Dell EMC NetWorker 9 - Common Criteria

Dell EMC NetWorker 9.1
Security Target

Evaluation Assurance Level (EAL): EAL2
Doc No: 1986-000-D102
Version: 1.2
10 July 2017

EMC Corporation
176 South Street
Hopkinton, MA, USA
01748

Prepared by:
EWA-Canada
1223 Michael Street, Suite 200
Ottawa, Ontario, Canada
K1J7T2

CONTENTS

1 SECURITY TARGET INTRODUCTION
  1.1 DOCUMENT ORGANIZATION
  1.2 SECURITY TARGET REFERENCE
  1.3 TOE REFERENCE
  1.4 TOE OVERVIEW
  1.5 TOE DESCRIPTION
    1.5.1 Physical Scope
    1.5.2 TOE Environment
    1.5.3 TOE Guidance
    1.5.4 Logical Scope
    1.5.5 Functionality Excluded from the Evaluated Configuration
2 CONFORMANCE CLAIMS
  2.1 COMMON CRITERIA CONFORMANCE CLAIM
  2.2 ASSURANCE PACKAGE CLAIM
  2.3 PROTECTION PROFILE CONFORMANCE CLAIM
3 SECURITY PROBLEM DEFINITION
  3.1 THREATS
  3.2 ORGANIZATIONAL SECURITY POLICIES
  3.3 ASSUMPTIONS
4 SECURITY OBJECTIVES
  4.1 SECURITY OBJECTIVES FOR THE TOE
  4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT
  4.3 SECURITY OBJECTIVES RATIONALE
    4.3.1 Security Objectives Rationale Related to Threats
    4.3.2 Security Objectives Rationale Related to Assumptions
5 EXTENDED COMPONENTS DEFINITION
  5.1 SECURITY FUNCTIONAL REQUIREMENTS
  5.2 SECURITY ASSURANCE REQUIREMENTS
6 SECURITY REQUIREMENTS
  6.1 CONVENTIONS
  6.2 TOE SECURITY FUNCTIONAL REQUIREMENTS
    6.2.1 Security Audit (FAU)
    6.2.2 User Data Protection (FDP)
    6.2.3 Identification and Authentication (FIA)
    6.2.4 Security Management (FMT)
    6.2.5 TOE Access (FTA)
  6.3 SECURITY FUNCTIONAL REQUIREMENTS RATIONALE
    6.3.1 SFR Rationale Related to Security Objectives
  6.4 DEPENDENCY RATIONALE
  6.5 TOE SECURITY ASSURANCE REQUIREMENTS
7 TOE SUMMARY SPECIFICATION
  7.1 TOE SECURITY FUNCTIONS
    7.1.1 Security Audit
    7.1.2 User Data Protection
    7.1.3 Identification and Authentication
    7.1.4 Security Management
    7.1.5 TOE Access
8 TERMINOLOGY AND ACRONYMS
  8.1 TERMINOLOGY
  8.2 ACRONYMS

LIST OF TABLES

Table 1 – TOE Components and Non-TOE Hardware and Software
Table 2 – Logical Scope of the TOE
Table 3 – Threats
Table 4 – Assumptions
Table 5 – Security Objectives for the TOE
Table 6 – Security Objectives for the Operational Environment
Table 7 – Mapping Between Objectives, Threats, OSPs, and Assumptions
Table 8 – Summary of Security Functional Requirements
Table 9 – Mapping of SFRs to Security Objectives
Table 10 – Functional Requirement Dependencies
Table 11 – Security Assurance Requirements
Table 12 – NetWorker Server Roles and Privileges
Table 13 – Terminology
Table 14 – Acronyms

LIST OF FIGURES

Figure 1 – TOE Diagram
Figure 2 – TOE Boundary

1 SECURITY TARGET INTRODUCTION

This Security Target (ST) defines the scope of the evaluation in terms of the assumptions made, the intended environment for the Target of Evaluation (TOE), the Information Technology (IT) security functional and assurance requirements to be met, and the level of confidence (evaluation assurance level) to which it is asserted that the TOE satisfies its IT security requirements. This document forms the baseline for the Common Criteria (CC) evaluation.

1.1 DOCUMENT ORGANIZATION

Section 1, ST Introduction, provides the ST reference, the TOE reference, the TOE overview and the TOE description.

Section 2, Conformance Claims, describes how the ST conforms to the Common Criteria and Packages. This ST does not conform to a Protection Profile (PP).

Section 3, Security Problem Definition, describes the expected environment in which the TOE is to be used. This section defines the set of threats that are relevant to the secure operation of the TOE, organizational security policies with which the TOE must comply, and secure usage assumptions applicable to this analysis.

Section 4, Security Objectives, defines the set of security objectives to be satisfied by the TOE and by the TOE operating environment in response to the problem defined by the security problem definition.

Section 5, Extended Components Definition, defines the extended components.

Section 6, Security Requirements, specifies the security functional and assurance requirements that must be satisfied by the TOE and the IT environment.

