ICSA Labs Network Firewall Certification Testing Report Corporate Criteria Version 4.2. Huawei Technologies. USG Series/Eudemon-N Series

Similar documents
1.0 High Availability (HA) Firewall Module Lab Report. Elitecore Technologies Ltd. Cyberoam CR50i Version build 25.

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

CIS Controls Measures and Metrics for Version 7

CSC Network Security

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Firewall Configuration and Management Policy

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

CIS Controls Measures and Metrics for Version 7

Training UNIFIED SECURITY. Signature based packet analysis

Fundamentals of Network Security v1.1 Scope and Sequence

What to Look for When Evaluating Next-Generation Firewalls


Certification Report

Customer Support: For more information or support, please visit or at Product Release Information...

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Certification Report

ASA Access Control. Section 3

Securing CS-MARS C H A P T E R

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com


Corrigendum 3. Tender Number: 10/ dated

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Paloalto Networks PCNSA EXAM

Information Security Controls Policy

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Indicate whether the statement is true or false.

Client Computing Security Standard (CCSS)

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Virtual Private Network. Network User Guide. Issue 05 Date

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Certification Report

Google Cloud Platform: Customer Responsibility Matrix. April 2017

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

AccessEnforcer Version 4.0 Features List

Huawei esight LogCenter Technical White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 1.0. Date PUBLIC

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Monitoring the Device

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Security in Bomgar Remote Support

Security in the Privileged Remote Access Appliance

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Network Configuration Example

Network Security Policy

Active Directory in Networks Segmented by Firewalls

Fortinet, Inc. Advanced Threat Protection Solution

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Google Cloud Platform: Customer Responsibility Matrix. December 2018

CompTIA E2C Security+ (2008 Edition) Exam Exam.

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

Tenable for Palo Alto Networks

Certification Report

Introduction to Cisco ASA Firewall Services

Certification Report

Information Security for Mail Processing/Mail Handling Equipment

Integrating Cyberoam UTM

Step-by-Step Configuration

Windows 10 and the Enterprise. Craig A. Brown Prepared for: GMIS

Cyber Security Requirements for Electronic Safety and Security

Managing Zone-based Firewall Rules

QUICKSTART GUIDE FOR BRANCH SRX SERIES SERVICES GATEWAYS

COMMON CRITERIA CERTIFICATION REPORT

Internet Security: Firewall

Implementing Firewall Technologies

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Step-by-Step Configuration

SECURITY PRACTICES OVERVIEW

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

Surat Smart City Development Ltd. Surat Municipal Corporation 1

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Dynamic Datacenter Security Solidex, November 2009

Certification Report

SONICWALL SECURITY HEALTH CHECK PSO 2017

The following topics describe how to configure correlation policies and rules.

Certification Report

Symantec Client Security. Integrated protection for network and remote clients.

Brocade MLXe Family Devices with Multi- Service IronWare R

SECURITY & PRIVACY DOCUMENTATION

Certification Report

Security Standards for Information Systems

Systrome Next Gen Firewalls

MODERNIZATION OF AUTOMATIC SURFACE WEATHER OBSERVING SYSTEMS AND NETWORKS TO UTILIZE TCP/IP TECHNOLOGY

Ready Theatre Systems RTS POS

SONICWALL SECURITY HEALTH CHECK SERVICE

Internet Security Firewalls

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

Connection Logging. Introduction to Connection Logging

Best Practices for PCI DSS Version 3.2 Network Security Compliance

Lab Guide. Barracuda NextGen Firewall F-Series Microsoft Azure - NGF0501

HP High-End Firewalls

H3C Firewall and UTM Devices Log Management with IMC Firewall Manager Configuration Examples (Comware V5)

Simple and Powerful Security for PCI DSS

Service Description Safecom Customer Connection Version 3.5

Step-by-Step Configuration

SONICWALL SECURITY HEALTH CHECK SERVICE

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Transcription:

ICSA Labs Huawei Technologies USG Series/Eudemon-N Series 4/20/2015 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.com FWXX HUAWEITECH-2015-0420-01

Table of Contents Executive Summary... 1... 1 Customer Provided Product Overview... 1 Scope of Assessment... 1 Summary of Findings... 1 Certification Maintenance... 2 Candidate Firewall Product Components... 2... 2 Hardware... 2 Software... 2 Product Family Description... 2 Product Family Members... 3 Documentation... 4 Candidate Firewall Product Configuration Tested... 4... 4 Candidate Firewall Product Configuration... 4 Required Services Security Policy Transition... 4... 4... 5 Logging... 5... 5... 5 Administration... 6... 6... 6 Persistence... 6... 6... 6 Documentation... 6... 6... 7 Functional and Security Testing... 7... 7... 7 Criteria Violations and Resolutions... 7... 7... 7 Testing Information... 9 Lab Report Date... 9 Test Location... 9 Product Developer s Headquarters... 9 FWXX-HUAWEITECH-2015-0420-01 Page i

