1
National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
Market Central, Inc.
SecureSwitch® Dual Network Switch
Model #5000600
Report Number: CCEVS-VR-01-0004
Dated: October 31, 2001
Version: 1.03
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6740
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740
®
TM
2
ACKNOWLEDGEMENTS
Validation Team
Timothy J. Bergendahl
The MITRE Corporation
Bedford, MA 01730
Common Criteria Testing Laboratory
COACT, Inc. CAFE Laboratory
Columbia, MD 21046
The following trademark is acknowledged:
SecureSwitch® is a registered trademark of Market Central, Inc.
3
Table of Contents
Figures .................................................................................................................................3
Tables...................................................................................................................................3
1. Executive Summary........................................................................................................4
2. Identification...................................................................................................................5
3. Security Policy ................................................................................................................7
4. Assumptions and Clarification of Scope......................................................................7
4.1 Usage Assumptions....................................................................................................7
4.2 Environmental Assumptions ......................................................................................8
4.3 Clarification of Scope.................................................................................................8
5. Architectural Information.............................................................................................8
6. Documentation..............................................................................................................10
7. IT Product Testing .......................................................................................................10
8. Evaluated Configuration .............................................................................................12
9. Results of Evaluation....................................................................................................12
10. Comments/Recommendations...................................................................................13
11. Security Target ...........................................................................................................13
12. Acronyms.....................................................................................................................13
13. Bibliography................................................................................................................14
14. Certificate Details.......................................................................................................15
Figures
Figure 1. SecureSwitch®, front view................................................................................6
Figure 2. SecureSwitch®, rear view. ................................................................................6
Figure 3. Left Ethernet PC board assembly....................................................................9
Figure 4. Shielded tubes, each containing an Ethernet PC board assembly................9
Figure 5. Shielded tubes, each containing an Ethernet PC board assembly, in
position within the TOE...........................................................................................10
Tables
Table 1. Evaluator test results for the SecureSwitch® Dual Network Switch, Model
#5000600 TOE...........................................................................................................11
4
1. Executive Summary
The purpose of this report is to document the results of the evaluation of SecureSwitch®
Dual Network Switch, Model #5000600, a product of Market Central, Inc., of Pittsburgh,
PA.1
This report is not an endorsement of the product by any agency of the United States
Government, and no warranty of the product is either expressed or implied.
Evaluation at EAL42
of SecureSwitch® Dual Network Switch, Model #5000600, a stand-
alone, all-hardware product was performed by the COACT, Inc.3
CAFE Laboratory of
Columbia, MD. The project, which also involved the evaluation of the applicable
Security Target (ST), was completed on October 31, 2001.
The SecureSwitch Dual Network Switch, Model #5000600 TOE is a mechanical switch
assembly that controls the connections to two separate networks. The TOE provides the
capability to connect to only one of the networks at any given time, and prevents
crosstalk, or bleed-over, from one network to the other. The TOE consists of two
separate mechanical switches, connected with a non-metallic bar that prevents both
switches from being either open or closed at the same time. One switch must be open
and one closed. The housing of the TOE is also non-metallic, to prevent conduction of
any signal between the two separate networks. Additionally, internal to the TOE, each of
the switch mechanisms is encased in a composite copper/iron shielding to prevent any
electromagnetic coupling of the two networks. The non-metallic housing of the TOE is
assembled with tamper-resistant screws to reduce the possibility of a user gaining
physical access to the composite copper/iron shielding, switches, and/or internal wiring.
The SecureSwitch® Dual Network Switch, Model #5000600 does not claim conformance
to any Protection Profile (PP).
The Security Target (ST) for the SecureSwitch® Dual Network Switch, Model
#5000600, is contained within the COACT, Inc. document Market Central
SecureSwitch® Security Target, V1.3, dated October 29, 2001 [STV1.3]. The ST is
compliant with the Specification of Security Targets requirements found within Annex C
of Part 1 of the CC [CCV2.1P1].
