daemon (rsyslog or syslog-ng) for storing local audit trail (e.g., in /var/log/), and is capable of
uploading logs to an external audit server over a secure channel.
VEN does not use the Windows audit daemon. The VEN sends the following types of audit events to the PCE
by invoking the PCE API.
• Heartbeat events are reported every 5 minutes.
• Traffic flows are reported every 10 minutes.
• Changes to network interfaces are reported asynchronously.
The PCE generates audit events when the APIs are invoked.
5.3 Identification and Authentication
The TOE requires users to be identified and authenticated before they can access any of the TOE’s functions.
Users are locked out of their accounts when they fail to log in after consecutive failures.
The number of unsuccessful authentication attempts can be configured by changing the default value of the
runtime variable in the configuration file.
The TOE also integrates with external authentication servers that manage external domain credentials. The
TOE does not directly manage domain passwords and does not implement any SF that creates or modifies
14
Illumio Core v24.2.20 Validator Report
these credentials.
The TOE associates all of a user’s security attributes (e.g., username, email, role, scope) with the subjects
acting on the behalf of that user. Users receive their privileges by way of membership in roles.
5.4 Security Management
The PCE maintains the administrative user roles: Global Organization owner, Global Administrator, Global
Viewer, Global Policy Object provisioner, each of these roles has varying levels of privileges which determine
what management functions the administrative users are able to perform via the TOE’s Console interface
which is a web-based GUI.
The TOE maintains a list of roles. Each authenticated user is automatically associated with a role. Global
Organization Owners also have the ability to create custom roles and assign or change all Limited Scope roles.
The TOE restricts management functions to the “Global Organization Owner” administrator role. An
administrator will authenticate to the TOE by providing their local or domain user credentials.
5.5 Protection of the TOE Security Functions
The TOE internally uses a database as a persistent store to ensure its proper functioning. Login credentials to
the PCE console, i.e., passwords of users who are authorized to access the Product, are also stored in the
database. Users’ password credentials are stored in the form of salted hashes in the database. The database
itself is internal to the Illumio Product.
The operational environment implements all protocols and handles associated session keys. The TOE does not
implement a mechanism designed to circumvent OS security measures.
5.6 TOE Access
The TOE can be configured by an administrator to force an interactive session’s termination based on a
timeout value. A remote session that is inactive for the defined timeout value will be terminated. Once
terminated, the user will be required to re-enter their username and password in order to establish a new
session. The TOE can be configured to display advisory banners as part of the authentication prompt.
5.7 Trusted Path/Channels
The TOE uses cryptographic primitives provided by the Operation Environment to implement secure channel
functionality. The TOE consists of two components PCE and VEN. PCE implements secure remote
administration, exports audit records to an external audit server, integrates with an external authentication
server, and securely transfers policy updates to VEN. VEN securely connects to PCE to receive policy updates.
The TOE supports SAML-based external authentication server (Active Directory Federation Services). The
TOE acts as a SAML consumer and accepts digitally signed tokens as a proof of identity.
The TOE supports TLS v1.2 protocol to securely communicate between PCE and VEN. In this case, PCE acts
as a server and VEN acts as a client.
15
Illumio Core v24.2.20 Validator Report
6 Documentation
The vendor provides a standard set of guidance documents that covers the core functionality of the product.
These documents were used during the evaluation of the TOE:
• Illumio Core Common Criteria Guide 24.2.20, 11500-000, June 2025
• Illumio Core Administration Guide 24.2.20 and 24.2.10, 11501-A 000
• Security Policy User Guide 24.2.20 and 24.2.10, 11501-S 000
• Illumio Core 24.2.10 and 24.2.20 Install, Configure, Upgrade, 11501-I 000
These guidance documents contain the security-related guidance material for this evaluation and must be
referenced to place the product within the Common Criteria evaluated configuration. The guidance documents
are applicable for the version of Illumio Core claimed by this evaluation.
Any additional customer documentation provided with the product, or that is available online was not included
in the scope of the evaluation and therefore should not be relied upon when configuring or operating the device
as evaluated.
