Cisco 5940 Series Embedded Services Router Security Target. Revision 1.0

Transcription

1 Cisco 5940 Series Embedded Services Router Security Target Revision 1.0 May 2011

2 Table of Contents 1 SECURITY TARGET INTRODUCTION ST and TOE Reference Acronyms and Abbreviations TOE Overview TOE Product Type Supported non-toe Hardware/ Software/ Firmware TOE DESCRIPTION Physical Scope of the TOE Logical Scope of the TOE Identification and Authentication Secure Management Information Flow Control Intrusion Prevention Services Cryptography Secure Auditing TOE Evaluated Configuration Excluded Functionality Conformance Claims Common Criteria Conformance Claim Protection Profile Conformance Protection Profile Refinements Protection Profile Additions Protection Profile Conformance Claim Rationale TOE Appropriateness TOE Security Problem Definition Consistency Statement of Security Objectives Consistency Statement of Security Requirements Consistency SECURITY PROBLEM DEFINITION Assumptions Threats Organizational Security Policies SECURITY OBJECTIVES Security Objectives for the TOE Security Objectives for the Environment SECURITY REQUIREMENTS Conventions TOE Security Functional Requirements SFRs Drawn from pp_fw_tf_br_v Security audit (FAU) Cryptographic Support (FCS) User data protection (FDP) Identification and authentication (FIA) Security management (FMT) Protection of the TSF (FPT)

3 5.4 SFRs in addition to the SFRs found in pp_fw_tf_br_v Cryptographic Support (FCS) User data protection (FDP) Security management (FMT) Trusted Path/Channel (FTP) IDS Component Requirements (IDS) TOE SFR Dependencies Rationale for SFRs Found in pp_fw_tf_br_v TOE SFR Dependencies for SFRs in addition to the SFRs found in pp_fw_tf_br_v Security Assurance Requirements SAR Requirements Security Assurance Requirements Rationale Assurance Measures TOE Summary Specification TOE Security Functional Requirement Measures TOE Bypass and interference/logical tampering Protection Measures RATIONALE Rationale for TOE Security Objectives Rationale for the Security Objectives for the Environment Rationale for requirements/toe Objectives Annex A: References

4 List of Tables Table 1: ST and TOE Identification... 6 Table 2: Acronyms... 6 Table 3: IT Environment Components... 8 Table 4: TOE Provided Cryptography Table 5: Excluded Functionality Table 6: Protection Profiles Table 7: Protection Profile Refinements Table 8: Protection Profile Threat Additions Table 9: Protection Profile Security Objective Additions Table 10: Protection Profile Security Functional Requirement Additions and Refinements Table 11: TOE Assumptions Table 12: Threats Table 13: Security Objectives for the TOE Table 14: Security Objectives for the Environment Table 15: Security Functional Requirements Table 16: Security Functional Requirements Table 17: System Events Table 18: Dependency Rationale Table 19: Assurance Measures Table 20: Assurance Measures Table 21: How TOE SFRs Measures Table 22: Threat/Policies/Objectives Mappings Table 23: Threat/Policies/TOE Objectives Rationale Table 24: Threats/Environment Objectives Mappings Table 25: Assumptions/Threats/Objectives Rationale Table 26: Objective to Requirements Mappings Table 27: Objectives to Requirements Rationale Table 28: References

5 Prepared By: Cisco Systems, Inc. 170 West Tasman Dr. San Jose, CA DOCUMENT INTRODUCTION This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Cisco 5940 Series Embedded Services Router. This Security Target (ST) defines a set of assumptions about the aspects of the environment, a list of threats that the product intends to counter, a set of security objectives, a set of security requirements, and the IT security functions provided by the TOE which meet the set of requirements. 5

6 1 SECURITY TARGET INTRODUCTION The Security Target contains the following sections: Security Target Introduction [Section 1] Conformance Claims [Section 2] Security Problem Definition [Section 3] Security Objectives [Section 4] IT Security Requirements [Section 5] TOE Summary Specification [Section 6] Rationale [Section 7] The structure and content of this ST comply with the requirements specified in the Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter ST and TOE Reference This section provides information needed to identify and control this ST and its TOE. Table 1: ST and TOE Identification ST Title Cisco 5940 Series Embedded Services Router Security Target ST Version 1.0 Publication Date May 2011 Vendor and ST Author Cisco Systems, Inc. TOE Reference Cisco 5940 Series Embedded Services Router TOE Hardware Models conduction cooled processor module; air cooled processor module TOE Software Version IOS 15.1(2)GC1 ST Evaluation Status In Evaluation Keywords Switch, Data Protection, Authentication, Firewall, IDS 1.2 Acronyms and Abbreviations The following acronyms and abbreviations are used in this Security Target: Acronyms / Abbreviations AAA AES CC CEM CM cpci DHCP EAL HTTPS IPS ISR IT Table 2: Acronyms Definition Administration, Authorization, and Accounting Advanced Encryption Standard Common Criteria for Information Technology Security Evaluation Common Evaluation Methodology for Information Technology Security Configuration Management Compact Peripheral Component Interconnect Dynamic Host Configuration Protocol Evaluation Assurance Level Hyper-Text Transport Protocol Secure Intrusion Prevention System Integrated Service Router Information Technology 6