Executive Summary The goal of ICSA Labs is to significantly increase user and enterprise trust in information security products and solutions. For more than 18 years, ICSA Labs, an independent division of Verizon Business, has been providing credible, independent, 3rd party security product testing and certification for many of the world s top security product developers and service providers. Enterprises worldwide rely on ICSA Labs to set and apply objective testing and certification criteria for measuring product compliance and performance. ICSA Labs manages and facilitates technology consortia that focus on emerging, well-defined technologies. The consortia provide for information exchanges among industry leading developers, and for the development of product testing and certification programs and standards. For more information about ICSA Labs, please visit www.icsalabs.com. Customer Provided Product Overview The USG Series and Eudemon-N Series, provide simple, unified network security for carrier, enterprises, organizations, and data centers. Fine-grained application-layer protection and service acceleration reduce TCO. Integrated firewall, intrusion prevention, antivirus, and data leak prevention enable high-performance throughput. Analyzing service traffic in six dimensions and automatically generating security policy suggestions to combat threats. Scope of Assessment The set of criteria that vendor-submitted products are tested against is an industry-accepted standard to which a consortium of firewall vendors, end users, and ICSA Labs contributed. This standard has evolved over the years into its present iteration version 4.2 of The Modular Firewall Certification Criteria. During and following initial testing, products remain continuously deployed within this lab environment, which closely approximates the real Internet to ensure more realistic firewall testing. Products are available for and regularly subjected to supplemental testing as new attack techniques emerge and vulnerabilities become known. Only products that continue to meet the criteria under these circumstances retain certification. Successful firewall product testing culminates in the writing of a report that documents the results of each phase of testing. It also documents the product components submitted by the vendor, any additional configuration used by ICSA Labs to meet the requirements, patches or updates generated during testing, and the mandatory and optional criteria modules against which the product was tested. Summary of Findings The Candidate Firewall Product met all the criteria elements in the Baseline and Corporate module and therefore has attained ICSA Labs Firewall Certification. The Candidate Firewall Product will remain continuously deployed at ICSA Labs for the length of the testing contract and will be periodically checked as new attacks and vulnerabilities are discovered. In the event that the Candidate Firewall Product is found susceptible to new attacks or vulnerabilities during a check, ICSA Labs will work with the vendor to resolve the problems in order for the Candidate Firewall Product to maintain its ICSA Labs Firewall Certification. FWXX-HUAWEITECH-2015-0420-01 Page 1 of 9

Certification Maintenance The Candidate Firewall Product, like all products and product groups that are granted ICSA Labs Firewall Certification, will remain certified on this and future released versions of the product for the length of the testing contract. Future versions will be certified since the product is continuously deployed at ICSA Labs and subjected to periodic spot-checks on the most current product version. Three circumstances will cause the Candidate Firewall Product to have its ICSA Labs Firewall Certification revoked: 1. The Candidate Firewall Product vendor withdraws from the ICSA Labs Firewall Certification Program. 2. The product fails a periodic spot-check and The Candidate Firewall Product vendor subsequently fails to provide an adequate fix within a prescribed length of time. 3. The product fails to meet the next full test cycle against the current version of the criteria. Candidate Firewall Product Components The term Candidate Firewall Product or CFP refers to the complete system submitted by the vendor for certification testing including all documentation, hardware, firmware, software, host operating systems, and management systems. Common network services such as Syslog, DNS, NTP, etc. are provided by ICSA Labs and are not considered part of the CFP. Hardware USG6370 Eudemon 1000E-N7 Software Initially, testing began with software version V100R001C10SPC201T. Due to violations reported by ICSA Labs, Huawei provided updates to address the violations. Testing was successfully completed with version V100R001C10SPC208T. The products require the use of the esight Log Center for capturing log messages. esight Log Center utilized version V200R003C10SPC200 throughout testing. Product Family Description This section lists the members of the certified product family. A representative set of models was submitted for testing and listed in the Hardware section above. In order to submit a family of products for certification, the vendor must attest that: The vendor designs and maintains control over the entire set of hardware, firmware, and software for each member of the product family. The vendor software, including but not limited to the functional software and the operating system software, is uniform across the product family. The management interface(s) for the members of the product family are uniform and completely consistent. Each member in the product family has an equivalent set of functionality. The functional, integration, and regression testing conducted by the vendor is uniform and consistent across the product family. FWXX-HUAWEITECH-2015-0420-01 Page 2 of 9