Section 7, TOE Summary Specification, describes the security functions that are included in the TOE to enable it to meet the IT security functional requirements.

Section 8, Terminology and Acronyms, defines the acronyms and terminology used in this ST.

1.2 SECURITY TARGET REFERENCE

ST Title: Dell EMC NetWorker 9.1 Security Target
ST Version: 1.2
ST Date: 10 July 2017

1.3 TOE REFERENCE

TOE Identification: Dell EMC NetWorker 9.1.0.5 build 89
TOE Developer: EMC Corporation
TOE Type: Backup and Recovery Solution (Data Protection)

1.4 TOE OVERVIEW

EMC NetWorker is a backup and recovery solution that provides robust access control, authentication and auditing. It is implemented as a collection of services on Windows and Linux based systems, as well as several Command Line Interfaces (CLIs) and Graphical User Interfaces (GUIs). An administrator may initiate NetWorker functions either from within the GUI-based NetWorker Management Console (NMC) Applet or from a set of NetWorker command-line interfaces. Additionally, end users of client systems can perform ad-hoc backup and restore operations.

The evaluated configuration of the TOE consists of four major components:

- NetWorker Server and Authentication Service software running on a dedicated Linux instance on general purpose computing hardware
- NetWorker Client software running in two separate instances on general purpose computing hardware for:
  o Windows Server 2008 R2
  o Linux (Red Hat Enterprise Linux 6.6)
- NetWorker Storage Node software running on a dedicated Linux instance on general purpose computing hardware with an attached storage device
- NMC Server software running on a dedicated Linux instance on general purpose computing hardware. The NMC Server delivers the NMC Applet, which runs from a Java Virtual Machine within a supported web browser

The TOE is a software only TOE.

1.5 TOE DESCRIPTION

1.5.1 Physical Scope

Figure 1 shows the deployment for the evaluated configuration. Note that the lines indicate the primary communications paths only. Figure 2 shows the TOE Boundary.

Figure 1 – TOE Diagram

Figure 2 – TOE Boundary

The evaluated configuration of EMC NetWorker is made up of the following components:

- NetWorker Server (with the Auth-C authentication service)
- NetWorker Client (on both Red Hat Enterprise Linux 6.6 and Windows Server 2008 R2)
- NetWorker Storage Node
- NetWorker Management Console (NMC) Server, including the downloadable NMC Applet

Additionally, a customer would be required to implement the EMC Electronic License Management Server (ELMS). This is required to install and configure NetWorker, but is not involved in the day to day operation of the software, or the enforcement of the security claims.

1.5.1.1 NetWorker Server

Each NetWorker Server provides backup/recovery scheduling, queuing and coordination, and management of data lifecycles, volume pools, client indexes, and media databases.

The Server coordinates backup operations. This involves defining the save sets to be backed up, creating entries for the client index and media database structures, and coordinating volume pools for receiving backup data. Write operations require server coordination to optimize performance by taking advantage of server parallelism and managing writes between local and remote storage nodes. Recover operations require the server to manage reads from the volumes and to optimize performance through server parallelism. Server parallelism controls how many total streams from all its clients a NetWorker Server allows to be simultaneously active for the purposes of backup or recovery. Data lifecycle operations require that the server routinely compare the age and status of stored data with policies specified by the administrator, and take the action required to implement those policies. Volume management operations require the server:

a. to locate volumes required by operations, and to automatically mount, unmount, and label those volumes as needed;
b. to inventory autochangers; and
c. to clone and stage data from one volume to another as requested.

The NetWorker Server includes the Authentication Service. This service provides users with an authentication token that is supplied with each subsequent request.

1.5.1.2 NetWorker Client

The NetWorker client software provides client-initiated backup and recovery functionality and communicates with the other NetWorker components. The NetWorker Client software is installed on all computers that are backed up in the NetWorker implementation.

1.5.1.3 NetWorker Storage Node

The NetWorker Storage Node software is installed on a computer resource with directly connected storage devices. The Storage Node software is installed by default with the NetWorker Server, but is installed on a separate machine in the evaluated configuration.

Data may be backed up directly to storage resources associated with the NetWorker Server or may be sent to a NetWorker Storage Node. A storage node controls storage devices such as tape drives, disk devices, autochangers, and silos. Using a storage node off-loads much of the data transfer involved in backup and recovery operations from the NetWorker Server, thereby improving overall performance.

1.5.1.4 NetWorker Management Console Server

The NetWorker Management Console (NMC) Server is a Java-based web application server that provides centralized management, monitoring, and reporting of backup operations for NetWorker Servers and NetWorker Clients across multiple datazones. The NMC Server is accessed through a GUI that may be run from any computer with a supported web browser and Java Runtime Environment (JRE).