7 Acronyms / Abbreviations 7 Definition J2 A pin connection type for the backplanes of PCI cards. Not an acronym. JTAG Joint Test Action Group OS Operating System PCI Peripheral Component Interconnect PP Protection Profile pp_fw_tf_br_v1.1 U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments RJ-45 Registered Jack 45 SHS Secure Hash Standard SSH Secure Shell ST Security Target TCP Transport Control Protocol TOE Target of Evaluation TSC TSF Scope of Control TSF TOE Security Function TSP TOE Security Policy WAN Wide Area Network WIC WAN Interface Card 1.3 TOE Overview The Cisco 5940 Series Embedded Services Router TOE is a purpose-built, routing platform that includes firewall, Intrusion Prevention, and VPN functionality. The firewall functionality included within the TOE provides the functionality specified in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments. The TOE includes one router module that can operate in any CompactPCI (cpci) 3 unit (3U) chassis TOE Product Type The Cisco 5940 Series Embedded Services Router is a router platform that provides connectivity and security services onto a single, secure device. The flexible, compact form factor of these routers, complemented by Cisco IOS Software, provides highly secure data, voice, and video communications to stationary and mobile network nodes across wired links. In support of the routing capabilities, the Cisco 5940 Series Embedded Services Router provides IPSec connection capabilities for VPN enabled clients connecting through the Cisco 5940 Series Embedded Services Router. The Cisco 5940 Series Embedded Services Router is also compatible with the GET VPN (using GDOI). The Cisco 5940 Series Embedded Services Router also supports firewall capabilities consistent with the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments. The Cisco 5940 Series Embedded Services Router is a 3U (cpci) router module solution for protecting the network. The firewall capabilities provided by the TOE are provided via a stateful packet filtering firewall. A stateful packet filtering firewall controls the flow of IP traffic by matching information contained in the headers of connection-oriented or connection-less IP packets against a set of rules

8 specified by the authorized administrator for firewalls. This header information includes source and destination host (IP) addresses, source and destination port numbers, and the transport service application protocol (TSAP) held within the data field of the IP packet. Depending upon the rule and the results of the match, the firewall either passes or drops the packet. The stateful firewall remembers the state of the connection from information gleaned from prior packets flowing on the connection and uses it to regulate current packets. The packet will be denied if the security policy is violated. In addition to IP header information, the TOE mediates information flows on the basis of other information, such as the direction (incoming or outgoing) of the packet on any given firewall network interface. For connection-oriented transport services, the firewall either permits connections and subsequent packets for the connection or denies the connection and subsequent packets associated with the connection. The TOE also includes on the 5940 Series Embedded Services Router modules a network-based Intrusion Prevention System that monitors traffic in real-time. It can analyze both the header and content of each packet. The TOE uses a rule-based expert system to interrogate the packet information to determine the type of attack, be it simple or complex Supported non-toe Hardware/ Software/ Firmware The TOE supports (in some cases optionally) the following hardware, software, and firmware in its environment: Table 3: IT Environment Components Component Required Usage/Purpose Description for TOE performance Router Chassis Yes The host chassis for the router provides the power to the module as well as directly connected Ethernet interfaces via a standard cpci backplane. The chassis selected can be any off the-shelf chassis that Rear Transition Module (RTM) Management Workstation with SSH Client Yes Yes supports 3U cpci cards. The RTM supports Input/Ouput connectors through standard RJ-45 connectors, or any other cpci compatible network connector. The RTM can be any off-the-shelf module that is a cpci form factor. It is installed in the chassis directly opposite the card with which it is to be used. This includes any IT Environment Management workstation with a SSH client installed that is used by the TOE administrator to support TOE administration through SSH protected channels. Any SSH client that supports SSH v2 may be used. AAA Server Yes This includes any IT environment AAA server that provides singleuse authentication mechanisms. This can be any AAA server that provides single-use authentication. The TOE correctly leverages the services provided by this AAA server to provide single-use authentication to administrators. VPN Peer No This includes any peer with which the TOE participates in VPN communications. VPN peers may be any device or software client that supports IPSec v3 communications. Both VPN clients and VPN gateways are considered VPN peers by the TOE. NTP Server No The TOE supports communications with an NTP server. A solution 8