7 Evaluated Configuration
The evaluated configuration, as defined in the Security Target, is the Illumio Core v24.2.20 software installed
on the following platforms:
Table 3: Evaluated Configuration
Series Supported Platforms
Policy Compute Engine (PCE) v24.2.20 Red Hat Enterprise Linux 9.4 running on Intel Xeon Silver 4216
Virtual Enforcement Node (VEN) v24.2.11 Windows Sever 2022 running on Intel Xeon Gold 6130
Section 4.2 describes the TOE’s boundary as well as the operational environment components to which it
communicates. In its evaluated configuration, the TOE is configured to communicate with the following
environmental components:
• Web Browser used for remote administration of the TOE.
• Database for storage of configuration, operation, and audit data for the TOE.
• Authentication Store provide enterprise authentication and user data.
• Underlying endpoint system for hosting the Illumio Core software.
• Underlying Server on which the Illumio Core software is installed.
To use the product in the evaluated configuration, the product must be configured as specified in the Illumio
Core Common Criteria Guide 24.2.20 document. Refer to Section 6 for the full list of documents needed for
instructions on how to place the TOE in its evaluated configuration.
16
Illumio Core v24.2.20 Validator Report
8 IT Product Testing
This section describes the testing efforts of the Evaluation Team. The information is derived from the Illumio
core v24.2.20 Test Report document, as summarized in the evaluation Assurance Activity Report (AAR). The
purpose of this activity was to confirm that the TOE behaves in accordance with security functional
requirements specified in the ST.
8.1 Developer Testing
PP ESM_PM v2.1 evaluations do not require developer testing evidence for assurance activities.
8.2 Evaluator Independent Testing
A test plan was developed in accordance with the Testing Assurance Activities specified in the PP_ESM_PM
v2.1.
The formal testing activity was conducted between March 3 to June 10 with TOE installed in the Dekra lab
located at 405 Glenn Dr, Suite 12, Sterling, VA 20164.
• The Evaluator successfully performed the following activities during independent testing:
• Placed TOE into evaluated configuration by following the preparative procedures.
• Successfully executed the ESM PM v2.1 Assurance-defined tests.
• Planned and executed a series of vulnerability/penetration tests.
It was determined after examining the Test Report and full set of test results provided by the evaluators the
testing requirements for PP ESM PM v2.1 are fulfilled.
8.3 Testing Topology
As shown below, the test topology is configured for a dedicated and fully isolated ‘Test’ LAN. This setup
prevents general access while still granting evaluators direct access to the TOE. The setup consists of a ‘Test’
LAN for IPv4. The server is local to the ‘Test’ LAN and packet capture is done by a VM connected to a
mirrored port on the switch. All devices in the testing setup are synchronized through an NTP server.
Note: The diagram below shows the components involved in the testing.
17
Illumio Core v24.2.20 Validator Report
Figure 1: TOE Test Environment Network Diagram
Table 4: Testing Topology Identifiers
Device Devices information Purpose
Tested platforms
PCE IPv4: 192.168.3.119
Host Name: pce.dekracc.lab
TOE, connected to S1 port 1
OS: Red Hat Enterprise Linux release
9.4
VEN 1 IPv4: 192.168.3.129
Host Name: VEN1-DC
TOE, connected to S1 port 2
OS: Windows Serve 2022
This host is a Domain Controller (DC)
Functions: DC, DNS server
Console Server BlackBox LES1608A TOE’s Console access
Console server with
USB and RJ45
interfaces
Console server with firewall
integrated
Provide local console access to TOEs
through USB or RJ45 interfaces
LAN switches
S1 192.168.3.x/24 Switch with port mirroring capability
Virtualized servers
192.168.0.208
18
Illumio Core v24.2.20 Validator Report
Device Devices information Purpose
Syslog Server IPv4: 192.168.3.181
Host Name: syslog.dekracc.lab
OS: Kali GNU/Linux Rolling 2024.3
syslog-ng-4.8.1
Function: audit server
ADFS IPv4: 192.168.3.81
Hostname: ADFS-VEN2
OS: Windows Server 2022
Function: ADFS server
Evaluator Machine IPv4: 192.168.3.180
Hostname: kali-cc
OS: Kali GNU/Linux Rolling 2024.3
NTP version: chronyd version 4.6.1
Function: ntp server
VEN 2 IPv4: 192.168.3.130
Host Name: VEN2
Another VEN needed for testing
OS: Windows Server 2022
VEN 3 IPv4: 192.168.3.68
Host Name: VEN3
Another VEN needed for testing
OS: Windows Server 2022
8.4 Test Hardware
The testing environment in the lab has been implemented using the following hardware:
• Dell N3024 Switch with port-mirroring capabilities.
