Validated Product - BAE Military Message Handling System (MMHS) Filters version 1.1.1

PRODUCT DESCRIPTION

BAE - IT designed, developed and implemented the Military Message Handling System (MMHS) Trusted Guard Release Version 1.1.1, which provides the capability of supporting the Defense Electronic Mail System (DEMS II), exchange of unclassified, designated, and classified military message traffic. Through a Secure/Multipurpose Internet Mail Extensions Version 3 with Enhanced Security Services (S/MIME v3 Ess) based solution, the MMHS will enable other Government Departments (OGD) users to electronically process and disseminate unclassified, designated, and classified military message traffic up to and including secret. The distinguishing feature of the MMHS Trusted Guard Release Version 1.1.1 is that it runs on the BAE EAL5+ STOP 6.1.E Trusted Operating System.

The MMHS Trusted Guard is designed to provide a high level of assurance (protection against circumvention, intrusion and tampering) and special filtering functions requiring and permitting connectivity between networks operating at different classification levels. The MMHS Trusted Guard consists of high assurance hardware and software elements that exist to prevent malicious messages from entering a system-high enclave, as well as prevent unauthorized transfer of information from a secure domain to another.

The MMHS Trusted Guard accepts as inputs, based on configurable option, X.400 and/or SMTP messages, LDAP responses for PKI data, and data stored on the local hard drive. Output data consists of X.400 and SMTP messages to be transferred access the guarded boundary, X.400 and SMTP Journal and audit messages stored on the local hard drive in log files.

The MMHS TOE specifically includes six filters within the content Validation Server subsystem in MMHS. The TOE and the TSF are identical. User data is considered to be mail messages transiting the TOE and the security attributes of each mail message. There is no TSF data. The six MMHS filters that comprise the TSF are:

• No Signed Receipts Request Filter
• Min/Max Filter
• Message Precedence (Routine or Lower) Filter
• Valid Message Format Filter
• Security Label (Protected B or Lower) Filter
• No Attachment Filter

The TOE evaluated configuration consists of the TOE running within the MMHS guard application running on the EAL5 certified XTS-400 Trusted Operating System. The logical boundary of the TOE includes the six filters described above. The physical boundary of the TOE is the software that implements the six filters; the TOE environment is the entire MMHS guard application running on the XTS-400 Trusted Operating System.

The filters themselves do not enforce access control. Each filter provides a decision function for access control to be implemented on the message. Furthermore, filtering is dependent upon the installation environment, local administration and the application into which the filters are integrated for physical security and the integrity of the data from which it uses to perform this filtering.

SECURITY EVALUATION SUMMARY

The BAE MMHS Trusted Guard version 1.1.1 TOE was evaluated against the Common Criteria for Information Technology Security Evaluation, Version 2.2, by the CygnaCom Solutions Common Criteria Testing Laboratory (CCTL). The evaluation methodology used was the Common Methodology for Information Technology Security Evaluation, Version 2.2. The CCTL concluded that the TOE was Common Criteria Part 2 and Part 3 conformant with EAL4, and is recommending that a certificate be issued. The validation was conducted by NIAP’s Common Criteria Evaluation and Validation Scheme (CCEVS). The evaluation was completed on 21 April 2006

ENVIRONMENTAL STRENGTHS

The Information Flow Control Security Function Policies that are included in the MMHS Guard:

• P.MAILONLY – The TOE enforces the P.MAILONLY security policy by not allowing Mail messages to require a receipt, allowing only routine or lower priority messages, and only allowing properly formatted mail messages. The filters that implement this policy are:
• No Signed Receipts Request Filter – The TOE does not allow mail messages that require a receipt to pass through the TOE.
• Message Precedence Filter – The TOE checks all messages for message precedence setting values and where such values are found, allows only those messages that have supported precedence levels to pass through the TOE.
• Valid Message Format Filter – The TOE allows only properly formatted messages to pass through the TOE.
• P.LABELFILTER – The TOE enforces the P.LABELFILTER security policy by only allowing Mail messages marked at one of the security levels Unclassified, Protected A, or Protected B. The filters that implement this policy are:
• Security Label (Protected B or Lower) Filter – The TOE checks that each message contains a valid security label and that the security label is appropriate for the message source and message destination networks and will allow only those messages with a valid security label and an appropriate security label for the message source and message destination networks to pass through the TOE.
• Min/Max Filter – The TOE checks the message recipient clearance against a defined minimum recipient clearance and check the message security label against a maximum security label for the particular type of recipient and if either check fails, does not allow the message to pass through the TOE.
• P.MOD_NOATTACHMENT – The TOE enforces the P.MOD_NOATTACHMENT security policy by not allowing Mail messages to have more than one P772 body part. The filter that enforces this policy is:
• No Attachment Filter – The TOE does not allow mail messages with attachments, i.e., mail messages with more than two body parts where one is the message itself and the other is the message body text, to pass through the TOE.

The TOE is hosted on a trusted operating system evaluated at a Common Criteria EAL5 level or higher, which protects filter application files and ensure directories are protected from unauthorized access.