9 Component Required Usage/Purpose Description for TOE performance must be used that supports MD5 hashing of communications with up to a 32 character key. Syslog Server Yes A syslog server with the capability to support TCP syslog communications over an IPSec tunnel is required for use with the Certificate Authority (CA) No 1.4 TOE DESCRIPTION TOE. This includes any IT Environment Certificate Authority on the TOE network. This can be used to provide the TOE with a valid certificate during certificate enrollment for IKE authentication. This section provides an overview of the Cisco 5940 Series Embedded Services Router Target of Evaluation (TOE). The TOE is comprised of a single cpci router module running IOS 15.1(2)GC Physical Scope of the TOE The TOE is a hardware solution obtained from General Dynamics under OEM contract running the IOS 15.1(2)GC1 software solution. The image name for the 5940 Series Embedded Services Router TOE is c59xx-adventerprisek9-mz.spa. The key components on the board are: Freescale MPC8548E processor Marvell 88E1145 quad Ethernet transceiver Spansion S29GL01GP flash or Numonyx flash chip Both an air-cooled and a conduction-cooled board exist. Aside from the differences outlined below, they differ only in cooling mechanism. The board provides the following external interfaces: Serial port. o Via a connection on the J2 connector on the cpci backplane on the conduction-cooled model and via direct access RJ-45 port or the J2 connector on the cpci backplane on the card on the air-cooled model. Four Gigabit Ethernet ports, via connections on the J2 connector on the cpci backplane. PCI interface connection to the backplane. This PCI interface is used to connect to the RTM PCI bus connection to the backplane. This PCI controller is disabled within the IOS running on the TOE. JTAG header. The JTAG will be connected to the J2 connector on the cpci backplane. It is to be disabled in the evaluated configuration and not re-enabled. 1.6 Logical Scope of the TOE The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below. 9

10 1. Identification and Authentication 2. Secure Management 3. VPN and/or Firewall Information Flow Control 4. Intrusion Prevention Services 5. Cryptography 6. Secure Auditing These features are described in more detail in the subsections below Identification and Authentication The TOE performs two types of authentication: device-level authentication of the remote device (VPN peers) and user authentication for the administrators of the TOE. Devicelevel authentication allows the TOE to establish a secure channel with a trusted peer. The secure channel is established only after each device authenticates itself. Device-level authentication is performed via IKE v1/ipsec v3 mutual authentication. The TOE provides authentication services for all administrators wishing to connect to the TOEs secure CLI administrative interface. The TOE requires all administrators to authenticate prior to being granted access to any of the management functionality. The TOE facilitates single-use authentication for all administrators and external IT entities attempting to connect to the TOE by invoking an external RADIUS AAA (IT environment) to provide single-use authentication. The TOE provides single use authentication to external IT entities through the use of IKE/IPSec mutual authentication Secure Management The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure SSH session, via terminal server (such as a Cisco 2811), or via a local console connection. The TOE provides the ability to securely manage all TOE administrators; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE (including settings for an NTP server, if used as the timestamp source); TOE configuration backup and recovery, and the information flow control policies enforced by the TOE. The TOE supports two separate administrative roles that make up the authorized administrator: non-privileged Administrator and privileged Administrator. The TOE also supports external IT entities. These external IT entities are peer routers that pass network control information (e.g., routing tables) to the TOE. Also included are any other VPN peers with which the TOE exchanges information, including VPN clients and VPN gateways. Once a configured threshold of consecutive authentication failures is reached, the TOE locks-out the administrator (either privileged or non-privileged) or external IT entity attempting to log into the TOE until another administrator unlocks their account. No 10

11 administrator can unlock their own account, therefore there should always be at least two privileged administrators configured on the device Information Flow Control Firewall Information Flow Control The Cisco 5940 Series Embedded Services Router mediate information flows through the TOE for unauthenticated information flows. The Information Control functionality of the TOE allows privileged administrators to set up rules between interfaces of the TOE. These rules control whether a packet is transferred from one interface to another and/or transferred encrypted based upon: 1. Presumed address of source subject 2. Presumed address of destination subject 3. Service used 4. Transport layer protocol 5. Network interface on which the connection request occurs and is to depart Packets will be dropped unless a specific rule or policy in an access control list (ACL) has been set up to allow the packet to pass. The order of Access Control Entries (ACEs) in an ACL is important. When the TOE decides whether to forward or drop a packet, the TOE tests the packet against the ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked such that if the ACE at the beginning of the ACL explicitly permits all traffic, no further ACEs are checked. Interface ACLs are applied first before IPsec negotiations occur in the evaluated configuration. The TOE ensures that all information flows from the TOE do not contain residual information from previous traffic. Packets are padded with zeroes. Residual data is never transmitted from the TOE VPN Information Flow Control Cisco 5940 Series Embedded Services Router delivers VPN connections to remote entities. The VPN process includes remote device authentication, negotiation of specific cryptographic parameters for the session, and providing a secure connection to and from the remote device. For inbound or outbound connections with external IT entities that are capable of supporting VPN (e.g., a VPN Peer), the TOE will establish a secure connection. For other inbound or outbound traffic a secure connection will not be established VLAN Information Flow Control Cisco 5940 Series Embedded Services Router allows VLAN connections to/from remote entities. The TOE provides the ability to identify the VLAN the network traffic is associated with. The TOE then permits or denies the network traffic based on the VLANs 11