• Dell PowerEdge 630 used as Jump Box Server to access the local testing environment: running
Windows 10 Professional
• Dell PowerEdge R550 server running VMWare ESXi 7.0 update 3.
• Dell PowerEdge R440 running RHEL 9.4
• Dell PowerEdge R640 running Windows Server 2022
8.5 Test Software
All testing will be conducted using the following software:
• Wireshark v4.2.5 (64-bit)
• OpenVAS v23.13.1
• ZenNmap v7.95
• Kali Linux 2025.1
• Firefox 128.8.0esr
• OpenSSH 9.9p2
• Curl 8.13.0-rc2
19
Illumio Core v24.2.20 Validator Report
• Tcpdump v4.99.0
• For Audit Server:
o Kali Linux 2025.1 with syslog-ng version 4.8.1
• For Active Directory Federated Services, DHCP, DNS Server, DC:
o Windows Server 2022
9 Results of the Evaluation
The results of the assurance requirements are generally described in this section and are presented in detail in
the proprietary ETR. The reader of this document can assume that all Evaluation Activities and work units
received a passing verdict.
A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding
evaluator action elements.
The evaluation was conducted based upon CC version 2022 rev 1 and CEM version 2022 rev 1. The evaluator
determined the TOE to be Part 2 extended, and meets the SARs contained in the PP. Additionally the evaluator
performed the Evaluation Activities specified in the [ESM_PM_PP].
The following evaluation results are extracted from the proprietary Evaluation Technical Report provided by
the CCTL and are augmented with the validator’s observations thereof.
9.1 Evaluation of the Security Target (ASE)
The evaluation team applied each ASE CEM work unit. The ST evaluator ensured the ST contained a
description of the environment in terms of policies and assumptions, a statement of security requirements
claimed to be met by the TOE that are consistent with the Common Criteria, and product security function
descriptions that support the requirements. Additionally, the evaluator performed an assessment of the
Evaluation Activities specified in the [ESM_PM_PP] in order to verify that the specific required content of the
TOE Summary Specification is present, consistent, and accurate.
The validator reviewed the work of the evaluation team and found that sufficient evidence and justification was
provided by the evaluation team to confirm that the evaluation was conducted in accordance with the
requirements of the CEM, and that the conclusion reached by the evaluation team was justified.
20
Illumio Core v24.2.20 Validator Report
9.2 Evaluation of the Development (ADV)
The evaluation team applied each ADV CEM work unit specified in the [ESM_PM_PP]. The evaluation team
assessed the design documentation and found it adequate to aid in understanding how the TSF provides the
security functions. The design documentation consists of a functional specification contained in the Security
Target’s TOE Summary Specification.
The validator reviewed the work of the evaluation team and found that sufficient evidence and justification was
provided by the evaluation team to confirm that the evaluation was conducted in accordance with the
Assurance Activities, and that the conclusion reached by the evaluation team was justified.
9.3 Evaluation of the Guidance Documents (AGD)
The evaluation team applied each AGD CEM work unit specified in the [ESM_PM_PP]. The evaluation team
ensured the adequacy of the user guidance in describing how to use the operational TOE. Additionally, the
evaluation team ensured the adequacy of the administrator guidance in describing how to securely administer
the TOE. The guides were assessed during the design and testing phases of the evaluation to ensure they were
complete.
The validator reviewed the work of the evaluation team and found that sufficient evidence and justification was
provided by the evaluation team to confirm that the evaluation was conducted in accordance with the
Assurance Activities, and that the conclusion reached by the evaluation team was justified.
9.4 Evaluation of the Life Cycle Support Activities (ALC)
The evaluation team applied each ALC CEM work unit specified in the [ESM_PM_PP], as well as the
Assurance Activities specified for ALC_CMC.1 and ALC_CMS.1. The evaluation team found that the TOE
was identified.
The validator reviewed the work of the evaluation team and found that sufficient evidence and justification was
provided by the evaluation team to confirm that the evaluation was conducted in accordance with the
requirements of the CEM, and that the conclusion reached by the evaluation team was justified.