The SecureSwitch® Dual Network Switch, Model #5000600 TOE has been shown to be
compliant with the TOE security functional requirements; the IT security functional
requirements; and the security assurance requirements identified within the ST.
1
Market Central, Inc., 500 Business Center Drive, Pittsburgh, PA 15205-1333. Telephone: (412) 494-2800.
2
Not all acronyms are expanded within this Validation Report. The Acronyms section of this report
contains several acronyms and expansions..
3
COACT, Inc., Rivers Ninety Five, 9140 Guilford Road, Suite L, Columbia, MD 21046. Telephone: (301)
498-0150.
5
• The TOE security functional requirements identified in the ST are:
FDP_IFC.2 Complete information flow control; FDP_IFF.1 Simple security
attributes; FPT_SEP.1 TSF domain separation; ESP_ISO.1 Electronic
Isolation – Network Sides; ESP_ISO.2 Electronic Isolation – Open Switch;
and ESP_SHL.1 Electronic Shielding. The later three TOE functional
requirements are extensible requirements.
• The IT security functional requirements identified in the ST are: FMT_MSA.1
Management of security attributes and FMT_MSA.3 Static attribute
initialisation.
• The security assurance requirements identified in the ST are those of EAL4.
The CCTL has presented work units and rationale that are consistent with the CC, the
Common Methodology for Information Technology Security Evaluation (CEM) [CEM],
and CCEVS Publication Number 4, Guidance to CCEVS Approved Common Criteria
Testing Laboratories [CCEVS4]. The CCTL evaluation team concluded that:
• The requirements of Class ASE: Security Target evaluation have been met, and
issued a Pass verdict for the Security Target (ST) [STV1.3].
• The TOE security functional requirements; the IT security functional requirements;
and the EAL4 assurance requirements identified within the ST [STV1.3] for the
SecureSwitch® Dual Network Switch, Model #5000600 TOE have been met, and
issued a Pass verdict for the TOE.
The validation team followed the procedures outlined in the CCEVS Publication Number
3, Guidance to Validators of IT Security Evaluations [CCEVS3]. The validation team
concluded that the evaluation verdicts of Pass for both the ST and the TOE.
2. Identification
Name and model number of evaluated product:
SecureSwitch® Dual Network Switch, Model #5000600
Developer:
Market Central Inc.
500 Business Center Drive
Pittsburgh, PA 15205-1333
Voice: (412) 494-2800
TOE Description:
6
The SecureSwitch Dual Network Switch, Model #5000600 TOE is a mechanical switch
assembly that controls the connections to two separate networks. The TOE provides the
capability to connect to only one of the networks at any given time, and prevents
crosstalk, or bleed-over, from one network to the other. The TOE consists of two
separate mechanical switches, connected with a non-metallic bar that prevents both
switches from being either open or closed at the same time. One switch must be open
and one closed. The housing of the TOE is also non-metallic, to prevent conduction of
any signal between the two separate networks. Additionally, internal to the TOE, each of
the switch mechanisms is encased in a composite copper/iron shielding, to prevent any
electromagnetic coupling of the two networks. The non-metallic housing of the TOE is
assembled with tamper-resistant screws, to reduce the possibility of a user from gaining
physical access to the composite copper/iron shielding, switches, and internal wiring.
Images of the SecureSwitch Dual Network Switch, Model #5000600 TOE are shown in
Figure 1 and Figure 2.
Figure 1. SecureSwitch®, front view.
Figure 2. SecureSwitch®, rear view.
7
3. Security Policy
The security policy for the SecureSwitch® Dual Network Switch, Model #5000600 TOE,
a mechanical switch assembly that controls connections to two separate networks, is as
follows:
1. The networks are identified as Network A and Network B. Both Network A
and Network B interface with the TOE via RJ45 connectors located at the rear
of the TOE (see Figure 2).