12 configured on the interface the network traffic is received /destined. This policy is applied after the Firewall policy Intrusion Prevention Services The Cisco 5940 Series Embedded Services Router IOS software Intrusion Prevention System (IPS) operates as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When Cisco IOS IPS detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages stored in the local buffer and then offloaded to an external syslog server. The privileged administrator can configure Cisco IOS IPS to choose the appropriate response to various threats. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate: Send an audit record to a syslog server or a management interface Drop the packet Reset the connection Deny traffic from the source IP address of the attacker for a specified amount of time Deny traffic on the connection for which the signature was seen for a specified amount of time For inbound packets the IDS processing is done after firewall policies and then VPN policies have been applied Cryptography The TOE provides cryptography in support of other Cisco 5940 Series Embedded Services Router security functionality. This cryptography has been validated for conformance to the requirements of FIPS Level 1. Further details regarding the FIPS validation can be found in Certificate #1639. The TOE provides cryptography in support of VPN connections and remote administrative management via SSH. The cryptographic services provided by the TOE include Cryptographic Method Internet Key Exchange ANSI 9.31 PRNG AES Group Domain of Interpretation RSA DSA SHA256 Table 4: TOE Provided Cryptography Use within the TOE Used to establish initial IPSec session. Used in IPSec session establishment. Used to encrypt IPSec session traffic. Used to encrypt SSH session traffic. Used in IPSec session establishment. IKE RSA authentication SSH host authentication, SSH client authentication IKE 12

13 1.6.6 Secure Auditing The Cisco 5940 Series Embedded Services Router provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, information flow control enforcement, intrusion prevention, identification and authentication, and administrative actions. The Cisco 5940 Series Embedded Services Router generates an audit record for each auditable event. These events include a timestamp that can be provided by the TOE or an optional NTP server in the operational environment. The Cisco 5940 Series Embedded Services Router provides the privileged administrator with a sorting and searching capability to improve audit analysis. The privileged administrator configures auditable events, backs-up and manages audit data storage. The TOE provides the privileged administrator with a local circular audit trail, also referred to as the Event Store,and allows for configuration of offload of audit data via TCP syslog to a syslog server in the operational environment so that audit events are not lost when the Event Store reaches capacity and begins to overwrite old events. 1.7 TOE Evaluated Configuration The following figure provides a visual depiction of an example TOE deployment. The TOE boundary is surrounded with a dashed red line. The previous figure includes the following: The 5940 TOE Model (both the conduction-cooled and air-cooled models are pictured.) 13

14 IT Environment: Chassis and RTM IT Environment: (2) VPN Peers IT Environment: Management Workstation IT Environment: AAA Server IT Environment: NTP Server IT Environment: Syslog Server Excluded Functionality The following functional is excluded from the evaluation. Excluded Functionality Non-FIPS mode of operation on the router. Telnet for management purposes. Table 5: Excluded Functionality Exclusion Rationale This mode of operation includes non-fips allowed operations. Telnet passes authentication credentials in clear text. SSHv2 is to be used instead. The exclusion of this functionality does not affect compliance to the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments. 14

15 2 CONFORMANCE CLAIMS 2.1 Common Criteria Conformance Claim The TOE and ST are compliant with the Common Criteria (CC) Version 3.1, Revision 3, dated: July The TOE and ST are EAL2 Augmented with ALC_FLR.2 Part 3 conformant. The TOE and ST are CC Part 2 extended. 2.2 Protection Profile Conformance This ST claims compliance to the following Common Criteria validated Protection Profiles: Table 6: Protection Profiles Protection Profile Version Date U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments (pp_fw_tf_br_v1.1) Protection Profile Refinements July 25, 2007 The following table identifies the refinements made to the Protection Profile and provides rationale for the refinement: FAU_GEN.1 FAU_SAR.1 FMT_SMR.1 FIA_ATD.1 FMT_MSA.3(1) FMT_MOF.1 Refinement Table 7: Protection Profile Refinements Rationale Refined to refer to the correct table number and to add an additional event to the audit table. Refined to clarify that privileged administrators are affected. Refined to also address External IT entities and to clarify that both privileged and non-privileged administrators are included. Refined to also address External IT entities Refined to specify the privileged administrator. Refined to specify the privileged administrator and what a nonprivileged administrator is able to access. The names of all of the Objectives on the Environment were changed from O. to OE. in this ST Protection Profile Additions The following threats were added to the TOE: T.UNAUTHORIZED_PEER T.EAVESDROP T.VPNMEDIAT T.VLAN T.NOHALT T.FALACT T.FALREC

