Assurance Activities Report for a Target of Evaluation NETSCOUT Arbor Edge Defense and APS Systems Security Target (Version 1.1) Assurance Activities Report (AAR) Version 1.1 12/12/2019 Evaluated by: Booz Allen Hamilton Common Criteria Test Laboratory NIAP Lab # 200423 1100 West St. Laurel, MD 20707 Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme 1 of 84 The Developer of the TOE: NETSCOUT Systems, Inc. 310 Littleton Road Westford, MA 01886 - 4105 The Author of the Security Target: Booz Allen Hamilton 1100 West St Laurel, 20707 USA The TOE Evaluation was sponsored by: Booz Allen Hamilton Evaluation Personnel: Herbert Markle Alex Massi Christopher Rakaczky Courtney Simon Applicable Common Criteria Version Common Criteria for Information Technology Security Evaluation, September 2012 Version 3.1 Revision 4 Common Evaluation Methodology Version Common Criteria for Information Technology Security Evaluation, Evaluation Methodology, September 2012 Version 3.1 Revision 4 2 of 84 Table of Contents 1 Purpose ............................................................................................................................................... - 1 - 2 TOE Summary Specification Assurance Activities ............................................................................ - 1 - 3 Operational Guidance Assurance Activities ..................................................................................... - 11 - 4 Test Assurance Activities (Test Report) ........................................................................................... - 21 - 4.1 Platforms Tested and Composition ......................................................................................... - 21 - 4.1.1 Test Configuration .............................................................................................................. - 21 - 4.2 Omission Justification ............................................................................................................. - 22 - 4.3 Test Cases ............................................................................................................................... - 23 - 4.3.1 Security Audit ..................................................................................................................... - 23 - 4.3.2 Cryptographic Security ....................................................................................................... - 26 - 4.3.3 Identification and Authentication ....................................................................................... - 46 - 4.3.4 Security Management ......................................................................................................... - 60 - 4.3.5 Protection of the TSF .......................................................................................................... - 63 - 4.3.6 TOE Access ........................................................................................................................ - 69 - 4.3.7 Trusted Path/Channels ........................................................................................................ - 72 - 5 Evaluation Activities for SARs ........................................................................................................ - 74 - 6 Conclusions ...................................................................................................................................... - 80 - 7 Glossary of Terms ............................................................................................................................ - 80 - 3 of 84 12/12/2019 CC TEST LAB #200423-0 1 Purpose The purpose of this document is to serve as a non-proprietary attestation that this evaluation has satisfied all of the TSS, AGD, and ATE Assurance Activities required by the Protection Profiles/Extended Packages to which the TOE claims exact conformance. 2 TOE Summary Specification Assurance Activities The evaluation team completed the testing of the Security Target (ST), ‘NETSCOUT Arbor Edge Defense and APS Systems Security Target version 1.1’, and confirmed that the TOE Summary Specification (TSS) contains all Assurance Activities as specified by the ‘collaborative Protection Profile for Network Devices version 2.0 + Errata 20180314 (NDcPP). The evaluators were able to individually examine each SFR’s TSS statements and determine that they comprised sufficient information to address each SFR claimed by the TOE as well as meet the expectations of the NDcPP Assurance Activities. Through the evaluation of ASE_TSS.1-1, described in the ETR, the evaluators were able to determine that each SFR was described in enough detail to demonstrate that the TSF addresses the SFR. However, in some cases the Assurance Activities that are specified in the claimed source material instruct the evaluator to examine the TSS for a description of specific behavior to ensure that each SFR is described to an appropriate level of detail. The following is a list of each SFR, the TSS Assurance Activities specified for the SFR, and how the TSS meets the Assurance Activities. Additionally, each SFR is accompanied by the source material (NDcPP) that defines where the most up-to-date TSS Assurance Activity was defined. Note: Since the TOE is not distributed, TSS Assurance Activities for distributed TOEs have been omitted for clarity. FAU_GEN.1 – “For the administrative task of generating/import of, changing, or deleting of cryptographic keys as defined in FAU_GEN.1.1c, the TSS should identify what information is logged to identify the relevant key.” Section 8.1.1 of the TSS contains an example of an audit record that is generated for a cryptographic key generation. The example includes a description of each portion of the audit record including the identification of which key was acted upon (in this case SSH key: Apr 11 11:32:30 arbor-aps2800.catl.local auth: COMMAND services ssh key generate BY admin FROM cli VIA 192.168.1.3 Apr 11 11:32:30 arbor-aps2800.catl.local auditcomsh: User: admin Command: / services ssh key generate Apr 11 11:32:32 arbor-aps2800.catl.local ssh: User admin successfully generated host key Date and Time – Apr 11 11:32:30 Event Type - services ssh key generate Subject Identity - User: admin Success or Failure of the event - User admin successfully generated host key Source of the Event - FROM cli VIA 192.168.1.3 FAU_GEN.2 – This SFR does not contain any NDcPP TSS Assurance Activities. FAU_STG_EXT.1 – “The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided. The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access. The TSS states in section 8.1.3 the TOE will send audit records to a remote syslog server via an encrypted TLS channel that is provided by the OpenSSL FIPS cryptographic module v2.0.8. When the TOE is configured to send data to the syslog server, the audit records immediately pushed to the syslog server. If Page - 1 - 12/12/2019 CC TEST LAB #200423-0 syslog server connectivity is unavailable, audit records will only be stored locally. Upon re-establishment of communications with the syslog server, new audit records will resume being transmitted to it but the audit records that were generated during the time the syslog server connection was down remain stored locally and are not sent to the syslog server. The evaluator shall examine the TSS to ensure that it details the behaviour of the TOE when the storage space for audit data is full. When the option ‘overwrite previous audit record’ is selected this description should include an outline of the rule for overwriting audit data. If ‘other actions’ are chosen such as sending the new audit data to an external IT entity, then the related behaviour of the TOE shall also be detailed in the TSS. The TSS states in section 8.1.3 the TSF has a fixed audit log rotation method for storing and automatically deleting old records. The TOE allocates 64 MB for up to 11 separate log files to store audit data. When the first audit log is full, a second is automatically created. This process is repeated until 11 files have been created. Once the 11th file is full, the first file is deleted and another is created to be populated with the newest audit data. The evaluator shall examine the TSS to ensure that it details whether the transmission of audit information to an external IT entity can be done in realtime or periodically. In case the TOE does not perform transmission in realtime the evaluator needs to verify that the TSS provides details about what event stimulates the transmission to be made as well as the possible as well as acceptable frequency for the transfer of audit data.” The TSS states in section 8.1.3 when the TOE is configured to send data to the syslog server, the audit records immediately pushed to the syslog server. FCS_CKM.1 – “The evaluator shall ensure that the TSS identifies the key sizes supported by the TOE. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.” The TSS states in section 8.2.1 that the TOE generates Elliptic Curve (ECC) keys using NIST curve P-256, P-384 and P-521 in accordance with FIPS PUB 186-4. The ECC keys are generated in support of TLS key establishment.