Transcription
Security TargetforTumbleweed MMS and IME Version 5.5.3Release Date:June 1, 2005Version:4.5Status:FinalPrepared By:Tumbleweed Communications Corp.700 Saginaw DriveRedwood City, CA 94063Copyright Tumbleweed Communications Corp., 2005
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security TargetTable of Contents15210ST Introduction1.1Security Target Identification61.2Security Target Overview71.3CC Conformance Claims71.4Documents Conventions8TOE Description15Tumbleweed MMS and IME 5.5 Overview2.2Logical Boundaries122.2.1MMS Components132.2.2IME 243.2.1Threats against the TOE243.2.2Threats against the TOE Environment25Organizational Security Policies (OSPs)26Security Objectives274.1Security Objectives for the TOE274.2Security Objectives for the Environment304.2.1IT Environment Objectives304.2.2Non-IT Environment Objectives32IT Security Requirements5.133TOE Security Functional Requirements345.1.1Security Audit (FAU)345.1.2User Data Protection (FDP)355.1.3Identification & Authentication (FIA)365.1.4Security Management (FMT)375.1.5TOE Protection (FPT)415.1.6Trusted Path (FTP)415.235Physical BoundariesTOE Security Environment3.3492.12.336Explicitly Stated TOE Security Functional Requirements425.2.1Security Audit (FAU)425.2.2Communication (FCO)435.2.3User Data Protection (FDP)445.2.4Identification & Authentication (FIA)45Version 4.5June 1, 2005Page 2 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target5.2.5Security Management (FMT)475.2.6TOE Access (FTA)485.340Security Audit (FAU)495.3.2Cryptographic Operation (FCS)495.3.3Security Management (FMT)505.3.4TOE Protection (FPT)5055515.4.2Cryptographic Operation (FCS)535.4.3Identification & Authentication (FIA)53TOE Security Assurance Requirements545.5.1ACM: Configuration Management555.5.2ADO: Delivery and Operation565.5.3ADV: Development575.5.4AGD: Guidance Documents595.5.5ATE: Tests605.5.6AVA: Vulnerability Assessment62656465TOE Security Functions656.1.1Audit Function6.1.2Identification & Authentication Function666.1.3Message Security Function686.1.4Role-Based Access Function686.1.5Role Management Function706.1.6Trusted Path Function71656.2Security Mechanisms716.3Strength of Function Claim726.4Assurance Measures737Protection Profile Claims788Rationale798.170Strength of Function ClaimTOE Summary Specification6.16051Security Audit (FAU)5.66Explicitly Stated Environmental Security Functional Requirements5.4.15.550495.3.15.445Environmental Security Functional Requirements8.1.18.2Security Objectives Rationale79Security Objectives Coverage84Security Requirements Rationale928.2.1Security Requirements Coverage928.2.2Requirements Form a Consistent Whole968.2.3Explicitly Stated Requirements JustificationVersion 4.5105June 1, 2005Page 3 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target758.2.4Requirements are Justified1088.2.5Assurance Level Justification1128.380851138.3.1Security Functions Satisfy Functional Requirements1138.3.2Assurance Measures Meet Assurance Requirements1188.3.3Validation of Strength-of-Function1248.49TOE Summary Specification RationalePP Claims ry1269.3Interpretations127Version 4.5June 1, 2005Page 4 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security TargetList of Figures90Figure 1: Message Flow Using MMS and IME Together10Figure 2: MMS Components14Figure 3: IME Components16Figure 4: TOE Boundaries19List of Tables95100105Table 1: IT Security Functional Requirements33Table 2: Access Control Policy36Table 3a: Security Functions Management37Table 4: IME Auditable Events42Table 5: MMS Policies44Table 6: Actions Related to Policies45Table 7: Cryptographic Operations50Table 8: MMS Auditable Events52Table 9: Assurance Components (EAL 2 )54Table 10: Assurance Measures that Fulfill Assurance Requirements (EAL 2 )74Table 11: Security Environment mapped to Security Objectives for the TOE80Table 12: Security Environment mapped to Security Objectives for the TOE Environment82Table 13: Security Objectives Coverage84Table 14: Mapping of Security Objectives to Security Requirements for the TOE93Table 15: Mapping of Security Objectives to Security Requirements for the ITEnvironment95110Table 16: IT Security Requirements Justification96Table 17: Explicitly Stated Requirements Justification105Table 18: Security Functional Requirements Dependencies Mapping108Table 19: Mapping of Security Functions to Security Functional Requirements113Table 20: Reverse Mapping of Security Functional Requirements to Security Functions114115Table 21: Assurance Measures that Fulfill Assurance Requirements (EAL 2 )118Table 22: Interpretations127Version 4.5June 1, 2005Page 5 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target1ST Introduction1.1 Security Target IdentificationST Title: Security Target for Tumbleweed MMS and IME version 5.5.3120ST Version: 4.5ST Date: June 1, 2005TOE Identifier1: Tumbleweed MMS