16 T.FALASC T.MISUSE T.INADVE T.MISACT T.INTEGRITY The following objectives were added to the TOE: O.CRYPTOGRAPHIC_ FUNCTIONS O.PEER_AUTHENTICATION O.INTEGRITY O.VPNMEDIAT O.VLAN O.IDSENS O.IDANLZ O.RESPON The following requirements were added to the set of SFRs on the TOE: FCS_CKM.4 FCS_COP_(ET).1 FCS_GDOI_(ET).1 FCS_IKE_(ET).1 FDP_IFC.1(2) FDP_IFF.1(2) FDP_IFC.1(3) FDP_IFF.1(3) FMT_MSA.3(2) FMT_MSA.3(3) FMT_SMF.1 FTP_ITC.1 FTP_TRP.1 IDS_SDC_(ET).1 IDS_ANL_(ET).1 IDS_RCT_(ET).1 IDS_RDR_(ET).1 IDS_STG_(ET).1 IDS_STG_(ET) Protection Profile Conformance Claim Rationale TOE Appropriateness The TOE provides all of the Traffic Filter Firewall functionality at a level of security commensurate with that identified in the U.S. Government Protection Profile: U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments (pp_fw_tf_br_v1.1) 16

17 2.3.2 TOE Security Problem Definition Consistency The Assumptions, Threats, and Organization Security Policies included in the Security Target represent the Assumptions, Threats, and Organization Security Policies specified in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments for which conformance is claimed verbatim. Several additional Threats are also included. All concepts covered in the Protection Profile Security Problem Definition are included in the Security Target. None of the additional Threats contradicts the functionality specified in the Protection Profile. The additional Threats augment the firewall functionality specified in the Protection Profiles and discuss additional TOE functionality that is not addressed in the Protection Profile. The following table identifies each additional Threat included in the ST and provides rationale for its inclusion in the Security Target with regards to the claims Protection Profiles. Threat/OSP T.UNAUTHORIZED_PEER T.EAVESDROP T.VPNMEDIAT T.VLAN T.NOHALT T.FALACT T.FALREC T.FALASC T.MISUSE Table 8: Protection Profile Threat Additions Rationale This threat is associated with VPN functionality. The PP addresses firewall functionality and not VPN functionality. This VPN functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with VPN functionality. The PP addresses firewall functionality and not VPN functionality. This VPN functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with VPN functionality. The PP addresses firewall functionality and not VPN functionality. This VPN functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with VLAN functionality. The PP addresses firewall functionality and not VLAN functionality. This VLAN functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with IDS functionality. The PP addresses firewall functionality and not IDS functionality. This IDS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with IDS functionality. The PP addresses firewall functionality and not IDS functionality. This IDS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with IDS functionality. The PP addresses firewall functionality and not IDS functionality. This IDS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with IDS functionality. The PP addresses firewall functionality and not IDS functionality. This IDS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with IDS functionality. The PP addresses firewall functionality and not IDS functionality. This IDS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. 17

18 T.INADVE T.MISACT T.INTEGRITY Threat/OSP Rationale This threat is associated with IDS functionality. The PP addresses firewall functionality and not IDS functionality. This IDS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with IDS functionality. The PP addresses firewall functionality and not IDS functionality. This IDS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This threat is associated with VPN functionality. The PP addresses firewall functionality and not VPN functionality. This VPN functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed Statement of Security Objectives Consistency The Security Objectives included in the Security Target represent the Security Objectives specified in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments for which conformance is claimed verbatim. Several additional Security Objectives are also included. All concepts covered in the Protection Profile s Statement of Security Objectives are included in the Security Target. None of the additional Security Objectives contradicts the functionality specified in the Protection Profile. The additional Security Objectives augment the firewall functionality specified in the Protection Profiles and discuss additional TOE functionality that is not addressed in the Protection Profile. The following table identifies each additional Security Objective included in the ST and provides rationale for its inclusion in the Security Target with regards to the claims Protection Profiles. Security Objective O.CRYPTOGRAPHIC_ FUNCTIONS O.PEER_AUTHENTICATION O.INTEGRITY O.VPNMEDIAT O.VLAN Table 9: Protection Profile Security Objective Additions Rationale This Security Objective augments the cryptographic functionality discussed in the PP for which conformance is claimed. This policy does not introduce any functionality that is inconsistent with the cryptography specified in the PP for which conformance is claimed. This Security Objective is associated with VPN functionality. The PP addresses firewall functionality and not VPN functionality. This VPN functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This Security Objective is associated with VPN functionality. The PP addresses firewall functionality and not VPN functionality. This VPN functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This Security Objective is associated with VPN functionality. The PP addresses firewall functionality and not VPN functionality. This VPN functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This Security Objective is associated with VLAN functionality. The PP addresses firewall functionality and not VLAN functionality. This VLAN functionality provided to counter this threat does not contradict 18

