
122-B

CERTIFICATION REPORT No. CRP255

Citrix XenServer 5.6 Platinum Edition

Issue 1.0
August 2010

Crown Copyright 2010 – All Rights Reserved
Reproduction is authorised, provided that this report is copied in its entirety.

CESG Certification Body
IACS Delivery Office, CESG
Hubble Road, Cheltenham
Gloucestershire, GL51 0EX
United Kingdom

August 2010 Issue 1.0 Page 1 of 20

CRP255 – Citrix XenServer 5.6

CERTIFICATION STATEMENT

The product detailed below has been evaluated under the terms of the UK IT Security Evaluation and Certification Scheme and has met the specified Common Criteria requirements. The scope of the evaluation and the assumed usage environment are specified in the body of this report.

Sponsor: Citrix Systems Inc
Developer: Citrix Systems Inc
Product and Version: Citrix XenServer 5.6 Platinum Edition
Platform: n/a
Description: Citrix XenServer 5.6 Platinum Edition is a server virtualisation product that runs directly on server hardware and establishes an environment comprising a number of virtual machines (or “domains”), each configured to operate with a set of virtual CPU, memory, storage, and network resources.
CC Version: Version 3.1 Revision 3
CC Part 2: Conformant
CC Part 3: Conformant
EAL: EAL2 augmented by ALC_FLR.2
PP Conformance: None
CLEF: SiVenture
CC Certificate: CRP255
Date Certified: 20 August 2010

The evaluation was performed in accordance with the requirements of the UK IT Security Evaluation and Certification Scheme as described in UK Scheme Publication 01 [UKSP01] and 02 [UKSP02P1], [UKSP02P2]. The Scheme has established the CESG Certification Body, which is managed by CESG on behalf of Her Majesty’s Government.

The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target [ST], which prospective consumers are advised to read. To ensure that the Security Target gave an appropriate baseline for a CC evaluation, it was first itself evaluated. The TOE was then evaluated against this baseline. Both parts of the evaluation were performed in accordance with CC Part 1 [CC1] and 3 [CC3], the Common Evaluation Methodology [CEM] and relevant Interpretations.

The issue of a Certification Report is a confirmation that the evaluation process has been performed properly and that no exploitable vulnerabilities have been found in the evaluated configuration of the TOE. It is not an endorsement of the product.

ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY

The CESG Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of the above Arrangement [CCRA] and, as such, this confirms that the Common Criteria certificate has been issued by or under the authority of a Party to this Arrangement and is the Party’s claim that the certificate has been issued in accordance with the terms of this Arrangement.

The judgements [1] contained in the certificate and in this report are those of the Qualified Certification Body which issued them and of the Evaluation Facility which performed the evaluation. There is no implication of acceptance by other Members of the Arrangement Group of liability in respect of those judgements or for loss sustained as a result of reliance placed by a third party upon those judgements.

MUTUAL RECOGNITION AGREEMENT OF INFORMATION TECHNOLOGY SECURITY EVALUATION CERTIFICATES

The SOGIS MRA logo which appears below confirms that the conformant certificate has been authorised by a Participant to this Agreement [MRA] and it is the Participant’s statement that the certificate has been issued in accordance with the terms of this Agreement.

The judgments [1] contained in the certificate and this Certification Report are those of the compliant Certification Body which issued them and of the Evaluation Facility which carried out the evaluation. Use of the logo does not imply acceptance by other Participants of liability in respect of those judgments or for loss sustained as a result of reliance placed upon those judgments by a third party.

[CCRA logo] [CC logo] [SOGIS MRA logo]

[1] All judgements contained in this Certification Report are covered by the CCRA [CCRA] and the MRA [MRA].

TABLE OF CONTENTS

CERTIFICATION STATEMENT ........ 2
TABLE OF CONTENTS ........ 3
I. EXECUTIVE SUMMARY ........ 4
   Introduction ........ 4
   Evaluated Product and TOE Scope ........ 4
   Protection Profile Conformance ........ 4
   Security Claims ........ 4
   Evaluation Conduct ........ 5
   Conclusions and Recommendations ........ 5
   Disclaimers ........ 6
II. TOE SECURITY GUIDANCE ........ 7
   Introduction ........ 7
   Delivery ........ 7
   Installation and Guidance Documentation ........ 7
III. EVALUATED CONFIGURATION ........ 9
   TOE Identification ........ 9
   TOE Documentation ........ 9
   TOE Scope ........ 9
   TOE Configuration ........ 9
   Environmental Requirements ........ 11
   Test Configuration ........ 11
IV. PRODUCT ARCHITECTURE ........ 12
   Introduction ........ 12
   Product Description and Architecture ........ 12
   TOE Design Subsystems ........ 12
   TOE Dependencies ........ 14
   TOE Interfaces ........ 14
V. TOE TESTING ........ 15
   TOE Testing ........ 15
   Vulnerability Analysis ........ 15
   Platform Issues ........ 15
VI. REFERENCES ........ 16
VII. ABBREVIATIONS & GLOSSARY ........ 18

I. EXECUTIVE SUMMARY

Introduction

1. This Certification Report states the outcome of the Common Criteria (CC) security evaluation of Citrix XenServer 5.6 Platinum Edition to the Sponsor, Citrix Systems Inc, as summarised on page 2 ‘Certification Statement’ of this report, and is intended to assist prospective consumers when judging the suitability of the IT security of the product for their particular requirements.

2. Prospective consumers are advised to read this report in conjunction with the Security Target [ST], which specifies the functional, environmental and assurance requirements.

Evaluated Product and TOE Scope

3. The following product completed evaluation to CC EAL2 augmented by ALC_FLR.2 on 4th August 2010:

Citrix XenServer 5.6 Platinum Edition

It is abbreviated to ‘XenServer’ in this document.

4. The Developer was Citrix Systems Inc.

5. XenServer is a server virtualisation product that runs directly on server hardware and establishes an environment comprising a number of virtual machines (or “domains”), each configured to operate with a set of virtual CPU, memory, storage, and network resources. In this way, a single physical server can present a number of separate logical servers, with each server acting as though its resources were independent and running applications on a typical Windows operating system. XenServer maps and schedules the virtual resources onto the physical resources of the server hardware, and thereby provides a number of potential advantages including increased utilisation of the physical server resources.

6. The evaluated configuration of this product is described in this report as the Target of Evaluation (TOE). Details of the TOE Scope, its assumed environment and the evaluated configuration are given in Chapter III ‘Evaluated Configuration’ of this report.

7. Only Hardware Virtual Machine (HVM) Guests are included in the evaluated configuration; Paravirtualised (PV) Guests are not included. Furthermore, Windows is the only Guest operating system (OS) supported in the evaluated configuration.

8. An overview of the TOE and its product architecture can be found in Chapter IV ‘Product Architecture’ of this report. Configuration requirements are specified in Section 1.3.1 of the Security Target [ST].

Protection Profile Conformance

9. The Security Target [ST] does not claim conformance to any protection profile.

Security Claims

10. The Security Target [ST] fully specifies the TOE’s Security Objectives, the Threats which these Objectives counter and the Security Functional Requirements (SFRs) that refine the Objectives. All of the SFRs are taken from CC Part 2 [CC2]; use of this standard facilitates comparison with other evaluated products.

11. The environmental assumptions related to the operating environment are detailed in Chapter III (in ‘Environmental Requirements’) of this report.

Evaluation Conduct

12. The CESG Certification Body monitored the evaluation which was performed by the SiVenture Commercial Evaluation Facility (CLEF). The evaluation addressed the requirements specified in the Security Target [ST]. The results of this work, completed in August 2010, were reported in the Evaluation Technical Report [ETR]. The CESG Certification Body raised comments on [ETR]; those comments were satisfactorily answered by the Evaluators ([ETRSup1], [ETRSup2]).

Conclusions and Recommendations

13. The conclusions of the CESG Certification Body are summarised on page 2 ‘Certification Statement’ of this report.

14. Prospective consumers of Citrix XenServer 5.6 Platinum Edition should understand the specific scope of the certification by reading this report in conjunction with the Security Target [ST]. The TOE should be used in accordance with the environmental assumptions specified in the Security Target. Prospective consumers are advised to check that the SFRs and the evaluated configuration match their identified requirements, and to give due consideration to the recommendations and caveats of this report.

15. The TOE should be used in accordance with the supporting guidance documentation included in the evaluated configuration. Chapter II ‘TOE Security Guidance’ of this report includes a number of recommendations regarding the secure receipt, installation, configuration and operation of the TOE.

16. In addition, the Evaluators’ comments and recommendations are as follows:

a) All guidance necessary to determine that the TOE has been securely delivered, and to securely install and operate the TOE, is provided in or referenced from the TOE’s Delivery Procedures [DP], Evaluated Configuration Guide [CCECG] and Administrator’s Guide [CCAG], which are all available for download from the XenServer 5.6 Common Criteria Version web page, which is reached by following the steps in paragraph 23 below.

b) The consumer’s attention should be drawn to the procedure in the TOE’s Evaluated Configuration Guide [CCECG], section ‘Initial Installation’, to prepare the pool master during installation to ensure sufficient entropy is available for generation of the pool secret.

c) It should be noted that XenCenter and XenCenterWeb are different applications: the XenCenter application supplied by Citrix may be used to manage the TOE in the evaluated configuration, as detailed in paragraph 32 below; XenCenterWeb is deprecated and must not be used in the evaluated configuration.

d) Citrix customers should download the TOE from the Citrix website. On completion of the download, the customer should verify the integrity of the TOE by performing an MD5 hash, as detailed in Chapter II ‘Delivery’ of this report.

Disclaimers

17. This report is only valid for the evaluated TOE. This is specified in Chapter III ‘Evaluated Configuration’ of this report.

18. Certification is not a guarantee of freedom from security vulnerabilities. There remains a small probability (smaller with higher Evaluation Assurance Levels) that exploitable vulnerabilities may be discovered after an evaluation has been completed. This report reflects the CESG Certification Body’s view at the time of certification.

19. Existing and prospective consumers should check regularly for themselves whether any security vulnerabilities have been discovered since the ETR was issued and, if appropriate, should check with the Vendor to see if any patches exist for the product and whether those patches have further assurance.

20. The installation of patches for security vulnerabilities, whether or not those patches have further assurance, should improve the security of the TOE. However, note that unevaluated patching will invalidate the certification of the TOE, unless the TOE has undergone a formal recertification or is covered under an approved Assurance Continuity process by a CCRA certificate-authorising Scheme.

21. All product or company names used in this report are for identification purposes only and may be trademarks of their respective owners.

II. TOE SECURITY GUIDANCE

Introduction

22. The following sections provide guidance of particular relevance to purchasers of the TOE.

Delivery

23. The consumer should download the TOE from https://www.citrix.com, as follows:

a) the consumer logs in to their Citrix customer account, then clicks Downloads;
b) from the Search Downloads by Products list, select XenServer;
c) from the Select Product Version list, select XenServer 5.6;
d) from the list under Product Software, select XenServer 5.6 Common Criteria Version.

24. On completion of the download of the TOE, the consumer is recommended to:

a) confirm that the correct version of the TOE has been downloaded; and
b) verify the integrity of the TOE, by performing an MD5 hash of the software package and comparing it to the values in the checksum file linked to the XenServer 5.6 Common Criteria Version webpage.

25. For reference, the MD5 hash values published in that checksum file are:

fad62ddda35ae897bc1e6e273aaf1121  XenServer-5.6.0-install-cd.iso
b1cd30c131da1bd7de6617bd33c65954  XenServer-5.6.0-source-1.iso
a776866e5c923f94e58d8a04ccc33371  XenServer-5.6.0-source-4.iso

26. Details of these download procedures are provided in the TOE’s Delivery Procedures [DP], which are linked from the above webpage.

Installation and Guidance Documentation

27. The Installation and Secure Configuration documentation is as follows:

a) Common Criteria Delivery Procedures for Citrix XenServer 5.6, Platinum Edition [DP];
b) Citrix XenServer 5.6 Installation Guide [XIG];
c) Citrix XenServer 5.6 Virtual Machine Installation Guide [XVMIG];

d) Common Criteria Evaluated Configuration Guide for Citrix XenServer 5.6, Platinum Edition [CCECG];
e) Common Criteria Administrator’s Guide for Citrix XenServer 5.6, Platinum Edition [CCAG].

28. The Administration Guide documentation is as follows:

a) XenServer 5.6 Administrator's Guide [XAG];
b) Citrix XenServer Management API [XAPI];
c) Common Criteria Administrator’s Guide for Citrix XenServer 5.6, Platinum Edition [CCAG];
d) Common Criteria Evaluated Configuration Guide for Citrix XenServer 5.6, Platinum Edition [CCECG].

29. Owing to the nature of the TOE, User Guide documentation is not necessary.
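The integrity check recommended in paragraphs 24 and 25 (hash each downloaded package and compare it with the entries of the published checksum file), written here as an added POSIX shell example that is not part of this report or of Citrix's delivery procedures; it assumes GNU coreutils md5sum, and the files and hash values it creates for its demonstration are constructed, not the real images or the published hashes.

```shell
#!/bin/sh
# Added example: check downloaded files against a checksum file written in
# md5sum format ("<32 hex digits>  <filename>", one entry per line), which is
# the layout of the three entries quoted in paragraph 25.
# Assumes GNU coreutils md5sum; filenames must not contain whitespace.

# verify_checksums CHECKSUM_FILE DIR
#   Prints one line per entry: OK / MISMATCH / MISSING.
#   Returns 0 only when every listed file is present and its hash matches,
#   so a single wrong or absent package fails the whole delivery.
verify_checksums() {
    checksum_file=$1
    dir=$2
    status=0
    while read -r expected name; do
        [ -z "$expected" ] && continue            # skip blank lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING   $name"
            status=1
            continue
        fi
        # md5sum prints "<hash>  <path>"; keep only the hash field
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (expected $expected, got $actual)"
            status=1
        fi
    done < "$checksum_file"
    return $status
}

# Demonstration on constructed data: the XenServer file names are reused only
# as labels, the contents and hash values below are made up for the example.
# Entry 1 is correct, entry 2 carries a wrong hash, entry 3 names an absent
# file, so the function reports OK, MISMATCH, MISSING and returns 1.
demo_verify() {
    tmp=$(mktemp -d)
    printf 'constructed install image\n' > "$tmp/XenServer-5.6.0-install-cd.iso"
    printf 'constructed source image\n'  > "$tmp/XenServer-5.6.0-source-1.iso"
    {
        md5sum "$tmp/XenServer-5.6.0-install-cd.iso" | sed "s|$tmp/||"
        printf '%s  %s\n' "$(printf '%032d' 0)" XenServer-5.6.0-source-1.iso
        printf '%s  %s\n' "$(printf '%032d' 0)" XenServer-5.6.0-source-4.iso
    } > "$tmp/checksums.md5"
    verify_checksums "$tmp/checksums.md5" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run against a real download as `verify_checksums checksums.md5 /path/to/downloads`, where checksums.md5 is the file linked from the XenServer 5.6 Common Criteria Version page.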

III. EVALUATED CONFIGURATION

TOE Identification

30. The TOE is Citrix XenServer 5.6 Platinum Edition, consisting of “Citrix XenServer 5.6” as downloaded from https://www.citrix.com (as detailed in Chapter II ‘Delivery’ of this report).

TOE Documentation

31. The relevant guidance documentation for the evaluated configuration is identified in Chapter II (in ‘Installation and Guidance Documentation’) of this report.

TOE Scope

32. The TOE Scope is defined in the Security Target [ST] Sections 1.3 and 1.4. Functionality that is outside the TOE Scope is defined in [ST] Section 1.3.1. It should be noted that although the XenCenter management console is not included in the TOE (because it does not implement any security functions, and it is not necessary for their operation), it may be used in the evaluated configuration as a method of administering the TOE over the XML-RPC interface [2].

TOE Configuration

33. The evaluated configuration of the TOE is defined in [ST] Section 1.3.1, and in the TOE’s Evaluated Configuration Guide [CCECG] and Administrator’s Guide [CCAG], as shown in Figure 1 below:

[2] Note the distinction in paragraph 16 between XenCenter and XenCenterWeb.

[Figure 1 - TOE Evaluated Configuration (diagram; recoverable labels: Master-Slave persistent connections, Host 2 (Slave), Local Host dom0 console(s), NTP connections, Storage network connection, Storage, Physical protection boundary)]

34. The TOE should be installed on at least 2 servers (maximum of 16 servers) configured in a pool, containing a Master Host and at least one Slave Host. The servers must satisfy the limitations specified in [ST] Section 1.2.2. The host network interface cards (NICs) should be set up as follows, as specified in [CCECG] section ‘Network Configuration’:

a) NIC0 - Management Network;
b) NIC1 - Storage Network;
c) NIC2 … NICn - One or more further NICs must be added as required to create Guest Networks.

35. The environment should provide network attached storage offering Network File System (NFS) storage, as specified in [ST] Section 1.2.2. The TOE should connect to the storage as detailed in [CCECG] section ‘Storage Configuration’.

Environmental Requirements

36. The environmental assumptions for the TOE are stated in [ST] Section 3.5.

37. The environmental IT configuration is detailed in [ST] Section 1.2.2 and [CCECG].

38. The TOE was evaluated running on Dell PowerEdge R710 servers, which met the requirements for the servers specified in [ST] Section 1.2.2.

39. The TOE is required to be connected to the following non-TOE components:

- Storage: Virtual Hard Disk (VHD) on NFS;
- Citrix License Server;
- Network Time Protocol (NTP) server.

40. Only Windows operating systems should be configured as a Guest OS in a Guest Domain, in accordance with the Virtual Machine (VM) Installation Guide [XVMIG]. Windows 2003 Server and Windows 2008 Server were configured as Guest VMs for Developer and Evaluator testing.

Test Configuration

41. The Developers used a configuration consistent with that detailed in ‘TOE Configuration’ above for their testing. To enable the Developers to run their automated test suite, Secure Shell (SSH) was enabled for their testing. The Evaluators determined that the use of SSH for testing did not adversely affect the results of the TOE security functionality tests.

42. The Evaluators used the same configuration for their testing as that used by the Developer. The only exception was that, for the Evaluators’ testing, the [CCECG] ‘SSH Configuration’ (which disabled SSH) was not applied, as the SSH connection to the host was used to complete the configuration necessary for some test cases. The Evaluators determined that this change had no impact on the TOE or on the functionality being tested.

IV. PRODUCT ARCHITECTURE

Introduction

43. This Chapter gives an overview of the main TOE architectural features. Other details of the scope of evaluation are given in Chapter III ‘Evaluated Configuration’ of this report.

Product Description and Architecture

44. The architecture of the TOE, described in [ST] Sections 1.3 and 1.4.2, incorporates Dom0 and the Xen Hypervisor running directly on server hardware.

[Figure 2 - TOE Architecture (diagram; recoverable labels: License Server connection, NTP server connection, Master-Slave persistent connection, Dom0, Domain U / HVM Guest / Guest OS, Storage network connection, Guest network connection, Management network connection, Xen Hypervisor, Server Hardware, Local Host dom0 Console)]

45. These provide other domains (referred to collectively as “Domain U”) in which an OS such as Windows is installed, and the domain will then behave as a separate server.

TOE Design Subsystems

46. The TOE subsystems, and their security functionality, are as follows [3]:

a) The Xen Hypervisor: A virtual machine monitor that provides the virtual environment that supports and separates domains, schedules execution on the Host CPU(s), and maintains memory page mappings for all domains (including dom0) in its own memory (this Hypervisor memory is not accessible to any domain, including dom0). The Hypervisor implements a number of interfaces (hypercalls) used by domains or processes running within them: dom0 is able to make privileged hypercalls; other domains are only able to make unprivileged hypercalls.

b) Dom0: A privileged domain which is also a PV domain – meaning that it knows that it operates in a virtual environment. Dom0 is the only privileged domain, and indeed the only PV domain, in the evaluated configuration; it has a special status because it is responsible for creating the Guest Domains (using hypercalls) and provides access to all physical devices. Dom0 runs the xapi process that (amongst other tasks) maintains a database (XML file) containing information about the Pool structure and status [4], and handles XenAPI requests. Dom0 also contains the XenStore database which stores information about domains and provides a means of communicating between Domain U and dom0 [5].

47. The security properties identified in [ST] Section 5.2 and Chapter 6 concern the ability of XenServer to provide the following:

a) Authentication of Administrators (FIA_UID.2 & FIA_UAU.2): This is concerned with connections from the Local Host dom0 Console, submission of xapi commands (as described in the XenServer Management API [XAPI]) as XML-RPC calls over the Management Network, and use of the HTTP Handlers over the Management Network. Administrators authenticate to dom0.

b) Maintaining separation of data between Guest VMs (FDP_IFC.1/VMData & FDP_IFF.1/VMData): Separation of VMs is established primarily by the setting up of the domain in which the (Guest) VM runs: this is responsible for the allocation of memory and other resource connections (notably network and storage) for the VM.

From the point of view of an Administrator, the main task involved in setting up an instance of a Guest VM is to use the XenAPI interface (as described in [XAPI]) to request the creation of a virtual machine into which the Guest OS is then installed (as described in [XVMIG]) and to set up networking for the Guest (as described in [CCECG]). The installation of the Guest OS in the Guest VM is essentially the same as installation onto a non-virtualised host, followed by the installation of the PV drivers. Administrators operate directly only on VMs, not domains, but creation of a VM will also entail dom0 creating a Guest Domain to contain the VM.

From the point of view of XenServer, a XenAPI command requesting creation of a new VM is sent to the Pool Master, which identifies a suitable Slave Host on which to create the VM and executes a VM.start (or VM.start_on) operation on the selected Host, referring to a VM that has previously been created (as above, which creates a VM in the Halted state, without a domain). This will cause the Host to create a new domain (using the domain builder process), then to locate the referenced VM inside the domain and start it running.

Sharing of memory by any domain other than dom0 is disabled in the evaluated configuration (as described in [CCECG], section ‘Dynamic Memory Control’).

c) Maintaining separation of data between guest VDisks (FDP_IFC.1/VDisk & FDP_IFF.1/VDisk): Separation of virtual disks is established by the allocation of separate Virtual Block Devices (VBDs) and Virtual Disk Images (VDIs) to VMs, and the linking of front-end drivers (used by the Guest OS in its Guest Domain) to back-end drivers (which connect the front-end drivers to dom0 in order to implement the communications with a physical storage device).

d) Protection of memory de-allocated from a VM (FDP_RIP.1): Memory is de-allocated from a VM when its domain is destroyed, at which point the Hypervisor will overwrite the memory with zeroes.

e) Provision of secure channels (FTP_ITC.1): Secure channels are implemented by enforcing the use of HTTP over TLS/SSLv3 for connections to XenConsole, communications over the Management Network [6], and communications on the Master-Slave Persistent Connection.

TOE Dependencies

48. The TOE dependencies on the IT environment are identified in Chapter III ‘Environmental Requirements’.

TOE Interfaces

49. The external TOE Security Functions Interface (TSFI) is described in [ST] Section 1.3 and shown in Figure 2 above.

[3] Terminology used within the description of the TOE subsystems is defined in Chapter VII (‘Abbreviations’) of this report and in [ST] Section 0.6.

[4] The Master-Slave database is in fact a part of the xapi database. All changes to the Master-Slave database (in particular updates from Slaves) are carried out by modifying the database on the Master (Slaves perform these updates over the Master-Slave Persistent Connection). The database on the Master is then regularly synchronised with the databases on the Slaves, so that (after synchronisation) all Hosts in the Pool have the same xapi database.

[5] In the evaluated configuration, Guest domains cannot use XenStore to share memory with each other.

[6] It should be noted that the License Server and NTP connections take place over the Management Network but do not use (or require) a secure channel.

V. TOE TESTING

TOE Testing

50. The Developer’s tests covered:

- all SFRs;
- all Security Functions (SFs);
- the TSFI, as identified in Chapter IV (in ‘TOE Interfaces’) of this report.

51. The Developer used the test configuration described in Chapter III (in ‘Test Configuration’) of this report. As also stated there, the Evaluators used the same test configuration as that used by the Developer.

52. The Evaluators repeated 8 of the Developer’s automated test cases and 9 additional tests from the Developer’s automated regression test suite. The Evaluators confirmed the results were consistent with those reported by the Developer.

53. The Evaluators devised and ran a total of 7 independent functional tests, different from those performed by the Developer. No anomalies were found.

54. The Evaluators also devised and ran a total of 6 penetration tests to address potential vulnerabilities considered during the evaluation and 4 additional tests to identify whether further penetration tests were necessary. No exploitable vulnerabilities or errors were detected.

55. The Evaluators finished running their penetration tests on 16th July 2010.

Vulnerability Analysis

56. The Evaluators’ vulnerability analysis, which preceded penetration testing and was reported in [ETR], was based on public domain sources and the visibility of the TOE provided by the evaluation deliverables, in particular the Developer’s Security Architectural Design.

Platform Issues

57. The platform on which the TOE is installed should meet the requirements specified in [
