AhnLab MDS, MDS with MTA, and MDS Manager V2.1. Security Target

Transcription

1 AhnLab MDS, MDS with MTA, and MDS Manager V2.1 Security Target Version 0.4 June 14, 2017 Prepared for: AhnLab 673 Sampyeong-dong, Bundang-gu, Seongnam-si, Gyeonggi-do, Korea Prepared by: Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive, Columbia, Maryland 21046

2 1. SECURITY TARGET INTRODUCTION SECURITY TARGET, TOE AND CC IDENTIFICATION CONFORMANCE CLAIMS CONVENTIONS Abbreviations and Acronyms TOE DESCRIPTION TOE OVERVIEW TOE ARCHITECTURE Physical Boundaries Logical Boundaries TOE DOCUMENTATION SECURITY PROBLEM DEFINITION SECURITY OBJECTIVES SECURITY OBJECTIVES FOR THE TOE IT SECURITY REQUIREMENTS ETENDED REQUIREMENTS TOE SECURITY FUNCTIONAL REQUIREMENTS Security Audit (FAU) Cryptographic Support (FCS) Identification and Authentication (FIA) Security Management (FMT) Protection of the TSF (FPT) TOE Access (FTA) Trusted Path/Channels (FTP) TOE SECURITY ASSURANCE REQUIREMENTS TOE SUMMARY SPECIFICATION SECURITY AUDIT FAU_GEN.1: Audit Data Generation CRYPTOGRAPHIC SUPPORT IDENTIFICATION AND AUTHENTICATION FIA_PMG_ET.1 Password Management SECURITY MANAGEMENT PROTECTION OF THE TSF FPT_APW_ET.1: Protection of Administrator Passwords TOE ACCESS FTA_SSL_ET.1: TSF-Initiated Session Locking TRUSTED PATH/CHANNELS FTP_ITC.1: Inter-TSF trusted channel PROTECTION PROFILE CLAIMS RATIONALE TOE SUMMARY SPECIFICATION RATIONALE

3 LIST OF TABLES Table 1: TOE Ports Table 2 TOE Security Functional Components Table 3 Auditable Events Table 4 Assurance Components Table 5 Cryptographic Functions Table 6 SFR Protection Profile Sources Table 7 Security Functions vs. Requirements Mapping Security Target Introduction This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is a single instance of AhnLab MDS, MDS with MTA, and MDS Manager V2.1. In this ST, the TOE instances may be collectively referred to as the AhnLab MDS. AhnLab Malware Defense System (MDS) and MDS with MTA are network devices for an Autonomous Malware Defense System (MDS) that combines signature, signature-less and reputation feed methods together, to detect both known and unknown malware entering the network.. MDS with MTA is a network device that includes MTA functionality via purchase of separate license. The MDS Manager Device is a network device that can be used to manage other MDS devices, though this capability is not covered in the evaluation. Each device supports the security functions specified in [NDcPP]. The focus of this evaluation is on the TOE functionality supporting the claims in the Collaborative Protection Profile for Network Devices (NDcPP) (See section 1.2 for specific version information). The only capabilities covered by the evaluation are those specified in the [NDcPP] Protection Profile, all other capabilities are not covered in the evaluation. The security functionality specified in [NDcPP] includes identification and authentication of administrators, auditing of security-relevant events, ability to verify the source and integrity of updates to the TOE, protected communications for administration and TOE operation, and specifies CAVP-validated cryptographic mechanisms. The Security Target contains the following additional sections: TOE Description (Section 2) Security Problem Definition (Section 3) Security Objectives (Section 4) IT Security Requirements (Section 5) TOE Summary Specification (Section 6) Protection Profile Claims (Section 7) Rationale (Section 8). 1.1 Security Target, TOE and CC Identification ST Title AhnLab MDS, MDS with MTA, and MDS Manager V2.1 Security Target ST Version Version 0.4 ST Date June 14, 2017 TOE Identification AhnLab MDS, MDS with MTA, and MDS Manager V2.1 TOE Versions:

4 Product Series Specific Product Device Device Software MDS MDS 1000 MDS Analyzer: MDS 2000 MDS 4000 MDS 6000 MDS 8000 MDS10000 Data Viewer: Host Controller: MDS with MTA MDS 4000 MDS Analyzer: MDS 6000 Data Viewer: Host Controller: MDS 8000 MDS Manager MDS MDS Manager 2000 MDS Manager 5000R MDS Manager 10000R Data Viewer: Host Controller: Data Viewer: Host Controller: Data Viewer: Host Controller: TOE Developer AhnLab Evaluation Sponsor AhnLab CC Identification Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September Conformance Claims This ST and the TOE it describes are conformant to the following CC specifications: collaborative Protection Profile for Network Devices Version 1.0, 27 February 2015, [CPPND] and including the following optional SFRs: FAU_STG.1, FCS_HTTPS_ET.1, FCS_SSHS_ET.1, FCS_TLSC_ET.2, and FCS_TLSS_ET.1. The following NIAP Technical Decisions apply to this PP and have been accounted for in the ST development and the conduct of the evaluation: TD0090: NIT Technical Decision for FMT_SMF.1.1 Requirement in NDcPP TD0094: NIT Technical Decision for validating a published hash in NDcPP TD0095: NIT Technical Interpretations regarding audit, random bit generation, and entropy in NDcPP TD0111: NIT Technical Decision for third party libraries and FCS_CKM.1 in NDcPP and FWcPP TD0112: NIT Technical Decision for TLS testing in the NDcPP v1.0 and FW cpp v1.0. TD0113: NIT Technical Decision for testing and trusted updates in the NDcPP v1.0 and FW cpp v1.0 TD0114: NIT Technical Decision for Re-Use of FIPS test results in NDcPP and FWcPP TD0115: NIT Technical Decision for Transport mode and tunnel mode in IPsec communication in NDcPP and FWcPP 4

