
SSL-TLS VPN

Certification Testing Report

Array Networks, Inc.


Array AG Series SSL VPN Appliances

Tested against this standard


ICSA Labs Network SSL-TLS VPN Criteria Version 4.0

October 29, 2020

Prepared by ICSA Labs


1000 Bent Creek Blvd., Suite 200
Mechanicsburg, PA 17050
www.icsalabs.com
ICSA Labs SSL-TLS VPN
Certification Testing Report

Summary of Test Results

Product: Array AG Series SSL VPN Appliances
    www.arraynetworks.com/products-secure-access-gateways-ag-series.html
Model Tested: vxAG on AVX7800
    Firmware: Rel.AVX.2.7.0.76, Rel.AG.9.4.0.215
    MotionPro Client v1.2.10
Certified Since: September 2018

Protocol and Cipher Suite Support
    TLS version tested: TLS_1.2
    Cipher suite tested: TLS_RSA_WITH_AES_256_CBC_SHA

X.509 Certificate Management and Validation
    Proper certificate management from external CA
    Supports client certificate authentication and proper validation ✅
    Standalone client/server certificate validation ✅

Security Testing
    No unauthorized administrative access ✅
    No remote vulnerabilities found ✅
    Properly enforces security policies ✅
    Not susceptible to DoS attacks ✅

Administration
    Secure remote administrative access

Logging
    Robust logging of security-related events ✅

SSL VPN Client Platforms
    MotionPro Client v1.2.10 on Windows 10

Authentication and Authorization
    Two-factor authentication ✅
    External AAA server support ✅
    Access control ✅
    Client host integrity checks ✅

Session Control
    Automatic and administrative session termination

Functional Testing
    L3VPN

SSLTLSVPN-ARRAYNETWORKS-2020-1029-01 Page 1 of 6


Copyright © 2020 ICSA Labs. All rights reserved.

About ICSA Labs


The goal of ICSA Labs is to significantly increase user and enterprise trust in information security products and solutions
by establishing publicly vetted requirements and developing robust test methodologies. For over twenty-five years, ICSA
Labs has performed independent, third-party security certification testing of computer and network security products,
beginning with anti-malware testing in 1991.

SSL-TLS VPN Certification Testing

ICSA Labs began testing SSL-TLS VPN solutions in 2004 based on criteria developed by a consortium of SSL-TLS VPN
vendors with input from industry analysts and the end user community. Since then, the focus of ICSA Labs SSL-TLS
VPN testing is verifying support for enterprise level SSL-TLS VPN functionality. More specifically, ICSA Labs SSL-TLS
VPN testing confirms that tested products properly implement TLS with strong cipher suite support, while providing
certificate management and validation. Additionally, testing includes proper authentication and authorization,
session control and secure operation in either a Reverse Web Proxy or Layer 3 VPN mode.

Also tested are platform security of the product itself, logging, secure administration, and administrative functions.

Certified Product Details


Array Networks, Inc. provided the hardware, software, administrative documentation, and any necessary licenses to
perform testing. The models and versions listed below specify the configuration that successfully met all mandatory
requirements.

• AVX7800 (Rel.AVX.2.7.0.76)
• Virtual Secure Access Gateway (Rel.AG.9.4.0.215)
• MotionPro Client (Ver. 1.2.10)

In the case of a certified family of models, ICSA Labs periodically tests other models in the series. ICSA Labs SSL-TLS
Certification extends beyond the most recently tested model(s) (in bold below) to the other members of the Array AG
Series SSL VPN Appliances family. In this test cycle, ICSA Labs tested the vxAG virtual appliance running on Array
Networks’ AVX7800 hardware. vxAG is listed separately below to indicate that the virtual appliance runs on other
hypervisors; however, vxAG was not tested on those other hypervisors during this test cycle:

• AG1000v5  • AG1100v5  • AG1200v5  • AG1500v5  • AG1600v5
• AVX3600   • AVX5800   • AVX7600   • AVX7800   • AVX9800
• AVX10650  • vxAG


Scope of Assessment
ICSA Labs tests candidate SSL-TLS VPN products against publicly available criteria initially developed by a
consortium of SSL-TLS VPN vendors with input from industry analysts and the end user community. An ICSA Labs
certified SSL-TLS VPN product must satisfy all the mandatory requirements along with all related requirements to
elected optional functionality. For more information about the criteria, please visit the SSL-TLS section of the ICSA
Labs website (www.icsalabs.com).

The following is a summary of the SSL-TLS VPN requirements:

1. Protocol and Cipher Suite Support – The TLS protocol and underlying cryptography must be implemented
properly.
2. X.509 Certificate Management and Validation – The product must support X.509 certificate management
such as secure enrollment and renewal. When supporting client certificate authentication, the product must
properly validate client certificates. SSL VPN Client apps must support proper certificate validation for SSL
VPN Server certificates.
3. Security Testing – The product must prevent unauthorized access and protect against common exploits and
attacks.
4. Administration – The product must have secure administrative capabilities including strong authentication,
secure remote access, and administrative and user session management.
5. Logging – The product must have the ability to accurately log the required data for system and session
related events.
6. SSL VPN Client Platforms – The product must support a Windows based client with Internet Explorer or
Firefox for browser based access.
7. Authentication and Authorization – The product must support secure user authentication mechanisms,
including strong authentication and granular control of access to resources. The product must also have the
ability to perform integrity checks of the client system before granting access and throughout the session.
8. Session Control – The product must provide automatic controls of user sessions.
9. Functional Testing – The product must support at least one mode of operation, Reverse Web Proxy (RWP)
or Layer 3 VPN (L3VPN). When operating in RWP mode, the product must prevent leaking of internal network
information and properly clean session related data. Typically, this requirement is satisfied with the use of a
cache cleaning mechanism or a virtual desktop environment during the VPN session. In L3VPN operation,
the product must support proper disabling of split tunneling and prevent bypassing of the VPN tunnel.


Testing Details
General Notes
The initial configuration was performed following the steps in the Quick Installation Guide shipped with the
AVX7800 appliance. With web access to the AVX appliance management interface, ICSA Labs followed the
“System Setup & Network Settings” chapter in the ArrayOS AVX 2.7 User Guide. ICSA Labs then configured the
Virtual Secure Access Gateway (vxAG), following the steps in the vxAG Deployment Guide. The following
documents were used as references where needed:
• Array AVX 2.7 User Guide
• ArrayOS AG 9.4 User Guide
• Array AVX 2.7 CLI Handbook
• ArrayOS AG 9.4 CLI Handbook
• vxAG Deployment Guide

Protocol and Cipher Suite Support


During testing, only TLS v1.2 was enabled in the “General SSL Settings” for the “Virtual Site”.
Additionally, in the “Advanced SSL Settings”, the enabled cipher suites were limited to strong cipher suites
(e.g. 256 bit AES, RSA/SHA). Sessions were then established with TLS v1.2 using the
TLS_RSA_WITH_AES_256_CBC_SHA cipher suite.

X.509 Certificate Management and Validation


Certificates for the vxAG on AVX7800 were managed (i.e. installed, viewed, and replaced) in the “Site
Configuration SSL/DTLS Certificates” admin pages on the “Certificates/Key” tab. To create a
certificate request for signing by an external CA, a CSR was generated marking the Private Key as Exportable.
Then, the signed certificate and private key were imported on the “Certificates/Key” tab. Note that while the
following warning was generated, “…certificate chain is incomplete…Please import
intermediate CA or root CA”, it was safely ignored.

The vxAG on the AVX VPN Server supported and properly validated client certificates, exhibiting the appropriate
behavior for valid, expired and revoked certificates, and for certificates with invalid signatures. The vxAG on AVX7800
also handled CRLs properly (i.e. valid, expired, and invalid signature situations).

Security Testing
ICSA Labs used numerous tools and test methods to verify that the vxAG on AVX7800 was not vulnerable to
known exploits and threats.

Administration
Administrative access to vxAG via https/ssh was secured by disabling weak cipher suites. Via the CLI, the
command ‘webui ssl protocol v12’ was entered. For the vxAG on AVX7800, weak cipher suites could not
be disabled for ssh access; therefore, a separate physical port was used for the vxAG on AVX7800 administrative
interface with restricted access to the physical AVX appliance management port. Administrative session timeout is
supported and is configured within the “Base System - System Management Access Control.”

Logging
The vxAG Base System (accessible from “Admin Tools - Monitoring”) was configured to send log events to
a remote SYSLOG server. ICSA Labs verified all required data was captured for each required event. The
following is an example log entry for an event (failed user authentication) recorded on the SYSLOG server:

INFO Sep 01 2020 13:04:04 AN AN_SQUID_LOG 1598979844.000 0 user=(null) 198.51.100.1 TCP_MISS/200 7981 GET /client_sec/l3vpn/version.xml - DIRECT/127.0.0.1 -
NOTICE Sep 01 2020 13:04:13 AN id=ArrayOS time="2020-09-01 13:04:13" timezone=EDT(-0400) fw=AN pri=5 vpn=sslvpn101-1 user=chuck src=198.51.100.1 sport=51721 dst=0.0.0.0 dport=80 dstname=localhost arg=/prx/000/http/localhost/login rcvd=203 type=vpn msg="Authentication failed, login method (localdb_method), reason (authentication failure)."
INFO Sep 01 2020 13:04:13 AN id=ArrayOS time="2020-9-1 13:04:13" timezone=EDT(-0400) fw=AN pri=6 eid=10000002 user=chuck device=0XORBLIOGJTW2DIZEUVZ0+CKUENAULDGCV+E+EMY6SI= src=198.51.100.1 sport=51721 type=vpn msg="authentication failed"
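The record layout above (a severity and timestamp header followed by space-separated key=value fields, with quoted values that may contain spaces) is what a SIEM has to parse to alert on the failed-authentication events this section verifies. The following parser is an added example, not code from the report or from Array Networks; the sample records are constructed after the ones quoted above (documentation-range address, placeholder device id), and it shows two points a practitioner would want handled: the NOTICE and eid records describe one failure and should be collapsed, and the quoted time field is not consistently zero-padded.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the ArrayOS syslog records quoted above (documentation-range IP, placeholder device id)
SAMPLE_LOG = """\
INFO Sep 01 2020 13:04:04 AN AN_SQUID_LOG 1598979844.000 0 user=(null) 198.51.100.1 TCP_MISS/200 7981 GET /client_sec/l3vpn/version.xml - DIRECT/127.0.0.1 -
NOTICE Sep 01 2020 13:04:13 AN id=ArrayOS time="2020-09-01 13:04:13" timezone=EDT(-0400) fw=AN pri=5 vpn=sslvpn101-1 user=chuck src=198.51.100.1 sport=51721 dst=0.0.0.0 dport=80 dstname=localhost arg=/prx/000/http/localhost/login rcvd=203 type=vpn msg="Authentication failed, login method (localdb_method), reason (authentication failure)."
INFO Sep 01 2020 13:04:13 AN id=ArrayOS time="2020-9-1 13:04:13" timezone=EDT(-0400) fw=AN pri=6 eid=10000002 user=chuck device=DEVICE_ID_PLACEHOLDER src=198.51.100.1 sport=51721 type=vpn msg="authentication failed"
"""

HEADER_RE = re.compile(r"^(\w+) (\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) AN (.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # quoted values may contain spaces; bare ones run to whitespace

def parse_entry(line):
    """Return {severity, logged_at, fields} for an ArrayOS record, None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    severity, stamp, body = m.groups()
    fields = {k: q if q else bare for k, q, bare in KV_RE.findall(body)}
    if fields.get("id") != "ArrayOS":
        return None  # e.g. the AN_SQUID_LOG proxy line uses a different layout
    # time= is not consistently zero-padded ("2020-9-1" vs "2020-09-01"): normalise, don't compare strings
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    logged_at = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
    return {"severity": severity, "logged_at": logged_at, "fields": fields}

def failed_auth_events(text):
    """Deduplicated auth failures: the NOTICE (pri=5) and eid (pri=6) records describe one failure."""
    seen, events = set(), []
    for line in text.splitlines():
        entry = parse_entry(line)
        if not entry or entry["fields"].get("type") != "vpn":
            continue
        f = entry["fields"]
        if "authentication fail" not in f.get("msg", "").lower():
            continue
        key = (f.get("user"), f.get("src"), f["time"])
        if key not in seen:
            seen.add(key)
            events.append({"user": key[0], "src": key[1], "time": key[2]})
    return events

def sources_over_threshold(events, threshold):
    """Source addresses with at least `threshold` distinct failures (brute-force indicator)."""
    counts = Counter(e["src"] for e in events)
    return {src: n for src, n in counts.items() if n >= threshold}
```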

SSL VPN Client Platforms


During testing, the client system was a Windows 10 system with the Array Networks MotionPro Client version
1.2.10. The MotionPro Client was installed as an Administrator on the Windows 10 system prior to connecting to
the vxAG on the AVX VPN server.

Authentication and Authorization


The vxAG on AVX7800 was configured to enable two-factor user authentication by requiring the use of client
certificates during TLS session establishment. Also, ICSA Labs verified that the client certificate contents (e.g. a
username in the Subject field) could be used to match user credentials for additional security. The vxAG
supported access control based on both user and group identity with authorization policies that allowed or denied
access to specific resources. Support for authentication to external AAA servers was also tested, and ICSA Labs
verified the mechanisms could be configured in a secure manner (e.g. LDAP over TLS). Various attempts were
subsequently made to circumvent the configured policies, but none succeeded.

In addition to the authentication and authorization testing described above, verification of host integrity checking
upon and during session establishment was performed. ICSA Labs’ testing verified that sessions would be
prevented initially, or disconnected after being established, when the client system did not meet the configured
requirements, which included having:

• a minimum MS Windows version and patch level,
• MS Windows firewall enabled with a specific version,
• MS Windows Virus & Threat Protection enabled. (Note, the Windows 10 SDK for Windows Defender does
not allow for verifying last update time; thus, signature max age cannot be checked when using MS
Windows Virus & Threat Protection for AV protection on Windows 10.)

Options for the above settings are accessed in the “Virtual Site Security Settings - Client
Security” pages.

With the version of the MotionPro Client initially submitted for testing, host checking for firewall and antivirus did
not function in accordance with the requirements. Version 1.2.10 of the MotionPro Client satisfied the
requirements.

Session Control
“User Session Control” is configured for the “Virtual Site” in the “Site Configuration Security
Settings.” ICSA Labs configured sessions per user, idle timeout, maximum session lifetime, and
unauthenticated session lifetime. ICSA Labs found through testing that these settings were properly enforced.

Functional Testing
The mode of operation for which certification has been granted for the Array AG Series SSL VPN Appliances,
including the tested vxAG on AVX7800, is the Layer 3 VPN mode. The VPN session can be configured to disable
split tunneling. Split tunneling is controlled by the configuration of the “Network-type VPN Resource Item”
within the “VPN Access Method” configuration. Initially during this test cycle, the MotionPro Client did not
prevent circumventing the Layer 3 VPN tunnel; however, with MotionPro Client Version 1.2.10, ICSA Labs verified
that the tunnel could not be circumvented and was therefore able to meet the testing requirements.


Authority

This report is issued by the authority of the General Manager, ICSA Labs. Tests are performed under normal operating
conditions.

ICSA Labs

The goal of ICSA Labs is to significantly increase user and enterprise trust in information security products and
solutions. For more than 25 years, ICSA Labs, an independent division of Verizon, has been providing credible,
independent, 3rd party security product testing and certification for many of the world’s top security product
developers and service providers. Enterprises worldwide rely on ICSA Labs to set and apply objective testing and
certification criteria for measuring product compliance and performance.

www.icsalabs.com

ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg, PA 17050

Array Networks, Inc.

Array Networks, the network functions platform company, develops purpose-built systems for hosting virtual
networking and security functions with guaranteed performance.

Proven at over 5000 worldwide customer deployments, Array is recognized by leading enterprises and service
providers for next-generation technology that takes the guesswork out of NFV deployment and delivers agility at
scale.

www.arraynetworks.com

Array Networks, Inc.
1371 McCarthy Blvd.
Milpitas, CA 95035