Product Family Members USG6305 USG6306 USG6308 USG6310 USG6320 USG6330 USG6350 USG6360 USG6370 USG6380 USG6390 USG6507 USG6510-SJJ USG6530 USG6550 USG6570 USG6620 USG6630 USG6650 USG6660 USG6670 USG6680 Eudemon200E-N1D Eudemon200E-N1 Eudemon200E-N2 Eudemon200E-N3 Eudemon200E-N5 Eudemon1000E-N3 Eudemon1000E-N5 Eudemon1000E-N6 Eudemon1000E-N7 Eudemon1000E-N7E FWXX-HUAWEITECH-2015-0420-01 Page 3 of 9

Documentation To satisfy documentation requirements, Huawei Technologies provided ICSA Labs with the following documents in order to assist in the installation, configuration, and administration of the CFP: USG6000 Series & NGFW Module Product Documentation version V100R001C20SPC500 (Windows CHM file) Eudemon 300&500&1000 Product Documentation Library version 05 (HDX file) esight Product Documentation Dated 2015-01-28 (Windows CHM file) Documentation defining log event dispositions was found in: USG6000 Series & NGFW Module Product Documentation version V100R001C20SPC500 (Windows CHM file) Eudemon 300&500&1000 Product Documentation Library version 05 (HDX file) Candidate Firewall Product Configuration Tested Firewall products can be configured different ways; therefore, ICSA Labs may face many configuration related decisions before adding a single security policy rule on the CFP. During testing, ICSA Labs attempted to exploit the CFP, so configuration decisions were made to prevent exploitation. Candidate Firewall Product Configuration ICSA Labs installed and configured the CFP following the vendor s supplied documentation. Any special configuration or deviations from the documentation that were necessary to execute a test or meet a requirement are documented in this section. The CFP was configured in straight-thru mode for both inbound and outbound connections. The CFP supports DNS forwarding for internal clients, but DNS forwarding was not enabled. Additional configurations were performed to prepare for testing: The following commands were used using the CLI Console which is at the bottom right of each page of the Administrative interface: ftp behavior bounce detect enable firewall defend (all options) Required Services Security Policy Transition Each phase of CFP testing is performed predominantly while enforcing a particular security policy. Firewall products must be configurable to minimally enforce the security policy specified in The Modular Firewall Certification Criteria, referred to as the Required Services Security Policy or RSSP. The RSSP permits a set of common Internet services inbound and outbound while dropping or denying all other network service traffic. FWXX-HUAWEITECH-2015-0420-01 Page 4 of 9

ICSA Labs performed port scans followed by additional scans and other tests to ensure that the CFP was indeed configured according to the RSSP and that no other TCP, UDP, ICMP, or other IP protocol traffic was permitted to or through the CFP in either direction. After performing the scans mentioned above, ICSA Labs verified that the CFP properly handled the outbound and inbound configured service requests. ICSA Labs also confirmed that no other traffic was permitted to traverse the CFP in either direction that would violate the configured security policy. The table below contains a description of the RSSP configuration. The Traffic Direction column specifies whether the configured security policy allowed the traffic to enter the private network (Inbound) or the public network (Outbound). Protocol Port/MsgType Service Name Traffic Direction TCP 21 FTP Inbound/Outbound TCP 80 HTTP Inbound/Outbound TCP 443 HTTPS Inbound/Outbound TCP 25 SMTP Inbound/Outbound UDP 53 DNS Inbound/Outbound TCP 110 POP3 Inbound/Outbound TCP 143 IMAP Inbound/Outbound TCP 23 Telnet Outbound The CFP met all RSSP requirements. No violations were found in this area throughout testing. Logging The CFP is required to provide an extensive logging capability. In practice, this degree of logging may not be enabled at all times or by default; however, the capability must exist on CFP in the event that detailed logging is needed. ICSA Labs tested the logging functionality provided by the CFP ensuring that all permitted and denied traffic was logged for traffic sent both to and through the product. Other events that must be logged are system startups, time changes, access control rule changes, and administrative login attempts. ICSA Labs either configured the local logging mechanism or a remote logging mechanism such as syslog. For all logged events ICSA Labs verified that all required log data were recorded. The CFP has the ability to store logs on either the product itself or send the logs to a remote esight host. To meet specific persistence requirements, the CFP was configured to send log to the remote esight host. The following log examples show a valid outbound DNS lookup which was taken from the esight Log Center: Received at: 2015-04-16 11:01:47 Log Source: Eudemon 1000E-N7 Level: Information FWXX-HUAWEITECH-2015-0420-01 Page 5 of 9