5 TD0116: NIT Technical Decision for a Typo in reference to RSASSA-PKCS1v1_5 in NDcPP and FWcPP TD0117 (supercedes TD0093): NIT Technical Decision for FIA_509_ET.1.1 Requirement in NDcPP TD0125: NIT Technical Decision for Checking validity of peer certificates for HTTPS servers TD0126: NIT Technical Decision for TLS Mutual Authentication TD0130: NIT Technical Decision for Requirements for Destruction of Cryptographic Keys TD0143: NIT Technical Decision for Failure testing for TLS session establishment in NDcPP and FWcPP TD0150: NIT Technical Decision for Removal of SSH re-key audit events in the NDcPP v1.0 and FW cpp v1.0 TD0151: NIT Technical Decision for FCS_TLSS_ET Testing - Issue 1 in NDcPP v1.0. TD0152: NIT Technical Decision for Reference identifiers for TLS in the NDcPP v1.0 and FW cpp v1.0 TD0153: NIT Technical Decision for Auditing of NTP Time Changes in the NDcPP v1.0 and FW cpp v1.0 TD0154: NIT Technical Decision for Versions of TOE Software in the NDcPP v1.0 and FW cpp v1.0 TD0155: NIT Technical Decision for TLSS tests using ECDHE in the NDcPP v1.0. TD0156: NIT Technical Decision for SSL/TLS Version Testing in the NDcPP v1.0 and FW cpp v1.0 TD0160: NIT Technical Decision for Transport mode and tunnel mode in IPSEC communications TD0164: NIT Technical Decision for Negative testing for additional ciphers for SSH TD0165: NIT Technical Decision for Sending the ServerKeyExchange message when using RSA TD0167: NIT Technical Decision for Testing SSH 2^28 packets TD0168: NIT Technical Decision for Mandatory requirement for CSR generation TD0169: NIT Technical Decision for Compliance to RFC5759 and RFC5280 for using CRLs TD0170: NIT Technical Decision for SNMPv3 Support TD0181: NIT Technical Decision for Self-testing of integrity of firmware and software TD0182: NIT Technical Decision for Handling of.509 certificates related to ssh-rsa and remote comms TD0183: NIT Technical Decision for Use of the Supporting Document TD0184: NIT Technical Decision for Mandatory use of.509 certificates TD0185: NIT Technical Decision for Channel for Secure Update TD0186: NIT Technical Decision for Applicability of.509 certificate testing to IPsec TD0187: NIT Technical Decision for Clarifying FIA_509_ET.1 test 1 TD0188: NIT Technical Decision for Optional use of.509 certificates for digital signatures 5

6 TD0189: NIT Technical Decision for SSH Server Encryption Algorithms TD0191: NIT Technical Decision for Using secp521r1 for TLS communication TD0195: NIT Technical Decision Making DH Group 14 optional in FCS_IPSEC_ET Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 4, September 2012 Part 2 Extended Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 4, September 2012 Part 3 Conformant 1.3 Conventions The following conventions have been applied in this document: Security Functional Requirements Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement. o o o o Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a number in parentheses placed at the end of the component. For example, FDP_ACC.1(1) and FDP_ACC.1(2) indicate that the ST includes two iterations of the FDP_ACC.1 requirement, (1) and (2). Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g., [[selectedassignment]]). Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]). Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., all objects or some big things ). Note that cases that are not applicable in a given SFR have simply been removed without any explicit identification. Other sections of the ST Other sections of the ST use bolding to highlight text of special interest, such as captions Abbreviations and Acronyms ACL AES APT CBC CC CLI DH FIPS HMAC Access Control List Advanced Encryption Standard Advanced Persistent Threat Cipher-Block Chaining Common Criteria for Information Technology Security Evaluation Command Line Interface Diffie-Hellman Federal Information Processing Standard Hashed Message Authentication Code 1 The TOE does not claim IPsec, therefore TD0195 is not applicable. 6

7 HTTPS IP IPsec IT CPPND MDS MTA NIT PP RSA SA SAR SFR SHA SSH ST TOE TSF Hyper-Text Transport Protocol Secure Internet Protocol Internet Protocol Security Information Technology Collaborative Protection Profile for Network Devices Malware Defense System Message Transfer Agent Network itc Interpretations Team Protection Profile Rivest, Shamir and Adleman (algorithm for public-key cryptography) Security Association Security Assurance Requirement Security Functional Requirement Secure Hash Algorithm Secure Shell Security Target Target of Evaluation TOE Security Functions 7