version 5.5.3 (Build 4039) and Tumbleweed IME version 5.5.3 (Build 4018)125Assurance level: EAL 2 augmented with ACM CAP.3: Authorisation Controls, ACM SCP.1: TOECM coverage, ADV HLD.2: Security enforcing high-level design. (aka EAL 2 )Author: Tumbleweed.Common Criteria: Common Criteria for Information Technology Security Evaluation (CC),Version 2.1, August 1999 (aligned with ISO/IEC 15408: 1999)130Interpretations: National and International interpretations are provided within section 9.3 ofthis Security TargetKeywords: Secure Messaging, Secure E-mail, MMS, IME, Messaging Management System(MMS), Integrated Messaging Exchange (IME), S/MIME1Identification of the TOE for this evaluation remains as it is specified above. However,references in this document and other assurance documentation to Tumbleweed MMS andIME Version 5.5 also applies to Version 5.5.3.Version 4.5June 1, 2005Page 6 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target1.2 Security Target Overview135Tumbleweed MMS and IME together provide a turnkey solution that allows companies tocreate a secure messaging and email solution; define email-filtering policies, archive messagesthat violate policies, monitor messaging traffic, and intelligently route sensitive messagesthrough a secure channel.In addition, Tumbleweed MMS and IME also include administrative tools for systemmanagement, policy management, and account management.140145150155The Tumbleweed MMS and IME version 5.5 ST contains the following sections to provide mappingof the Security Environment to the Security Requirements that the Tumbleweed products meet in order tomitigate the defined threats:o TOE Description – Provides an overview of the TOE security functions and describes thephysical and logical boundaries for the TOE.oTOE Security Environment – Describes the threats, organizational security policies, andassumptions that pertain to the TOE and the TOE environment.oSecurity Objectives – Identifies the security objectives that are satisfied by the TOE and theTOE environment.oIT Security Requirements – Presents the Security Functional Requirements (SFRs) met by theTOE and its environment. In addition, the Security Assurance Requirements (SARs) met by theTOE are presented.oTOE Summary Specification – Describes the security functions provided by the TOE to satisfythe security requirements and objectives.oProtection Profile Claims – Presents the rationale concerning compliance of the ST with anyprotection profiles.oRationale – Presents the rationale for the security objectives, requirements, and the TOEsummary specifications as to their consistency, completeness, and suitability.oReferences – Presents a set of acronyms, vocabulary of terminology, and interpretations ofrequirements that apply to this ST.1601.3 CC Conformance ClaimsThis TOE is CC Version 2.1 Part 2 extended and CC Version 2.1 Part 3 conformant.This ST claims assurance at EAL 2 (augmented with ACM CAP.3: Authorisation Controls,ACM SCP.1: TOE CM coverage, ADV HLD.2: Security enforcing high-level design).Version 4.5June 1, 2005Page 7 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target1651.4 Documents ConventionsThere are several font variations within this ST. The section below provides an explanation ofthe font conventions used to show operations, as defined in Common Criteria, performed on therequirements. When NIAP interpretations are included in requirements, the additions from theinterpretations are displayed as refinements.Assignment:Requirement text will appear in Italics and underlinedIteration:Typical CC requirement naming will be followed by a lower case letterfor each new iteration. (Ex. FMT MOF.1.1a)Selection:Requirement text will appear in bold and underlinedRefinement:Requirement text will appear in bold italicsVersion 4.5June 1, 2005Page 8 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target1702TOE DescriptionThis section describes the Target of Evaluation (TOE) in terms of the class of product, theprovided security functionality, and the TOE boundaries.2.1 Tumbleweed MMS and IME 5.5 Overview175The Tumbleweed MMS and IME version 5.5 products consist of the two main components thatcomprise the TOE: The Tumbleweed MMS, also known as Messaging Management System (MMS),provides the enforcement of email-filtering policies for the use of corporate emailsystems. Such policies include those for mail filtering, included attachments, virusscanning, encryption filtering, signature filtering. Policies covering Secure PublicNetwork handling, and headers removal are not included within this evaluation and arenot claimed for this TOE. The Tumbleweed IME, also known as Integrated Messaging Exchange (IME), providesbusinesses with a secure interactive communications channel to reach their customers andpartners.180185In the context of Tumbleweed, encrypted messages and