1.5.2 TOE Environment

The following operating system and hardware components are required for operation of the TOE in the evaluated configuration.

| TOE Component | Supporting Software and Operating System | Supporting Hardware |
|---|---|---|
| NetWorker Server | Red Hat Enterprise Linux 6.6 | General Purpose Computing Hardware |
| Authentication Service | Red Hat Enterprise Linux 6.6 | General Purpose Computing Hardware |
| NMC | Red Hat Enterprise Linux 6.6 | General Purpose Computing Hardware |
| NMC Applet | Browser (Mozilla Firefox 52), Windows 7 SP1 | General Purpose Computing Hardware |
| NetWorker Storage Node | Red Hat Enterprise Linux 6.6 | General Purpose Computing Hardware |
| Windows Client | Windows Server 2008 R2 | General Purpose Computing Hardware |
| Linux Client | Red Hat Enterprise Linux 6.6 | General Purpose Computing Hardware |

Table 1 – TOE Components and Non-TOE Hardware and Software

1.5.3 TOE Guidance

The TOE includes the following guidance documentation:

- EMC NetWorker Version 9.1 Installation Guide
- EMC NetWorker Version 9.1 Administration Guide
- EMC NetWorker Version 9.1 Command Reference Guide
- EMC NetWorker Version 9.1 Security Configuration Guide
- EMC NetWorker Version 9.1 Error Message Guide

1.5.4 Logical Scope

The logical boundary of the TOE includes all interfaces and functions within the physical boundary. The logical boundary of the TOE may be broken down by the security function classes described in Section 6. Table 2 summarizes the logical scope of the TOE.

| Functional Classes | Description |
|---|---|
| Security Audit | Audit entries are generated for security related events. The audit logs are stored and protected from unauthorized modification and deletion. |
| User Data Protection | The TOE provides a role-based access control capability to ensure that only authorized administrators are able to administer the TOE. The TOE provides backup and recovery functionality. |
| Identification and Authentication | Users must identify and authenticate prior to gaining TOE access. |
| Security Management | The TOE provides management capabilities via a Web Based GUI and through a CLI. Management functions allow the administrators to perform system configuration, user management, and backup and recovery operations. |
| Protection of the TSF | A retention setting may be applied to save sets indicating the date before which the save set may not be deleted. |
| TOE Access | A banner is presented on user login to the NMC. |

Table 2 – Logical Scope of the TOE

1.5.5 Functionality Excluded from the Evaluated Configuration

The following features are excluded from this evaluation:

- Although NetWorker supports backup and recovery from many different platforms, only Windows and Linux were evaluated.
- Integration with other EMC products was not evaluated.

2 CONFORMANCE CLAIMS

2.1 COMMON CRITERIA CONFORMANCE CLAIM

This Security Target claims to be conformant to Version 3.1 of Common Criteria for Information Technology Security Evaluation according to:

- Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; CCMB-2012-09-001, Version 3.1, Revision 4, September 2012
- Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components; CCMB-2012-09-002, Version 3.1, Revision 4, September 2012
- Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components; CCMB-2012-09-003, Version 3.1, Revision 4, September 2012

As follows:

- CC Part 2 conformant
- CC Part 3 conformant

The Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012 has to be taken into account.

2.2 ASSURANCE PACKAGE CLAIM

This Security Target claims conformance to Evaluation Assurance Level (EAL) 2 augmented with ALC_FLR.2 Flaw Reporting Procedures.

2.3 PROTECTION PROFILE CONFORMANCE CLAIM

This ST does not claim conformance of the TOE with any Protection Profile.

3 SECURITY PROBLEM DEFINITION

3.1 THREATS

Table 3 lists the threats addressed by the TOE. Potential threat agents are authorized TOE users, and unauthorized persons. The level of expertise of both types of attacker is assumed to be unsophisticated. TOE users are assumed to have access to the TOE, extensive knowledge of TOE operations, and to possess a high level of skill. They have moderate resources to alter TOE parameters, but are assumed not to be wilfully hostile. Unauthorized persons have little knowledge of TOE operations, a low level of skill, limited resources to alter TOE parameters and no physical access to the TOE.

Mitigation to the threats is through the objectives identified in Section 4.1, Security Objectives for the TOE.

| Threat | Description |
|---|---|
| T.DATALOSS | A user or system failure may cause the loss of critical user data resulting in users being unable to continue their work. |
| T.UNAUTH | An unauthorized user may be able to view recovery files or access security management functions, resulting in unauthorized access to user data. |
| T.UNDETECT | Authorized or unauthorized users may be able to access TSF or user data or modify TOE behaviour without a record of those actions in order to circumvent TOE security functionality. |

Table 3 – Threats

3.2 ORGANIZATIONAL SECURITY POLICIES

There are no Organizational Security Policies applicable to this TOE.

3.3 ASSUMPTIONS

The assumptions required to ensure the security of the TOE are listed in Table 5.

| Assumptions | Description |
|---|---|
| A.LOCATE | The TOE will be located within controlled access facilities, which will prevent unauthorized physical access. |
| A.MANAGE | There are one or more com |