2. The TOE allows signals from either Network A or Network B to pass through
it. The user of the TOE selects either Network A or Network B as the signal
source via switches located at the front of the TOE (see Figure 1). These
switches are joined by a bar in a manner that prevents both switches from
being opened (i.e., no signal flow) or closed (i.e., signal flow) at the same
time.
3. For the TOE, the following electronic isolation metric shall apply to ensure
there is a minimum isolation between two sides of an open switch:
• From 200 kHz to 300 kHz, the TOE shall show an attenuation greater than
78 dB.
• From 300 kHz to 1.3 MHz, the TOE shall show an attenuation greater than
78 dB.
• From 1.0 MHz to 11.0 MHz, the TOE shall show an attenuation greater
than 79 dB.
• From 10.0 MHz to 110.0 MHz, the TOE shall show an attenuation greater
than 75 dB.
Note: Quality RF coaxial switches normally are rated > 60 dB.
4. Assumptions and Clarification of Scope
4.1 Usage Assumptions
The SecureSwitch® Dual Network Switch, Model #5000600 is an all-hardware stand-
alone TOE. The following assumptions were made during the evaluation of the TOE.
• The TOE was assumed to be connected as follows:
- to one computer and two separate networks using standard network connectors
or
8
- to two separate computers and two separate networks using standard network
connectors;
• Connections to and from the TOE were assumed to involve shielded cabling to
minimize emanations from the connections;
• Users of the TOE were assumed to possess the necessary privileges to access the
network connections managed by the TOE;
• Users of the TOE were assumed to be non-hostile;
• Users of the TOE were assumed to follow all guidance.
4.2 Environmental Assumptions
The following environmental assumption was made during the evaluation of the
SecureSwitch® Dual Network Switch, Model #5000600 TOE.
• The TOE was assumed to be located within controlled access facilities to prevent
unauthorized physical access.
4.3 Clarification of Scope
The SecureSwitch® Dual Network Switch, Model #5000600 was evaluated as a stand-
alone TOE. In practice, however, it is realistic to assume that a purchaser of the TOE will
use the product as a component of a system (e.g., consisting of a PC supporting an
operating system and application software; a monitor; a keyboard; a mouse; network
interface cards; shielded cables; and the TOE). Although the TOE has been evaluated at
EAL4, it cannot be assumed that such a system provides EAL4 assurance.
5. Architectural Information
The all-hardware SecureSwitch® Dual Network Switch, Model #5000600 TOE is
comprised of three layers, identified as follows:
• The two independent switch mechanisms (see Figure 1, Figure 4, and Figure 5);
• The electronic interface connectors (see Figure 3);
• The copper/iron shielded casing (see Figure 4 and Figure 5).
Figure 1 and Figure 2 show the front and rear view, respectively, of the TOE. As can be
seen in Figure 1, each of the two switch interfaces has a knob attached. The two knobs
are connected by a crossbar, enabling both of them to switch at the same time. The
crossbar is the only connection between the two switching mechanisms.
Figure 3 contains an image of the left Ethernet PC board assembly (there are two per
TOE, one left and one right).
9
Figure 3. Left Ethernet PC board assembly.
Each Ethernet PC board assembly is placed into a proprietary copper/iron shielded
casing as shown in Figure 4.
Figure 4. Shielded tubes, each containing an Ethernet PC board assembly.
Figure 5 shows the two shielded tubes, each containing an Ethernet PC board assembly,
in position within the TOE prior to placement of the upper external protective casing.
10
Figure 5. Shielded tubes, each containing an Ethernet PC board assembly, in
position within the TOE.
The fully-assembled SecureSwitch® Dual Network Switch, Model #5000600 TOE
(Figure 1 and Figure 2) contains no electrical connections between the two independent
switch mechanisms.
6. Documentation
The following document contains details relating to the installation and operation of the
SecureSwitch® Dual Network Switch, Model #5000600 TOE.
Market Central, March 1998, Part Number 5000600, SecureSwitch®, Ethernet/Ethernet
Guide.
The document cited above is non-proprietary and is distributed with each purchased
SecureSwitch® Dual Network Switch, Model #5000600.