8 2. TOE Description The AhnLab MDS protection system mitigates Advanced Persistent Threat (APT) attacks by identifying known and unknown malware, detecting suspicious traffic, and removing the detected threats. The AhnLab MDS is a malware detection system that inspects network traffic and initiates intrusion mitigation. It is not a network communication filtering device (i.e., not a firewall). The Target of Evaluation (TOE) is the AhnLab MDS, MDS with MTA, and MDS Manager V2.1. AhnLab Malware Defense System (MDS) and MDS with MTA are network devices that provide malware detection for enterprise network security, protecting networks from Advanced Persistent Threat attacks, and provide the capability to immediately respond to remediate infected end-point systems. MDS with MTA also provides MTA functionality via purchase of separate license. MDS Manager is a network device without malware detection capabilities. In a distributed architecture, the MDS Manager Series Appliances also provide the capability to remotely manage multiple MDS and MDS/MTA appliances. However since distributed architectures are not included in the TOE, this capability is not evaluated. Each network device in the TOE: MDS, MDS with MTA, and MDS Manager provides all of the security requirements defined by the NDcPP including Security Audit, Cryptographic Support, Identification and Authentication, Security Management, Protection of the TSF, TOE Access, and Trusted path/channels. The TOE consists of the following appliances: MDS, or MDS with MTA, or MDS Manager identified above; and the software installed on the appliance. Each TOE instance consists of a single appliance and is capable of providing all security functions specified in [NDcPP]. Internally, the devices differ in the amount of internal memory, the operating system, the type of CPU and the number of network ports. The device specifications are as follows. Device Main Processor Storage Network Ports Operating System MDS 1000 MDS 2000 Intel Core i3 Dual Core Intel eon Quad Core MDS 4000 Intel eon 10 Core Intel eon Quad Core 2ea MDS 6000 MDS 8000 Intel eon 12 Core 2ea Intel eon 18 MDS10000 Core 2ea MDS 2000 Manager MDS Manager 5000R Intel eon Dual Core 3.1 Ghz Intel eon Quad Core 3.2 Ghz HDD: 1TB HDD: 1TB, SSD: 256GB HDD: 2TB, SSD: 480GB HDD: 1TB, SSD: 512GB HDD: 4TB, SSD: 1.2GB HDD: 2TB, SSD: 3.2TB HDD:500GB, Main: 4GB HDD: 2TB; Main: 8GB 1G Ports(Copper) 6ea 1G Ports (Fiber) 2ea 1G Ports(Copper) 5ea 1G Ports (Copper/Fiber combo) 4ea Linux Linux GbE (Copper) 4ea Linux G Ports(Copper) 2ea 1G Ports (Cooper) or (Fiber) 8ea 10G Ports (Fiber) 2ea Linux GbE (Copper) 4ea Linux /100/1000 Ethernet Ports(Copper) 2ea (MGT) 1G Ports (Fiber) 8ea 10G Ports (Fiber) 4ea 1G Ports(Copper) 2ea 1G Ports(Copper) 2ea Linux gentoo gentoo 8

9 MDS Manager 10000R Intel eon Quad Core 3.4 Ghz HDD: 4TB; Main 16GB 1G Ports(Copper) 2ea gentoo 2.1 TOE Overview The MDS product is a network device providing APT analysis, detection and remediation of monitored network communications. MDS with MTA provides additional message transfer agent (MTA) functionality that is responsible for transferring and routing electronic mail messages. The MDS Manager device provides a subset of the MDS device functionality (it does not contain the analyzer component) but provides all of the security functionality specified in the [CPPND]. 2.2 TOE Architecture The TOE is comprised of one instance of the following product series appliances with software: MDS Series Appliance MDS with MTA Series Appliance MDS Manager Series Appliance The specific device models and software for each series are identified in Section 1.1. Each appliance includes a MDS Manager software component that monitors and responds to malware and abnormal traffic detected by the MDS Analyzer component (described below). The MDS Manager software component has two parts: a Data Viewer and a Host Controller. The Data Viewer records and displays logs and warnings about detected malware files and security events. The Data Viewer observes the abnormal patterns of files and network traffic transferred through the host systems within the internal network, which are logically connected to the MDS system, and controlled directly by Host Controller. The Host Controller runs threat scans and remediation commands on host systems. The Host Controller receives the commands for responding to the malware, based on the administrator's settings, and also communicates with the external MDS agent (when configured) for remediation of detected threats. MDS Agents are not included in the evaluated configuration. The MDS Manager software component included in all appliances provide all of the security functions specified in the NDcPP: identification and authentication of administrators, auditing of security-relevant events, ability to verify the source and integrity of updates to the TOE, protected communications for administration and TOE operation, and specifies CAVP-validated cryptographic mechanisms using OpenSSL-FIPS The MDS and MDS with MTA appliances also contain the MDS Analyzer component that detects and analyzes known and unknown malicious files. The MDS Analyzer is located within the network such that it can monitor all of the network traffic. All traffic monitored by the MDS Analyzer is scanned and detected malware causes a notification to be sent to the MDS Manager software component. The MDS Analyzer does not provide any security functionality defined in this ST. The MDS with MTA appliance also consists of MTA functionality available through purchase of a separate license. In summary, the TOE appliances are network devices composed of the following software components: MDS Appliance: MDS Manager software component, and MDS Analyzer component MDS with MTA Appliance: MDS Manager software component, MDS Analyzer component, and license to activate the MTA functionality. MDS Manager Appliance: MDS Manager software component 9

10 The MDS Manager software component provides all of the security functions expected for a secure network device as defined in the NDcPP. These are summarized above and in Section and defined in Section 5.2 of this ST. The TOE is a hardware appliance with embedded software installed at the factory. The TOE must be initially configured (e.g., network addresses, default routes, administrator accounts) using a command line interface from a local directly connected console. Once network interfaces have been configured on an appliance, administration of the TOE is performed either from a local, directly connected console, or from a networked administrative workstation. Administration from a network workstations is performed using either an SSH protected terminal emulator or a TLS protected browser connection. The AhnLab MDS products come packaged with MDS Agent software that can be subsequently installed on a host/pc to support the product s malware detection and mitigation functions. When installed, the Agent software does not execute within the MDS appliance and does not provide any of the TOEs security functions. In the evaluated configuration, the Agent software is not installed. The following three figures show sample deployment topologies for each of the three TOEs. Note the product supports multiple deployments and as such shows some components or multiple TOEs in a deployment. In the evaluated configuration, distributed TOEs are not supported; each TOE instance is a single device. In addition, the evaluated configuration does not include agents for any of the TOE instances. Please see the AhnLab guidance documentation for more details on the other deployment options. To assist in interpreting the figures please refer to the following: Solid lines: physical networks Dotted lines: management communication: for example the Data Viewer in the MDS Manager device can manage agent status in Host Controller in MDS or MDS Manager devices Red dotted line: monitoring for traffic to MDS analyzer Green line: MDS agent deploy Triangle: mirrored port 10