attachments are hereafter referred to as“IME packages” or “packages”. There are four different IME roles. The first role is an IMEAdministrator. The other three roles are collectively referred to as IME users, which includes thefollowing roles. An IME Group Manager typically is a standard user, yet with the additional capability toadd additional users to the group, as well as, remove members and change theirpassword. The second user role is an IME Group Member, which is a member of an IME Group. The third IME user role is an IME Individual Account User, not a member of a group, butjust an individual user account.190195Version 4.5June 1, 2005Page 9 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security TargetFigure 1: Message Flow Using MMS and IME TogetherVersion 4.5June 1, 2005Page 10 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target2001. A User sends an email message. Email messages destined for recipients outside thecustomer site are converted to SMTP format for transmission across the Internet. MMSroutinely scans these email messages and enforces policies.2. If an email message does not trigger a redirect policy, it is routed to the recipient usingSMTP (unless other policies dictate special handling, for example, delivery usingS/MIME).2053. If the email message triggers a redirection policy, MMS converts the message into anIME package and transmits it to the IME Server using the Tumbleweed Server APIclient. The package will be transmitted over SSL (Secure Socket Layer) between theMMS 5.5 and IME 5.5 serversNote: While this scenario shows policies redirecting outbound email to the IME secureserver, policies can also be defined redirecting inbound email to the IME secure server.2102154. Optionally, MMS returns a package description to notify the sender of the redirection.This notification takes the form of an email message and includes the IME package ID,service options, such as priority, and access information for the sender’s IME account.5. IME Server sends an SMTP message notifying recipient(s) of the IME package,including a URL with which the package can be retrieved. Or, if a recipient’s AccountType specifies Secure Envelope (SE) delivery, the recipient can open the encryptedmessage from within the email client, regardless of whether they are online or offline.6. The Recipient retrieves the package using a Web browser. The recipient will be requiredto authenticate with the IME Server and use a secure (SSL) connection to access andretrieve the package.2207. IME Server optionally generates receipt confirmation messages to notify the sender wheneach recipient retrieves the package.8. IME Server sends the reply to a message through Secure Response delivery to MMSusing Internet Inter-ORB Protocol (IIOP) if the recipient’s delivery method has SecureResponse delivery selected.2259. MMS then sends the replied message to the sender (original sender of the message thatwas replied) using SMTP.Version 4.5June 1, 2005Page 11 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target2.2 Logical Boundaries230This section describes the flow of information when a message is sent from an MMS system thatuses Secure Redirect. Figure 1 above illustrates how mail is routed using the Secure Redirectservice. Figure 1a illustrates the logical boundary of the TOE. TOE components are marked asred.Figure 1a: Logical Boundary of the TOE235Version 4.5June 1, 2005Page 12 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target2.2.1 MMS ComponentsThe MMS Server consists of the following components:240245250 MMS Web-based Administrative Interface; CORBA; Event Logger; Policy Engine; Security Manager.Figure 2 below shows the relation of how these MMS components work together to support thefunctionalities that MMS provides. MMS configuration data, policies, certificates, directoryinformation, event log data, messages, archived messages and message meta-data are stored onthe MMS SQL database.Figure 2 also includes the two other external interfaces, the MMSDownloadService.exe and theMMSRelayService.exe. These mediate access to the public internet and allow the MMS server toreceive SMTP messages and to download new virus definitions.Version 4.5June 1, 2005Page 13 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security TargetFigure 2: MMS Components2552.2.1.1 MMS Web-based Administrative Interface260The Administrator Interface component of MMS provides an interface for remote administrationof the MMS server. This interface is only accessible by individuals that possess MMS 1st levelor 2nd level administration rights. The only subsystem which the MMS Web-basedAdministrative Interface directly interacts with is the security manager subsystem which acts as areference monitor mediating all requests for access to data or to other subsystems.2.2.1.2 CORBAThe CORBA component of MMS