Validated Product - California Microwave Mail List Agent and Profiling User Agent (MLA/PUA) Version 3.1.0 with Patch A

Certificate Date: 13 August 2003

Validation Report Number: CCEVS-VR-03-0044

Product Type: Secure Messaging

Conformance Claim: EAL2

PP Identifiers: None

CC Testing Lab: SAIC Common Criteria Testing Laboratory


PRODUCT DESCRIPTION

The NGSC/CMS MLA/PUA is an enterprise profiling and mail list system. The MLA/PUA is used to automatically identify, filter and distribute Military Message Handling System (MMHS) messages to recipients based on interest profiles. The MLA/PUA integrates Microsoft Exchange 2000 and Microsoft Active Directory Services with the NGSC/CMS MailRoom message profiler. The MLA/PUA also has a mail list capability that uses Directory System Agent (DSA) data to generate a distribution list that can be used to send out mail to the various members of the mail list. The MLA/PUA is designed to operate in a distributed network environment.

The MLA/PUA is composed of two subsystems, the MLA and the PUA. The MLA and PUA are two logical groupings of functions that enforce security policies applied to messages created by a sender when the sender attempts to send the message to a recipient (user, mail-list, port). The TSF enforces mandatory security policy decisions as well as administrator discretionary access control policy decisions, after requesting such decisions from the policy decision maker and providing it with the necessary identity and security label information.

The MLA/PUA interfaces with an Access Control Library (ACL) server – the policy decision maker – that stores access control information about the potential message senders and receivers, including their security labels, as well as access lists that identify allowed sender/receiver pairs. With the sender's identity, the security level of the sender, and the intended receiver's identity, the MLA/PUA calls the ACL server whenever an access decision is required. When called by the MLA/PUA, the ACL server returns a binary decision to grant or refuse access and then the MLA/PUA enforces the access decision.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the CA Microwave MLA/PUA TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1 and NIAP CCEVS and International Interpretations effective on September 16, 2002. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL 2 family of assurance requirements. The product, when configured as specified in the CA Microwave MLA/PUA 3.5 Installation Manual dated 5 August 2003, satisfies all of the security functional requirements stated in the CA Microwave MLA/PUA Security Target (Version 1.0) dated 12 August 2003. One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in August 2003. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-03-0044, dated 13 August 2003) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

The MLA/PUA plays an integrated role in enforcing security policies for sending mail messages among senders and receivers. To accomplish this, the MLA/PUA interacts with a number of environmental entities. MLA/PUA supports two security functions:

Access Control
The MLA/PUA product interfaces with the ACL, which provides access control information about the message recipient, including the security label associated with the recipient (which is not necessarily a person), as well as access lists that identify appropriate sender/receiver pairs. With the level of the sender and the label of the recipient, a security policy engine outside the TOE is called, which returns a binary decision to grant or refuse access. The TOE enforces the access decision. Therefore, the TSF enforces a mandatory security policy as well as an administrator-defined access policy based upon sender and receiver identity.

Identification
The TOE interfaces with the S/MIME Freeware Library (SFL) and the Certificate Management Library (CML) in the IT Environment, as well as the ACL, to provide additional security functions. The CML provides the functions necessary for validating the certificates and their associated certification paths. The SFL provides the decryption and encryption services.

The TOE has the message parsed and decrypted so that the TOE can see the inside signedData, to obtain the message and signed attributes. The inside signed attributes include the inside security label of the message, and the receipt request (if any).

The TOE verifies the outside-originator's signature and the validity of the message. If the signature is invalid, the TOE terminates processing the message. Therefore, through the sender's certificate the TOE identifies the sender as well as the security label of the message, which is the security level at which the message was sent.

The X.500 DSA, which the TOE also interfaces with, contains the MMHS security objects such as public certificates, application certificates, CRLs, and SPIFs. These security objects are downloaded, verified and cached by the TOE to support the enforcement of its security policies.

Northrop Grumman Systems Corporation, California Microwave Systems

Donna Brookes
703.312.2700
703.875.3986 (Fax)
dbrookes@ngc.com

http://www.northropgrumman.com