11 Figure 1 depicts a sample topology for the MDS Appliance TOE. Figure 1: Sample MDS Network Topology 11

12 Figure 2 depicts a sample topology for the MDS Manager TOE. In the evaluated configuration, the MDS Manager TOE is installed as a single instance with both Data Viewer and Host Controller software and without an MDS Analyzer device. The figure depicts the MDS Managers deployed in two distinct roles Data Viewer and Host Controller. The capabilities associated with each role are not covered by the evaluation, only the functions necessary to meet the requirements of [NDcPP]. Figure 2: Sample MDS and MDS Manger Network Topology 12

13 Figure 3 depicts a sample topology for the MDS with MTA TOE Physical Boundaries Figure 3: Sample MDS with MTA Network Topology The basic architecture of the AhnLab TOE is a single physical, hardware appliance with a local console port and network ports. The TOE is comprised of this physical appliance; and the software running within it. Being a network device, network protocols are some of the primary interfaces to the TOE. In the evaluated configuration, the following IP ports must be configured (TOE instance dependent). Port Description TCP Web Management Interface (for MDS/MDS with MTA) TCP Web Management Interface (for MDS Manager) TCP 22 Secure Shell connection to CLI for management UDP 514/516 The port used to transfer the logs using the syslog port (UDP 514) 13

14 Table 1: TOE Ports The TOE s operational environment must include: o o o an external log server, an NTP server (optional), and An administrative workstation equipped with a chrome version 40 (or higher) browser and SSH client software. SNMP is not included in the evaluated configuration and must not be configured or used. In addition, agents are not installed in the evaluated configuration Logical Boundaries This section summarizes the security functions provided by AhnLab MDS, MDS with MTA, and Manager: Security audit Cryptographic support Identification and authentication Security management Protection of the TSF TOE access Trusted path/channels Given that this Security Target conforms to the NDcPP, the security claims in this Security Target focus on the TOE as a secure network infrastructure device and do not focus on other key functions provided by the TOE, such as malware detection and mitigation. However, those functions can be freely used without affecting the claimed and evaluated security functions; they simply have not been evaluated to work correctly themselves Security Audit The TOE generates security relevant audit records including administrative activity. The audit records are stored on the TOE, protected from unauthorised deletion and can be sent to a remote audit server for storage. The connection for transmission of audit records uses TLS Cryptographic Support The TOE includes cryptographic functionality that provide random bit-generation, encryption/decryption, digital signature, secure hashing and key-hashing features. These features support cryptographic protocols including SSH, TLS and HTTPS Identification and Authentication The TOE identifies and authenticates all users prior to granting them access to the Web Management or Command Line interfaces. The TOE provides the ability to define administrative accounts that have permission to view and/or modify TOE configuration variables. Each of these administrative accounts has its own password. The TOE provides Password Management restrictions including support for minimum characters, and restrictions for character usage. The TOE provides.509 Certificate Validation, Authentication, and.509 Certificate Requests for certificates used in trusted channel protocols. 14

15 Security Management The TOE offers two administrative interfaces a Command Line Interface (CLI) provided at a local console as well as through SSH and a graphical user interface provided through TLS/HTTPS. Both interfaces require a username and password prior to allowing any administrative actions to define accounts and configure TOE functionality. SSH also supports authentication via public-key. The System Administrator is considered to be the authorized Security Administrator of the TOE (as defined in the [NDcPP]). The TOE provides functions to manage the TOE and TOE data Protection of the TSF The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features. The TOE ensures that sensitive information such as passwords and cryptographic keys are stored such that they are not accessible even to an administrator. The TOE provides its own internal clock which it uses to provide a reliable time source for audit records. The TOE includes functions to perform self-tests and mechanisms for the update of the TOE software/firmware TOE Access The TOE can be configured to display an informative banner when an administrator establishes an interactive session. The TOE can also enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated. Finally, the TOE allows administrators to terminate their own session Trusted Path/Channels The TOE protects administrator communications from network workstations using SSHv2, TLS v1.1 and TLS v1.2 depending upon the interface being accessed. The administrative Command Line Interface is access through the SSHv2 protocol, while TLS/HTTPS is used for the Web Management interface. In each case, both integrity and disclosure protection is ensured by the protocol being used. If the negotiation of an encrypted session fails or if the user does not have authorization for remote administration, an attempted connection is not established. The TOE protects communication with an external log server to prevent unintended disclosure or modification of audit records. 2.3 TOE Documentation There are numerous documents that provide information and guidance for the deployment of the TOE. In particular, the following Common Criteria specific guides reference the security-related guidance material for all devices in the evaluated configuration: AhnLab MDS V2.1, MDS Manager V2.1, MDS (MTA License Applied) V2.1 Configuring Common Criteria Compliance Guide v0.3 ( ) AhnLab MDS Installation Guide, v1.1 (May 30, 2016) AhnLab_mds_cli_eng, v1.1 (May 30, 2016) AhnLab_MDS_Admin_Guide, v1.1 (May 30, 2016) AhnLab MDS (MTA) Installation Guide, v1.1 (May 30, 2016) AhnLab_MDS (MTA)_cli_eng, v1.1 (May 30, 2016) AhnLab MDS (MTA) Admin Guide, v1.1 (May 30, 2016) AhnLab MDS Manager Installation Guide, v1.1 (May 30, 2016) 15

