Gigamon GigaVUIE, 5.9.00 February 25, 2021 National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Gigamon GigaVUE Version 5.9.00 Report Number: CCEVS-VR-VID11129-2021 Version 1.0 February 25, 2021 National Institute of Standards and Technology Department of Defense Information Technology Laboratory ATTN: NIAP, Suite 6982 100 Bureau Drive 9800 Savage Road Gaithersburg, MD 20899 Fort Meade, MD 20755-6982 ® TM VALIDATION REPORT Gigamon GigaVUE, 5.9.00 ii ACKNOWLEDGEMENTS Validation Team Jerome Myers Meredith Hennan Kenneth Stutterheim Marybeth Panock Aerospace Corporation Common Criteria Testing Laboratory Herbert Markle, CCTL Technical Director Christopher Rakaczky Joshua Jones Courtney Simon Booz Allen Hamilton (BAH) Laurel, Maryland Gigamon GigaVUIE, 5.9.00 February 25, 2021 Table of Contents 1 EXECUTIVE SUMMARY................................................................................................................................4 2 IDENTIFICATION ...........................................................................................................................................5 3 ASSUMPTIONS AND CLARIFICATION OF SCOPE.................................................................................6 4 ARCHITECTURAL INFORMATION............................................................................................................9 5 SECURITY POLICY ......................................................................................................................................12 6 DOCUMENTATION.......................................................................................................................................14 7 EVALUATED CONFIGURATION...............................................................................................................15 8 IT PRODUCT TESTING................................................................................................................................16 9 RESULTS OF THE EVALUATION..............................................................................................................21 10 VALIDATOR COMMENTS ..........................................................................................................................23 11 ANNEXES ........................................................................................................................................................24 12 SECURITY TARGET .....................................................................................................................................25 13 LIST OF ACRONYMS....................................................................................................................................26 14 TERMINOLOGY ............................................................................................................................................27 15 BIBLIOGRAPHY ............................................................................................................................................28 VALIDATION REPORT Gigamon GigaVUE, 5.9.00 4 1 Executive Summary This report documents the assessment of the National Information Assurance Partnership (NIAP) validation team of the evaluation of Gigamon GigaVUE version 5.9.00 provided by Gigamon, Inc. It presents the evaluation results, their justifications, and the conformance results. This Validation Report is not an endorsement of the Target of Evaluation by any agency of the U.S. government, and no warranty is either expressed or implied. The evaluation was performed by the Booz Allen Hamilton Inc. Common Criteria Testing Laboratory (CCTL) in Laurel, Maryland, United States of America, and was completed in February 2021. The information in this report is largely derived from the evaluation sensitive Evaluation Technical Report (ETR) and associated test reports, all written by Booz Allen. The evaluation determined that the product is both Common Criteria Part 2 Extended and Part 3 Conformant and meets the assurance requirements set forth in the collaborative Protection Profile for Network Devices Version 2.2e (NDcPP). The Target of Evaluation (TOE) is the Gigamon GigaVUE version 5.9.00, which is the Gigamon GigaVUE Visibility appliance, running the GigaVUE software version 5.9.00 (also known as GigaVUE). The GigaVUE's primary functionality is to use the Gigamon Forwarding Policy to receive out-of-band copied network data from external sources (TAP or SPAN port) and forward that copied network data to one or many tool ports for packet capture or analyzing tools based on user selected criteria. GigaVUE can also copy the network traffic itself when sitting in-line with the network flow using passive, inline and bypass taps or any combination. GigaVUE features extensive filtering abilities enabling authorized users to forward precise customized data flows of copied data from many sources to a single tool, from a single source to many tools, or from many sources to many tools. However, the evaluated TOE functionality includes only the security functional behavior that is defined in the claimed NDcPP. The TOE identified in this Validation Report has been evaluated at a NIAP approved Common Criteria Testing Laboratory using the Common Methodology for IT Security Evaluation (Version 3.1, Rev 5) for conformance to the Common Criteria for IT Security Evaluation (Version 3.1, Rev 5), as interpreted by the Assurance Activities contained in the NDcPP. This Validation Report applies only to the specific version of the TOE as evaluated. The evaluation has been conducted in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme and the conclusions of the testing laboratory in the evaluation technical report is consistent with the evidence provided. The validation team monitored the activities of the evaluation team, provided guidance on technical issues and evaluation processes, and reviewed the individual work units of the ETR for the NDcPP Assurance Activities. The validation team found that the evaluation showed that the product satisfies all of the functional requirements and assurance requirements stated in the Security Target (ST). Therefore, the validation team concludes that the testing laboratory’s findings are accurate, the conclusions justified, and the conformance results are correct. The conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence produced. The technical information included in this report was obtained from the Gigamon GigaVUE Version 5.9.00 Security Target v1.0, dated February 2, 2021 and analysis performed by the Validation Team. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 5 2 Identification The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs) using the Common Evaluation Methodology (CEM) in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation. The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products desiring a security evaluation contract with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product is added to NIAP’s Product Compliant List. Table 1 provides information needed to completely identify the product, including:  The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated.  The Security Target (ST), describing the security features, claims, and assurances of the product.  The conformance result of the evaluation.  The Protection Profile to which the product is conformant.  The organizations and individuals participating in the evaluation. Table 1 – Evaluation Identifiers Item Identifier Evaluation Scheme United States NIAP Common Criteria Evaluation and Validation Scheme TOE Gigamon GigaVUE version 5.9.00 Refer to Table 2 and 3 for Model Specifications Protection Profile collaborative Protection Profile for Network Devices, Version 2.2e, 27 March 2020, including all applicable NIAP Technical Decisions and Policy Letters Security Target Gigamon GigaVUE Version 5.9.00 Security Target v1.0, dated February 2, 2021 Evaluation Technical Report Evaluation Technical Report for a Target of Evaluation “Gigamon GigaVUE Version 5.9.00” Evaluation Technical Report v1.0 dated February 2, 2021 CC Version Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5 Conformance Result CC Part 2 extended, CC Part 3 conformant Sponsor Gigamon, Inc. Developer Gigamon, Inc. Common Criteria Testing Lab (CCTL) Booz Allen Hamilton, Laurel, Maryland CCEVS Validators Jerome Myers, Meredith Hennan, Kenneth Stutterheim, and Marybeth Panock – The Aerospace Corporation VALIDATION REPORT Gigamon GigaVUE, 5.9.00 6 3 Assumptions and Clarification of Scope 3.1 Assumptions The following assumptions about the operational environment are made regarding its ability to provide security functionality.  It is assumed that the TOE is deployed in a physically secured operational environment and not subjected to any physical attacks.  It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.  The TOE is not responsible for protecting network traffic that is transmitted across its interfaces that is not related to any TOE management functionality or generated data.  TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.  It is assumed that regular software and firmware updates will be applied by a TOE Administrator when made available by the product vendor.  Administrator credentials are assumed to be secured from unauthorized disclosure.  TOE Administrators are trusted to ensure that there is no unauthorized access possible for sensitive residual information on the TOE when it is removed from its operational environment. 3.2 Threats The following lists the threats addressed by the TOE.  T.UNAUTHORIZED_ADMINISTRATOR_ACCESS – Threat agents may attempt to gain Administrator access to the Network Device by nefarious means such as masquerading as an Administrator to the device, masquerading as the device to an Administrator, replaying an administrative session (in its entirety, or selected portions), or performing man-in-the-middle attacks, which would provide access to the administrative session, or sessions between Network Devices. Successfully gaining Administrator access allows malicious actions that compromise the security functionality of the device and the network on which it resides.  T.WEAK_CRYPTOGRAPHY – Threat agents may exploit weak cryptographic algorithms or perform a cryptographic exhaust against the key space. Poorly chosen encryption algorithms, modes, and key sizes will allow attackers to compromise the algorithms, or brute force exhaust the key space and give them unauthorized access allowing them to read, manipulate and/or control the traffic with minimal effort.  T.UNTRUSTED_COMMUNICATION_CHANNELS – Threat agents may attempt to target Network Devices that do not use standardized secure tunnelling protocols to protect the critical network traffic. Attackers may take advantage of poorly designed protocols or poor key management to successfully perform man-in- the-middle attacks, replay attacks, etc. Successful attacks will result in loss of confidentiality and integrity of the critical network traffic, and potentially could lead to a compromise of the Network Device itself.  T.WEAK_AUTHENTICATION_ENDPOINTS – Threat agents may take advantage of secure protocols that use weak methods to authenticate the endpoints, e.g. a shared password that is guessable or transported as plaintext. The consequences are the same as a poorly designed protocol, the attacker could masquerade as the Administrator or another device, and the attacker could insert themselves into the network stream and perform a man-in-the-middle attack. The result is the critical VALIDATION REPORT Gigamon GigaVUE, 5.9.00 7 network traffic is exposed and there could be a loss of confidentiality and integrity, and potentially the Network Device itself could be compromised.  T.UPDATE_COMPROMISE – Threat agents may attempt to provide a compromised update of the software or firmware which undermines the security functionality of the device. Non-validated updates or updates validated using non- secure or weak cryptography leave the update firmware vulnerable to surreptitious alteration.  T.UNDETECTED_ACTIVITY – Threat agents may attempt to access, change, and/or modify the security functionality of the Network Device without Administrator awareness. This could result in the attacker finding an avenue (e.g., misconfiguration, flaw in the product) to compromise the device and the Administrator would have no knowledge that the device has been compromised.  