provides a distributed object framework for thecommunication channel to an IME Server and, in the evaluated configuration, will be encryptedVersion 4.5June 1, 2005Page 14 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target265with OpenSSL. CORBA provides a communication path between the IME and the MMS servers.When a message is received by the CORBA subsystem, it is decrypted and stored in the MMSdatabase.2.2.1.3 Event Logger270The Event Logger component of MMS generates logs of system events for the MMS server. Theevents generated by the Event Logger can be viewed and sorted through the MMS Web-BasedAdministrator interface. The event logger monitors the security manager subsystem, when anauditable event occurs the event logger subsystem records it in the MMS database.2.2.1.4 Policy Engine275280When a new message is added to the MMS SQL 2000 database it is always passed to the PolicyEngine for analysis. The MMS Policy Engine component of MMS uses the MMS Directory, adatabase within the MMS SQL 2000 database server, to determine which policies apply to eachemail message. The engine then evaluates each email message and checks against all the policiesin succession. After this evaluation, the policy engine determines the disposition of the messageand what action to take based on the action dictated by the most restrictive policy.The policy engine always checks all of the policy categories, even if the email message isintercepted or blocked by the first policy category it encounters. Checking all the policycategories enables complete and detailed reporting on policy violations, without a noticeableeffect on performance.2.2.1.5 Security Manager285The Security Manager component of MMS provides a control of access permissions to MMS 1stlevel administrators and MMS 2nd level administrators and allows for the management of MMSconfigurations. The security manager subsystem acts as a reference monitor to the MMS webBased Administrator Interface mediating all requests for access to data or to other subsystems.Version 4.5June 1, 2005Page 15 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target2.2.2 IME Components290295The IME product consists of the following components: Account Manager IME Web-Based Administrative Interfaces CORBA Event Logger Secure Envelope Security Manager IME Web-Based User Interfaces IME HTTP GatewayFigure 3: IME Components300Version 4.5June 1, 2005Page 16 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target2.2.2.1 Account Manager305The Account Manager component of IME manages the IME accounts, maintains account-relatedinformation, and validates each account every time the IME user or IME administratorauthenticates to IME. The account manager is invoked by the security manager subsystem andinteracts with the event logger subsystem to report auditable events.2.2.2.2 IME Web-Based Administrative Interfaces310315The Administrative Interface component of IME provides an interface for remote administrationof the IME product. This interface is only accessible by individuals that possess IMEadministration rights. When an IME Administrator attempts authentication the Security ManagerSubsystem is invoked so that the user ID and associated password provided may be verified todetermine if the user is granted access. The user ID and password verification is provided bychecking the supplied information against what is stored in the IME database. If the user ID andpassword matches a user ID and associated password within the IME database, then access isgranted.2.2.2.3 CORBAThe CORBA component of IME provides the distributed object framework that allows the IMEServer components to communicate in addition to allowing communication from MMS.320325The Naming Service of CORBA is the process that allows the components to find each other onthe network. It keeps track of the component locations. The Naming Service acts like a WhitePages directory to provide a reference that allows you to access a particular component. Whenthe IME Server starts, the IME Server components can be accessed through the CORBA NamingService.The CORBA subsystem provides a communication path between the IME and the MMS servers.When a message is received by the CORBA subsystem, it is decrypted and sent to the IMEdatabase, via the event logger subsystem.2.2.2.4 Event Logger330The Event Logger component of IME generates logs of system events for the IME product. TheEvent Logger can be viewed either through the IME Web-Based Administrator interface, orthrough the application log of the event viewer within the operating system. Auditable eventsmay be passed to the event logger either from the MMS server, via the CORBA subsystem orfrom the IME account manager and security manager subsystems.Version 4.5June 1, 2005Page 17 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target2.2.2.5 Secure Envelope335340The Secure Envelope component of IME provides an alternative delivery method for a user tostore an encrypted package locally on their personal computer without the need of retrieving thepackage from the IME product every time the package is accessed. Generally, when a package issent using Secure Envelope, the package is encrypted on the IME product using either thepackage password provided by the sender or the account password of the recipient. Thereforeonce the recipient receives the package, they may authenticate and decrypt the package locallywithout the need of connecting to the IME product. The secure envelope subsystem is invokedfrom the IME Web-Based User interface but all requests are mediated by the security managersubsystem.2.2.2.6 Security Manager345The Security Manager Subsystem performs the identification and authentication function andenforces the accesses users are granted based on their role. For example if an entity is identifiedas an IME user and attempts authentication via the IME Web-Based Admin Interface, theSecurity Manager Subsystem then denies the authentication request. Before accessing any IMEdata or resources users must be identified and authenticated by the Security manager. Thesecurity manager then creates a user session with access rights appropriate to the user’s role.3502.2.2.7 IME Web-Based User Interfaces355The User Interface component of IME provides individuals possessing a user account, aninterface for remote accessibility of the IME product for their specified account. Within thisinterface, an IME Group Member, IME Group Manager and IME Individual Account User canretrieve messages, send messages, access their address book, and change their passwords. Whenan IME user attempts authentication the Security Manager Subsystem is invoked so that the userID and associated password provided may be verified to determine if the user is granted access.The user ID and password verification is provided by checking the supplied information againstwhat is stored in the IME database. If the user ID and password matches a user ID andassociated password within the IME database, then access is granted.3602.2.2.8 IME HTTP Gateway365The IME HTTP Gateway acts as a broker between HTTP client requests and the IME back-endAPI. The HTTP gateway assists the Security Manager in enforcing the identification andauthentication function. Following the establishment of a session the HTTP gateway creates atoken associated with the identity of the authenticated user. This token is passed with eachrequest for access to TOE functionality and TOE or user data. The Security Manager can use thistoken to ensure that the user session is not hijacked.Version 4.5June 1, 2005Page 18 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target2.3 Physical BoundariesFigure 4: TOE BoundariesVersion 4.5June 1, 2005Page 19 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target370375380385390395400405410The TOE is defined to be the Tumbleweed MMS and IME version 5.5 products. The diagramshown above in Figure 4 represents the physical boundaries of the TOE. Each grayed area withinthe figure represents a physical machine, showing the physical layout and relationships with theTOE and non-TOE components.The TOE is intended to operate in a protected environment. This means that all componentsshould be behind a suitably configured firewall, with the external HTTP gateway on the firewallDMZ. A DMZ is a screened subnet between a company's private network and the outside publicnetwork used to allow external users access to an organizations public data, like web pages,while protecting the firm’s private network. The Security Target and supporting documents onlymake specific claims about the firewall and network architecture, not about the specifics of thefirewall and its rulebase. Indeed the TOE imposes no special configuration rules on the firewallthan would be needed for any system using mail and internet i.e. access on at least port 23 forSMTP, port 80 for HTTP and port 443 for HTTPS.The MMS server consists of the MMS version 5.5 product, a SQL 2000 database server, and anIIS 5.0 Web Server running on Windows 2000 Server. The IME server consists of the IMEversion 5.5 product with a SQL 2000 database server running on Windows 2000 Server. The twoIIS 5.0 web servers communicating with the IME server run on separate machines with Windows2000 Server.The first web server is identified as the external HTTP gateway and is recommended to be withina DMZ environment so that a complete separation, as well as, use of the CORBA / IIOP overSSL communication channel is provided to allow a secure communication between the externalHTTP gateway and IME. The second web server is located internally within the networkinfrastructure and is referred to as the internal HTTP gateway.The TOE