19 O.IDSENS O.IDANLZ O.RESPON Security Objective Rationale any of the functionality required by the PP for which conformance is claimed. This Security Objective is associated with IPS functionality. The PP addresses firewall functionality and not IPS functionality. This IPS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This Security Objective is associated with IPS functionality. The PP addresses firewall functionality and not IPS functionality. This IPS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed. This Security Objective is associated with IPS functionality. The PP addresses firewall functionality and not IPS functionality. This IPS functionality provided to counter this threat does not contradict any of the functionality required by the PP for which conformance is claimed Statement of Security Requirements Consistency The Security Functional Requirements included in the Security Target represent the Security Functional Requirements specified in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments for which conformance is claimed verbatim. Several additional Security Functional Requirements are also included. All concepts covered the Protection Profile s Statement of Security Requirements are included in the Security Target. Additionally, the Security Assurance Requirements included in the Security Target are identical to the Security Assurance Requirements included in each of the Protection Profiles. None of the additional Security Functional Requirements contradicts the functionality specified in the Protection Profile. The additional Security Functional Requirements augment the firewall functionality specified in the Protection Profiles and discuss additional TOE functionality that is not addressed in the Protection Profile. The following table identifies each additional Security Functional Requirement included in the ST and provides rationale for its inclusion in the Security Target with regards to the claims Protection Profiles. FAU_GEN.1 FAU_SAR.1 FMT_SMR.1 FIA_ATD.1 Table 10: Protection Profile Security Functional Requirement Additions and Refinements SFR FMT_MSA.3(1) 19 Rationale This SFR was refined to add an additional event type to be audited and to refer to the correct table within the requirement wording. This does not contradict any claims in the PP or weaken the claimed security functionality. This SFR was refined to clarify that this instance of authorized administrators applies to privileged administrators. This does not contradict any claims in the PP or weaken the claimed security functionality. This SFR was refined to add a role used elsewhere in the PP SFRS: external IT entities. This does not contradict any claims in the PP or weaken the claimed security functionality. This SFR was refined to add the authentication attributes for external IT entities. This does not contradict any claims in the PP or weaken the claimed security functionality. This SFR was refined to clarify that this instance of authorized administrators applies to only privileged administrators. This does not

20 SFR FMT_MOF.1 FCS_CKM.4 FCS_COP_(ET).1 FCS_GDOI_(ET).1 FCS_IKE_(ET).1 FDP_IFC.1(2) FDP_IFF.1(2) FDP_IFC.1(3) FDP_IFF.1(3) FMT_MSA.3(2) FMT_SMF.1 FTP_ITC.1 FTP_TRP.1 IDS_SDC_(ET).1 Rationale contradict any claims in the PP or weaken the claimed security functionality. This SFR was refined to clarify that this instance of authorized administrators applies to privileged administrators. This does not contradict any claims in the PP or weaken the claimed security functionality. This SFR discusses the cryptographic key destruction. This functionality is not discussed in the Protection Profile for which conformance is claimed. Cryptographic key destruction does not contradict any of the cryptographic functionality included in the PP. This SFR discusses random number generation. This functionality is not discussed in the Protection Profile for which conformance is claimed. Random number generation does not contradict any of the cryptographic functionality included in the PP. This SFR discusses Group Domain of Interpretation. This functionality is not discussed in the Protection Profile for which conformance is claimed. Group Domain of Interpretation does not contradict any of the cryptographic functionality included in the PP. This SFR discusses IKE Key establishment. This functionality is not discussed in the Protection Profile for which conformance is claimed. IKE Key Establishment does not contradict any of the cryptographic functionality included in the PP. This SFR discusses VPN functionality. This functionality is not discussed in the Protection Profile for which conformance is claimed. VPN functionality does not contradict any of the information flow control included in the PP. This SFR discusses VPN functionality. This functionality is not discussed in the Protection Profile for which conformance is claimed. VPN functionality does not contradict any of the information flow control included in the PP. This SFR discusses VLAN functionality. This functionality is not discussed in the Protection Profile for which conformance is claimed. VLAN functionality does not contradict any of the information flow control included in the PP. This SFR discusses VLAN functionality. This functionality is not discussed in the Protection Profile for which conformance is claimed. VLAN functionality does not contradict any of the information flow control included in the PP. This SFR discusses the required security attribute management associated with VPN controls. The PP for which conformance is claimed does not address VPN information flow. Therefore it does not address the management of the security attributes associated with VPNs. This management functionality does not contradict any of the functionality described in the PP for which conformance is claimed. This SFR discusses the overall security functions associated with secure management of the TOE. While the PP does not include this SFR, the CCTL requested its inclusion for consistency with other Security Target. This SFR discusses protected communications between a remote syslog and the TOE. This SFR complements the cryptographic requirements already included in the SFR for management communications with the TOE. This SFR does not introduce any functionality that is conflicting with the functionality required by the PP for which conformance is claimed. This SFR discusses trusted paths between a remote workstation and the TOE. This SFR complements the cryptographic requirements already included in the SFR for management communications with the TOE. This SFR does not introduce any functionality that is conflicting with the functionality required by the PP for which conformance is claimed. This SFR discusses IDS functionality on the TOE. This SFR does not introduce any functionality that is conflicting with the functionality required by the PP for which conformance is claimed. 20