T.SECURITY_FUNCTIONALITY_COMPROMISE – Threat agents may compromise credentials and device data enabling continued access to the Network Device and its critical data. The compromise of credentials includes replacing existing credentials with an attacker’s credentials, modifying existing credentials, or obtaining the Administrator or device credentials for use by the attacker.  T.PASSWORD_CRACKING – Threat agents may be able to take advantage of weak administrative passwords to gain privileged access to the device. Having privileged access to the device provides the attacker unfettered access to the network traffic and may allow them to take advantage of any trust relationships with other Network Devices.  T.SECURITY_FUNCTIONALITY_FAILURE – An external, unauthorized entity could make use of failed or compromised security functionality and might therefore subsequently use or abuse security functions without prior authentication to access, change or modify device data, critical network traffic or security functionality of the device. 3.3 Clarification of Scope All evaluations (and all products) have limitations, as well as potential misconceptions that might benefit from additional clarification. This text covers some of the more important limitations and clarifications of this evaluation. Note that:  As with any evaluation, this evaluation only shows that the evaluated configuration meets the security claims made, with a certain level of assurance. The level of assurance for this evaluation is defined within the collaborative Protection Profile for Network Devices, Version 2.2e 27 March 2020, including all relevant NIAP Technical Decisions. A subset of the “optional” and “selection-based” security requirements defined in the NDcPP are claimed by the TOE and documented in the ST.  Consistent with the expectations of the Protection Profile, this evaluation did not specifically search for, nor seriously attempt to counter, vulnerabilities that were not “obvious” or vulnerabilities to security functionality not claimed in the ST. The CEM defines an “obvious” vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources.  The functionality evaluated is scoped exclusively to the security functional requirements specified in the Security Target in accordance with the NDcPP and applicable Technical Decisions. All other functionality provided by these devices is not covered by this evaluation and needs to be assessed separately as no further conclusions can be drawn about their effectiveness. In particular, the GigaVUE’s network traffic capture, filter, and forwarding capabilities described in Section 1.3 of the Security Target were not assessed VALIDATION REPORT Gigamon GigaVUE, 5.9.00 8 as part of this evaluation. Further information of excluded functionality can be found in Section 2.3 of the Security Target. The evaluated configuration of the TOE Gigamon GigaVUE version 5.9.00, which is the Gigamon GigaVUE appliance described in Table 1 running the Gigamon GigaVUE-OS software version 5.9.00. In the evaluated configuration, the TOE uses TLS/HTTPS to secure remote web-based administration, SSH to secure remote command-line administration. and TLS, HTTPS and SSH to secure transmissions of security-relevant data from the TOE to external entities such as authentication server and syslog. The TOE includes administrative guidance in order to instruct Security Administrators in the secure installation and operation of the TOE. Adherence to this guidance is sufficient to ensure that the TOE is operated in accordance with its evaluated configuration. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 9 4 Architectural Information Note: The following architectural description is based on the description presented in the Security Target. 4.1 TOE Introduction The TOE, Gigamon GigaVUE version 5.9.00, is a network device that includes hardware and software. In the evaluated configuration, the TOE is a standalone device that is not deployed as a distributed TOE. The GigaVUE is a family of products that provide different performance and capability specifications; the TOE includes the models listed in Table 2 and Table 3 below. These devices can be accessed locally via serial port and remotely via SSH CLI and TLS/HTTPS web GUI. 4.2 Physical Boundary The TOE is a rack-mounted network device comprised of both software and hardware. The hardware is comprised of the following TOE evaluated platforms: Property HC3 HC2 HC1 Model Number GVS-HC301 (AC power) GVS-HC302 (DC power) GVS-HC2A1 (AC power) GVS-HC2A2 (DC power) GVS-HC101 (AC power) GVS-HC102 (DC power) Size 3RU 2RU 1RU Processor Intel Atom C2758 NXP QorIQ P2041 Intel Atom C2538 TAP Modules None TAP-HC0-D25AC0 TAP module, SX/SR Internal TAP module 50/125, 12 TAPs TAP-HC0-D25BC0 TAP module, SX/SR Internal TAP module 62.5125, 12 TAPs TAP-HC0-D35CC0 TAP module, LX/LR Internal TAP module, 12 TAPs TAP-HC0-G100C0 TAP and Bypass Module, Copper, 12 TAP or BPS pairs TAP-HC1-G10040 TAP and Bypass module, 10/100/1000M Copper, 4 TAPs or BPC pairs Bypass Combo Modules BPS-HC3-C25F26 Bypass Combo Module, GigaVUE- HC3, 2 100Gb SR4 BPS pairs, 16 10G cages BPS-HC0-D25A4G Bypass Combo Module 4 SX/SR 50/125 BPS pairs, 16 10G cages BPS-HC0-D25B4G Bypass Combo Module 4 SX/SR 62.5/125 BPS pairs, 16 10G cages BPS-HC0-D35C4G Bypass Combo Module 4 LX/LR BPS-HC1-D25A24 Bypass Combo Module, 2 SX/SR 50/125 BPS pairs, 4 10G cages VALIDATION REPORT Gigamon GigaVUE, 5.9.00 10 Property HC3 HC2 HC1 BPS pairs, 16 10G cages BPS-HC0-Q25A28 Bypass Combo Module 2 40G SR4 BPS pairs, 8 10G cages GigaSMART Modules SMT-HC3-C05 GigaSMART, GigaVUE- HC3, 5x100G QSFP28 cages (includes Slicing, Masking, Source Port Tagging, and Tunneling De- encapsulation) SMT-HC0-R GigaSMART, GigaVUE-HC2 rear module; SMT-HC0-X16 GigaSMART, GigaVUE- HC2 front module, 16 10G cages (includes Slicing, Masking, Source Port Tagging, and Tunneling De- encapsulation) SMT-HC1-S GigaSMART GigaVUE-HC1, Gen3: Processing up to 30G (includes Slicing, Masking, Source Port Tagging, and Tunneling