Validated Product List

Voltaire 2in1 PC, Version 1.21


Product Name: 2in1 PC, Version 1.21

Product Type: Network Separator

Date: June 21, 1999

Conformance Claim: EAL 2 augmented with ADV_SPM.1

PP Identifier: None

Security Target:

Validation Report:

Key Words: network separator, hardware security controller, IDE, disk partition access control, physical network separation, relays, access control

Vendor: Voltaire Advanced Data Security

POC: Gary D. Markin, Voltaire Advanced Data Security

Phone: (703) 883-8202

Fax: (703) 883-8213

Email:

Web:

CC Testing Lab: COACT, Inc., CAFE Lab


PRODUCT DESCRIPTION:

The 2in1 PC is a hardware-based security device developed by Voltaire Advanced Data Security. It is an ISA-slot card that gives a single PC the ability to securely access two physically separate networks, a Public (B) network and a Secure (A) network. The separation is enforced by a hardware security controller that manages both the PC's connectivity to the two networks and the hard disk partitions associated with each network.

The 2in1 PC operates in a single AT-compatible PC running MS-DOS, Microsoft Windows 3.x, Windows 95, Windows 98, Windows NT (Versions 3.51 and 4), OS/2, SCO or Linux. The PC must have one or two IDE-ATA compatible hard drives. With a single hard drive, installation creates the following partitions: Transition, Public (B), Secure (A) and an optional partition labeled Functional. With two hard drives, the first disk (the master) carries the same partitions as in the one-disk configuration, while the second disk (the slave) is dedicated solely to extending either the Public (B) or the Secure (A) partition.

The 2in1 PC mediates every access to the hard disk by intercepting all IDE traffic between the hard disk and the disk controller on the motherboard, so that a partition is reachable only when the PC's current security state permits it.

The 2in1 PC allows the host PC to operate in only one of three security states at any given time: Transition, Public (B) and Secure (A). When the PC is first powered on, it always boots into the Transition state. In this state, access is granted only to the Transition disk partition, conditional access is granted to the Functional disk partition, and both network connections are physically severed. To change to either the Public (B) or the Secure (A) state, the PC performs a soft boot before the other state is loaded.

In the Public (B) state, access is granted only to the Public (B) disk partition, conditional access is granted to the Functional disk partition if it exists, and the Public (B) network connection is established. In the Secure (A) state, access is granted only to the Secure (A) disk partition, conditional access is granted to the Functional disk partition if it exists, and the Secure (A) network connection is established.

Access to the Functional disk partition is conditional because the Administrator can configure it as a swap space between the Public (B) and Secure (A) disk partitions. For the Public (B) and Secure (A) states, the Administrator configures each state's access to the Functional area as read, read/write or no access. For the Transition state, the Administrator configures that access as either read/write or no access.

When the PC switches between the Public (B) and Secure (A) states, it always performs a soft boot that, by default, loads the Transition state, and then performs a second reboot before loading the target state, Public (B) or Secure (A).

The 2in1 PC security controller manages access to each of the two networks, Public (B) and Secure (A), through four relays, two per network; the current security state of the machine determines whether the pair of relays for each network is connected or disconnected. The supported network connections for both the Public (B) and Secure (A) inputs include Ethernet RJ-45, Fast Ethernet RJ-45, telephone line RJ-11, Token Ring, ISDN, 100Base-T4 Ethernet and 100VG-AnyLAN. Each input is routed through physically separate relays: the Public (B) network input passes through one relay, then through a second, redundant relay in series, and out of the 2in1 PC onto the Public (B) network output; the Secure (A) network input likewise passes through its own pair of series relays and out onto the Secure (A) network output. The outputs of both the Public (B) and Secure (A) connections are routed via a Y-cable into the Network Interface Card on the host PC. Because a network is live only when both of its relays are closed, a single relay that fails closed cannot by itself connect that network, and the four redundant relays achieve physical separation of the two network connections.
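The following is an added example, not Voltaire's firmware or any code from the evaluation: an executable model of the three-state policy in the two paragraphs above, covering per-state partition access, the Administrator's Functional-partition settings, the forced pass through Transition when switching between Public (B) and Secure (A), and the two-relays-in-series network isolation. The class and function names, the "read"/"write" operation strings and the `functional_flow_paths` check are assumptions chosen for illustration.

```python
"""Model of the 2in1 PC security controller policy (illustrative, not vendor code)."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    TRANSITION = "Transition"
    PUBLIC = "Public (B)"
    SECURE = "Secure (A)"


class Partition(Enum):
    TRANSITION = "Transition"
    PUBLIC = "Public (B)"
    SECURE = "Secure (A)"
    FUNCTIONAL = "Functional"


class Access(Enum):
    NONE = "none"
    READ = "read"
    READ_WRITE = "read/write"

    def permits(self, op: str) -> bool:
        allowed = {Access.NONE: set(), Access.READ: {"read"},
                   Access.READ_WRITE: {"read", "write"}}
        return op in allowed[self]


# Each machine state owns exactly one dedicated partition.
OWN_PARTITION = {State.TRANSITION: Partition.TRANSITION,
                 State.PUBLIC: Partition.PUBLIC,
                 State.SECURE: Partition.SECURE}


@dataclass(frozen=True)
class FunctionalPolicy:
    """Administrator-configured access to the Functional partition, per state."""
    transition: Access = Access.NONE
    public: Access = Access.NONE
    secure: Access = Access.NONE

    def __post_init__(self):
        # Transition may only be configured as read/write or no access.
        if self.transition is Access.READ:
            raise ValueError("Transition: Functional access must be read/write or none")

    def for_state(self, state: State) -> Access:
        return {State.TRANSITION: self.transition, State.PUBLIC: self.public,
                State.SECURE: self.secure}[state]


def functional_flow_paths(policy: FunctionalPolicy):
    """(writer state, reader state) pairs: every data path the Administrator has
    opened between domains through the Functional partition (assumed check)."""
    return [(src, dst) for src in State for dst in State
            if src is not dst
            and policy.for_state(src).permits("write")
            and policy.for_state(dst).permits("read")]


@dataclass
class Controller:
    policy: FunctionalPolicy
    has_functional: bool = True
    state: State = State.TRANSITION          # power-on always lands in Transition
    boot_log: list = field(default_factory=list)

    def ide_access_allowed(self, partition: Partition, op: str) -> bool:
        """Mediate one IDE request against the current machine state."""
        if partition is OWN_PARTITION[self.state]:
            return True
        if partition is Partition.FUNCTIONAL and self.has_functional:
            return self.policy.for_state(self.state).permits(op)
        return False

    def relays(self):
        """Two series relays per network; both close only in that network's state."""
        s = self.state
        return {State.PUBLIC: (s is State.PUBLIC, s is State.PUBLIC),
                State.SECURE: (s is State.SECURE, s is State.SECURE)}

    def network_connected(self, network: State) -> bool:
        """A network is live only if both of its relays are closed."""
        return all(self.relays()[network])

    def switch_to(self, target: State) -> list:
        """Soft boot into the target, passing through Transition when moving
        between Public (B) and Secure (A). Returns the sequence of boots."""
        if target is self.state:
            return []
        if self.state is State.TRANSITION or target is State.TRANSITION:
            sequence = [target]
        else:
            sequence = [State.TRANSITION, target]
        for s in sequence:
            self.state = s                   # each entry is one reboot
        self.boot_log.extend(sequence)
        return sequence


if __name__ == "__main__":
    pol = FunctionalPolicy(public=Access.READ, secure=Access.READ_WRITE)
    ctl = Controller(pol)
    ctl.switch_to(State.SECURE)
    ctl.switch_to(State.PUBLIC)
    print("boots:", [s.value for s in ctl.boot_log])
    print("Functional flow paths:", functional_flow_paths(pol))
```

`functional_flow_paths` is the check an administrator would want before signing off a configuration: with Secure (A) set to read/write and Public (B) to read, the model reports a Secure-to-Public path through the Functional partition, which is exactly the swap-space behaviour the page describes and the one setting that crosses the two domains.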

EVALUATION SUMMARY:

The Security Target provided by Voltaire Advanced Data Security defines the security requirements offered by the 2in1 PC. These requirements were derived from the Common Criteria for Information Technology Security Evaluation, Version 2.0, May 1998. The 2in1 PC was evaluated against the security requirements defined in the Security Target, which include both assurance and functional components. The assurance components were verified at EAL2 augmented with ADV_SPM.1, Informal TOE Security Policy Model. The functional component classes verified were User Data Protection, Identification and Authentication, Security Management and Protection of the TOE Security Functions. The evaluation was completed in June 1999 and determined that the 2in1 PC meets all of the requirements defined in the Security Target. For the specific details of the evaluation, refer to the 2in1 PC Final Evaluation Report.

ENVIRONMENTAL STRENGTHS:

Once the 2in1 PC has been installed and correctly configured, it gives a single PC the ability to securely access two physically separate networks. This security is enforced at the physical layer of the Open Systems Interconnection (OSI) stack, by the network relays, and on the IDE bus, by the security controller's mediation of disk access. The only storage shared between the two domains is the optional Functional disk partition, whose per-state read, read/write or no-access settings are chosen by the Administrator; those settings therefore determine whether any data can move between the Public (B) and Secure (A) environments through the disk, and should be reviewed as part of the configuration.