21 SFR IDS_ANL_(ET).1 IDS_RCT_(ET).1 IDS_RDR_(ET).1 IDS_STG_(ET).1 IDS_STG_(ET).2 Rationale This SFR discusses IDS functionality on the TOE. This SFR does not introduce any functionality that is conflicting with the functionality required by the PP for which conformance is claimed. This SFR discusses IDS functionality on the TOE. This SFR does not introduce any functionality that is conflicting with the functionality required by the PP for which conformance is claimed. This SFR discusses IDS functionality on the TOE. This SFR does not introduce any functionality that is conflicting with the functionality required by the PP for which conformance is claimed. This SFR discusses IDS functionality on the TOE. This SFR does not introduce any functionality that is conflicting with the functionality required by the PP for which conformance is claimed. This SFR discusses IDS functionality on the TOE. This SFR does not introduce any functionality that is conflicting with the functionality required by the PP for which conformance is claimed. 21

22 3 SECURITY PROBLEM DEFINITION This chapter identifies the following: Significant assumptions about the TOE s operational environment IT related threats to the organization countered by the TOE Environmental threats requiring controls to provide sufficient protection Organizational security policies for the TOE as appropriate. This document identifies assumptions as A.assumption with assumption specifying a unique name. Threats are identified as T.threat with threat specifying a unique name. 3.1 Assumptions The specific conditions listed in the following subsections are assumed to exist in the TOE s environment. These assumptions include both practical realities in the development of the TOE security requirements and the essential environmental conditions on the use of the TOE. Assumption Table 11: TOE Assumptions Assumption Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments A.PHYSEC The TOE is physically secure. A.LOWEP The threat of malicious attacks aimed at discovering exploitable vulnerabilities is considered low. A.GENPUR There are no general-purpose computing capabilities (e.g., the ability to execute arbitrary code or applications) and storage repository capabilities on the TOE. A.PUBLIC The TOE does not host public data. A.NOEVIL Authorized administrators are non-hostile and follow all administrator guidance; however, they are capable of error. A.SINGEN Information can not flow among the internal and external networks unless it passes through the TOE. A.DIRECT Human users within the physically secure boundary protecting the TOE may attempt to access the TOE from some direct connection (e.g., a console port) if the connection is part of the TOE. A.NOREMO Human users who are not authorized administrators can not access the TOE remotely from the internal or external networks. A.REMACC Authorized administrators may access the TOE remotely from the internal and external networks. 3.2 Threats The following table lists the threats addressed by the TOE and the IT Environment. The assumed level of expertise of the attacker for all the threats identified below is unsophisticated. Threat Threats addressed by the TOE Table 12: Threats 22 Threat Definition