16 AhnLab_mds manager_cli_eng, v1.1 (May 30, 2016) AhnLab MDS Manager Admin Guide, v1.1 (May 30, 2016) 16

17 3. Security Problem Definition This security target includes by reference the Security Problem Definition (composed of organizational policies, threat statements, and assumptions) from the collaborative Protection Profile for Network Devices Version 1.0, 27 February 2015 (CPPND). The [CPPND] offers additional information about the identified threats, but that has not been reproduced here and the [CPPND] should be consulted if there is interest in that material. In general, the [CPPND] has presented a Security Problem Definition appropriate for network infrastructure devices, such as an IDS, and as such is applicable to the AhnLab MDS, MDS with MTA, and MDS Manager TOE. 17

18 4. Security Objectives The [CPPND] security objectives for the operational environment are reproduced below, since these objectives characterize technical and procedural measures each consumer must implement in their operational environment. The [CPPND] does not specifically define any security objectives for the TOE. In general, the [CPPND] has presented a Security Objectives statement appropriate for network infrastructure devices, such as an IDS, and as such is applicable to the AhnLab MDS, MDS with MTA, and MDS Manager TOE. 4.1 Security Objectives for the TOE OE.PHYSICAL OE.NO_GENERAL_PURPOSE OE.NO_THRU_TRAFFIC_PROTECTION OE.TRUSTED_ADMIN OE.UPDATES OE.ADMIN_CREDENTIALS_SECURE Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment. There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. The TOE does not provide any protection of traffic that traverses it. It is assumed that protection of this traffic will be covered by other security and assurance measures in the operational environment. TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. The TOE firmware and software is updated by an administrator on a regular basis in response to the release of product updates due to known vulnerabilities. The administrator s credentials (private key) used to access the TOE must be protected on any other platform on which they reside 18

19 5. IT Security Requirements This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort. The SFRs have all been drawn from the Protection Profile (PP): collaborative Protection Profile for Network Devices Version 1.0, 27 February 2015, [CPPND]. As a result, refinements and operations already performed in that PP are not identified (e.g., highlighted) here, rather the requirements have been copied from that PP and any residual operations have been completed herein. Of particular note, the [CPPND] made a number of refinements and completed some of the SFR operations defined in the CC and that PP should be consulted to identify those changes if necessary. The SARs are the set of SARs specified in [CPPND]. 5.1 Extended Requirements All of the extended requirements in this ST have been drawn from the [CPPND]. The [CPPND] defines the following extended SFRs and since they are not redefined in this ST, the [CPPND] should be consulted for more information in regard to those CC extensions. FAU_STG_ET.1: Protected Audit Event Storage FCS_HTTPS_ET.1: HTTPS Protocol FCS_RBG_ET.1: Random Bit Generation FCS_SSHS_ET.1: SSH Server Protocol FCS_TLSC_ET.2: TLS Client Protocol with Authentication FCS_TLSS_ET.1: TLS Server Protocol FIA_PMG_ET.1: Password Management FIA_UIA_ET.1: User Identification and Authentication FIA_UAU_ET.2: Password-based Authentication Mechanism FIA_509_ET.1:.509 Certificate Validation FIA_509_ET.2: 509 Certificate Authentication FIA_509_ET.3:.509 Certificate Requests FPT_APW_ET.1: Protection of Administrator Passwords FPT_SKP_ET.1: Protection of TSF Data (for reading of all symmetric keys) FPT_TST_ET.1: TSF Testing FPT_TUD_ET.1: Trusted Update FTA_SSL_ET.1: TSF-initiated Session Locking 5.2 TOE Security Functional Requirements The following table identifies the SFRs that are satisfied by the TOE. 19

20 Requirement Class FAU: Security audit FCS: Cryptographic support FIA: Identification and authentication FMT: Security management FPT: Protection of the TSF FTA: TOE access FTP: Trusted path/channels Security Audit (FAU) Audit Data Generation (FAU_GEN.1) FAU_GEN.1.1 Requirement Component FAU_GEN.1: Audit Data Generation FAU_GEN.2: User identity association FAU_STG.1: Protected audit trail storage FAU_STG_ET.1: Protected Audit Event Storage FCS_CKM.1: Cryptographic Key Generation (for asymmetric keys) FCS_CKM.2: Cryptographic Key Establishment (Refined) FCS_CKM.4: Cryptographic Key Destruction FCS_COP.1(1): Cryptographic Operation (AES Data Encryption/ Decryption) FCS_COP.1(2): Cryptographic Operation (Signature Generation and Verification) FCS_COP.1(3): Cryptographic Operation (Hash Algorithm) FCS_COP.1(4): Cryptographic Operation (Keyed Hash Algorithm) FCS_HTTPS_ET.1: HTTPS Protocol FCS_RBG_ET.1: Random Bit Generation FCS_SSHS_ET.1: SSH Server Protocol FCS_TLSC_ET.2: TLS Client Protocol with Authentication FCS_TLSS_ET.1: TLS Server Protocol FIA_PMG_ET.1: Password Management FIA_UIA_ET.1: User Identification and Authentication FIA_UAU_ET.2: Password-based Authentication Mechanism FIA_UAU.7: Protected Authentication Feedback FIA_509_ET.1:.509 Certificate Validation FIA_509_ET.2:.509 Certificate Authentication FIA_509_ET.3:.509 Certificate Requests FMT_MOF.1(1)/TrustedUpdate: Management of security functions behaviour FMT_MTD.1: Management of TSF Data FMT_SMF.1: Specification of Management Functions FMT_SMR.2: Restrictions on Security Roles FPT_APW_ET.1: Protection of Administrator Passwords FPT_SKP_ET.1: Protection of TSF Data (for reading of all symmetric keys) FPT_TST_ET.1: TSF Testing (Extended) FPT_TUD_ET.1: Trusted Update FPT_STM.1: Reliable Time Stamps FTA_SSL_ET.1: TSF-initiated Session Locking FTA_SSL.3: TSF-initiated Termination FTA_SSL.4: User-initiated Termination FTA_TAB.1: Default TOE Access Banners FTP_ITC.1: Inter-TSF Trusted Channel (Refined) FTP_TRP.1: Trusted Path (Refinement) Table 2 TOE Security Functional Components The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the not specified level of audit; and c) All administrative actions comprising: 20