environment consists of web/messenger clients, IME administration client, MMSadministration client, three web servers, two database servers, the underlying operating systemsand supported hardware for both MMS and IME, and optionally an internal mail server. Theweb/messenger clients provide a web-based interface for IME users to access the IME serverover the internet. To access the IME server as an IME user, an IME web client must connect tothe external HTTP gateway. The IME administration client provides a web-based interface forIME administrators to access and administrate the IME server. To access the IME server foradministration, an IME administrator client may only connect through the internal HTTPgateway. This disallows administration of the IME server from the internet. The MMSadministration client provides a web-based interface for MMS administrators to access andadministrate the MMS server. The web servers provide the capability for IME users, IMEadministrators, and MMS administrators to access the MMS and IME servers via HTTP/HTTPS.The database server for the IME server provides storage of configuration data, and user data.The database server for the MMS server provides storage of configuration data, virus definitions,queued packages, and archived packages.In cases where an internal mail server is provided, the MMS server relays messages to this serverafter checking its configured policies to make sure that the messages do not violate any policy orVersion 4.5June 1, 2005Page 20 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Targetrequire to be redirected to IME. In cases where an internal mail server is not provided, MMSserver checks incoming messages for configured policies to make sure that the messages do notviolate any policy and then redirect the messages to IME.415A typical case of information flow internally into the MMS and IME messaging and emailsolution would be the following:An SMTP message is directed from the internet to the domain in which MMS is hosting.The organization’s firewall directs the incoming SMTP message to the MMS server. TheMMS server checks the message in accordance with the policies it has defined. If amessage triggers a policy, the policy will enforce the actions specified for that policy.Depending on the action specified, MMS may drop the delivery, return the message backto the sender, quarantine the delivery, detain the delivery, defer the delivery, delivernormally, or redirect to the IME server. In the event the message is redirected to the IMEserver, the message is encrypted and sent through the CORBA / IIOP over SSLcommunication channel. Once IME receives this new message, it sends a notification tothe IME user’s email account to notify the user of a new IME delivery. Depending on thesecurity provided for the IME message, the notification sent to the user may include apersonalized URL to receive the message, a URL to login to IME via an IME account, aURL to login to IME via a package password via an IME account, a URL to login to IMEvia a package password, or the actual message encrypted within an attachment, alsoknown as Secure Envelope.420425430The following hardware components are not considered part of the TOE, yet the TOE requires ata minimum two Intel Pentium computers consisting of the following:435 Processor equivalent to Pentium III, 700 MHz or higher recommended. RAM – 512 MB minimum (1 GB or more recommended). Hard Drive Space – 300 MB minimum (for IME Server installation)20 GB (for MMS installation). TCP/IP networking adapter.The following software components are required for TOE operation but are not considered to bepart of the TOE:440445 MMS and IME Database Server (SQL 2000 with SP3, installed locally on each server) Web Server (IIS 5.0) - required to be installed on MMS for remote administration, andadditionally installed separately from IME; IME requires two web servers which includeinternal and external HTTP gateways Web Client/Messenger Client (JavaScript or ActiveX capable) Operating system (Windows 2000 Server with SP3)Version 4.5June 1, 2005Page 21 of 127
Copyright 2005 Tumbleweed Communications Corp.Tumbleweed MMS and IME Version 5.5.3 Security Target3450455TOE Security EnvironmentThe TOE environment is both a physically and a logically secure environment that can operate ina mode capable of protecting the transmitted or stored information at the highest classificationlevel of messages in this environment. Additionally, the MMS and IME will coexist with othernetwork devices
In addition, Tumbleweed MMS and IME also include administrative tools for system management, policy management, and account management. The Tumbleweed MMS and IME version 5.5 ST contains the following sections to provide mapping of the Security Environment to the Security Requirements that the Tumbleweed products meet in order to
