TMG CC Certification EAL 4+
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/common-criteria.aspx
Common Criteria: A Global Security Standard
Many software products claim to make your networks secure, but how do you know for sure? Common Criteria (CC) is a framework for evaluating and certifying the security of IT products and systems that is recognized by governments and IT professionals around the world as a critical measure of the quality of an information technology security product. CC certification is increasingly used as one of the key decision-making criteria by local, federal, and international government agencies and is also becoming a key differentiator for many private-sector industries, such as finance and healthcare. You can read more about CC on the Common Criteria site.
Forefront TMG 2010
Microsoft Forefront TMG 2010 (Standard Edition and Enterprise Edition) has passed Common Criteria Evaluation Assurance Level 4+ (EAL 4+).
The certification work has been performed by the Federal Office for Information Security (BSI), the Common Criteria certification body of the German government, and by the TÜViT Evaluation Body for IT Security, which evaluates products worldwide according to the ITSEC and the Common Criteria (CC).
This site contains information and downloads for the certified version. It provides links to the Security Target which lists the security and assurance claims certified by the evaluation, to additional guidance documentation and other required files.
Steps in order to ensure the integrity of Forefront TMG 2010 (Volume Licensing - Standard Edition and Enterprise Edition)
Please perform the following steps in order to ensure the integrity of your downloads from this website:
- Download the FCIV tool [1] from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
  The SHA1 value of this download is
      99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex)
  and shall be verified before executing the downloaded file. This can be done using any tool capable of calculating SHA-1 values. While running the file you have to enter a destination folder where the FCIV executable should be extracted to.
- Download the CC Guidance Addendum [3] to the directory where FCIV has been extracted. Check the integrity of "MS_TMG_ADD_1.1.pdf" by executing the command
      fciv "MS_TMG_ADD_1.1.pdf" -sha1
  and verify that the result is
      c12934f5d1e88dced709502d6304f5b6264234ff MS_TMG_ADD_1.1.pdf
- Depending on the downloaded version:
  - If you received TMG 2010 Standard Edition via Web download, type the following
        fciv.exe -sha1 X16-23051.iso
    and verify that the result is
        daae6ed2f61b6474b9f2dfc9bad5e9bf75420295 x16-23051.iso
  - If you received TMG 2010 Enterprise Edition via Web download, type the following
        fciv.exe -sha1 X16-23004.iso
    and verify that the result is
        5b4c04c4e4eff29e95ed46ff24b9f35802fe1158 X16-23004.iso
After the final verification steps have been finished follow the Forefront TMG 2010 CC Guidance Addendum for the installation and configuration of the TOE (Target of Evaluation; for details see Security Target).
Steps in order to ensure the integrity of Forefront TMG 2010 (Boxed version - Standard Edition only)
Please perform the following steps in order to ensure the integrity of your downloads from this website:
- Download the FCIV tool [1] from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
  The SHA1 value of this download is
      99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex)
  and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values. While running the file you have to enter a destination folder where the FCIV executable should be extracted to.
- Download the
  - Integrity Check Validation Data [2],
  - CC Guidance Addendum [3],
  to the directory where FCIV Tool has been extracted.
- Check the integrity of "MS_TMG_ADD_1.1.pdf" by executing the command
      fciv "MS_TMG_ADD_1.1.pdf" -sha1
  and verify that the result is
      c12934f5d1e88dced709502d6304f5b6264234ff MS_TMG_ADD_1.1.pdf
- Check the integrity of "IntegrityCheckTMG2010.zip" by executing the command
      fciv "IntegrityCheckTMG2010.zip" -sha1
  and verify that the result is
      6353467c49109fddacd9cbd85c80c0b144bf3f8c IntegrityCheckTMG2010.zip
- Verify that the folder contains the following files:
  - TMGFPPENUSE.xml
  - readme.htm
  - integritycheck_se_ENU.cmd
  - fciv.exe
- Insert the Forefront TMG 2010 DVD that requires validation into the DVD Drive X: (where X: is your DVD-ROM drive)
- Open a command window and change to the folder where the validation files are located. Then, type the following to validate Forefront TMG 2010 (Standard Edition):
      integritycheck_se_ENU.cmd X:
- If the DVD cannot be validated as an authentic DVD, a message will be displayed, indicating that the DVD is not authentic. The integritycheck.log file, listing the failure details, will be created in the folder with the original files.
  If the DVD is correctly validated, the following message will be displayed:
      The ... is an authentic (product name)
After the final verification steps have been finished, follow the Forefront TMG 2010 CC Guidance Addendum for the installation and configuration of the TOE (Target of Evaluation; for details see Security Target).
[1] FCIV Tool
The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values.
[2] Integrity Check Validation Data
This file contains hash values in form of XML files that can be used to verify the integrity of the product and command files for easier usage.
[3] CC Guidance Addendum
This document provides guidance information to be used with and modifies the guidance documentation specifically for the operation and use of the Common Criteria version.
ISA Server 2006
Microsoft Internet Security and Acceleration (ISA) Server 2006 has passed Common Criteria Evaluation Assurance Level 4+ (EAL 4+).
The certification work has been performed by the Federal Office for Information Security (BSI), the Common Criteria certification body of the German government.
Microsoft Internet Security and Acceleration (ISA) Server 2006 certification report is available for reading from the BSI website, here.
The CC Guidance Documentation Addendum for ISA Server 2006 is available for download from this page.
To ensure the integrity of your ISA 2006 downloads from this page, please perform the following steps.
- Download the FCIV tool from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
  The SHA-1 value of this download is
      99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex)
  and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.
- Download the "Integrity Check ISA 2006" and "CC Guidance Documentation Addendum" to the directory where FCIV has been extracted.
- Open a command prompt and change to the directory where FCIV has been extracted.
- Check the integrity of "Integrity Check ISA 2006" by executing the command
      fciv "Integrity Check ISA 2006.zip" -sha1
- Verify that the result is
      06b67016f7f986a45011dd84f7ba5f98fb2cfcef integrity check isa 2006.zip
- Check the integrity of the CC Guidance Addendum by executing the command
      fciv "CC_Guidance_Documentation_Addendum_for_ISA_2006.pdf" -sha1
- Verify that the result is
      e9e5cd5369d1fbb0a2b57c27351b69ff5ea5978f cc_guidance_documentation_addendum_for_isa_2006.pdf
Follow the CC Guidance Addendum for further Installation and Configuration of the TOE (Target Of Evaluation).
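The SHA-1 checks in the Forefront TMG 2010 and ISA Server 2006 steps above can be run in one pass with any tool that calculates SHA-1 values. The following is an added example, not part of the original Microsoft page or of FCIV: the function names are hypothetical, the expected values are copied from the steps on this page, and skipping lines that start with "//" assumes the checking tool prints its banner in that form.

```python
import hashlib
import os

# Expected "<sha1> <file name>" lines, copied from the verification steps on this page.
PUBLISHED = """\
c12934f5d1e88dced709502d6304f5b6264234ff MS_TMG_ADD_1.1.pdf
daae6ed2f61b6474b9f2dfc9bad5e9bf75420295 x16-23051.iso
5b4c04c4e4eff29e95ed46ff24b9f35802fe1158 X16-23004.iso
6353467c49109fddacd9cbd85c80c0b144bf3f8c IntegrityCheckTMG2010.zip
06b67016f7f986a45011dd84f7ba5f98fb2cfcef integrity check isa 2006.zip
e9e5cd5369d1fbb0a2b57c27351b69ff5ea5978f cc_guidance_documentation_addendum_for_isa_2006.pdf
"""

def parse_manifest(text):
    """Map lower-cased file name -> lower-cased SHA-1 hex digest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):  # assumed: tool banner lines
            continue
        digest, _, name = line.lower().partition(" ")  # file names may contain spaces
        if len(digest) != 40 or set(digest) - set("0123456789abcdef") or not name.strip():
            raise ValueError(f"not a 'sha1 filename' line: {line!r}")
        expected[name.strip()] = digest
    return expected

def sha1_of(path, chunk=1 << 20):
    """Stream the file so large ISO images are never held in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_directory(directory, manifest_text=PUBLISHED):
    """Return {listed name: 'OK' | 'MISMATCH' | 'MISSING'}."""
    expected = parse_manifest(manifest_text)
    # Match names case-insensitively: the page's listings mix upper and lower case.
    present = {n.lower(): os.path.join(directory, n) for n in os.listdir(directory)}
    report = {}
    for name, digest in expected.items():
        if name not in present:
            report[name] = "MISSING"
        else:
            report[name] = "OK" if sha1_of(present[name]) == digest else "MISMATCH"
    return report

if __name__ == "__main__":
    for name, status in verify_directory(os.getcwd()).items():
        print(f"{status:8} {name}")
```

Run it from the directory holding the downloads; a file should be used only when its line reads OK, and a MISSING line means that download was never checked.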
ISA Server 2004
Microsoft Internet Security & Acceleration (ISA) Server 2004 has achieved CC Evaluation Assurance Level 4+ (EAL 4+). Level 4 is the highest level possible that is mutually recognized by all countries participating in CC certification. This level provides the deepest evaluation and testing possible from an independent testing laboratory. In addition, ISA Server passed an even more thorough review, earning Level 4+. This CC certificate assures you that the evaluated security features of ISA Server Standard Edition are effective and implemented correctly.
ISA Server 2000 Standard Edition
In September 2003, ISA Server 2000 achieved certification for CC Evaluation Assurance Level 2 (EAL 2). ISA Server CC certification, coupled with the Windows 2000 Server EAL 4 + Flaw Remediation certification, is an important consideration for organizations requiring CC certification.
The Microsoft Commitment to CC Certification
Robust and objective non-Microsoft auditing, as with the certification process involved in CC, is critical for establishing trust in security products. Auditing represents a significant investment and is something that all customers should evaluate when making technology purchases. It is a Microsoft corporate goal to provide rigorous non-Microsoft auditing for all Microsoft security products, at a level comparable to or better than that of other vendors.