21 Administrative login and logout (name of user account shall be logged if individual user accounts are required for administrators). Security related configuration changes (in addition to the information that a change occurred it shall be logged what has been changed). Generating/import of, changing, or deleting of cryptographic keys (in addition to the action itself a unique key name or key reference shall be logged). 2 Resetting passwords (name of related user account shall be logged). Starting and stopping services (if applicable) [no other actions]; d) Specifically defined auditable events listed in Table 3. Requirement Auditable Events Additional Audit Record Contents FCS_HTTPS_ET.1 Failure to establish a HTTPS Session. Reason for failure FCS_SSHS_ET.1 3 Failure to establish an SSH session Reason for failure FCS_TLSC_ET.2 Failure to establish a TLS session Reason for failure FCS_TLSS_ET.1 Failure to establish a TLS Session Reason for failure FIA_UIA_ET.1 FIA_UAU_ET.2 FIA_509_ET.1 All use of identification and authentication mechanism. All use of identification and authentication mechanism Unsuccessful attempt to validate a certificate Provided user identity, origin of the attempt (e.g., IP address). Provided user identity, origin of the attempt (e.g., IP address). Reason for failure FMT_MOF.1(1)/TrustedUpdate Any attempt to initiate a None manual update FMT_MTD.1 All management activities None of TSF data FPT_STM.1 Changes to time. The old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). FPT_TUD_ET.1 Initiation of update; result of the update attempt (success or failure) No additional information FTA_SSL_ET.1 Any attempts at unlocking of an interactive session. 4 The termination of a remote session by the session locking mechanism. None FTA_SSL.3 The termination of a remote session by None 2 There are no administrative tasks requiring generating/import of, changing, or deleting of cryptographic keys. Therefore there no audit records are generated for management of cryptographic keys. 3 TD0150 has removed Successful SSH rekey events from the audit table (for FCS_SSHS_ET.1). 4 Lock the session is an optional selection in FTA_SSL_ET.1. The SFR also allows terminate the session which is the selection for this TOE. Therefore the audit event was corrected to reflect this selection. 21

22 Requirement Auditable Events Additional Audit Record Contents the session locking mechanism. FTA_SSL.4 The termination of an interactive session. None FTP_ITC.1 FTP_TRP.1 Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions Table 3 Auditable Events Identification of the initiator and target of failed trusted channels establishment attempt Identification of the claimed user identity FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: 1) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and 2) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, information specified in column three of Table User identity association (FAU_GEN.2) FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event Protected audit trail storage (FAU_STG.1) FAU_STG.1.1 FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion. The TSF shall be able to prevent unauthorised modifications to the stored audit records in the audit trail Protected Audit Event Storage (FAU_STG_ET.1) FAU_STG_ET.1.1 The TSF shall be able to transmit the generated audit data to an external IT entity using a trusted channel according to FTP_ITC.1. FAU_STG_ET.1.2 FAU_STG_ET.1.3 The TSF shall be able to store generated audit data on the TOE itself. The TSF shall [overwrite previous audit records according to the following rule: [the TOE begins overwriting the oldest events when the device disk size reaches a defined percentage of its capacity]] when the local storage space for audit data is full Cryptographic Support (FCS) Cryptographic Key Generation (Refined) (for asymmetric keys) (FCS_CKM.1) FCS_CKM.1.1 The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm: [ RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, Digital Signature Standard (DSS), Appendix B.3; ]. 22

23 Cryptographic Key Establishment (Refined) (FCS_CKM.2) FCS_CKM.2.1 The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method: [ ] Cryptographic Key Destruction (FCS_CKM.4) FCS_CKM RSA-based key establishment schemes that meets the following: NIST Special Publication B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography ; The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [ For plaintext keys in volatile storage, the destruction shall be executed by a [single overwrite consisting of [zeroes]]; For plaintext keys in non-volatile storage, the destruction shall be executed by the invocation of an interface provided by a part of the TSF that [ o logically addresses the storage location of the key and performs a [single] overwrite consisting of [zeroes]] ] that meets the following: No Standard Cryptographic Operation (AES Data Encryption/Decryption)) (FCS_COP.1(1)) FCS_COP.1.1(1) The TSF shall perform encryption/decryption in accordance with a specified cryptographic algorithm AES used in [CBC] mode and cryptographic key sizes [128 bits, 256 bits] that meet the following: AES as specified in ISO , [CBC as specified in ISO 10116] Cryptographic Operation (Signature Generation and Verification)) (FCS_COP.1(2)) FCS_COP.1.1(2) The TSF shall perform cryptographic signature services (generation and verification) in accordance with a specified cryptographic algorithm [ RSA Digital Signature Algorithm and cryptographic key sizes (modulus) [2048 bits], ] that meets the following: [ ]. For RSA schemes: FIPS PUB 186-4, Digital Signature Standard (DSS), Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5 6 ; ISO/IEC , Digital signature scheme 2 or Digital Signature scheme 3, 5 This SFR has been changed by TD TD0116 has been applied to correct the type in the PP. 23

24 Cryptographic Operation (Hash Algorithm) (FCS_COP.1(3)) FCS_COP.1.1(3) The TSF shall perform cryptographic hashing services in accordance with a specified cryptographic algorithm [SHA-1, SHA-256] that meet the following: ISO/IEC :2004. Application Note: The TOE platform uses SHA-256 for trusted update verification and for protection of Administrator passwords Cryptographic Operation (Keyed Hash Algorithm) (FCS_COP.1(4)) FCS_COP.1.1(4) HTTPS Protocol (FCS_HTTPS_ET.1) The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm [HMAC-SHA-256] and cryptographic key sizes [256 bits] and message digest sizes [256] bits that meet the following: ISO/IEC :2011, Section 7 MAC Algorithm 2. FCS_HTTPS_ET.1.1 The TSF shall implement the HTTPS protocol that complies with RFC FCS_HTTPS_ET.1.2 The TSF shall implement HTTPS using TLS. FCS_HTTPS_ET.1.3 The TSF shall establish the connection only if [the peer initiates handshake] Random Bit Generation (FCS_RBG_ET.1) FCS_RBG_ET.1.1 FCS_RBG_ET.1.2 The TSF shall perform all deterministic random bit generation services in accordance with ISO/IEC 18031:2011 using [CTR_DRBG (AES)]. The deterministic RBG shall be seeded by at least one entropy source that accumulates entropy from [[one] software-based noise source] with a minimum of [256 bits] of entropy at least equal to the greatest security strength, according to ISO/IEC 18031:2011 Table C.1 Security Strength Table for Hash Functions, of the keys and hashes that it will generate SSH Server Protocol (FCS_SSHS_ET.1) FCS_SSHS_ET.1.1 The TSF shall implement the SSH protocol that complies with RFCs 4251, 4252, 4253, 4254 and [6668]. FCS_SSHS_ET.1.2 The TSF shall ensure that the SSH protocol implementation supports the following authentication methods as described in RFC 4252: public key-based, password-based. FCS_SSHS_ET.1.3 The TSF shall ensure that, as described in RFC 4253, packets greater than [3500 bytes] bytes in an SSH transport connection are dropped. FCS_SSHS_ET.1.4 The TSF shall ensure that the SSH transport implementation uses the following encryption algorithms and rejects all other encryption algorithms: [aes128-cbc, aes256- cbc]. FCS_SSHS_ET.1.5 The TSF shall ensure that the SSH transport implementation uses [ssh-rsa] and [no other public key algorithms] as its public key algorithm(s) and rejects all other public key algorithms. FCS_SSHS_ET.1.6 The TSF shall ensure that the SSH transport implementation uses [hmac-sha2-256] and [no other MAC algorithms] as its MAC algorithm(s) and rejects all other MAC algorithm(s). FCS_SSHS_ET.1.7 The TSF shall ensure that [diffie-hellman-group14-sha1] and [no other methods] are the only allowed key exchange methods used for the SSH protocol FCS_SSHS_ET The TSF shall ensure that within SSH connections the same session keys are used for a threshold of no longer than one hour, and no more than one gigabyte of transmitted data. After either of the thresholds are reached a rekey needs to be performed. 7 This requirement has been changed by TD

25 TLS Client Protocol with Authentication (FCS_TLSC_ET.2) FCS_TLSC_ET.2.1 The TSF shall implement [TLS 1.2 (RFC 5246)] supporting the following ciphersuites: Mandatory Ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 3268 [Optional Ciphersuites: TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 3268]. FCS_TLSC_ET.2.2 FCS_TLSC_ET.2.3 FCS_TLSC_ET.2.4 FCS_TLSC_ET.2.5 The TSF shall verify that the presented identifier matches the reference identifier according to RFC The TSF shall only establish a trusted channel if the peer certificate is valid. The TSF shall present the Supported Elliptic Curves Extension in the Client Hello with the following NIST curves: [none] and no other curves. The TSF shall support mutual authentication using.509v3 certificates TLS Server Protocol (FCS_TLSS_ET.1) FCS_TLSS_ET.1.1 The TSF shall implement [TLS 1.2 (RFC 5246), TLS 1.1 (RFC 4346)] supporting the following ciphersuites: Mandatory Ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 3268 [Optional Ciphersuites: no other ciphersuite]. FCS_TLSS_ET The TSF shall deny connections from clients requesting SSL 2.0, SSL 3.0, TLS 1.0, and [ none]. FCS_TLSS_ET.1.3 The TSF shall generate key establishment parameters using RSA with key size 2048 bits and [no other size] and [no other] Identification and Authentication (FIA) Password Management (FIA_PMG_ET.1) FIA_PMG_ET.1.1 The TSF shall provide the following password management capabilities for administrative passwords: a) Passwords shall be able to be composed of any combination of upper and lower case letters, numbers, and the following special characters: #, %, ^, *, (, ), [ _, +, -, =, [, ], \, {, },, :, ;,,,., /,? ]]; b) Minimum password length shall settable by the Security Administrator, and support passwords of 15 characters or greater. 8 This requirement has been changed by TD This SFR was modified by TD

26 User Identification and Authentication (FIA_UIA_ET.1) FIA_UIA_ET.1.1 The TSF shall allow the following actions prior to requiring the non-toe entity to initiate the identification and authentication process: Display the warning banner in accordance with FTA_TAB.1; [no other actions] FIA_UIA_ET.1.2 The TSF shall require each administrative user to be successfully identified and authenticated before allowing any other TSF-mediated actions on behalf of that administrative user Password-based Authentication Mechanism (FIA_UAU_ET.2) FIA_UAU_ET.2.1 The TSF shall provide a local password-based authentication mechanism, [none] to perform administrative user authentication Protected Authentication Feedback (FIA_UAU.7) FIA_UAU.7.1 The TSF shall provide only obscured feedback to the administrative user while the authentication is in progress at the local console Certificate Validation (FIA_509_ET.1) FIA_509_ET.1.1 FIA_509_ET.1.2 The TSF shall validate certificates in accordance with the following rules: RFC 5280 certificate validation and certificate path validation. The certificate path must terminate with a trusted CA certificate. The TSF shall validate a certificate path by ensuring the presence of the basicconstraints extension and that the CA flag is set to TRUE for all CA certificates. The TSF shall validate the revocation status of the certificate using [Certificate Revocation List (CRL) as specified in RFC 5759 Section 5]. The TSF shall validate the extendedkeyusage field according to the following rules: o o o o Certificates used for trusted updates and executable code integrity verification shall have the Code Signing purpose (id-kp 3 with OID ) in the extendedkeyusage field. Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID ) in the extendedkeyusage field. Client certificates presented for TLS shall have the Client Authentication purpose (id-kp 2 with OID ) in the extendedkeyusage field. OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose (id-kp 9 with OID ) in the extendedkeyusage field. The TSF shall only treat a certificate as a CA certificate if the basicconstraints extension is present and the CA flag is set to TRUE. 26

27 Certificate Authentication (FIA_509_ET.2) FIA_509_ET.2.1 FIA_509_ET.2.2 The TSF shall use.509v3 certificates as defined by RFC 5280 to support authentication for [TLS], and [no additional uses]. When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall [not accept the certificate] Certificate Requests (FIA_509_ET.3) FIA_509_ET.3.1 FIA_509_ET Security Management (FMT) The TSF shall generate a Certificate Request Message as specified by RFC 2986 and be able to provide the following information in the request: public key and [Common Name, Organization, Organizational Unit, Country]. The TSF shall validate the chain of certificates from the Root CA upon receiving the CA Certificate Response Management of Security Functions Behavior (FMT_MOF.1(1)/ TrustedUpdate) FMT_MOF.1.1(1)/TrustedUpdate The TSF shall restrict the ability to enable the functions to perform manual update to Security Administrators Management of TSF Data (FMT_MTD.1) FMT_MTD.1.1 The TSF shall restrict the ability to manage the TSF data to Security Administrators Specification of Management Functions (FMT_SMF.1) FMT_SMF Restrictions on Security (FMT_SMR.2) FMT_SMR.2.1 FMT_SMR.2.2 FMT_SMR.2.3 The TSF shall be capable of performing the following management functions: Ability to administer the TOE locally and remotely; Ability to configure the access banner; Ability to configure the session inactivity time before session termination or locking; Ability to update the TOE, and to verify the updates using [hash comparison 10 ] capability prior to installing those updates; [No other capabilities.] The TSF shall maintain the roles: Security Administrator. The TSF shall be able to associate users with roles. The TSF shall ensure that the conditions The Security Administrator role shall be able to administer the TOE locally; The Security Administrator role shall be able to administer the TOE remotely are satisfied. 10 FMT_SMF.1 was modified to comply with TD

28 5.2.5 Protection of the TSF (FPT) Protection of Administrator Passwords (FPT_APW_ET.1) FPT_APW_ET.1.1 FPT_APW_ET.1.2 The TSF shall store passwords in non-plaintext form. The TSF shall prevent the reading of plaintext passwords Protection of TSF Data (for reading of all symmetric keys) (FPT_SKP_ET.1) FPT_SKP_ET.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys TSF Testing (Extended) (FPT_TST_ET.1) FPT_TST_ET Trusted Update (FPT_TUD_ET.1) FPT_TUD_ET.1.1 FPT_TUD_ET.1.2 FPT_TUD_ET Reliable Time Stamps (FPT_STM.1) FPT_STM TOE Access (FTA) The TSF shall run a suite of the following self-tests [during initial start-up (on power on), periodically during normal operation, at the request of the authorized user] to demonstrate the correct operation of the TSF: [process monitoring, software checksum tests, and cryptographic module self-tests]. The TSF shall provide security administrators the ability to query the currently executing version of the TOE firmware/software and [the most recently installed version of the TOE firmware/software] 11. The TSF shall provide security administrators the ability to manually initiate updates to TOE firmware/software and [no other update mechanism]. The TSF shall provide means to authenticate firmware/software updates to the TOE using a [published hash] prior to installing those updates. The TSF shall be able to provide reliable time stamps TSF-initiated Session Locking (FTA_SSL_ET.1) FTA_SSL_ET.1 The TSF shall, for local interactive sessions, [ terminate the session ] after a Security Administrator-specified time period of inactivity TSF-initiated Termination (FTA_SSL.3) FTA_SSL User-initiated Termination (FTA_SSL.4) FTA_SSL.4.1 Refinement: The TSF shall terminate a remote interactive session after a Security Administrator-configurable time interval of session inactivity. Refinement: The TSF shall allow Administrator-initiated termination of the Administrator s own interactive session. 11 TD0154 has modified this SFR. 28