23 Threat Threat Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments T.NOAUTH An unauthorized person may attempt to bypass the security of the TOE so as to access and use security functions and/or non-security functions provided by the TOE. T.REPEAT An unauthorized person may repeatedly try to guess authentication data in order to use this information to launch attacks on the TOE. T.REPLAY An unauthorized person may use valid identification and authentication data obtained to access functions provided by the TOE. T.ASPOOF An unauthorized person may carry out spoofing in which information flow through the TOE into a connected network by using a spoofed source address. T.MEDIAT An unauthorized person may send impermissible information through the TOE which results in the exploitation of resources on the internal network. T.OLDINF Because of a flaw in the TOE functioning, an unauthorized person may gather residual information from a previous information flow or internal TOE data by monitoring the padding of the information flows from the TOE. T.PROCOM An unauthorized person or unauthorized external IT entity may be able to view, modify, and/or delete security related information that is sent between a remotely located authorized administrator and the TOE T.AUDACC Persons may not be accountable for the actions that they conduct because the audit records are not reviewed, thus allowing an attacker to escape detection. T.SELPRO An unauthorized person may read, modify, or destroy security critical TOE configuration data. T.AUDFUL An unauthorized person may cause audit records to be lost or prevent future records from being recorded by taking actions to exhaust audit storage capacity, thus masking an attackers actions. In addition to what is included in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments T.UNAUTHORIZED_PEER An unauthorized IT entity may attempt to establish a security association with the TOE. T.EAVESDROP A malicious user or process may observe or modify user or TSF data transmitted to and from the TOE. T.VPNMEDIAT An unauthorized person may send or receive unauthorized IPSec traffic through the TOE which results in the exploitation of resources on the internal network. T.VLAN An attacker may force a packet destined for one VLAN to cross into another VLAN for which it is not authorized compromising the confidentiality and integrity of information. T.NOHALT An unauthorized user may attempt to compromise the continuity of the System's collection and analysis functions by halting execution of the TOE. T.FALACT The TOE may fail to react to identified or suspected vulnerabilities or inappropriate activity. T.FALREC The TOE may fail to recognize vulnerabilities or inappropriate activity based on IDS data received from each data source. T.FALASC The TOE may fail to identify vulnerabilities or inappropriate activity based on association of IDS data received from all data sources. T.MISUSE Unauthorized accesses and activity indicative of misuse may occur on an IT System the TOE monitors. T.INADVE Inadvertent activity and access may occur on an IT System the TOE monitors. T.MISACT Malicious activity, such as introductions of Trojan horses and viruses, may occur on an IT System the TOE monitors. T.INTEGRITY An attacker may compromise the integrity of IPSec traffic sent to/from the TOE. Threats addressed by the environment 23

24 Threat Threat Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments T.TUSAGE The TOE may be inadvertently configured, used and administered in an insecure manner by either authorized or unauthorized persons. 3.3 Organizational Security Policies An organizational security policy is a set of rules, practices, and procedures imposed by an organization to address its security needs. This ST contains no claims for organizational security policies. 24

25 4 SECURITY OBJECTIVES This Chapter identifies the security objectives of the TOE and the IT Environment. The security objectives identify the responsibilities of the TOE and the TOE s IT environment in meeting the security needs. This document identifies objectives of the TOE as O.objective with objective specifying a unique name. Objectives that apply to the IT environment are designated as OE.objective with objective specifying a unique name. 4.1 Security Objectives for the TOE The following table, Security Objectives for the TOE, identifies the security objectives of the TOE. These security objectives reflect the stated intent to counter identified threats and/or comply with any security policies identified. An explanation of the relationship between the objectives and the threats/policies is provided in the rationale section of this document. TOE Objective Table 13: Security Objectives for the TOE TOE Security Objective Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments O.IDAUTH The TOE must uniquely identify and authenticate the claimed identity of all users, before granting a user access to TOE functions. O.SINUSE The TOE must prevent the reuse of authentication data for users attempting to authenticate at the TOE from a connected network. O.MEDIAT The TOE must mediate the flow of all information from users on a connected network to users on another connected network, and must ensure that residual information from a previous information flow is not transmitted in any way. O.SECSTA Upon initial start-up of the TOE or recovery from an interruption in TOE service, the TOE must not compromise its resources or those of any connected network. O.ENCRYP The TOE must protect the confidentiality of its dialogue with an authorized administrator through encryption, if the TOE allows administration to occur remotely from a connected network. O.SELPRO The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions. O.AUDREC The TOE must provide a means to record a readable audit trail of securityrelated events, with accurate dates and times, and a means to search and sort the audit trail based on relevant attributes. O.ACCOUN The TOE must provide user accountability for information flows through the TOE and for authorized administrator use of security functions related to audit. O.SECFUN The TOE must provide functionality that enables an authorized administrator to use the TOE security functions, and must ensure that only authorized administrators are able to access such functionality. O.LIMET The TOE must provide the means for an authorized administrator to control and limit access to TOE security functions by an authorized external IT entity. In addition to what is included in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness Environments O.CRYPTOGRAPHIC_ The TOE shall provide cryptographic functions to provide confidentiality for FUNCTIONS TSF data that is transmitted to and from the TOE. 25