User manual | null User manual

Sertifiseringsmyndigheten for IT-sikkerhet Norwegian Certification Authority for IT Security
SERTIT-017 CR Certification Report
Issue 1.0 18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch (VXR 000160 Rev B)
CERTIFICATION REPORT - SERTIT STANDARD REPORT TEMPLATE SD 009 VERSION 2.0 13.09.2007
SERTIT, P.O. Box 14, N-1306 Bærum postterminal, NORWAY
Phone: +47 67 86 40 00 Fax: +47 67 86 40 09 E-mail: [email protected] Internet: www.sertit.no
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
EAL 4
ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES IN
THE FIELD OF INFORM ATION TECHNOLOGY SECURITY
SERTIT, the Norwegian Certification Authority for IT Sec urity, is a member of the
above Arrangement and as such this confirms that the Common Criteria certificate
has been issued by or under the authority of a Party to this Arrangement and is the
Party’s cla im that the certificate has been issued in accordance with the terms of
this Arrangement
The judgements contained in the cert ificate and Cert ification Report are those of
SERTIT which issued it and the Norwegian evaluation facility (EVIT) which carried
out the evaluation. There is no implication of acceptance by other Members of the
Agreement Group of liability in respect of those judgements or for loss sustained as
a result of reliance pla ced upon those judgements by a third party. [*]
[* Mutual Recognition under the CC recognit ion arrangement applies to EAL 4.]
Page 2 of 22
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)
EAL 4
Contents
1
Certification Statement
5
2
Abbreviations
6
3
References
7
4
4.1
4.2
4.3
4.3.1
4.3.2
4.3.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.12
4.13
4.14
4.15
4.16
4.17
Executive Summary
Introduction
Evaluated Product
TOE scope
System Type and Overview
TOE Physical Boundaries
TOE Logica l Boundaries
Protection Profile Conformance
Assurance Level
Security Policy
Security Claims
Threats Countered
Threats Countered by the TOE’s environment
Threats and Attacks not Countered
Environmental Assumptions and Dependencies
IT Security Objectives
Non-IT Security Objectives
Functional Security Requirements
Security Function Policy
Evaluation Conduct
General Points
8
8
8
8
8
10
10
10
11
11
11
11
11
11
11
12
12
12
13
13
14
5
5.1
5.2
5.3
5.4
5.5
5.6
5.7
Evaluation Findings
Introduction
Delivery
Installation and Guidance Documenta tion
Misuse
Vulnerability Analysis
Developer’s Tests
Evaluators’ Tests
15
16
17
17
17
18
18
18
6
6.1
6.2
6.2.1
Evaluation Outcome
Certifica tion Result
Recommendations
Restrictive Switching
18
18
18
19
Annex A: Evaluated Configuration
TOE Identification
TOE Documenta tion
TOE Configuration
SERTIT-017 CR Issue 1.0
18th April 2011
20
20
21
22
Page 3 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
Page 4 of 22
EAL 4
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
1
EAL 4
Certification Statement
Forsvarets Logistikkorganisasjon / lnvesteringsavdelingen/ NBF Thinklogical VX 160
Router KVM Matrix Switch is a fiber optic switch that uses multi-mode or singlemode fiber optics to transmit and receive a digital video pulse stream without
alteration 0r interpretation of the original signal.
Thinklogical VX 160 Router KVM Matrix Switch (VXR-000160 Rev B) has been
evaluated under the terms of the Norwegian Certification Scheme for lT Security and
has met the Common Criteria Part 3 conformant requirements of Evaluation
Assurance Level EAL 4 for the specified Common Criteria Part 2 conformant
functionality in the specified environment when running on the platforms specified
in Annex A.
;Kjartan Jager
Author
*'^""'/(/r=*-
:Certifier
Ouality Assurance
Lars Borgos
,.1,/
Ouality Assurance
rKjell W.
:Approved
Head
i
i-------
.
:
r
Date approved
SERTIT-017 CR lssue 1.0
l Bth Ap
ril
2011
of
Be
rgan
;{/rzn.
,,'
,Lfut UJ
SERTIT
l Bth April 2011
Page 5
of
22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
2
EAL 4
Abbreviations
CC
Common Criteria for Information Technology Security Evaluat ion
CCRA
Arrangement on the Recognition of Common Criteria Cert ificates in the
Field of Information Technology Securit y
CEM
Common Methodology for Information Technology Securit y Evaluation
EAL
Evaluation Assurance Level
ETR
Evaluation Technica l Report
EVIT
Evaluation Facility under the Norwegian Certification Scheme for IT
Secur ity
SERTIT
Norwegian Certification Authority for IT Security
ST
Security Target
TOE
Target of Evaluation
TSF
TOE Security Functions
TSP
TOE Security Policy
Page 6 of 22
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)
3
EAL 4
References
[1]
Thinklogical VX 160 Router KVM Matrix Switch Security Target, version
3.6, January 2011.
[2]
Common Criteria Part 1, CCMB -2009-07-001, Version 3.1 R3, July 2009.
[3]
Common Criteria Part 2, CCMB -2009-07-002, Version 3.1 R3, July 2009.
[4]
Common Criteria Part 3, CCMB -2009-07-003, Version 3.1 R3, July 2009.
[5]
The Norwegian Cert ification Scheme, SD001E , Version 8.0, 20 August 2010 .
[6]
Common Methodology for Information Technology Securit y Evaluation,
Evaluation Methodology, CCMB -2009 -07-004, Version 3.1 R3, July 2009.
[7]
Evaluation Technica l Report Common Criteria EAL4 Evaluation of
Thinklogical Router KVM Ma trix Switches, v 1.1, 2011 -02-17.
[8]
Configuration Management_1_3.doc
[9]
VX40_160_320_Manua l_Rev_I.pdf
[10]
VX160 Assembly Procedure_Rev A.pdf
[11]
VX160 Configuration List_1_2.doc
[12]
VxRouter -ASCII -API_4_1.pdf
[13]
VX Routers Swit ch Tables
[14]
VX160_VEL -4_VEL-24_Quick_Start_Rev_A.pdf .
SERTIT-017 CR Issue 1.0
18th April 2011
Page 7 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
4
EAL 4
Executive Summary
4.1 Introduction
This Cert ification Report states the outcome of the Common Criteria securit y
evaluation of Thinklogical VX 160 Router KVM Matrix Switch (VXR-000160 Rev B) to
the Sponsor, Forsvarets Logist ikkorganisasjon / lnvesteringsavdelingen/ NBF , and is
intended to assist prospective consumers when judging the suitabilit y of the IT
securit y of the product for their particular requirements.
Prospective consumers are advised to rea d this report in conjunct ion with the
Security Target [1] which specifies the functional, environmental and assurance
evaluation requirement s.
4.2 Evaluated Product
The version of the product evaluated was Thinklogica l VX 160 Router KVM Matrix
Switch (VXR-000160 Rev B) .
This product is a lso described in this report a s the Target of Evaluation ( TOE). The
developer was Thinklogical.
Thinklogical VX 160 Router KVM Matrix Switch provides remote connections from a
set of shared computers to a set of shared peripherals. The switching capability of
the TOE is used to connect ports on a particular computer t o a particular peripheral
set. The corresponding electronic signal from a compute r port is transformed into an
optical signal by the V elocity extender, transmitted through an opt ical fiber,
switched by the KVM Matrix Switch to another optical fiber, and then transformed
back to an electronic form by the Velocity extender. The resulting signal is used by
the shared peripherals.
Details of the evaluated configuration, including the TOE’s supporting guidance
documentation, are given in Annex A.
4.3 TOE scope
4.3.1 System Type and Overview
The TOE is a Bi -directional routing system, which provides connect ion of 160 optica l
inputs located on the Upstream ports to any or all of the 160 optical outputs located
on the Downstream ports and connection of 160 opt ical input s located on the
Downstrea m ports t o a ny or a ll of the 160 optical outputs located on the Upstream
ports. The TOE consist s of 8 Data Upstream Cards having 20 opt ical input and Output
ports and 8 Data Downstream Cards having 20 optical input and Output port s. The
TOE allows for re mote operation of shared computers using sets of shared
peripherals, dyna mica lly connecting (switching) physica l ports on a particular
computer to a part icular shared peripheral set.
The TOE consists of the following hardware devices:
Page 8 of 22
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)



EAL 4
Thinklogical KVM Matr ix Switch (VX160 Router)
8 Data Upstream Cards
8 Data Downstream Ca rds
Velocity Transmitter Extenders are connected to Transmitter Port Groups on the Data
Upstream Cards of the Switch using optical fibers connections. Transmitter Port
Groups are marked gre en on the VX160 Swit ch.
Velocity Receiver Extenders are connected to receiver port groups on the Data
Downstream Cards of t he Switch using optica l fiber connect ions. Receiver Port
Groups are marked blue on the VX 160 Switch.
Each Transmitter and Receiver Port Group is composed of two ports: T port and R
port. Two optical ca bles are then required to connect a Velocity Tra nsmitter or
Receiver Extender to a Transmitter or Receiver Port Group on the Switch. One cable is
used to transmit data from the Extender to the Switch; the other ca ble is used to
transmit data from the Switch to the Extender. As a result, a bi -directional
connection is established, where data can flow in both direct ions.
All data types, including video, audio and serial data are converted t o an opt ical
form and transmitted in a single optica l cable.
The purpose of the Switch is t o establish logical connections between Transmitter
and Receiver Port Groups, while preserving Data Separation Security Function Policy
(SFP).
Data Separation Security Funct ion Policy stat es that data shall flow between
Transmitter Port group A and Receiver Port group B if and only if a deliberate logica l
connection has been established to connect A to B. There shall be no data flow
between any pair of Transmitter Port Groups or Receiver Port Groups. There shall be
no data flow between Transmitter Port Groups or Receiver Port Groups and any other
physical port on the Switch.
The TOE can be administe red over a wired 10/100BASE -TX LAN connection or the
Serial ( RS232) connect ion using an external management computer. This computer
was not part of the evaluation, but assumed to be physically secure.
SERTIT-017 CR Issue 1.0
18th April 2011
Page 9 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
EAL 4
F i g u r e 1 s h o w s t h e V X 3 2 0 R o u t e r i n a n e v a lu a t e d c o n f ig u r a t io n . A n e q u i v a le n t la y o u t is
t h e e v a l u a t e d c o n f i g u r a t i o n f o r t h e V X 4 0 a n d V X 1 6 0 R o u te r s .
4.3.2 TOE Physical Boundaries
VX 160 Router KVM Ma trix Switch is a hardwa re device. TOE Physical Boundaries then
correspo nd to the physical boundaries of the device enclosure.
4.3.3 TOE Logical Boundaries
TOE logical boundaries include all software a nd firmware components inside the
VX160 Router KVM Ma trix Switch.
The following Security Functions are provided by the TOE

User Data Protection ( enforces Data Separation SFP),
This Security Target includes all product security features. There are no security
features outside the scope of the evaluation.
4.4 Protection Profile Conformance
The Security Target [1] did not claim conforma nce to any protection profile.
Page 10 of 22
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)
EAL 4
4.5 Assurance Level
The Security Target [1] specified the assurance requirements for the evaluation.
Predefined evaluation assurance level E AL 4 was used. Common Crit eria Part 3 [4]
describes the scale of assurance given by predefined assurance levels EAL1 t o EAL7.
An overview of CC is given in CC Part 1 [2].
4.6 Security Policy
The TOE security policies are detailed in the ST[1].
4.7 Security Claims
The Security Target [1] fully specifies the TOE’s security objectives, t he threats,
Organisational Security Policies which these objectives meet and security funct iona l
requirements and security functions to elaborate the objectives. All of the SFR’s are
taken from CC Part 2 [3]; use of this standard facilitates comparis on with other
evaluated products.
4.8 Threats Countered


Residual data may be t ransferred between different port groups in violation of
data separation securit y policy
State information may be transferred to a port group other than the intended
one
4.9 Threats Countered by the TOE’s environment


The TOE may be delivered and installed in a manner which violates t he security
policy.
An attack on the TOE may violate the securit y policy.
4.10 Threats and Attacks not Countered
No threats or attacks t hat are not countered are d escribed.
4.11 Environmental Assumptions and Dependencies




The switch, the transmitters, the receivers, the optical connect ions from the
Switch t o the transmit ters and receivers and the wired network connections
from the Swit ch to the administrators are physical ly secure.
The TOE meets the appropriate national requirements (in the country where
used) for conducted/radiated electromagnetic emissions.
The TOE is installed and managed in accordance with the manufacturer’s
direct ions.
The TOE users and a dministrators are non-hostile and follow a ll usage
guidance.
SERTIT-017 CR Issue 1.0
18th April 2011
Page 11 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)

EAL 4
Vulnerabilit ies associated with attached devices are a concern of the
application scenario and not of the TOE.
4.12 IT Security Objectives



The TOE shall not viola te the confident iality of information which it processes.
Information generated within any peripheral set/computer connection shall
not be accessible by any other peripheral set/computer connect ion.
No information sha ll be shared be tween switched computers and periphera l
sets via the TOE in violation of Data Separation SFP.
4.13 Non-IT Security Objectives





The TOE shall meet the appropriate national requirements (in the country
where used) for conducted/radiated electroma gnetic emissions.
The TOE shall be installed and managed in accordance with the manufacturer’s
direct ions.
The authorized user shall be non -hostile and follow all usage guida nce.
The Switch, the transmitters, the receivers, the optical connect ions from the
Switch t o the tr ansmit ters and receivers and the wired network connections
from the TOE to the administrators shall be physically secure.
Vulnerabilit ies associated with attached devices or their connect ions to the
TOE, shall be a concern of the application scenario and n ot of the TOE.
4.14 Functional Security Requirements






Enforce the Data Separation Policy when exporting user data, controlled under
the SFP, from outside of the TOE.
Export the user data without the user data's associated security att ributes.
Enforce the Data Se paration Policy on the set of Transmitter and Receiver Port
Groups, and the bi -directional flow of data and state information bet ween the
shared peripherals and the switched computers.
Enforce the Data Separation Policy based on t he following t ypes of subj ect
and information security attributes:
- Transmitter and Receiver Port Groups ( subject s)
- peripheral data and state information ( objects)
- port group IDs
- logical connections of Transmitter and Receiver Groups (attributes)
Permit an information flow betw een a controlled subject and controlled
information via a controlled operation if the following rules hold:
- peripheral data and state information can only flow between
Transmitter and Receiver port groups that have been previously
logically connected by t he administrator usi ng the TOE management
interface
Enforce that Transmitter Port Group may be logically connected to multiple
Receiver Port Groups, out of which bi -directional information flow will be
established only with a single Primary Receiver Port Group selected by the
Page 12 of 22
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)

EAL 4
administrator. The remaining Non -Primary Receiver port groups will only
receive unidirectional multicast audio and video signals. Any Receiver Port
Group may only be logically connected t o a single Transmitter Port Group .
Explicitly deny an information flow based on t he following rules:
- No data or state information flow shall be allowed between logica lly
unconnected port groups.
- No data or state information flow shall be allowed between any two
Receiver Port Groups.
- No data or state information flow shall be allowed between any two
Transmitter Por t Groups.
- No data or state information flow shall be allowed between any
Receiver or Transmitter Port Group and any ot her non -optica l physical
port on the Switch
4.15 Security Function Policy
The TOE logically connects Transmitter and Receiver Port Groups according to the
current switching configuration. The data flows between a part icular Transmitter Port
Group and a set of Receiver Port Groups if and only if there is an active logical
connection connecting these. If there are multiple Receiver Port Groups connected to
a Transmitter Port Group, bi -directional information flow will be then established
between the Primary Receiver Port Group and the Transmitter Port G roup. The
remaining Non-Primary Receiver Port Groups will receive uni -directional multi -cast
video and audio signals from the Transmitter Port Group.
4.16 Evaluation Conduct
The eva luation was carried out in accordance with the requirements of the
Norwegian Certification Scheme for IT Security as described in SERTIT Document
SD001[5]. The Scheme is managed by the Norwegian Certification Authorit y for IT
Security (SERTIT). As st ated on page 2 of this Certification Report, SERTIT is a
member of the Arrangement on the Recognition of Common Criteria Certificates in
the Field of Information Technology Securit y (CCRA), and the evalua tion was
conducted in accordance with the terms of this Arrangement.
The purpose of the eva luation wa s to provide assurance about the effecti veness of
the TOE in meet ing its Security Target [1], which prospective consumers are advised t o
read. To ensure that the Security Target [1] gave an appropriate baseline for a CC
evaluation, it was first itself evaluated. The TOE was then evaluated against this
baseline. Both parts of the evaluation were performed in accordance with CC Part
3[4] and the Common Evaluation Methodology (CEM) [6].
SERTIT monitored the evaluation which was carried out by the Norconsult EVIT
Commercial Evaluation Facility ( CLEF/EVIT). The evaluation was completed when the
EVIT submitted the final Evaluation Technical Report (ETR) [7] t o SE RTIT in
17.02.2011 . SERTIT then produced this Cert ification Report.
SERTIT-017 CR Issue 1.0
18th April 2011
Page 13 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
EAL 4
4.17 General Points
The eva luation a ddressed the security funct ionality claimed in the Security Target [1]
with reference to the a ssumed operating environment specified by the Security
Target[1]. The eva luated configuration was that specified in Annex A. Prospect ive
consumers are advised to check that this matches their identified requirements and
give due consideration to the recommendations and caveats of this report.
Certification does not guarantee that the IT product is free from security
vulnera bilities. This Certification Report and the belonging Certifica te only reflect
the view of SE RTIT at t he time of cert ification. It is furthermore the responsibility of
users (both exist ing and prospective) to check w hether any security vulnera bilities
have been discovered since the date shown in this report. This Certification Report is
not an endorsement of the IT product by SERTIT or any other organization that
recognizes or gives effect to this Cert ification Report , and no warra nty of the IT
product by SE RTIT or any other organizat ion t hat recognizes or gives effect to this
Certification Report is either expressed or implied.
Page 14 of 22
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)
5
EAL 4
Evaluation Findings
The eva luators examined the following assurance classes and componen ts taken from
CC Part 3 [4]. These classes comprise the EAL 4 assurance package.
Assurance class
Development
Guidance documents
Life -cycle support
Security Target
evaluation
Tests
Vulnerabilit y assessment
Assurance components
ADV_ARC.1
Security architecture description
ADV_FSP.4
Complete functional specification
ADV_IMP.1
Implementation representation of t he
TSF
ADV_TDS.3
Basic modular design
AGD_OPE.1
Operational user guida nce
AGD_PRE.1
Preparative procedures
ALC_CMC.4
Production support, acceptance
procedures and automation
ALC_CMS.4
Problem tracking CM coverage
ALC_DEL.1
Delivery procedures
ALC_DVS.1
Identification of security measures
ALC_LCD.1
Developer defined life -cycle model
ALC_TAT.1
Well-defined development tools
ASE_CCL.1
Conformance cla ims
ASE_ECD.1
Extended components definition
ASE_INT.1
ST introduct ion
ASE_OBJ.2
Security objectives
ASE_REQ.2
Derived security requirements
ASE_SPD.1
Security problem definition
ASE_TSS.1
TOE summary specifica tion
ATE_COV.2
Analysis of coverage
ATE_DPT.1
Testing: basic design
ATE_FUN.1
Functional test ing
ATE_IND.2
Independent testing – sample
AVA_VAN.3
Focused vulnera bility a nalysis
All assurance classes were found to be satisfa ctory and were awarded an overall
“pass” verdict.
SERTIT-017 CR Issue 1.0
18th April 2011
Page 15 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
EAL 4
5.1 Introduction
The eva luation a ddressed the requirements specified in the Securit y Target [1]. The
results of this work were reported in the ETR [7] under the CC Part 3 [4] headings. The
following sections not e considerations that a re of part icular relevance to either
consumers or those involved with subsequent assurance ma intenance and re evaluation of the TOE .
The EAL 4 eva luation of the Thinklogica l VX 160 Router KVM Matrix Switch has
shown that the TOE is methodically designed, tested and reviewed. The evaluation has
further shown that the TOE is developed in a secure environment, uses well -defined
development tools, has a properly defined life -cycle model and has procedures for
standard commercia l delivery services. The TOE is under proper configuration
management, and follows strict procedures on how for instance changes to the TOE
are reviewed and accepted. The guidance documentation helps install, administer and
use the TOE in a secure manner. The TOE has been tested and reviewed for exploitable
vulnera bilities using a n Enhanced -Basic atta ck potential, by both t he developer and
evaluators.
If the TOE is not physically protected and managed as required for the highest level
of security classified data handled or transferred by the TOE, the KVM switch can be
tampered with leading to the compromise of sensitive data or a denial of service
caused by the disruption of the systems the KVM switch is connect ed. In an evaluated
configurat ion, the KVM switch is physically protected in accordance with the
requirements of the highest classification connected to the KVM switch.
Without a backup of the KVM switch's configuration, a denial of service may occur if
the configuration cannot be rest ored quickly in the advent that it is lost or a faulty
switch needs t o be replaced. Tests performed by the eva luator verify that
configurations are not lost in case of fail -over between primary and secondary
controller card, upstream/downstream cards or SF P+ modules.
If a network attached KVM switch is attached to a dedicated network there is less
opportunity for a malicious user to compromise the interface and create a denial of
service by issuing disruptive commands t o a server. The guidance documentation
states that the Network Hub is a dedicated network that is only used to connect the
VX Router to the computer server. This dedica ted network does not connect to any
other components and does not extend beyond the physically secure environment. The
dedicated network connection could be repla ced by a direct serial connection (RS 232) between the VX Router and the computer server. It also states that the VX
Router and the computer server used t o mana ge the Router must be protected
according to the highest sec urity classification of any component in the entire
network application.
Without a written description of the KVM switch, the management devices (CSCS)
attached to the KVM switch, and the classification level of each information system
attached to the KVM switch, tampering with the KVM switch by a dding or moving
Page 16 of 22
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)
EAL 4
connections cannot be verified and the physical configuration cannot be reproduced
if needed. This can lea d to a denial of service if a connection is removed or moved or
a compromise of sensit ive da ta if a connection is added or moved. W hen the TOE is
implemented in its operational environment, a written description of the KVM swit ch,
the information systems attached to the KVM switch, and the classification level of
each information system attached to the KVM switch should be creat ed.
As the guidance documentation describes, it is recommended that the messages file
are reviewed and any errors in the Restrictive Switching Table be corrected before
implementing multiple levels of security classificat i on doma ins on t he same VX
Router. It is also recommended that Restrict ive Switching be fully tested before
implementing multiple levels of security classificat ion doma ins on t he same VX
Router.
5.2 Delivery
On receipt of the TOE, the consumer is recommended t o check that t he evaluated
version has been supplied, and to check that the security of the TOE has not been
compromised in delivery.
The Thinklogical Configuration Mana gement process [8] assures that all products
shipped from the warehouse are fully documented and that they follow the CM
procedures. Products a re shipped via Federal Express, UPS or DHL t o the consumer. A
signature is required a t the receiving end for all shipments.
Dimensions and weight are noted for each shipment. The CM process assures that all
tracking information a nd shipment information within Intuitive software are logged
as well as hard copies in the Sales Order folder.
In the product manual [9], Part 1, Installation, there are provided acceptance
procedures describing what the consumers should check for in the delivered product.
These procedures should ensure that the consumers inspects the delivered product
and finds it in good condition so that the installation process can begin.
5.3 Installation and Guidance Documentation
In the product manual [9] “Part 1: Hardware” there is included a text describing that
user has to check that all parts of the TOE as indicated in the ST have been delivered
in the correct version. If you have ordered an EAL4 certified unit, please verify that
you have received the proper materia ls. The label described is in accordance with t he
ST [1].
5.4 Misuse
There is always a risk of intentional and unint entional misconfigurations that could
possibly compromise confidential information. Administrators should follow the
guidance [9] for the TOE in order to ensure that the TOE operates in a secure manner.
The guidance documents adequately the mode of operation of the TOE, all
assumptions a bout the intended environment and all requirements for external
SERTIT-017 CR Issue 1.0
18th April 2011
Page 17 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
EAL 4
securit y. Sufficient guidance is provided for t he consumer t o effect ively administer
and use the TOE’s security functions.
5.5 Vulnerability Analysis
The eva luators’ assessment of potentia l exploitable vulnerabilit ies in the TOE has
been addressed and shows that the vulnerability analysis is complet e, and that the
TOE in its intended environment is resistant to attackers with an Enhanced -Basic
attack potential.
5.6 Developer’s Tests
The eva luators’ assessments of the developers’ tests shows that the developer te sting
requirements is extensive and that the TSF sat isfies the TOE securit y functional
requirements. The test ing performed on the TOE by both the developer and evaluat or
showed that the EAL 4 assurance components requirements are fulfilled.
5.7 Evaluators’ Tests
The eva luator have independent ly tested the TSFs and verified that the TOE behaves
as specified in the design documentation and confidence in the developer's test
results is ga ined by performing a sample of the developer's tests.
6
Evaluation Outcome
6.1 Certification Result
After due consideration of the ETR [7], produced by the E valuators, and the conduct
of the evaluation, as witnessed by the Cert ifier, SERTIT has determined that
Thinklogical VX 160 Router KVM Matrix Switch (VXR-000160 Rev B) meet the
Common Criteria Part 3 conformant requirements of Evaluation Assurance Level EAL 4
for the specified Common Criteria Part 2 conformant functionality in the specified
environment.
6.2 Recommendations
Prospective consumers of Thinklogical VX 160 Router KVM Matr ix Switch (VXR000160 Rev B) should understand the specific scope of the cert ification by reading
this report in conjunction with the Security Target [1]. The TOE should be used in
accordance with a number of environmental considerations as specified in the
Security Target.
Only the evaluated TOE configurat ion should be installed. This is specified in Annex A
with further relevant information given above under Section 4.3 “TOE Scope” and
Section 5 “Evaluation Findings”.
The TOE should be used in accordance with the supporting guidance documentation
included in the evaluat ed configuration.
Page 18 of 22
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)
EAL 4
6.2.1 Restrictive Switching
Restrictive Switching is used t o provide for multiple levels of securit y classification
domains on t he same V X Router. Each destination needs to ensure that no
unauthorized content is displayed or accessed. Therefore, each input and output
needs to be prioritized. Priorit ies can range from 1 to the t otal number of port s that
can be connected in a switch matrix. An output can connect to an input with a
priority greater than or equal to its priorit y.
The Restricted Switching function is performed according to a table defining the
Input and Output port number and its priority value . The restricted output is
determined before enabling the output.
VX40_160_320_320V_Manual_Rev_H.pdf, Appendix D: Secure Applications shows an
explanation of how to provide a table defining priorities for each input and output of
the switch matrix. This d ocument describes how to create a csv file that will ena ble
restrict ive switching.
One very important point from this document is the exact description of the
characters that must be used in the table, these are quoted below. Failing to use the
characters exact ly as described this will cause the Restrictive Switching t o fail.
Using advanced text editors (e.g. MS W ord) to build the table can ca use problems as
many advanced text editors use auto -correct functions that will replace some ASCII
characters with others.
Double quotes (or speech marks), character code = 34
Lower case i
character code = 105
Lower case o
character code = 111
Comma
character code = 44
Carriage Return
character code = 13
Line Feed
character code = 10
(")
(i)
(o)
(,)
(CR)
(LF)
The VX Router will interpret the Restrictive Switching Table ( csv file) during the
boot -up. Any errors that occur during the Restrictive Switching Table interpretation
process will be logged in the messages file at the following location:
var/l og/messa ges
It is recommended that the messages file be reviewed and any errors in the
Restrictive Switching Table be corrected before implementing multiple levels of
securit y classification domains on t he same VX Router. It is also recommended that
Restrictive Switching be fully tested before implementing multiple levels of securit y
classification doma ins on the same VX Router.
SERTIT-017 CR Issue 1.0
18th April 2011
Page 19 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
EAL 4
Annex A: Evaluated Configuration
TOE Identification
Thinklogical VX 160 Router KVM Matrix Switch is a fiber optic switch using multimode or single -mode fiber optics to transmit and receive a digital video pulse stream
without alterat ion or interpretation of the origina l signal. The TOE provides remote
connections from a set of shared computers t o a set of shared peripherals. The
switching capabilit y of the TOE is used to connect ports on a particular computer t o
a particular periphera l set. The TOE provides a capability t o dynamically change the
switching configuration.
Note: All modules may be replaced without interruption to other module functions.
100-240V ~ 50/60 Hz
12A
100-240V ~ 50/60 Hz
12A
Load-sharing Redundant Power Modules
Fan Tray Module
PORTS
PORTS
1-20
21-40
POWER
41-60
POWER
1-20
61-80
POWER
POWER
21-40
POWER
41-60
POWER
61-80
POWER
81-100
POWER
ACTIVE
ACTIVE
FAULT
FAULT
101-120
POWER
121-140
POWER
141-160
POWER
81-100
POWER
POWER
101-120
121-140
141-160
POWER
POWER
POWER
20
T
20
R
T
20
R
T
20
R
T
20
R
T
20
R
T
20
R
T
20
R
19
19
19
19
19
19
19
19
19
18
18
18
18
18
18
18
18
18
20
T 20
R
T
20
R
T
20
R
T
20
R
T
20
R
T
20
R
T
20
R
19
19
19
19
19
19
19
18
18
18
18
18
18
18
17
17
17
17
17
17
17
17
16
16
16
16
16
16
16
16
15
15
15
15
15
15
15
15
14
14
14
14
14
14
14
14
T
R
USB
USB
LAN
LAN
RESET
RESET
17
17
17
17
17
17
17
17
16
16
16
16
16
16
16
16
15
15
15
15
15
15
15
15
14
14
14
14
14
14
14
14
13
13
13
13
13
13
13
13
13
13
13
13
13
13
13
13
12
12
12
12
12
12
12
12
12
12
12
12
12
12
12
12
11
11
11
11
11
11
11
11
11
11
11
11
11
11
11
11
10
10
10
10
10
10
10
10
10
10
10
10
10
10
10
10
T
R
Controller Card
(Second Controller Card
is Optional)
CONSOLE CONSOLE
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
7
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
5
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
4
3
3
3
3
3
3
3
2
2
2
2
2
2
2
1
T 1
R
T
1
R
T
1
R
T
1
R
T
1
R
T
1
R
T
1
R
I/O BOARD
I/O BOARD
UPSTREAM
I/O BOARD
I/O BOARD
I/O BOARD
I/O BOARD
DOWNSTREAM
RS232
3
2
I/O BOARD
RS232
3
3
2
T
R
I/O BOARD
1
CONTROLLER
CONTROLLER
T
R
I/O BOARD
2
1
T
1
R
I/O BOARD
CONTROLLER
Output (Downstream) Cards
Ports 1-80
Input (Upstream) Cards
Ports 1-80
Page 20 of 22
3
2
3
T
R
I/O BOARD
UPSTREAM
3
3
2
2
2
1
T
1
R
T
1
R
I/O BOARD
I/O BOARD
3
T
R
I/O BOARD
3
2
2
1
T
1
R
I/O BOARD
T
R
I/O BOARD
DOWNSTREAM
Output (Downstream) Cards
Ports 81-160
Input (Upstream) Cards
Ports 81-160
SERTIT-017 CR Issue 1.0
18th April 2011
Thinklogical VX 160 Router KVM Matrix Switch
(VXR-000160 Rev B)
EAL 4
The TOE enforces secure separation of information flows corresponding to different
switched connect ions. The corresponding Dat a Separation Security Policy is the main
securit y feature of the TOE.
TOE Documentation
The supporting guidance documents evaluated were:
[a]
ThinklogicalSecurityTarget_ 3_6_VX160.doc
[b]
Configuration Management_1_3.doc
[c]
Quality Manual Appendix_Rev_A.pdf
[d]
Quality Manual Issue_Rev_New.pdf
[e]
VX40_160_320_Manua l_Rev_I.pdf
[f]
VX160 Assembly Procedure_Rev A.pdf
[g]
ALC.TAT.1_Intuit ive_1_0.pdf
[h]
ECR FO RM_1_0.doc
[i]
VX160 Configuration List_1_2.doc
[j]
ALC.DEL_1_0.doc
[k]
ALC_1_1.doc
[l]
FlowChart_1_1.pdf
[m]
Software ALC_TAT_1_1.pdf
[n]
AutoCAD TAT_1.0.pdf
[o]
ALC.TAT.1_Intuit ive_1_0.pdf
[p]
PADS POWERPCB.pdf
[q]
Guide for PADS Project s Rev2.pdf
[r]
ECRs_1_0.pdf
[s]
ADV_ARC_1_1.pdf
[t]
VX160_Functiona lSpec_1_1.pdf
[u]
VX160_DesignSpec_1_2.pdf
[v]
VxRouter -ASCII -API_4_1.pdf
[w]
VX Routers Swit ch Tables
[x]
MatrixSwitchContFlow_1_1.pdf
[y]
VX160_VEL -4_VEL-24_Quick_Start_Rev_A.pdf
[z]
VX160_VEL -3AV+_VEL-24_Quick_Start_Rev_B.pdf
SERTIT-017 CR Issue 1.0
18th April 2011
Page 21 of 22
Thinklogical VX 160 Router KVM Matri x Switch (VXR000160 Rev B)
EAL 4
[aa]
VX Common Criteria Test -VX160_1_3
[bb]
VX Common Criteria Test -VX160_1_3_with_test_result s
[cc]
ATE_COV_VX_1_3.doc
[dd]
ATE_DPT_VX_1_2.pdf
[ee]
VX160 Checklist_1_0.xls
[ff]
VX160_test_1_0.doc
[gg]
ALC_DVS_1_0.doc
[hh]
Employee Manual_Rev A.pdf
[ii]
Organization Chart_1_0.docx
[jj]
Part Codes_1_0.xls
[kk]
ADV_IMP_VX160_1_0.pdf
[ll]
Using-the-ASCII-Interface_4_0.pdf
TOE Configuration
The following configuration was used for test ing:
Velocity Matrix Router 160 (VXR-000160 Rev B)
Velocity Matrix Router 160 Data Upstream Ca rd, 20 Ports, SFP+, Multi -Mode (VXMDI0020 Rev B)
Velocity Matrix Router 160 Data Downstream Card, 20 Ports, SFP+, Multi -Mode
(VXM-DO0020 Rev B)
Item
Identifier
Version
Hardware
Velocity Matrix Router 40
VXR-000160 Rev B
Hardware
Velocity Matrix Router 160 Data
Upstream Card, 20 Port s, SFP+, Multi Mode
VXM-DI0020 Rev B
Hardware
Velocity Matrix Router 160 Data
Downstream Card, 20 Ports, SFP+,
Multi -Mode
VXM-DO0020 Rev B
Manuals
VX40_160_320_Manua l
Rev_I
Page 22 of 22
SERTIT-017 CR Issue 1.0
18th April 2011

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project