De- encapsulation) Port Modules PRT-HC3-C08Q08 Port Module, 8x100G QSFP28 cages, 8x40 QSFP+ cages PRT-HC3-X24 Port Module, GigaVUE-HC3, 24x10G PRT-HC0-X24 Port Module, 24x10G (QSFP) PRT-HC0-Q06 Port Module, 6x40G (QSFP+) PRT-HC0-C02 Port Module, 2x100G (QSFP28) None Fixed Ports 10/100/1000M Mgmt. port Serial Console 10/100/1000M Mgmt. port Serial Console 10/100/1000M Mgmt. port Serial Console 12 1G/10G Ports (QSFP) 4 10/100/1000M Ports Table 2 – HC Series Properties Property TA200 Model Number GigaVUE-TA200 Edge Traffic Aggregation Node GVS-TAC21 (AC power) GVS-TAC22 (DC power) Size 2RU Processor Intel Xeon D1527 Fixed Ports 10/100/1000M Mgmt. port Serial Console 64 100G/40G ports Configurable Ports None Table 3 – TA Series Properties VALIDATION REPORT Gigamon GigaVUE, 5.9.00 11 The TOE software is the Gigamon GigaVUE software version 5.9.00. Note that the GigaVUE software is built on top of the CentOS versions listed below in Table 4. GigaVUE OS CentOS HC2 CentOS 5.8 HC1, HC3, TA200 CentOS 6.6 Table 4 – Software Versions The TOE resides on a network and supports (in some cases optionally) the following hardware, software, and firmware in its environment: Component Definition Certification Authority (CA) A server that acts as a trusted issuer of digital certificates and distributes a CRL that identifies revoked certificates. LDAP Server A system that is capable of receiving authentication requests using LDAP over TLS and validating these requests against identity and credential data that is defined in an LDAP directory. Management Workstation Any general-purpose computer that is used by an administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client to access the CLI or a web browser to access the web GUI, or locally, in which case the management workstation must be physically connected to the TOE using the serial port and must use a terminal emulator that is compatible with serial communications. Syslog Server The Syslog Server connects to the TOE and allows the TOE to send Syslog messages to it for remote storage. This is used to send copies of audit data to be stored in a remote location for data redundancy purposes. Table 5 – IT Environment Components VALIDATION REPORT Gigamon GigaVUE, 5.9.00 12 5 Security Policy 5.1.1 Security Audit Audit records are generated for various types of management activities and events. The audit records include the date and time stamp of the event, the event type and subject identity. In the evaluated configuration, the TSF is configured to transmit audit data to a remote Syslog Server using SSHv2, but audit data is also stored locally to ensure availability of the data if communications with the Syslog Server are unavailable. Local audit records are stored in “message” files which are rotated to ensure a maximum limit of disk usage is enforced. Only users with the Admin privilege can access or delete the log files. Users with the Admin privilege are considered trusted users and are therefore not expected to delete or modify the audit records. 5.1.2 Cryptographic Support The TOE uses sufficient security measures to protect its data in transmission by implementing cryptographic methods and trusted channels. The TOE uses SSH to secure the remote CLI and Syslog Server trusted channels. The TOE also uses TLS/HTTPS to secure the trusted channels for the secure web GUI and LDAP server. Cryptographic keys are generated using the CTR_DRBG provided by this module. The TOE erases all plaintext secret and private keys that reside in both RAM and non-volatile storage with zeroes. In the evaluated configuration, the TOE operates in “Secure Cryptography Mode” which is used to restrict algorithms to meet the PP requirements. The following table contains the CAVP algorithm certificates: SFR Algorithm CAVP Cert. # FCS_CKM.1 FCS_COP.1/SigGen ECDSA C1796 FCS_CKM.2 CVL C1796 FCS_COP.1/DataEncryption AES C1796 FCS_COP.1/Hash SHS C1796 FCS_COP.1/KeyedHash HMAC C1796 FCS_RBG_EXT.1 DRBG C1796 Table 6 – Cryptographic Algorithm Table 5.1.3 Identification and Authentication All users must be identified and authenticated to the TOE before being allowed to perform any actions on the TOE. This is true of users accessing the TOE via the local console, or protected paths using the remote CLI via SSH or web GUI via TLS/HTTPS. Users authenticate to the TOE using one of the following methods:  Username/password (defined on the TOE)  LDAP authentication  Username/public key (SSH only) The TSF provides a configurable number of maximum consecutive authentication failures that are permitted by a user. Once this number has been met, the account is locked for a configurable time interval. Passwords that are maintained by the TSF can be composed of upper case, lower case, VALIDATION REPORT Gigamon GigaVUE, 5.9.00 13 numbers and special characters. The Security Administrator can define the password length between 8 and 30 characters. Password information is never revealed during the authentication process including during login failures. Before a user authenticates to the device, a configurable warning banner is displayed. As part of establishing trusted remote communications, the TOE provides X.509 certificate functionality. In addition to verifying the validity of certificates, the TSF can check their revocation status using a certificate revocation list (CRL). The TSF can also generate a Certificate Signing Request in order to obtain a signed certificate to install for its own use as a TLS server. 5.1.4 Security Management The TOE defines two roles: Admin and Monitor. Each of these roles has varying levels of fixed privilege to interact with the TSF. The Admin role is able to perform all security-relevant management functionality (such as user management, password policy configuration, application of software updates, and configuration of cryptographic settings). The Monitor role provides view-only access to ports and configurations. Therefore, the term “Admin”, used throughout this document, is considered to be a Security Administrator of the TSF. Management functions can be performed using the local CLI, remote CLI, or web GUI. All software updates to the TOE are performed manually. 