9.5 Evaluation of the Test Documentation and the Test Activity (ATE)
The evaluation team applied each ATE CEM work unit specified in the [ESM_PM_PP]. The evaluation team
ran the set of tests specified by the Assurance Activities in the ESM_PM_PP and recorded the results in a Test
Report, summarized in the Evaluation Technical Report and sanitized for non-proprietary consumption in the
Assurance Activity Report.
The validator reviewed the work of the evaluation team and found that sufficient evidence was provided by the
evaluation team to show that the evaluation activities addressed the test activities in the [ESM_PM_PP], and
that the conclusion reached by the evaluation team was justified.
21
Illumio Core v24.2.20 Validator Report
9.6 Vulnerability Assessment Activity (VAN)
The evaluation team applied each AVA CEM work unit specified in the [ESM_PM_PP]. The evaluation team
performed a public search for vulnerabilities and performed vulnerability testing.
On May 29, 2025, the evaluation team searched the following public vulnerability repositories:
• The National Vulnerability Database at https://nvd.nist.gov/vuln
• The CVE Details website at https://www.cvedetails.com/vulnerability-search.php
The public search for vulnerabilities did not uncover any residual vulnerability. See Section 4.6 of the AAR
for keywords searched and additional information regarding the vulnerability analysis.
The validator reviewed the work of the evaluation team and found that sufficient evidence and justification was
provided by the evaluation team to confirm that the evaluation addressed the vulnerability analysis Assurance
Activities in the [ESM_PM_PP], and that the conclusion reached by the evaluation team was justified.
9.7 Summary of Evaluation Results
The evaluation team’s assessment of the evaluation evidence demonstrates that the claims in the ST are met.
Additionally, the evaluation team’s test activities also demonstrated the accuracy of the claims in the ST.
The validation team’s assessment of the evidence provided by the evaluation team is that it demonstrates that
the evaluation team performed the Assurance Activities in the [ESM_PM_PP], and correctly verified that the
product meets the claims in the ST.
22
Illumio Core v24.2.20 Validator Report
10 Validator Comments
The validation team notes that the evaluated configuration is dependent upon the TOE being configured per the
evaluated configuration instructions in the Illumio Core Common Criteria Guide 24.2.20 document.
Please note that the functionality evaluated is scoped exclusively to the security functional requirements
specified in the Security Target. Other functionality included in the product was not assessed as part of this
evaluation. All other functionality provided by devices in the operational environment need to be assessed
separately and no further conclusions can be drawn about their effectiveness.
The excluded functionality is specified in section 3.4 of this report. All other items and scope issues have been
sufficiently addressed elsewhere in this document.
Although the ESM_PM_PP_v2.1 has recently been archived, NIAP gave an exception for this evaluation so
long as the ST SFRs and associated assurance activities and ASE work units were converted to CC:2022. The
following updates were made to the ST and ETR to be in compliance with CC:2022 rev 1.
Table 5: ESM_PM_PP to CC:2022 Conversion
ESM_PM_PP_v2.1 CC:2022 CONVERSION
FAU_STG_EXT.1.1 and
FAU_STG_EXT.1.2
FAU_STG.1
FAU_STG_EXT.1.3 FAU_STG.2
CC v3.1 ASE Work Units CC:2022 ASE Work Units
23
Illumio Core v24.2.20 Validator Report
11 Security Target
The security target for this product’s evaluation is Illumio Core 24.2.20 Security Target, v0.5, June 6, 2025.
24
Illumio Core v24.2.20 Validator Report
12 Acronyms
Acronym Definition
CC Common Criteria
CM Configuration Management
CSP Critical Security Parameter
ESM Enterprise Security Management
FIPS Federal Information Processing Standard
HTTP Hypertext Transfer Protocol
IP Internet Protocol
IT Information Technology
NIST National Institute of Standards and Technology
OE Operational Environment
OS Operating System
OSP Organizational Security Policy
PM Policy Management
PP Protection Profile
SAR Security Assurance Requirement
SFP Security Function Policy
SFR Security Functional Requirement
ST Security Target
25
Illumio Core v24.2.20 Validator Report
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Function
ERP Enterprise Resource Planning Applications
26
Illumio Core v24.2.20 Validator Report
13 Terminology
Terminology Definition
Access Control A mechanism put in place to allow or deny the execution of defined
operations requested by defined subjects to be performed against defined
objects or the result achieved by employing such a mechanism.
Attribute-Based Access Control A means of access control that is based upon the attributes of a user rather
than the rights of a user. An example would be a system that grants access to
specific resources if a user is an engineer and denies access to the same
resources if the user is a contractor.
Authorized Administrator A term synonymous with “Administrator”, used because some Common
Criteria SFRs use the specific terminology.
Consume The act of an Access Control product receiving a policy, parsing it, and
storing it in a manner such that it can be used to enforce access control
Discretionary Access Control A means of access control based on authorizations issued to a subject by
virtue of their identity or group membership.
Enterprise Security
Management
Systems and personnel required to order, create, disseminate, modify,
suspend, and terminate security management controls
Identity and Credential
Management Product
An ESM product that contains the primary functionality to store and manage
identities and credentials within an ESM deployment for the purposes of
identification and authentication.
Mandatory Access Control A means of access control based on the notion that all subjects and objects
within an enterprise are associated with one or more hierarchical labels. The
dominance relationship assigned to these labels determines if access is
permitted.
Operational Environment The collection of hardware and software resources in an enterprise that are not
within the TOE boundary. This may include but is not limited to third-party
software components the TOE requires to operate, resources protected by the
TOE, and the hardware upon which the TOE is installed.
Policy A collection of rules that determine how the Access Control SFP is
instantiated. These rules define the conditions under which defined subjects
are allowed to perform defined operations against defined objects.
Policy Administrator Within the context of the PP, this refers to one or more individuals who are
responsible for using the TOE to generate and distribute policies.
Policy Enforcement Point A component of an Enterprise Security Management that is responsible for
applying the Access Control SFP to all relevant behavior in an enterprise.
Synonymous with the Access Control product referred to within this PP.
27
Illumio Core v24.2.20 Validator Report
Policy Management product An application that is responsible for creating policies that are consumed by
the Policy Enforcement Point. These policies may be created through
automated mechanisms, by manual administrative input, or by some
combination of the two. This is the TOE as defined within this PP.
Role-Based Access Control A means of access control that authorizes subject requests based on the roles
to which they are assigned and the authorizations that are associated with
those roles.
Secure Configuration
Management Product
A product with the capability to alter the configuration of an ESM component
and/or the ability to provision systems that reside in the Operational
Environment
TOE Administrator Within the context of the PP, this refers to the one or more individuals who
are responsible for setting up the TOE, using the Policy Management product
to define policies the TOE consumes, and reviewing audit data the TOE
generates.
User A blanket term for a generic user of the TOE; any entity that is identified and
authenticated to the Policy Management product.
28
Illumio Core v24.2.20 Validator Report
14 Bibliography
URLs
[1] Common Criteria Evaluation and Validation Scheme (CCEVS): (http://www.niap-ccevs.org/cc-
scheme).
[2] Dekra Cybersecurity Certification CCTL (https://www.dekra.us/).
CCEVS Documents
1. Common Criteria for Information Technology Security Evaluation – Part 1: Introduction
and general model, Version 2022 Revision 1.
2. Common Criteria for Information Technology Security Evaluation – Part 2: Security
functional requirements, Version 2022 Revision 1
3. Common Criteria for Information Technology Security Evaluation – Part 3: Security
assurance requirements, Version 2022 Revision 1.
4. Common Evaluation Methodology for Information Technology Security Evaluation,
Version 2022 Revision 1
Other evaluation documents
1. Illumio Core Platform Security Target version 0.5, June 6, 2025
2. Illumio Core 24.2.20 Administration Guide, 11501-A 000
3. Security Policy User Guide 24.2.20, 11501-S 000
4. Illumio Core 24.2.10 and 24.2.20 Install, Configure, Upgrade, 11501-I 000
5. Illumio Core Common Criteria Guide 24.2.20, 11500-000, June 2025
6. Illumio Core v24.2 Third-Party Libraries Vulnerability Analysis Report version 0.5 May
2, 2025
7. Illumio - ESM Assurance Activity Report v0.2 June 10, 2025
8. Illumio Core v24.2.20 Evaluator Test Report v0.2 June 10, 2025