Kanguru Common Criteria Evaluated User Manual v1.21

Secure. Anytime. Anywhere.
Evaluated Product
User Guide
Version 1.21
Copyright 2014, All Rights Reserved
Notices and Information
Copyright © 2014 Kanguru Solutions. All rights reserved.
Kanguru Solutions will not be held responsible for any illegal use of this product nor any losses incurred while using this product. The user is solely responsible for the copyright laws, and is fully responsible for any illegal actions taken.
Customer Service
To obtain service or technical support for your system, please contact Kanguru Solutions Technical Support Department at 508-376-4245, or visit www.Kanguru.com for web support.
Legal notice
In no event shall Kanguru Solutions’ liability exceed the price paid for the product from direct, indirect, special, incidental, or consequential software, or its documentation. Kanguru Solutions offers no refunds for its products. Kanguru Solutions makes no warranty or representation, expressed, implied, or statutory, with respect to its products or the contents or use of this documentation and all accompanying software, and specifically disclaims its quality, performance, merchantability, or fitness for any particular purpose. Kanguru Solutions reserves the right to revise or update its products, software, or documentation without obligation to notify any individual or entity.
Export Law Compliance
Regardless of any disclosure made to Kanguru Solutions pertaining to the ultimate destination of the specific Kanguru product, you warrant that you will not export, directly or indirectly, any Kanguru product without first obtaining the approval of Kanguru Solutions and the appropriate export license from the Department of Commerce or other agency of the United States Government. Kanguru Solutions has a wide range of products and each product family has different license requirements relative to exports.
End User License Agreement
This legal document is an agreement between you, the end user (“Licensee”), and Kanguru Solutions, a division of Interactive Media Corporation (“Licensor”).
By downloading or obtaining and using this software, you are consenting to be bound by the terms of this agreement, which includes the software license and software disclaimer of warranty.
This agreement constitutes the complete agreement between you and licensor. If you do not agree to the terms of this agreement, cease to use the product immediately and destroy any copies that you have made.
Software License
“The software” shall be taken to mean the software contained in this package, downloaded from Licensor’s website, or included within a hardware device and any subsequent versions or upgrades received as a result of having purchased this package. “Licensee” shall be taken as the original purchaser of the software.
Licensee has the non-exclusive right to use the software only on a single computer. Licensee may not electronically transfer the program from one computer to another over any type of network. Licensee may not distribute copies of the software or the accompanying documentation to others either for a fee or without charge. Licensee may not modify or translate the program or documentation. Licensee may not disassemble the program or allow it to be disassembled into its constituent source code.
This software is licensed only to you, the Licensee. You may not permit non-Licensees to use or install it on computers or networks other than explicitly specified in this license without the prior written consent of Licensor.
This license does not entitle you to any future upgrades or updates of software or configuration files, although Licensor may decide to make such upgrades or configuration file updates available with or without an associated fee.
Licensee’s use of the software indicates his/her acceptance of these terms and conditions. If Licensee does not agree to these conditions, then he or she must return any distribution media, documentation, and associated materials to the vendor from whom the software was purchased, and erase the software from any and all storage devices upon which it may have been installed or otherwise stored.
Disclaimer of Warranties
The software is provided on an “AS IS” basis, without warranty of any kind, including without limitation the warranties of merchantability, fitness for a particular purpose, and non-infringement. The entire risk as to the results and performance of the software is assumed by you, the Licensee. If the software is defective, you, and not Licensor or any distributor, agent or employee of Licensor assumes the entire cost of all necessary servicing, repair, or correction.
Limitations of Damages
In no event shall Licensor, or anyone else who has been involved in the creation, distribution, or delivery of this product be liable for any direct, indirect, special, punitive, exemplary, consequential or incidental damages (including but not limited to damages for loss of business profits, business interruption, loss of business information, and the like) arising out of the use or inability to use such product even if Licensor has been advised of the possibility of such damages. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
Copyright Restrictions
This software and any accompanying materials are copyrighted. Unauthorized copying of this software or of any of the textual materials accompanying it is expressly forbidden.
You may not modify, adapt, translate, reverse engineer, decompile, disassemble (except to the extent applicable laws specifically prohibit such restriction), or create derivative works based on the software.
Export Restrictions
You agree that you will not export the software to any country, person or entity subject to U.S. export restrictions.
Entire Agreement
This written End User License Agreement is the exclusive agreement between you and Licensor concerning the software and supersedes any and all prior oral or written agreements, negotiations or other dealings between us concerning the software. This License Agreement may be modified only by a writing signed by you and Licensor.
This agreement is subject to the laws and jurisdiction of the courts of the Commonwealth of Massachusetts, USA. If a court of competent jurisdiction invalidates one or more of the terms of this contract, the surviving terms continue in force.
This License Agreement is effective upon the earlier of your (1) use of the software; or (2) your manifesting assent to these terms as by clicking on the I Agree button shown when you downloaded or installed the software.
Table of Contents
1. Introduction
1.1 Purpose of this document
1.2 How to use this document
2. Requirements and Assumptions
2.1 What is a CC compliant system?
2.2 Identifying Your Defender Device
2.3 Hardware Requirements
2.4 Software Requirements
2.5 Requirements for the system’s environment
2.6 Requirements for administrators
2.7 Requirements for users
2.8 Requirements for connectivity
2.9 Excluded functionality
2.10 Device reception
3. Documentation
4. Software Installation
4.1 Obtaining copies of UKLA and KRMC
4.2 UKLA
4.3 KRMC
4.4 KDM
4.4.1 Verifying the KDM Software Version
4.4.2 Verifying the KDM Client Edition
4.4.3 Updating Your Defender Device
4.4.3.1 Updating Cloud/Standard Edition Devices
4.4.3.2 Updating KRMC Enterprise Edition Devices
4.4.3.3 Updating No-Comms Edition Devices
5. Common Criteria Certified Versions
5.1 Firmware verification Process
5.2 Client Software Verification Process
6. Device Self Test
7. Standalone Device Setup
8. Managed Devices
9. Password Selection Recommendation
10. Defender Elite200 Write Protect Switch
11. Verifying Your Files Using SHA256 Checksum
11.1 SHA256 Checksum Values
12. Changelog
1. Introduction
1.1 Purpose of this document
The Kanguru Defender Family of encrypted storage devices is designed to provide secure and reliable portable storage.
Because security requirements are dependent upon the applications and environment, it is not possible to simply certify that the devices are “secure”; a more precise definition is needed.
The Common Criteria (CC) provides a widely recognized methodology for security certification of products. A CC evaluation is fundamentally a two-step process, consisting of defining the “security target” which describes the features that are to be evaluated, and then testing and verifying that the product actually implements these features with a sufficient level of assurance.
This document is a security guide that explains how to set up the evaluated configuration, and provides information to administrators and ordinary users to ensure secure operation of the Kanguru Defender devices. It is intended to be self-contained in addressing the most important issues at a high level, and refers to other existing documentation where more details are needed.
The document addresses both administrators and users and the different tasks they are involved in.
Knowledge of the Common Criteria is not required for readers of this document.
1.2 How to use this document
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119 (http://www.ietf.org/rfc/rfc2119.txt). Note that this document avoids the terms “SHOULD” and “SHOULD NOT” that are defined in RFC 2119.
Requirements are either absolute (and marked with MUST and equivalent terms), or entirely optional (in the sense of not affecting required security functions) and marked with RECOMMENDED, MAY or OPTIONAL.
If you follow the requirements in this document when setting up and using the devices, your configuration will match the evaluated configuration. Certain configuration options are marked as OPTIONAL and you MAY modify them as needed, but you MUST NOT make other changes, because they will make the system fail to match the evaluated configuration.
Of course, you MUST always use common sense. This document is not a formal specification, and legitimate reasons can exist to modify the device setup in ways not described here if that is necessary for the system to fulfill its intended purpose. Specifically, applying security patches released by Kanguru is strongly RECOMMENDED even though that will cause a deviation from the evaluated configuration.
In cases where the requirements and recommendations in this document conflict with those in other sources (such as the provided manuals), the information in this configuration guide has higher precedence. You MUST follow the steps described here to reach the evaluated configuration, even if other documentation describes different methods.
2. Requirements and Assumptions
2.1 What is a CC compliant system?
A system can be considered to be “CC compliant” if it matches an evaluated and certified configuration. This implies various requirements concerning hardware and software, as well as requirements concerning the operating environment, users, and the ongoing operating procedures.
Strictly speaking, an evaluation according to the CC represents the results of investigation of the security properties of the target system according to defined guidelines. It must not be considered as a guarantee for fitness for any specific purpose, but will provide help in deciding the suitability of the system considering how well the intended use fits the described capabilities. It is intended to provide a level of assurance about the security functions that have been examined by a neutral third party.
The software MUST match the evaluated configuration. In the case of the Defender Family, this also requires that the installed supporting software (UKLA and KRMC) are the same. The documentation (including this guide) will specify permitted variations, such as modifying certain configuration files and settings.
Note: KLA and UKLA are one and the same and are used interchangeably with each other in the document.
Stated requirements concerning the operating environment MUST be met. They are linked to the assumptions made in the Security Target.
Typical requirements are restrictions concerning permitted network connections (for the administrative access) and usage scenarios.
The operation of the system MUST be in agreement with defined organizational security policies, to ensure that actions by administrators and users do not undermine the system’s security.
2.2 Identifying Your Defender Device
There are currently two Defender models that are certified for Common Criteria: 2000 and Elite200. You can visually identify which Defender model you own by checking the logo engraved on the device’s casing.
[Figure: logo engravings on the Defender 2000 and Defender Elite200 casings]
2.3 Hardware Requirements
The hardware MUST be one of the following devices. This entire document applies to all hardware systems unless explicitly noted.
• Kanguru Defender Elite200
  Part number     Capacity
  KDFE200-4G      4GB
  KDFE200-8G      8GB
  KDFE200-16G     16GB
  KDFE200-32G     32GB
  KDFE200-64G     64GB
  KDFE200-128G    128GB
  FW Version: 02.03.10, 02.05.10
• Kanguru Defender 2000
  Part number     Capacity
  KDF2000-4G      4GB
  KDF2000-8G      8GB
  KDF2000-16G     16GB
  KDF2000-32G     32GB
  KDF2000-64G     64GB
  KDF2000-128G    128GB
  FW Version: 02.03.10, 02.05.10
2.4 Software Requirements
The device client software MUST be one of the following applications. This entire document applies to all of the applications unless explicitly noted. The appropriate device specific Kanguru Defender Manager has to be used.
• Kanguru Defender Manager Elite200:
  ○ KDME200 v 2.0.0.0 - 2
  ○ KDME200 v 2.0.0.0 - 3
  ○ KDME200 v 2.0.0.0 - 6
• Kanguru Defender Manager 2000:
  ○ KDM2000 v 1.2.1.8 - 2
  ○ KDM2000 v 1.2.1.8 - 3
  ○ KDM2000 v 1.2.1.8 - 6
• Universal Kanguru Local Administrator: Version Release 3.2.0.3
• Kanguru Remote Management Console: Version 5.0.2.6
Important! Your Defender security device MUST be running the Kanguru Defender Manager software version listed above in order to be considered CC compliant. It is the user’s responsibility to ensure that their hardware is in compliance. For instructions on determining what version of Kanguru Defender Manager your device is running, please refer to section 4.4 KDM on page 18.
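As an added example (not Kanguru tooling and not part of the original guide), the following Python audit checks device inventory records against the evaluated hardware, firmware and KDM versions listed in sections 2.3 and 2.4, including the rule that the device-specific manager has to be used. The record fields (serial, part_number, firmware, kdm) and the sample inventory are constructed for illustration, and both firmware versions are assumed to apply to every listed capacity.

```python
import re

# Evaluated configuration copied from sections 2.3 and 2.4 of this guide.
CAPACITIES = {"4G", "8G", "16G", "32G", "64G", "128G"}
FIRMWARE = {"02.03.10", "02.05.10"}  # assumption: valid for every listed capacity
MODELS = {
    "KDFE200": ("KDME200", {"2.0.0.0-2", "2.0.0.0-3", "2.0.0.0-6"}),
    "KDF2000": ("KDM2000", {"1.2.1.8-2", "1.2.1.8-3", "1.2.1.8-6"}),
}
# Accepts the spacing used in the guide ("KDME200 v 2.0.0.0 - 2") and tighter forms.
KDM_RE = re.compile(r"^(KDME200|KDM2000)\s*v\s*([\d.]+)\s*-\s*(\d+)$")


def check_device(record):
    """Return the deviations from the evaluated configuration (empty list = match)."""
    part = record["part_number"].strip().upper()
    family, _, capacity = part.partition("-")
    if family not in MODELS or capacity not in CAPACITIES:
        # Without a known model the firmware and KDM checks have no reference.
        return [f"part number {part} is not in the evaluated hardware list"]
    expected_kdm, kdm_versions = MODELS[family]
    problems = []
    # Firmware is compared as the exact string printed in the guide.
    if record["firmware"].strip() not in FIRMWARE:
        problems.append(f"firmware {record['firmware']} is not an evaluated version")
    match = KDM_RE.match(record["kdm"].strip())
    if match is None:
        problems.append(f"KDM string {record['kdm']!r} could not be parsed")
    else:
        product, version, suffix = match.groups()
        if product != expected_kdm:
            # Section 2.4: the device-specific manager has to be used.
            problems.append(f"{product} is the wrong manager, {family} needs {expected_kdm}")
        elif f"{version}-{suffix}" not in kdm_versions:
            problems.append(f"{product} v{version}-{suffix} is not an evaluated version")
    return problems


def audit(inventory):
    """Map the serial of each non-matching device to its list of deviations."""
    report = {}
    for record in inventory:
        problems = check_device(record)
        if problems:
            report[record["serial"]] = problems
    return report


# Constructed sample inventory (serials and field names are hypothetical).
INVENTORY = [
    {"serial": "EX-0001", "part_number": "KDFE200-16G",
     "firmware": "02.05.10", "kdm": "KDME200 v 2.0.0.0 - 3"},
    {"serial": "EX-0002", "part_number": "KDF2000-8G",
     "firmware": "02.03.10", "kdm": "KDME200 v 2.0.0.0 - 2"},
    {"serial": "EX-0003", "part_number": "KDF2000-64G",
     "firmware": "02.04.10", "kdm": "KDM2000 v1.2.1.8-6"},
    {"serial": "EX-0004", "part_number": "KDFE200-256G",
     "firmware": "02.05.10", "kdm": "KDME200 v 2.0.0.0 - 6"},
]

if __name__ == "__main__":
    for serial, problems in audit(INVENTORY).items():
        print(serial, "->", "; ".join(problems))
```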
2.5 Requirements for the system’s environment
The security target covers devices that use Linux, MacOS and Windows hosts for access via the appropriate Kanguru Defender Manager (KDM).
It is assumed that the value of the stored assets merits moderately intensive penetration or masquerading attacks. It is also assumed that physical controls in place would alert the system authorities to the physical presence of attackers within the controlled space.
You MUST use the devices only on trustworthy hosts that can be relied on to not have any malware installed.
The Kanguru Remote Management Console MUST be installed on a Windows 2008 System with MS SQL Server 2005, MS SQL Server 2008 or MS SQL Express and IIS already installed and the latest security patches applied.
The Kanguru Remote Management Console MUST be installed on a physically protected system that is only used for KRMC.
The Kanguru Central Server MUST NOT be used in the evaluated configuration.
2.6 Requirements for administrators
When using the devices in an Enterprise configuration, there MUST be one or more competent individuals who are assigned to manage the devices. These individuals will have the ability to initialize and reset devices, reset and change user passwords as well as configure failed authentication handling.
The system administrative personnel MUST NOT be careless, willfully negligent, or hostile, and MUST follow and abide by the instructions provided by the administrator documentation.
Every person that has the ability to perform administrative actions via UKLA and KRMC has control over security properties of the devices and could, either by accident or deliberately, undermine security features of the system. This Configuration Guide provides the basic guidance on how to set up and operate the system securely, but is not intended to be the sole information required for a system administrator to learn how to operate the devices securely.
It is assumed, within this Configuration Guide, that administrators who use this guide have a good understanding and knowledge of operating security principles in general and of the Defender configuration in particular. We strongly advise that any organization that wants to operate the system in the evaluated configuration nevertheless have their administrators trained in security principles.
Every organization MUST trust their system administrators not to deliberately undermine the security of the devices.
This Configuration Guide provides the additional information a system administrator MUST obey when installing, configuring and operating the devices in compliance with the requirements defined in the Security Target for the Common Criteria evaluation.
2.7 Requirements for users
Users MUST inspect the device and packaging before use to verify that it has not been tampered with. The casing and any sealing (of the original packaging) MUST be intact without any marks. If the casing or seal is broken or has been tampered with, users MUST refuse delivery of the package.
Users MUST ensure that the authentication attribute cannot be obtained by spying or shoulder surfing.
Users MUST ensure that the systems that they use to access the devices are secure and do not contain any software that tries to access the devices in an unauthorized fashion.
Users MUST protect the host computer while absent (e.g. via a screen locker) while a device is connected, or disconnect the device.
Users MUST check that the firmware version on the device is the correct CC certified version. For instructions on verifying the device’s firmware version and a comprehensive list of CC certified versions, please refer to Chapter 5. Common Criteria Certified Versions on page 25.