Action: Permit Source IP Address:Port: 205.160.94.66:53 Destination IP Address:Port: 172.26.10.250:53 Policy ID: 4 Policy Name: RSSPOut VPN Instance: inter-zone: trust-untrust Direction: NA Details: protocol=17 source-ip=205.160.94.66 source-port=53 destination-ip=172.26.10.250 destinationport=53 interzone-trust-untrust, policy=4 The CFP did not initially meet all of the logging requirements. Please see the Criteria Violations and Resolutions section for more details about the violations and how they were resolved. Administration Firewall products often have more than a single method by which administration is possible. Whether the product can be administered remotely using vendor provided administration software, from a web browser based interface, via some non-networked connection such as a serial port, or some other means, authentication must be possible before access to administrative functions is granted. ICSA Labs tested not only that authentication mechanisms existed but also that they could not be bypassed and that the remote administration traffic was encrypted. The CFP was remotely administered from a separate management network using the available webbased GUI via HTTPS and locally via a console connection. Attempts to bypass the authentication mechanism for all means of administration were unsuccessful. The CFP met all administration requirements. No violations were found in this area throughout testing. Persistence Power outages, electrical storms, and inadvertent power losses should not cause the CFP to lose valuable information such as the remote administration configuration, security policy being enforced, log data, time and date, and authentication data. This section documents the findings of ICSA Labs testing of the CFP against the persistence requirements. The CFP continued to maintain its configuration, settings, data, and enforcement of the security policy when power was restored following a forced power outage. The CFP met all persistence requirements. No violations were found in this area throughout testing. Documentation The CFP documentation should be accurate and applicable to the version tested in providing appropriate guidance for installation, administration, among other information. FWXX-HUAWEITECH-2015-0420-01 Page 6 of 9

ICSA Labs determined the CFP documentation provided adequate and accurate guidance throughout testing for installation and administration. The CFP met all documentation requirements. No violations were found in this area throughout testing. Functional and Security Testing Once configured to enforce a security policy the CFP must properly permit the services allowed by that policy. In this case, properly means that the service functions correctly. The CFP must be capable of preventing well-known, potentially harmful behavior found in some network protocols while at the same time maintaining compliance with applicable network protocol standards in all other ways. In the event of a conflict, the product must be configurable for the more secure option. During functional testing ICSA Labs checked to ensure proper protocol behavior for the permitted services. During security testing, ICSA Labs used commercial, in-house, and freely available testing tools to attack and probe the CFP. ICSA Labs used these tools to attempt to defeat or circumvent the security policy enforced by the CFP. Additionally, using trivial Denial-of-Service and fragmentation attacks ICSA Labs attempted to overwhelm or bypass the CFP. Since there is overlap between functional and security testing, the results of both phases of testing are presented here. The CFP was not susceptible to attacks launched inbound and outbound to and through the CFP, including fragmentation and trivial Denial-of-Service attacks, while properly providing the required functional services. The CFP did not initially meet all of the Functional and Security requirements. Please see the Criteria Violations and Resolutions section for more details about the violation and how it was resolved. Criteria Violations and Resolutions In the event that ICSA Labs uncovers criteria violations while testing the CFP, the vendor must make repairs before testing can be completed and certification granted. The section that follows documents all criteria violations discovered during testing. The following Logging criteria violations were found by ICSA Labs during testing. Updates were submitted by Huawei Technologies to address the violations which were then successfully tested: The CFP did not properly log Active or Passive FTP connections. The CFP did not properly log various ICMP packets. The CFP did not log valid or invalid Administrative HTTPS connections. The CFP did not log the destination IP address for Administrative SSH/Telnet connections. The CFP did not properly log raw IP protocol packets. FWXX-HUAWEITECH-2015-0420-01 Page 7 of 9

The following Functional and Security criteria violation was found by ICSA Labs during testing. Updates were submitted by Huawei Technologies to address the violation which was then successfully tested: The CFP was susceptible to various ICMP replay attacks. The CFP was susceptible to an FTP bounce attack. FWXX-HUAWEITECH-2015-0420-01 Page 8 of 9

Testing Information This report is issued by the authority of the Managing Director, ICSA Labs. Tests are done under normal operating conditions. Lab Report Date April 20, 2015 Please visit www.icsalabs.com for the most current information about this and other products. Test Location ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 Product Developer s Headquarters Huawei Technologies Huawei Plaza,No.3, Shang Di Xin Xi Road Haidian District,Beijing,100085 China The test methods used to produce this report are accredited and meet the requirements of ISO/IEC 17025 as verified by the ANSI-ASQ National Accreditation Board/ACLASS. Refer to certificate and scope of accreditation number AT 1423. Testing reports shall not be reproduced except in full, without prior written approval of ICSA Labs. FWXX-HUAWEITECH-2015-0420-01 Page 9 of 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback