Protection Profile for Virtualization Extended Package Client Virtualization. Version: National Information Assurance Partnership

Similar documents
Protection Profile for Virtualization Extended Package Server Virtualization. Version: National Information Assurance Partnership

Version: National Information Assurance Partnership

Protection Profile for Server Virtualization

Protection Profile for Virtualization. Version: National Information Assurance Partnership

Application Software Extended Package for Web Browsers. Version: National Information Assurance Partnership

Market Central, Inc. Security Target

Extended Package for Secure Shell (SSH) Version: National Information Assurance Partnership

CC and CEM addenda. Exact Conformance, Selection-Based SFRs, Optional SFRs. May Version 0.5. CCDB xxx

Application Software Extended Package for Web Browsers. Version: National Information Assurance Partnership

Network Device collaborative Protection Profile Extended Package SIP Server

Crypto Catalog. Version: National Information Assurance Partnership

Symantec Data Loss Prevention 14.5

MQAssure TM NetSignOn Secure Desktop Login

Dell EMC NetWorker 9.1

collaborative Protection Profile Module for Full Drive Encryption Enterprise Management March 23 rd, 2018

Xerox WorkCentre 5222/5225/5230. Security Target

DoD ANNEX FOR PROTECTION PROFILE FOR APPLICATION SOFTWARE V1.2. Version 1, Release February Developed by DISA for the DoD

PP-Module for Clients. Version: National Information Assurance Partnership

BMC Software, PATROL Perform/Predict, Version Security Target

COMMON CRITERIA CERTIFICATION REPORT

etrust Admin V8.0 Security Target V2.3 Computer Associates 6150 Oak Tree Blvd, Suite 100 Park Center Plaza II Independence, OH 44131

COMMON CRITERIA CERTIFICATION REPORT

Korean National Protection Profile for Single Sign On V1.0 Certification Report

CC and CEM addenda. Modular PP. March Version 1.0 CCDB

DBMS PP Extended Package Access History (DBMS PP_EP_AH) Version 1.02

Tabular Presentation of the Application Software Extended Package for Web Browsers

Microsoft Windows Common Criteria Evaluation

COMMON CRITERIA CERTIFICATION REPORT

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

Korean National Protection Profile for Electronic Document Encryption V1.0 Certification Report

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. October Version 2.

Fuji Xerox ApeosPort-II 7000/6000 Series Controller Software for Asia Pacific. Security Target

SailPoint IdentityIQ Common Criteria Security Target. SailPoint

Xerox WorkCentre 7228/7235/7245 Series Security Kit. Security Target

National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme

EpsonNet ID Print Authentication Print Module Security Target Ver1.11

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for

EMC VNXe1600 OE v3.1.3

Protection Profile Summary

Certification Report

MecWise HR 3.1 (R1) (MecWise ehuman Resource) Security Target

COMMON CRITERIA CERTIFICATION REPORT

Computer Associates. Security Target V2.0

ST Version Date January 24, 2011 Version 1-12

RSA Identity Governance and Lifecycle v Security Target

Avocent Cybex SwitchView SC Series Switches Security Target

National Information Assurance Partnership

McAfee Web Gateway Version EAL 2 + ALC_FLR.2 Security Target

Certification Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

NDcPP v1.0 Assurance Activity Report for Dell Networking Platforms

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT

Samsung Electronics Co., Ltd. Samsung Galaxy Note 5 & Galaxy Tab S2 VPN Client

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for

Protection Profile for Hardcopy Devices v1.0 Errata #1, June 2017

COMMON CRITERIA CERTIFICATION REPORT

Certification Report

FED 5. Certification Report

COMMON CRITERIA CERTIFICATION REPORT

Tivoli Provisioning Manager Security Target. Version:

Certification Report

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT

webmethods Fabric 6.5 EAL2 Common Criteria Evaluation Security Target V December 2005

Security Target. EMC XtremIO v Evaluation Assurance Level (EAL): EAL2+ Doc No: D102 Version: March 2016.

Dell EMC Unity OE v4.2

DoD ANNEX FOR MOBILE DEVICE FUNDAMENTALS (MDF) PROTECTION PROFILE (PP) V3.1. Version 1, Release July Developed by DISA for the DoD

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for

Protection profiles for TSP Cryptographic modules - Part 5

Security Target. Juniper Networks vgw Series Version 5.5. Document Version 0.5. March 22, 2013

Forcepoint NGFW 6.3.1

Certification Report

Data Security Kit DA-SC04 Security Target

Check Point Endpoint Security Media Encryption

collaborative Protection Profile for Network Devices

IOGEAR Secure KVM Switch Series. Security Target

AnyConnect Secure Mobility Client for Windows 10

AirTight Networks SpectraGuard Enterprise [v 5.0] and SpectraGuard SAFE Enterprise Edition [v 2.0] Security Target Version [1.

Supporting Document Mandatory Technical Document. Foreword

Market Participant Client Platform

Brocade FastIron SX, ICX, and FCX Series Switch/Router

LANDesk Management Suite 8, V Security Target

COMMON CRITERIA CERTIFICATION REPORT

Australasian Information Security Evaluation Program

RSA Identity Governance and Lifecycle

CREDANT Mobile Guardian (CMG) Enterprise Edition Version SP4 Security Target

Employee Express Security Module (EmplX Security Module) Security Target

- Table of Contents -

collaborative Protection Profile for Full Drive Encryption Authorization Acquisition Version 2.0 September 09, 2016

StillSecure VAM V5.5. Security Target V1.6

Certification Report

Certification Report

Certification Report

Certification Report

CA Siteminder Web Access Manager R12 SP1-CR3 Security Target

BSI-CC-PP-0088-V for

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Transcription:

Protection Profile for Virtualization Extended Package Client Virtualization Version: 1.0 2016-11-17 National Information Assurance Partnership 1

Revision History Version Date Comment v1.0 2016-11-17 Initial publication 2

Table of Contents 1 Introduction... 4 1.1 verview...4 1.2 Terms...4 1.3 Compliant Targets of Evaluation...4 1.3.1 TE Boundary... 4 1.4 Use Cases...5 2 Conformance Claims... 6 3 Security Problem Description... 7 3.1 Threats...7 3.2 Assumptions...7 3.3 rganizational Security Policies...7 4 Security bjectives... 8 4.1 Security bjectives for the TE...8 4.2 Security bjectives for the perational Environment...8 4.3 Security bjectives Rationale...8 5 Security Requirements... 9 5.1 Base PP Security Functional Requirements Direction...9 5.2 TE Security Functional Requirements...9 5.2.1 Security Management (FMT)... 9 5.3 TE Security Assurance Requirements... 12 A. ptional Requirements... 13 B. Selection-Based Requirements... 13 C. bjective Requirements... 14 D. Entropy Documentation and Assessment... 15 E. References... 16 F. Acronyms... 17 3

1 Introduction 1.1 verview The scope of this Extended Package (EP) is to describe the security functionality of a Client Virtualization product in terms of [CC] and to define functional and assurance requirements for such products. This EP is not complete in itself, but rather extends the Protection Profile for Virtualization (Base Virtualization PP). This is because Client Virtualization is a specific type of Virtualization System and is expected to implement security functionality that is not common to all Virtualization Systems in general. Therefore, additional SFRs have been defined in this EP to define security functionality that is unique to this particular type of Virtualization System. 1.2 Terms All relevant terminology for this EP are defined in the Base Virtualization PP. 1.3 Compliant Targets of Evaluation Client Virtualization, for the purposes of this EP, refers to a Virtualization System that implements virtualized hardware components locally on an endpoint machine. Endpoints are typically client hardware such as desktop or laptop computers that a user interacts with directly, but may also include headless embedded systems without direct human interaction. A Virtualization System creates a virtualized hardware environment for each instance of a guest operating system (a virtual machine) permitting these environments to execute concurrently while maintaining isolation and the appearance of exclusive control over assigned computing resources. Client virtualization is generally used on endpoint systems, making use of the local machine's resources (memory, CPU, etc.) to provide isolated user environments. This document does not address virtualization on mobile devices (typically devices that use a baseband processor and/or connect to a cellular network), nor does it address application virtualization or containers. 1.3.1 TE Boundary The TE boundary is the same as that which is defined for a Virtualization System in general. Refer to the Base Virtualization PP for an outline of the TE boundary. 4

1.4 Use Cases Requirements in this EP are designed to address the security problem in the following use cases. The description of these use cases provides instructions for how the TE and its perational Environment should be made to support the functionality required by this EP. [USE CASE 1] Locally Managed Client A local administrator creates and runs one or more VMs locally. This client could be stand-alone or connected to a network. [USE CASE 2] Enterprise Managed Client An enterprise administrator for the VS centrally manages one or more client hypervisors, creating and configuring VMs which are then pushed to the clients. These VMs are then available for users on that client to run using the computing resources of that client. (Note that this is not Virtual Desktop Infrastructure where the hypervisors and the VMs run on remote servers. While both can be centrally managed and accessed from clients, for client virtualization, the VMs are local to the endpoint machine.) [USE CASE 3] Headless Client A VM is used by a program without direct human interaction. The use case(s) that are applicable to the TE may influence the selections and assignments made for certain requirements in both this EP and in the base PP. For example, a locally managed client (use case 1) may not necessarily provide remote administration which would exempt it from claiming the selection-based requirement FTP_TRP.1 in the base PP. 5

2 Conformance Claims Conformance Statement A product must be evaluated against the Client Virtualization EP in conjunction with the base Virtualization PP; a product may not be evaluated solely against the Client Virtualization EP. To be conformant to this EP, an ST must demonstrate Exact Conformance, a subset of Strict Conformance as defined in [CC] Part 1 (ASE_CCL). The ST must include all components in this EP that are: Unconditional (which are always required) Selection-based (which are required when certain selections are chosen in the unconditional requirements) and may include components that are ptional bjective. Unconditional requirements are found in the main body of the document (Section 5), while appendices contain the selection-based, optional, and objective requirements. The ST may iterate any of these components but it must not introduce any additional component (e.g., from CC Part 2 or 3) that is not defined in the Base Virtualization PP (which this EP extends), or in this EP itself. CC Conformance Claims This EP is conformant to Parts 2 (extended) and 3 (conformant) of Common Criteria Version 3.1, Revision 4 [CC]. PP Claim This EP does not claim conformance to any Protection Profile. Note that this EP extends the Base Virtualization PP, which means that it relies on this PP to provide some set of base functionality which is then expanded upon by this EP. This however does not imply that the EP itself is conformant to this PP. Package Claim This EP does not claim conformance to any packages. 6

3 Security Problem Description The security problem is described in terms of the threats that the TE is expected to address, assumptions about its operational environment, and any organizational security policies that the TE is expected to enforce. Note that as an EP of the Base Virtualization PP, all threats, assumptions, and SPs defined in the base PP will also apply to a TE unless otherwise specified, depending on which of the base PPs it extends. The Security Functional Requirements defined in this EP will mitigate the threats that are defined in the EP but may also mitigate some threats defined in the base PPs in more comprehensive detail due to the specific capabilities provided by a Client Virtualization System. 3.1 Threats This PP defines no additional threats beyond those defined in the Base Virtualization PP. Note however that the SFRs defined in this EP will assist in the mitigation of the T.UNAUTHRIZED_UPDATE and T.UNAUTHRIZED_ACCESS threats defined in that PP. 3.2 Assumptions This PP defines no additional assumptions beyond those defined in the Base Virtualization PP. 3.3 rganizational Security Policies This PP defines no additional SPs beyond those defined in the Base Virtualization PP. 7

4 Security bjectives 4.1 Security bjectives for the TE This PP defines no additional TE security objectives beyond those defined in the Base Virtualization PP. Note however that the SFRs defined in this EP will assist in the enforcement of the.vmm_integrity and.management_access objectives defined in that PP. 4.2 Security bjectives for the perational Environment Because this EP does not define any additional assumptions or organizational security policies, there are no additional security objectives for the perational Environment to satisfy. 4.3 Security bjectives Rationale This section is not applicable to this EP because no additional security objectives are defined. 8

5 Security Requirements 5.1 Base PP Security Functional Requirements Direction The Base Virtualization PP defines requirements for generic virtualization systems, not all of which provide Client Virtualization functionality. Therefore, the SFRs defined in the base PP provide the ST author with a number of selections and assignments as well as optional and selection-based requirements in order to capture the entire set of virtualization systems that can be evaluated. This section provides the ST author with specific instructions that must be taken for including the relevant SFRs from the base PP when the TE claims conformance to this EP in particular. At this time, there are no specific actions that must be taken with the base PP SFRs beyond ensuring that all mandatory SFRs are present, all selections and assignments are completed appropriately, and all selection-based SFRs are claimed based on the selections that are chosen. 5.2 TE Security Functional Requirements The Security Functional Requirements (SFRs) included in this section are those that the TSF is expected to satisfy. The Security Functional Requirements (SFRs) included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, with additional extended functional components. The CC defines operations on Security Functional Requirements: assignments, selections, assignments within selections and refinements. This document uses the following font conventions to identify the operations defined by the CC: Assignment: Indicated with italicized text; Refinement made by EP author: Indicated with bold text; Selection: Indicated with underlined text; Assignment within a Selection: Indicated with italicized and underlined text; Iteration: Indicated by appending the SFR name with a slash and unique identifier suggesting the purpose of the iteration, e.g., /CDR for an SFR relating to call detail records; Extended SFRs: identified by having a label ET after the SFR name. 5.2.1 Security Management (FMT) FMT_MF_ET.1 Management of Security Functions Behavior FMT_MF_ET.1.1 The TSF shall be capable of supporting [selection: local, remote] administration. Application Note: FMT_MF_ET.1.2 Selection of remote requires the selection-based requirement FTP_TRP.1 defined in the base PP to be included in the ST. The TSF shall be capable of performing the following management functions, controlled by an Administrator or User as shown in Table 1, based on the following key: = Mandatory (TE must provide that function to that role) 9

= ptional (TE may or may not provide that function to that role) N = Not Permitted (TE must not provide that function to that role) S = Selection-Based (TE must provide that function to that role if the TE claims a particular selection-based SFR) Number Function Administrator User 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Ability to update the Virtualization System Ability to configure Administrator password policy as defined in FIA_PMG_ET.1 Ability to create, configure and delete VMs Ability to set default initial VM configurations Ability to configure virtual networks including VM Ability to configure and manage the audit system and audit data Ability to configure VM access to physical devices Ability to configure inter-vm data sharing Ability to enable/disable VM access to Hypercall functions Ability to configure removable media policy Ability to configure the cryptographic functionality Ability to change default authorization factors Ability to enable/disable screen lock Ability to configure screen lock inactivity timeout Ability to configure remote connection inactivity timeout Ability to configure lockout policy for unsuccessful authentication attempts through [selection: timeouts between attempts, limiting number of attempts during a time period] Ability to configure name/address of directory server to bind with Notes (all SFR references are from the Base Virtualization PP) N See FPT_TUD_ET.1 S N Must be selected if ST includes FIA_PMG_ET.1. See FDP_VNC_ET.1 N See FDP_VMS_ET.1 and FMT_MSA_ET.1 See FPT_HCL_ET.1 See FPT_RDM_ET.1 N N N See FIA_AFL_ET.1 10

18 Ability to configure name/address of audit/logging server to which N to send audit/logging records 19 Ability to configure name/address of network time server 20 Ability to configure banner N See FTA_TAB.1 21 Ability to connect/disconnect removable devices to/from a VM 22 Ability to start a VM 23 Ability to stop/halt a VM 24 Ability to checkpoint a VM 25 Ability to suspend a VM 26 Ability to resume a VM Table 1 Client Virtualization Management Functions Application Note: It is unlikely that this table will be identified as Table 1 in the ST. The ST author is permitted to apply a refinement operation to the table name in order to give it an appropriate identification. The ST author is expected to update this table with an indication as to whether any of the optional or selection-based functions are included as part of the TE. The ST author may also omit the Notes column as it is provided in this EP as an aid to the ST author in constructing this table. This SFR addresses the roles of the CC Part 2 SFRs FMT_MF.1, FMT_SMF.1, and FMT_SMR.2. Administration is considered local if the Administrator is physically present at the machine on which the VS is installed. Administration is considered remote if communications between the Administrator and the Management Subsystem travel on a network. There is no requirement to authenticate Users of the Virtualization System. Users that have access to VMs but not to the Management Subsystem need not authenticate to the Virtualization System in order to use Guest VMs. Requirements for authentication of VM users is determined by the policies of the domains running within the Guest VMs. For a VS where the S is part of the platform and not part of the TE, it is acceptable for the VS to invoke the Host S screen lock. Assurance Activity The evaluator shall examine the TSS and perational Guidance to ensure that it describes which security management functions require Administrator privilege and the actions associated with each management function. The evaluator shall verify that for each management function and role specified in Table 1, the defined role is able to perform all mandatory functions as well as all optional or selection-based functions claimed in the ST. 11

The evaluator shall examine the perational Guidance to ensure that it describes how the Administrator and/or User are able to perform each management function that the ST claims the TE supports. The evaluator shall verify for each claimed management function that the perational Guidance is sufficiently detailed to allow the function to be performed and that the function can be performed by the role(s) that are authorized to do so. The evaluator shall also verify for each claimed management function that if the TE claims not to provide a particular role with access to the function, then it is not possible to access the TE as that role and perform that function. 5.3 TE Security Assurance Requirements The Base Virtualization PP lists the Security Assurance Requirements (SARs) from Part 3 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4. As an EP of the Base Virtualization PP, this EP does not prescribe any SARs beyond those defined in the base PP. The evaluator shall ensure that the SARs defined in the claimed base PP are assessed against the entire TSF as appropriate. 12

A. ptional Requirements As indicated in Section 2, the baseline requirements (those that must be performed by the TE) are contained in the body of this EP. Additionally, there are three other types of requirements specified in Appendix A, Appendix B, and Appendix C. The first type (in this Appendix) are requirements that can be included in the ST, but are not required in order for a TE to claim conformance to this EP. The second type (in Appendix B) are requirements based on selections in the body of the EP: if certain selections are made, then additional requirements in that appendix must be included. The third type (in Appendix C) are components that are not required in order to conform to this EP, but will be included in the baseline requirements in future versions of this EP, so adoption by vendors is encouraged. Note that the ST author is responsible for ensuring that requirements that may be associated with those in Appendix A, Appendix B, and Appendix C but are not listed (e.g., FMT-type requirements) are also included in the ST. Currently, no optional requirements specific to this product type have been identified. B. Selection-Based Requirements As indicated in the introduction to this EP, the baseline requirements (those that must be performed by the TE or its underlying platform) are contained in the body of the EP. There are additional requirements based on selections in the body of the EP: if certain selections are made, then additional requirements below will need to be included. Currently, no selection-based requirements specific to this product type have been identified. 13

C. bjective Requirements This Annex includes requirements that specify security functionality which also addresses threats. The requirements are not currently mandated in the body of this EP as they describe security functionality not yet widely available in commercial technology. However, these requirements may be included in the ST such that the TE is still conformant to this EP, and it is expected that they be included as soon as possible. Currently, no objective requirements specific to this product type have been identified. 14

D. Entropy Documentation and Assessment The TE does not require any additional supplementary information to describe its entropy source(s) beyond the requirements outlined in the Entropy Documentation and Assessment section of the Base Virtualization PP. As with other base PP requirements, the only additional requirement is that the entropy documentation also applies to the specific Client Virtualization capabilities of the TE in addition to the functionality required by the base PP. 15

E. References Identifier Title [CC] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and General Model, CCMB-2012-09-001, Version 3.1 Revision 4, September 2012 Part 2: Security Functional Components, CCMB-2012-09-002, Version 3.1 Revision 4, September 2012 Part 3: Security Assurance Components, CCMB-2012-09-003, Version 3.1 Revision 4, September 2012 [Base Virtualization PP] Protection Profile for Virtualization, Version: 1.0, 2016-11-17 16

F. Acronyms All relevant acronyms for this EP are defined in the Base Virtualization PP. 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback