Security Target: McAfee Enterprise Mobility Management 9


Security Target: McAfee Enterprise Mobility Management 9.7

Security Target
McAfee Enterprise Mobility Management 9.7
Document Version 0.9
July 5, 2012

Document Version 0.9    McAfee    Page 1 of 39

Prepared For:                      Prepared By:
McAfee, Inc.                       Apex Assurance Group, LLC
2821 Mission College Blvd.         530 Lytton Avenue, Ste. 200
Santa Clara, CA 95054              Palo Alto, CA

This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Enterprise Mobility Management 9.7. This Security Target (ST) defines a set of assumptions about the aspects of the environment, a list of threats that the product intends to counter, a set of security objectives, a set of security requirements and the IT security functions provided by the TOE which meet the set of requirements.

Table of Contents

1 Introduction ..... 6
  1.1 ST Reference ..... 6
  1.2 TOE Reference ..... 6
  1.3 Document Organization ..... 6
  1.4 Document Conventions ..... 7
  1.5 Document Terminology ..... 7
  1.6 TOE Overview ..... 8
    1.6.1 McAfee EMM Hub ..... 8
    1.6.2 McAfee EMM Console ..... 9
    1.6.3 McAfee EMM Portal ..... 9
  1.7 TOE Description ..... 9
    1.7.1 Physical Boundary ..... 9
    1.7.2 Hardware and Software Supplied by the IT Environment ..... 10
    1.7.3 Logical Boundary ..... 11
  1.8 Rationale for Non-bypassability and Separation of the TOE ..... 12
2 Conformance Claims ..... 13
  2.1 Common Criteria Conformance Claim ..... 13
  2.2 Protection Profile Conformance Claim ..... 13
3 Security Problem Definition ..... 14
  3.1 Threats ..... 14
  3.2 Organizational Security Policies ..... 14
  3.3 Assumptions ..... 15
4 Security Objectives ..... 16
  4.1 Security Objectives for the TOE ..... 16
  4.2 Security Objectives for the Operational Environment ..... 16
  4.3 Security Objectives Rationale ..... 17
5 Extended Components Definition ..... 22
6 Security Requirements ..... 23
  6.1 Security Functional Requirements ..... 23
    6.1.1 Security Audit (FAU) ..... 23
    6.1.2 User Data Protection (FDP) ..... 25
    6.1.3 Identification and Authentication (FIA) ..... 27
    6.1.4 Security Management (FMT) ..... 28
  6.2 Security Assurance Requirements ..... 29
  6.3 CC Component Hierarchies and Dependencies ..... 29
  6.4 Security Requirements Rationale ..... 30
    6.4.1 Security Functional Requirements for the TOE ..... 30
    6.4.2 Security Assurance Requirements ..... 32
  6.5 TOE Summary Specification Rationale ..... 33
7 TOE Summary Specification ..... 36
  7.1 Policy Management ..... 36
  7.2 Identification and Authentication ..... 37
  7.3 Management ..... 38
  7.4 Audit ..... 38

List of Tables

Table 1 – ST Organization and Section Descriptions ..... 7
Table 2 – Terms and Acronyms Used in Security Target ..... 8
Table 3 – Evaluated Configuration for the TOE ..... 9
Table 4 – Management System Component Requirements ..... 11
Table 5 – Supported Mobile Platforms ..... 11
Table 6 – Logical Boundary Descriptions ..... 12
Table 7 – Threats Addressed by the TOE ..... 14
Table 8 – Organizational Security Policies ..... 15
Table 9 – Assumptions ..... 15
Table 10 – TOE Security Objectives ..... 16
Table 11 – Operational Environment Security Objectives ..... 17
Table 12 – Mapping of Assumptions, Threats, and OSPs to Security Objectives ..... 18
Table 13 – Rationale for Mapping of Threats, Policies, and Assumptions to Objectives ..... 21
Table 14 – TOE Functional Components ..... 23
Table 15 – Audit Events and Details ..... 24
Table 16 – TSF Data Access Permissions ..... 28
Table 17 – Security Assurance Requirements at EAL2 ..... 29
Table 18 – TOE SFR Dependency Rationale ..... 30
Table 19 – Mapping of TOE SFRs to Security Objectives ..... 31
Table 20 – Rationale for Mapping of TOE SFRs to Objectives ..... 32
Table 21 – Security Assurance Measures ..... 33
Table 22 – SFR to TOE Security Functions Mapping ..... 34
Table 23 – SFR to TSF Rationale ..... 35
Table 24 – Policy Controls for Device Types ..... 37
Table 25 – Data Access Permissions ..... 38
Table 26 – Predefined EMM Event Reports ..... 39

List of Figures

Figure 1 – TOE Boundary ..... 10

1 Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE), Security Target organization, document conventions, and terminology. It also includes an overview of the evaluated product.

1.1 ST Reference

ST Title: Security Target: McAfee Enterprise Mobility Management 9.7
ST Revision: 0.9
ST Publication Date: July 5, 2012
Author: Apex Assurance Group

1.2 TOE Reference

TOE Reference: McAfee Enterprise Mobility Management 9.7
TOE Type: Mobile Security

1.3 Document Organization

This Security Target follows the following format:

SECTION | TITLE | DESCRIPTION
1 | Introduction | Provides an overview of the TOE and defines the hardware and software that make up the TOE as well as the physical and logical boundaries of the TOE
2 | Conformance Claims | Lists evaluation conformance to Common Criteria versions, Protection Profiles, or Packages where applicable
3 | Security Problem Definition | Specifies the threats, assumptions and organizational security policies that affect the TOE
4 | Security Objectives | Defines the security objectives for the TOE/operational environment and provides a rationale to demonstrate that the security objectives satisfy the threats
5 | Extended Components Definition | Describes extended components of the evaluation (if any)
6 | Security Requirements | Contains the functional and assurance requirements for this TOE
7 | TOE Summary Specification | Identifies the IT security functions provided by the TOE and also identifies the assurance measures targeted to meet the assurance requirements.
Table 1 – ST Organization and Section Descriptions

1.4 Document Conventions

The notation, formatting, and conventions used in this Security Target are consistent with those used in Version 3.1 of the Common Criteria. Selected presentation choices are discussed here to aid the Security Target reader. The Common Criteria allows several operations to be performed on functional requirements: the allowable operations defined in Part 2 of the Common Criteria are refinement, selection, assignment and iteration.

- The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. An assignment operation is indicated by italicized text.
- The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by bold text. Any text removed is indicated with a strikethrough format (Example: TSF).
- The selection operation is picking one or more items from a list in order to narrow the scope of a component element. Selections are denoted by underlined text.
- Iterated functional and assurance requirements are given unique identifiers by appending to the base requirement identifier from the Common Criteria an iteration number inside parenthesis, for example, FIA_UAU.1.1 (1) and FIA_UAU.1.1 (2) refer to separate instances of the FIA_UAU.1 security functional requirement component.

Outside the SFRs, italicized text is used for both official document titles and text meant to be emphasized more than plain text.

1.5 Document Terminology

The following table describes the terms and acronyms used in this document:

TERM | DEFINITION
AD | Active Directory
CC | Common Criteria version 3.1 (ISO/IEC 15408)
CPU | Central Processing Unit
DBMS | DataBase Management System
EAL | Evaluation Assurance Level
EMM | Enterprise Mobility Management
GUI | Graphical User Interface
I&A | Identification & Authentication
IIS | Internet Information Services
IP | Internet Protocol
IT | Information Technology
MAC | Media Access Control
MDAC | Microsoft Data Access Components

TERM | DEFINITION
NTFS | New Technology File System
NTP | Network Time Protocol
OEM | Original Equipment Manufacturer
OS | Operating System
OSP | Organizational Security Policy
PP | Protection Profile
RAM | Random Access Memory
SF | Security Function
SFP | Security Function Policy
SFR | Security Functional Requirement
SOF | Strength Of Function
SP | Service Pack
SQL | Structured Query Language
SSL | Secure Socket Layer
ST | Security Target
TOE | Target of Evaluation
TSC | TOE Scope of Control
TSF | TOE Security Function
TSP | TOE Security Policy
VGA | Video Graphics Array
XML | eXtensible Markup Language
Table 2 – Terms and Acronyms Used in Security Target

1.6 TOE Overview

The McAfee EMM platform provides secure management of mobile devices. McAfee EMM allows the integration of smartphones into enterprise networks with the same level of security protection enabled on laptops and desktops. With McAfee EMM, System Administrators have the tools and capabilities needed to effectively secure mobile devices in the enterprise network, seamlessly manage them in a scalable architecture, and efficiently assist users when problems arise.

McAfee EMM is a web-based solution that helps manage the entire life cycle of the mobile device. McAfee EMM's unique combination of device management, on-device security, network control, and compliance reporting delivers a powerful mobile device security solution.

The following sections provide a summary of the specific TOE sub-components. Note that communication between the distributed components of the TOE is protected from disclosure and modification by cryptographic functionality provided by the operational environment.

1.6.1 McAfee EMM Hub

The McAfee EMM Hub (Hub) manages communications between McAfee EMM components. The McAfee EMM Hub allows secure communications between McAfee EMM modules across the firewall (between the DMZ and the internal network) and eliminates the need to open custom firewall ports. SSL communications may be established between the components. Using a custom installation, the Hub can also communicate with the DMZ components via HTTP (non-secure).

1.6.2 McAfee EMM Console

The McAfee EMM Console (Console) is the application used to manage the McAfee EMM system and devices. It is an IIS application accessible via Internet Explorer or Firefox web browsers, with Microsoft Silverlight installed. Through the Console, administrative users configure system settings, change policies, manage devices and users, administer McAfee EMM roles, perform Helpdesk functions, and view reports.

1.6.3 McAfee EMM Portal

The McAfee EMM Portal (EMM Portal) allows device users to initiate requests for software downloads and to perform a few Helpdesk functions. The McAfee EMM Portal is an IIS application. Users access the EMM Portal from a browser on a PC or on a mobile device.

1.7 TOE Description

1.7.1 Physical Boundary

The TOE is a software TOE and includes the EMM Server components (listed below) executing on the same system:

a. McAfee EMM Hub including Cert Enroll
b. McAfee EMM Console
c. McAfee EMM Portal

Note specifically that the hardware, operating systems and third party support software (e.g. DBMS) on each of the systems are excluded from the TOE boundary.

In order to comply with the evaluated configuration, the following hardware and software components should be used:

TOE COMPONENT | VERSION/MODEL NUMBER
TOE Software | McAfee EMM 9.7.0.38202; McAfee iOS Client App Version 4.6; McAfee Android Client App Version 2.1
IT Environment | Hardware specified in the following: Table 4 – Management System Component Requirements; Table 5 – Supported Mobile Platforms
Table 3 – Evaluated Configuration for the TOE

The evaluated configuration consists of a single instance of the management system and one or more instances of managed systems running the McAfee EMM Client App.

The following figure presents an example of an operational configuration. The shaded elements in the boxes at the top of the figure represent the TOE components.

Figure 1 – TOE Boundary

1.7.2 Hardware and Software Supplied by the IT Environment

The TOE is a software TOE. The hardware, operating systems and all third party support software (e.g., DBMS) on the systems on which the TOE executes are excluded from the TOE boundary.

The platform on which the EMM Server software is installed must be dedicated to functioning as the management system. EMM Server operates as a distribution system and management system for a client-server architecture offering components for the server part of the architecture (not the clients). The TOE requires the following hardware and software configuration on this management platform:

COMPONENT | MINIMUM REQUIREMENTS
Processor | Intel Pentium III-class or higher; 1GHz or higher
Memory | 1 GB RAM
Free Disk Space | 1 GB
Monitor | 1024x768, 256-color, VGA monitor or higher
Operating System | Windows Server 2003 x86 or 64 bit; Windows Server 2008 64 bit (Standard or Enterprise Versions); Windows Server 2008 R2 64 bit
DBMS | Microsoft SQL Server 2005; Microsoft SQL Server 2008
Additional Software | Internet Explorer; Firefox (Microsoft Silverlight must be installed on either browser)
Network Card | Ethernet, 100Mb or higher
Disk Partition Formats | NTFS
Domain Controllers | The system must have a trust relationship with the Primary Domain Controller (PDC) on the network
Table 4 – Management System Component Requirements

The McAfee EMM Client App executes on one or more systems whose policy settings are to be audited and enforced by the operating system. The supported platforms are:

TYPE | PLATFORM
Apple iOS | iOS version 4 and 5
Google Android | Android version 2 and version 3
Table 5 – Supported Mobile Platforms

1.7.2.1 TOE Guidance Documentation

The following guidance documentation is provided as part of the TOE:

- Product Guide: McAfee Enterprise Mobility Management (McAfee EMM) 9.7
- Installation Guide: McAfee Enterprise Mobility Management (McAfee EMM) 9.6¹
- Operational User Guidance and Preparative Procedures Supplement: McAfee Enterprise Mobility Management 9.7

¹ Note that the steps for installation of version 9.7 are the same as version 9.6; as such, no updated guide was developed.

1.7.3 Logical Boundary

This section outlines the boundaries of the security functionality of the TOE; the logical boundary of the TOE includes the security functionality described in the following sections.

TSF | DESCRIPTION
Identification and Authentication | On the management system, the TOE requires users to identify and authenticate themselves before accessing the TOE software. No action can be initiated before proper identification and authentication. Each TOE user has security attributes associated with their user account that define the functionality the user is allowed to perform.
Management | The TOE's Management Security Function provides support functionality that enables users to configure and manage TOE components. Management of the TOE may be performed via the GUI. Management privileges are defined per-user.
Audit | The TOE's Audit Security Function provides auditing of management actions performed by administrators. Authorized users may review the audit records via EMM Console.
Policy Management | The TOE pushes policies to managed systems (i.e., mobile devices). These policies dictate allowed features and functions and are specified by an administrator through an access control policy.
Table 6 – Logical Boundary Descriptions

1.8 Rationale for Non-bypassability and Separation of the TOE

The responsibility for non-bypassability and non-interference is split between the TOE and the IT Environment. TOE components are software only products and therefore the non-bypassability and non-interference claims are dependent upon hardware and OS mechanisms. The TOE runs on top of the IT Environment supplied operating systems.

The TOE ensures that the security policy is applied and succeeds before further processing is permitted whenever a security relevant interface is invoked: the interfaces are well defined and ensure that the access restrictions are enforced. Non-security relevant interfaces do not interact with the security functionality of the TOE. The TOE depends upon OS mechanisms to protect TSF data such that it can only be accessed via the TOE. The system(s) on which TOE components execute is dedicated to that purpose.

The TOE is implemented with well-defined interfaces that can be categorized as security relevant or non-security relevant. The TOE is implemented such that non-security relevant interfaces have no means of impacting the security functionality of the TOE. Unauthenticated users may not perform any actions within the TOE. The TOE tracks multiple users by sessions and ensures the access privileges of each are enforced.

The server hardware provides virtual memory and process separation, which the server OS utilizes to ensure that other (non-TOE) processes may not interfere with the TOE; all interactions are limited to the defined TOE interfaces. The OS and DBMS restrict access to TOE data in the database to prevent interference with the TOE via that mechanism.

2 Conformance Claims

2.1 Common Criteria Conformance Claim

The TOE is Common Criteria Version 3.1 Revision 3 (July 2009) Part 2 conformant and Part 3 conformant at Evaluation Assurance Level 2 and augmented by ALC_FLR.2 – Flaw Reporting Procedures.

2.2 Protection Profile Conformance Claim

The TOE does not claim conformance to a Protection Profile.

3 Security Problem Definition

In order to clarify the nature of the security problem that the TOE is intended to solve, this section describes the following:

- Any known or assumed threats to the assets against which specific protection within the TOE or its environment is required.
- Any organizational security policy statements or rules with which the TOE must comply.
- Any assumptions about the security aspects of the environment and/or of the manner in which the TOE is intended to be used.

This chapter identifies assumptions as A.assumption, threats as T.threat and policies as P.policy.

3.1 Threats

The following are threats identified for the TOE and the IT System the TOE monitors. The TOE itself has threats and the TOE is also responsible for addressing threats to the environment in which it resides. The assumed level of expertise of the attacker for all the threats is unsophisticated.

The TOE addresses the following threats:

THREAT | DESCRIPTION
 | An unauthorized user may attempt to disclose the data collected and produced by the TOE by bypassing a security mechanism.
 | An unauthorized user may attempt to compromise the integrity of the data collected and produced by the TOE by bypassing a security mechanism.
 | An unauthorized user may inappropriately change the configuration of the TOE causing potential intrusions to go undetected.
 | An unauthorized user may attempt to remove or destroy data collected and produced by the TOE.
…HALT | An unauthorized user may attempt to compromise the continuity of the System's collection and analysis functions by halting execution of the TOE.
T.PRIVIL | An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data.
T.MOBILE_POLICY | An unauthorized user may access features or functions of managed systems that may compromise the security infrastructure.
Table 7 – Threats Addressed by the TOE

3.2 Organizational Security Policies

An organizational security policy is a set of rules, practices, and procedures imposed by an organization to address its security needs. The following Organizational Security Policies apply to the TOE:

POLICY | DESCRIPTION
 | Users of the TOE shall be accountable for their actions within the TOE.
 | All data collected and produced by the TOE shall only be used for authorized purposes.
 | Static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System or events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets must be collected.
 | Data collected and produced by the TOE shall be protected from modification.
…GE | The TOE shall only be managed by authorized users.
P.PROTCT | The TOE shall be protected from unauthorized accesses and disruptions of TOE data and functions.
Table 8 – Organizational Security Policies

3.3 Assumptions

This section describes the security aspects of the environment in which the TOE is intended to be used. The TOE is assured to provide effective security measures in a co-operative non-hostile environment only if it is installed, managed, and used correctly. The following specific conditions are assumed to exist in an environment where the TOE is employed:

ASSUMPTION | DESCRIPTION
 | The TOE has access to all the IT System data it needs to perform its functions.
 | The TOE is appropriately scalable to the IT Systems the TOE monitors.
 | Access to the database used by the TOE via mechanisms outside the TOE boundary is restricted to use by authorized users.
…MIC | The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors.
A.LOCATE | The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access.
A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains.
A.NOEVIL | The authorized admi
A.PROTCT | 