5.1.5 Protection of the TSF The TOE stores usernames and passwords in a password file that cannot be viewed by any user on the TOE regardless of the user's role. The passwords are hashed using SHA-512. Public keys are stored in the configuration database which is integrity checked at boot time. Key data is stored in plaintext on the hard drive but cannot be accessed by any user. The TOE has an underlying hardware clock that is used for keeping time. The time can be manually set by the administrator. Power-on self-tests are executed automatically when the cryptographic module is loaded into memory. All binaries (e.g., executables, libraries), are located on a read-only partition and cannot be modified. In addition, the TOE has a configuration database that is integrity checked at boot time. The version of the TOE (both the currently executing version and the installed/updated version, if different) can be verified from any of the administrative interfaces provided by the TSF. The updated image is verified via a digital signature. 5.1.6 TOE Access The TOE can terminate inactive local console, remote CLI or web GUI sessions after a specified time period. The default setting is 15 minutes. Users can also terminate their own interactive sessions. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session. The TOE displays an administratively configured banner on the local console or remote CLI and the web GUI prior to allowing any administrative access to the TOE. 5.1.7 Trusted Path/Channels The TOE connects and sends data to IT entities that reside in the Operational Environment via trusted channels. In the evaluated configuration, the TOE connects with a Syslog Server using SSH to encrypt the audit data that traverses the channel. The TOE also connects with an LDAP server using TLS. When accessing the TOE remotely, administrators interface with the TSF using a trusted path. The remote CLI is protected via SSH and the web GUI is protected by TLS/HTTPS. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 14 6 Documentation The following documents were available with the TOE for evaluation:  Gigamon GigaVUE Version 5.9.00 Security Target v1.0, dated February 2, 2021 (ST).  Gigamon GigaVUE Version 5.9.00 Supplemental Administrative Guidance for Common Criteria- v1.0 (AGD)  GigaVUE-OS-CLI-ReferenceGuide-v5900  GV-FM-OS-AdministrationGuide-v5900  GigaVUE-HC1 Hardware Installation Guide-v5900  GigaVUE-HC2 Hardware Installation Guide-v5900  GigaVUE-HC3 Hardware Installation Guide v5900  GigaVUE-TA Series Hardware Installation Guide-v5900 The documentation listed above is the only documentation that should be trusted to install, administer, or use the TOE in its evaluated configuration. Any additional customer documentation provided with the product, or that which may be available online, was not included in the scope of the evaluation and therefore should not be relied upon to configure or operate the device as evaluated. To use the product in the evaluated configuration, the product must be configured as specified in the AGD listed above. Consumers are encouraged to download configuration guides from the NIAP website to ensure the device is configured as evaluated. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 15 7 Evaluated Configuration The evaluated configuration, as defined in the Security Target, is Gigamon GigaVUE version 5.9.00, which is the Gigamon GigaVUE appliance, running the software: Gigamon GigaVUE version 5.9.00. Section 4.2 describes the TOE’s physical configuration as well as the operational environment components to which it communicates. In its evaluated configuration, the TOE is configured to communicate with the following environment components:  Certificate Authority (CA) for distribution of certificates and CRLs  LDAP Server for remote authentication  Management Workstation for local and remote administration  Syslog Server for recording of syslog data To use the product in the evaluated configuration, the product must be configured as specified in the Gigamon GigaVUE Version 5.9.00 Supplemental Administrative Guidance for Common Criteria Version 1.0 document. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 16 8 IT Product Testing This section describes the testing efforts of the developer and the evaluation team. It is derived from information contained in the proprietary Gigamon GigaVUE Version 5.9.00 Test Plan, dated April 21, 2020, and characterized in the Assurance Activity Report for a Target of Evaluation “Gigamon GigaVUE Version 5.9.00” Assurance Activities Report v1.0, dated February 2, 2021, which is publicly available. 8.1 Test Configuration The evaluation team configured the TOE for testing according to the Gigamon GigaVUE Version 5.9.00 Supplemental Administrative Guidance for Common Criteria Version 1.0 (AGD) document. The evaluation team set up a test environment for the independent functional testing that allowed them to perform the assurance activities against the TOE over the SFR relevant interfaces. The evaluation team conducted testing in the Booz Allen CCTL facility on an isolated network. Testing was performed against all three management interfaces defined in the ST (local CLI, remote CLI, and web GUI). The TOE was configured to communicate with the following environment components:  Function: LDAP Server, CRL Distribution Point, Certification Authority o OS: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux. o Protocols: TLS, SSH o Tools:  HTTPS server used was Server version: Apache/2.4.10 (Debian) Server  Certificate Authority/CRL Distribution Point (OpenSSL 1.0.1t)  LDAP Server for remote authentication (OpenLDAP 2.4.40)  Function: Syslog Server o OS: Linux 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3 (2017-12-03) x86_64 GNU/Linux o Protocols: TLS, SSH o Tools:  Syslog Server for recording of syslog data (rsyslogd 8.24.0)  Tcpdump version 4.9.2  Function: Switch o Model: Cisco Catalyst WS-C Switch, WS-C3560X-24P-L o OS: Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE3 o Protocols: N/A The following machines were used as the Management Workstations (“Test Workstation”) for local and remote administration:  Function: Test Workstation o Platform: Dell Precision M4800 Laptop o OS: Windows 10 o Protocols: TLS, SSH o Tools: VALIDATION REPORT Gigamon GigaVUE, 5.9.00 17  Google Chrome: version 75.0.3770.142  Wireshark: version 3.2.5  Firefox Quantum: version 77.0.1  PuTTY .70  Function: Test Workstation o Platform: HP EliteBook Laptop o OS: Windows 10 o Protocols: TLS, SSH o Tools:  Wireshark: version 2.6.4  Firefox Quantum: version 68.0.1  Internet Explorer: version 11.726.16299.0  Google Chrome: version 75.0.3770.142  PuTTY SSH Client: version .70  Function: Test Workstation o Platform: VMware ESXi based Virtual Machine o OS: (Linux 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux) o Protocols: TLS, SSH o Tools:  Tcpdump: version 4.9.2  Libpcap version 1.8.1  OpenSSL version 1.0.2k VALIDATION REPORT Gigamon GigaVUE, 5.9.00 18 TOE Local Console (serial) Terminal Workstation GigaVUE (TOE) Switch Test Workstation Syslog Server CRL Distribution Point LDAP Server Certification Authority Man-in-the-middle (MITM)* * the MITM network path is indicated by a dashed line, which was used when performing the following test cases: 36, 37, 38, 51, 52, 73, 74, 75 Figure 1 - Test Configuration 8.2 Developer Testing No evidence of developer testing is required in the Evaluation Activities for this product. 8.3 Evaluation Team Independent Testing The test team's test approach was to test the security mechanisms of the TOE by exercising the external interfaces to the TOE and viewing the TOE behavior on the platform. The ST and the independent test plan were used to demonstrate test coverage of all SFR testing assurance activities as defined by the NDcPP for all security relevant TOE external interfaces. TOE external interfaces that will be determined to be security relevant are interfaces that  change the security state of the product,  permit an object access or information flow that is regulated by the security policy,  are restricted to subjects with privilege or behave differently when executed by subjects with privilege, or  invoke or configure a security mechanism. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 19 Security functional requirements were determined to be appropriate to a particular interface if the behavior of the TOE that supported the requirement could be invoked or observed through that interface. The evaluation team tested each interface for all relevant behavior of the TOE that applied to that interface. 8.4 Evaluation Team Vulnerability Testing The evaluation team reviewed vendor documentation, formulated hypotheses, performed vulnerability analysis, and documented the hypotheses and analysis in accordance with the NDcPP requirements. Keywords were identified based upon review of the Security Target and AGD. The following keywords (version information used for refining results) were identified: Keyword Description Gigamon This is a generic term for searching for known vulnerabilities produced by the company as a whole. GigaVUE This is a generic term for searching for known vulnerabilities for the specific product. CentOS (5.8) This is a generic term searching for known vulnerabilities for the underlying TOE operating system. CentOS (6.6) This is a generic term searching for known vulnerabilities for the TOE’s cryptographic TLS module. OpenSSL (1.0.2v) This is a generic term searching for known vulnerabilities for the TOE’s cryptographic SSH module. OpenSSH (6.2p2) This is a generic term searching for known vulnerabilities for the TOE’s underlying host processor. Intel Atom (C2758 and C2538) This is a generic term searching for known vulnerabilities for the TOE’s underlying host processor. Intel Xeon (D1527) This is a generic term searching for known vulnerabilities for the TOE’s underlying host processor. QorIQ (P2041) This is a generic term searching for known vulnerabilities for the TOE’s underlying web server. These keywords were used individually and as part of various permutations and combinations to search for vulnerabilities on public vulnerability sources on February 2, 2021. The following public vulnerability sources were searched:  NIST National Vulnerabilities: https://web.nvd.nist.gov/view/vuln/search  Common Vulnerabilities and Exposures: http://cve.mitre.org/cve/ https://www.cvedetails.com/vulnerability-search.php  US-CERT: http://www.kb.cert.org/vuls/html/search  SecurITeam Exploit Search: www.securiteam.com  Tenable Network Security http://nessus.org/plugins/index.php?view=search  Tipping Point Zero Day Initiative http://www.zerodayinitiative.com/advisories  Offensive Security Exploit Database: https://www.exploit-db.com/  Rapid7 Vulnerability Database: https://www.rapid7.com/db/vulnerabilities Upon the completion of the vulnerability analysis research, the team had identified several generic vulnerabilities upon which to build a test suite. These tests were created specifically with the intent of exploiting these vulnerabilities within the TOE or its configuration. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 20 The team tested the following areas:  Port Scanning Remote access to the TOE should be limited to the standard TOE interfaces and procedures. This test attempted to find ways to bypass these standard interfaces of the TOE and open any other vectors of attack.  Fuzzing – Mutated TYPE and CODE This attack attempts to determine if the TOE will properly handle malformed ICMP and IP packets that it receives with mutated TYPE and CODE values.  Fuzzing – Mutated remaining field This attack attempts to determine if the TOE will properly handle malformed ICMP and IP packets that it receives with mutated remaining field values.  Web Interface Vulnerability Identification (Nessus & Burp Suite) Burp Suite is a web application vulnerability assessment tool. It looks for major vulnerabilities including cross-site scripting, SQL injection, directory traversal, unchecked file uploads, etc. as well as less critical vulnerabilities such as unnecessary information disclosure. Nessus is a general-purpose network-based vulnerability scanner. It also looks for a suite of major vulnerabilities, including misconfigurations, default credentials, and web application related vulnerabilities.  SSH Timing Attack (User Enumeration) This attack attempts to enumerate validate usernames for the SSH interface, by observing the difference in server response times to valid username login attempts.  Force SSHv1 This attack determines if the SSH server on the TOE will accept an SSHv1 connection when the TOE claims to only support SSHv2.  Remote Network Scan (Nessus) Nessus is a general-purpose network-based vulnerability scanner. It also looks for a suite of major vulnerabilities, including misconfigurations, default credentials, and web application related vulnerabilities.  CLI Privilege Escalation This attack involves enumerating a valid username with an attempt to access the underlying OS CLI shell, then cracking the user’s password and logging in. The evaluation team determined that no residual vulnerabilities exist that are exploitable by attackers with Basic Attack Potential. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 21 9 Results of the Evaluation The results of the assurance requirements are generally described in this section and are presented in detail in the proprietary Test Plan and proprietary ETR. The reader of this document can assume that all Evaluation Activities and work units received a passing verdict. A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation was conducted based upon CC version 3.1 rev 5 and CEM version 3.1 rev 5. The evaluation determined the TOE to be Part 2 extended, and meets the SARs contained the PP. Additionally, the evaluator performed the Evaluation Activities specified in the NDcPP. The following evaluation results are extracted from the non-proprietary Evaluation Technical Report provided by the CCTL and are augmented with the validator’s observations thereof. 9.1 Evaluation of the Security Target (ASE) The evaluation team applied each ASE CEM work unit. The ST evaluation ensured the ST contains a description of the environment in terms of policies and assumptions, a statement of security requirements claimed to be met by the Gigamon GigaVUE product that is consistent with the Common Criteria, and product security function descriptions that support the requirements. Additionally, the evaluator performed an assessment of the Evaluation Activities specified in the NDcPP Supporting Documents in order to verify that the specific required content of the TOE Summary Specification is present, consistent, and accurate. The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the requirements of the CEM, and that the conclusion reached by the evaluation team was justified. 9.2 Evaluation of the Development (ADV) The evaluation team applied each ADV CEM work unit. The evaluation team assessed the design documentation and found it adequate to aid in understanding how the TSF provides the security functions. The design documentation consists of a functional specification contained in the Security Target’s TOE Summary Specification. Additionally, the evaluator performed the Evaluation Activities specified in the NDcPP Supporting Documents related to the examination of the information contained in the TOE Summary Specification. The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the Assurance Activities, and that the conclusion reached by the evaluation team was justified. 9.3 Evaluation of the Guidance Documents (AGD) The evaluation team applied each AGD CEM work unit. The evaluation team ensured the adequacy of the user guidance in describing how to use the operational TOE. Additionally, the evaluation team ensured the adequacy of the administrator guidance in describing how to securely administer the TOE. The guides were assessed during the design and testing phases of the evaluation to ensure they were complete. Additionally, the evaluator performed the Evaluation Activities specified in the NDcPP Supporting Document related to the examination of the information contained in the operational guidance documents. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 22 The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the Assurance Activities, and that the conclusion reached by the evaluation team was justified. 9.4 Evaluation of the Life Cycle Support Activities (ALC) The evaluation team applied each ALC CEM work units. The evaluation team found that the TOE was identified. The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the requirements of the CEM, and that the conclusion reached by the evaluation team was justified. 9.5 Evaluation of the Test Documentation and the Test Activity (ATE) The evaluation team applied each ATE CEM work unit. The evaluation team ran the set of tests specified by the Assurance Activities in the NDcPP Supporting Documents and recorded the results in a Test Report, summarized in the Evaluation Technical Report and sanitized for non- proprietary consumption in the Assurance Activity Report. The validators reviewed the work of the evaluation team and found that sufficient evidence was provided by the evaluation team to show that the evaluation activities addressed the test activities in the NDcPP Supporting Documents, and that the conclusion reached by the evaluation team was justified. 9.6 Vulnerability Assessment Activity (VAN) The evaluation team applied each AVA CEM work unit. The evaluation team performed a public search for vulnerabilities, performed vulnerability testing and did not discover any issues with the TOE. The evaluation team also ensured that the specific vulnerabilities defined in the NDcPP Supporting Documents were assessed and that the TOE was resistant to exploit attempts that utilize these vulnerabilities. The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation addressed the vulnerability analysis requirements in the NDcPP Supporting Documents, and that the conclusion reached by the evaluation team was justified. 9.7 Summary of Evaluation Results The evaluation team’s assessment of the evaluation evidence demonstrates that the claims in the ST are met. Additionally, the evaluation team’s test activities also demonstrated the accuracy of the claims in the ST. The validation team’s assessment of the evidence provided by the evaluation team is that it demonstrates that the evaluation team performed the Evaluation Activities in the NDcPP Supporting Document, and correctly verified that the product meets the claims in the ST. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 23 10 Validator Comments The validation team notes that the evaluated configuration is dependent upon the TOE being configured per the evaluated configuration instructions in the Gigamon GigaVUE Version 5.9.00 Supplemental Administrative Guidance for Common Criteria Version 1.0 document. No versions of the TOE and software, either earlier or later were evaluated. Administrators should take note of the fact that when the product is configured to offload audit files to an audit logging server, if that communications link is interrupted, the audit files generated during the time of the interruption will be captured locally. However, upon resumption of the connectivity, the offload begins with the reconnection and will NOT send those audit files generated during the outage. It will be necessary for the administrator to take steps to offload those files or they will be overwritten when the audit log is full. Please note that the functionality evaluated is scoped exclusively to the security functional requirements specified in the Security Target. Other functionality included in the product was not assessed as part of this evaluation. Other functionality provided by devices in the operational environment, such as the syslog server, need to be assessed separately and no further conclusions can be drawn about their effectiveness. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 24 11 Annexes Not applicable VALIDATION REPORT Gigamon GigaVUE, 5.9.00 25 12 Security Target The security target for this product’s evaluation is Gigamon GigaVUE Version 5.9.00 Security Target v1.0, dated February 2, 2021. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 26 13 List of Acronyms Acronym Definition AES Advanced Encryption Standard API Application Programming Interface CA Certificate Authority CAVP Cryptographic Algorithm Verification Program CC Common Criteria CLI Command-Line Interface cPP collaborative Protection Profile CPU Central Processing Unit CRL Certificate Revocation List CSP Content Security Policy DRBG Deterministic Random Bit Generator FTP File Transfer Protocol GUI Graphical User Interface HMAC Hash-based Message Authentication Code HTTPS Hypertext Transfer Protocol Secure I&A Identity and Access IDS Intrusion Detection System LDAP Lightweight Directory Access Protocol MAC Message Authentication Code NIAP National Information Assurance Partnership NTP Network Time Protocol OCSP Online Certificate Status Protocol OS Operating System PP Protection Profile RAM Random Access Memory RBG Random Bit Generator RNG Random Number Generator RU Rack Unit SCP Secure Copy Protocol SFR Security Functional Requirement SFTP SSH File Transfer Protocol SHA Secure Hash Algorithm SHS Secure Hash Standard SPAN Switched Port Analyzer SSH Secure Shell ST Security Target SVR Server TAP Test Access Port TFTP Trivial File Transfer Protocol TLS Transport Layer Security TOE Target of Evaluation TSF TOE Security Function UART Universal Asynchronous Receiver/Transmitter UI User Interface VALIDATION REPORT Gigamon GigaVUE, 5.9.00 27 14 Terminology Term Definition Administrator or ‘Admin’ A user who is assigned the ‘Admin’ role on the TOE and has the ability to manage the TSF. Synonymous with Security Administrator. Credential Data that establishes the identity of a user (e.g., a cryptographic key or password). Operating System (OS) Software that manages hardware resources and provides services for applications. Platform A platform can be an operating system, hardware environment, a software-based execution environment, or some combination of these. These types platforms may also run atop other platforms. Security Administrator An authorized administrator role that is authorized to manage the TOE and its data. This TOE defines three separate user roles, but only the most privileged role (Admin) is authorized to manage the TOE’s security functionality and is therefore considered to be the Security Administrator for the TOE. Trusted Channel An encrypted connection between the TOE and a system in the Operational Environment. Trusted Path An encrypted connection between the TOE and the application a Security Administrator uses to manage it (web browser, terminal client, etc.). User In a CC context, any individual who has the ability to access the TOE functions or data. VALIDATION REPORT Gigamon GigaVUE, 5.9.00 28 15 Bibliography 1. Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated April 2017, version 3.1, Revision 5, CCMB-2017-004-001 2. Common Criteria for Information Technology Security Evaluation – Part 2: Security functional components, dated April 2017, version 3.1, Revision 5, CCMB-2017-004-002 3. Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance components, dated April 2017, version 3.1, Revision 5, CCMB-2017-004-003 4. Common Methodology for Information Technology Security Evaluation – Evaluation Methodology, dated April 2017, version 3.1, Revision 5, CCMB-2017-004-004 5. collaborative Protection Profile for Network Devices, Version 2.2e, 27 March 2020 [NDcPP] 6. Gigamon GigaVUE Version 5.9.00 Security Target v1.0, dated February 2, 2021 [ST] 7. Gigamon GigaVUE Version 5.9.00 Supplemental Administrative Guidance for Common Criteria Version 1.0, dated February 2, 2021 [AGD] 8. GigaVUE-OS-CLI-ReferenceGuide-v5900 9. GV-FM-OS-AdministrationGuide-v5900 10. GigaVUE-HC1 Hardware Installation Guide-v5900 11. GigaVUE-HC2 Hardware Installation Guide-v5900 12. GigaVUE-HC3 Hardware Installation Guide v5900 13. GigaVUE-TA Series Hardware Installation Guide-v5900 14. Assurance Activity Report for a Target of Evaluation “Gigamon GigaVUE Version 5.9.00” Assurance Activities Report v1.0 dated February 2, 2021 [AAR] 15. Gigamon GigaVUE Version 5.9.00 Test Plan, dated April 21, 2020 16. Evaluation Technical Report for a Target of Evaluation “Gigamon GigaVUE Version 5.9.00” Evaluation Technical Report v1.0 dated February 2, 2021 [ETR]