7. IT Product Testing
Market Central, Inc. provided tests and test results applicable to the SecureSwitch® Dual
Network Switch, Model #5000600 TOE.
COACT, Inc. CAFE Laboratory evaluators tested the TOE. Some of the tests conducted
directly exercised the TSF. These specific tests are shown in Table 1.
11
Test
Identifier
Test Description Expected Results Actual Results
ET13 From 200 kHz to 300 kHz
the TOE should show an
attenuation greater than 80
dB.
The TOE will show
an attenuation
greater than 80 dB.
The TOE shows an
attenuation greater
than 78.25 dB at
250.0 kHz that is
limited by machine
noise from the
spectrum analyzer.
ET14 From 300 kHz to 1.3
MHz, the TOE should
show an attenuation
greater than 80 dB.
The TOE will show
an attenuation
greater than 80 dB.
The TOE shows an
attenuation greater
than 78.69 dB at
800.0 kHz that is
limited by machine
noise from the
spectrum analyzer.
ET15 From 1.0 MHz to 11.0
MHz, the TOE should
show an attenuation of 80
dB up to 7 MHz, and then
decrease to 75 dB at 11
MHz.
The TOE will show
an attenuation of 80
dB up to 7 MHz that
then decreases to 75
dB at 11 MHz.
The TOE shows an
attenuation greater
than 79.46 dB at
10.0 MHz that is
limited by machine
noise from the
spectrum analyzer.
This attenuation
remains level with
the machine noise,
up to 11.0 MHz.
ET16 From 10.0 MHz to 110.0
MHz, the TOE should
show an attenuation of 60
dB up to 30 MHz.
The TOE will show
an attenuation of 60
dB up to 30 MHz.
The TOE shows an
attenuation greater
than 75.0 dB at
100.0 MHz that is
limited by machine
noise from the
spectrum analyzer.
Table 1. Evaluator test results for the SecureSwitch® Dual Network Switch, Model
#5000600 TOE.
The evaluators also designed and executed other tests to demonstrate that the
SecureSwitch® Dual Network Switch, Model #5000600 TOE operates as specified.
12
8. Evaluated Configuration
The SecureSwitch® Dual Network Switch, Model #5000600 TOE is delivered in the
evaluated configuration. The all-hardware TOE does not use software, is a passive
device, and does not provide data execution or storage capabilities.
9. Results of Evaluation
The Security Target (ST) for the SecureSwitch® Dual Network Switch, Model
#5000600, is contained within the COACT, Inc. document Market Central
SecureSwitch® Security Target, V1.3, dated October 29, 2001 [STV1.3]. The ST is
compliant with the Specification of Security Targets requirements found within Annex C
of Part 1 of the CC [CCV2.1P1].
The SecureSwitch® Dual Network Switch, Model #5000600 TOE has been shown to be
compliant with the TOE security functional requirements; the IT security functional
requirements; and the security assurance requirements identified within the ST.
• The TOE security functional requirements identified in the ST are:
FDP_IFC.2 Complete information flow control; FDP_IFF.1 Simple security
attributes; FPT_SEP.1 TSF domain separation; ESP_ISO.1 Electronic
Isolation – Network Sides; ESP_ISO.2 Electronic Isolation – Open Switch;
and ESP_SHL.1 Electronic Shielding. The later three TOE functional
requirements are extensible requirements.
• The IT security functional requirements identified in the ST are: FMT_MSA.1
Management of security attributes and FMT_MSA.3 Static attribute
initialisation.
• The security assurance requirements identified in the ST are those of EAL4.
The CCTL has presented work units and rationale that are consistent with the CC, the
Common Methodology for Information Technology Security Evaluation (CEM) [CEM],
and CCEVS Publication Number 4, Guidance to CCEVS Approved Common Criteria
Testing Laboratories [CCEVS4]. The CCTL evaluation team concluded that:
• The requirements of Class ASE: Security Target evaluation have been met,
and issued a Pass verdict for the Security Target (ST) [STV1.3].
• The TOE security functional requirements; the IT security functional
requirements; and the EAL4 assurance requirements identified within the ST
[STV1.3] for the SecureSwitch® Dual Network Switch, Model #5000600
TOE have been met, and issued a Pass verdict for the TOE.
13
10. Comments/Recommendations
10.1 Evaluator Comments
COACT, Inc. CAFE Laboratory evaluators included the following individuals.
• Arthur K. Arber
• Jennifer A. Arthur
• Eric J. Grimes
• Tiffani A. Parsons
• Peter C. Sargent
10.2 Validator Comments
The following Validator comments are provided:
• The SecureSwitch® Dual Network Switch, Model #5000600 is an all-hardware
TOE that was evaluated as a stand-alone product;
• Testing of the SecureSwitch® Dual Network Switch, Model #5000600 TOE was
well thought out, thorough, and very professionally done.
11. Security Target
The following document, incorporated here by reference, is the Security Target (ST) for
the Market Central, Inc., SecureSwitch® Dual Network Switch, Model #5000600:
• Market Central SecureSwitch® Security Target, V1.3, dated October 29, 2001,
COACT Inc. document number F4-1001-002 [STV1.3].
12. Acronyms
14
Acronym Expansion
CC Common Criteria for Information Technology Security
Evaluation. [Note: Within this Validation Report, CC
always means Version 2.1, dated August 1999.]
CCEVS Common Criteria Evaluation and Validation Scheme
CCTL Common Criteria Testing Laboratory
EAL Evaluation Assurance Level
MHz Megahertz
NIAP National Information Assurance Partnership
NIST National Institute of Standards and Technology
NSA National Security Agency
NVLAP National Voluntary Laboratory Accreditation Program
PC Personal Computer
PP Protection Profile
RF Radio Frequency
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functions
dB decibel
kHz Kilohertz
13. Bibliography
URLs
• Common Criteria Evaluation and Validation Scheme (CCEVS):
(http://niap.nist.gov/cc-scheme).
• COACT, Inc. CAFE Laboratory: (http://www.coact.com/cafe.html).
• Market Central, Inc.: (http://www.mctech.com).
CCEVS Documents
[CCV2.1P1] Common Criteria for Information Technology Security Evaluation,
Version 2.1, Part 1: Introduction and general model, August 1999,
CCIMB-99-031.
[CCV2.1P2] Common Criteria for Information Technology Security Evaluation,
Version 2.1, Part 2: Security functional requirements, August 1999,
CCIMB-99-032.
15
[CCV2.1P3] Common Criteria for Information Technology Security Evaluation,
Version 2.1, Part 3: Security Assurance Requirements, August 1999,
CCIMB-99-033.
[CEMV.10P2] Common Methodology for Information Technology Security Evaluation,
Version 1.0, Part 2: Evaluation Methodology, August 1999, CEM-99/045.
CCEVS Documents
[CCEVS3] NIAP Common Criteria Evaluation and Validation Scheme for IT
Security: Guidance to Validators of IT Security Evaluations, Draft,
Version 0.5, February 2001.
[CCEVS4] NIAP Common Criteria Evaluation and Validation Scheme for IT
Security: Guidance to Common Criteria Testing Laboratories (Draft)
Version 1.0, 20 March 2001.
Other Documents
[STV1.3] Market Central SecureSwitch® Security Target, V1.3, dated October 29,
2001, COACT Inc. document number F4-1001-002.
[Guide98] Market Central, March 1998, Part Number 5000600, SecureSwitch®,
Ethernet/Ethernet Guide.
14. Certificate Details
Product Name: SecureSwitch® Dual Network Switch
Version and Release Numbers: Model #5000600
Evaluation Platform: N/A
Assurance Level: EAL4
Name of CCTL: COACT, Incorporated
Validation Report Number: CCEVS-VR-01-0004
Date Issued: 31 October 2001
Protection Profile Identifier: N/A