Saudi Aramco Engineering Report SAER-6123, 11 July 2007

Process Automation Networks Firewall Evaluation Criteria

Document Responsibility: Process & Control Systems Department

Previous Issue: New

Next Planned Update: TBD

Page 1 of 13

Primary contact: Salem, Hussain Abdullah on 966-3-873507813

Copyright © Saudi Aramco 2007. All rights reserved.


Document Responsibility: Process and Control Systems Dept. SAER-6123 Issue Date: 11 July 2007 Process Automation Networks Next Planned Update: TBD Firewall Evaluation Criteria

Page 2 of 13

Table of Contents

Section Title Page

1 Product Documentation 4

1.1 Required Product Documentation 4

1.2 Additional Documented Coverage 5

1.3 Accurate Documentation 5

1.4 Log Event Dispositions Defined 5

2 Platform Management 5

2.1 Administration 5

2.2 Management Architecture 7

2.3 Persistence 8

3 Functional Security 8

3.1 Security Policy Enforcement 8

3.2 High Availability 9

3.3 Network Access Control 9

3.4 Identity Management 10

3.5 VPN Support 10

3.6 Content Management 10

3.7 Intrusion Detection & Prevention 10

3.8 Firewall Operating Modes 11

4 Logging 11

4.1 Required Log Events 11

4.2 Required Log Data 12

5 Hardware Architecture 13


Approval Authority:

Approved by: ____________________________ R. A. DE BELLEFEUILLE, Manager (A) Process & Control Systems Department

Lead Engineers: Hussain Al-Salem (P&CSD)

Saad Al-Harbi (P&CSD)

Abdulrahman Al-Shehri (IT)

Bader Al-Dous (IT)


Executive Summary

The selection of network security products is an integral part of the design, development and maintenance of a network security infrastructure that ensures the confidentiality, integrity and availability of mission-critical information. The objective of this effort is to recommend network security evaluation criteria for selecting the product that best secures Saudi Aramco plant Process Automation Networks (PANs).

P&CSD established this initiative to evaluate various plant network firewall technologies for securing PANs.

P&CSD collaborated on this essential milestone with representatives from plant organizations, Information Technology and an international security consulting firm. The team developed unified evaluation criteria for network security systems, to be used as guidelines for evaluating and selecting a network security product to secure Saudi Aramco PANs.

Firewall Evaluation Criteria

1 Product Documentation

1.1 Required Product Documentation

Candidate firewall must maintain the following types of documentation:

1.1.1 Installation Documentation

The candidate firewall product must include some measure of written and/or electronic guidance indicating how to properly install the candidate firewall product.

1.1.2 Administration Documentation

The candidate firewall product must include all written and/or electronic guidance applicable for administering and maintaining the product.

1.1.3 Command Reference

The candidate firewall must have a well-organized electronic command reference guide giving easy reference to all commands.

1.1.4 Upgrade and Release Notes


1.2 Additional Documented Coverage

The written and/or electronic candidate firewall product documentation must indicate:

1.2.1 The minimum hardware requirements for all components of the candidate firewall product.

1.2.2 The base version of all software and firmware components comprising the candidate firewall product.

1.2.3 Whether or not customer support is available.

1.2.4 Where and how customers access customer support, in the event that customer support is available.

1.2.5 Where to obtain patches and how to apply them in the event that patches are required for any component of the candidate firewall product.

1.3 Accurate Documentation

All candidate firewall product documentation must be accurate and up to date.

1.4 Log Event Dispositions Defined

The candidate firewall product must include written and/or electronic guidance defining all possible values that indicate a Disposition of the Event.

2 Platform Management

2.1 Administration

2.1.1 Administrative Functions

Administrative Functions must exist as part of the candidate firewall product to:

2.1.1.1 Configure and change or acquire the date and time

2.1.1.2 Configure and change Authentication Configuration Data

2.1.1.3 Configure and change Remote Administration settings

2.1.1.4 Enable logging of the Required Log Events

2.1.1.5 Review Required Log Data


2.1.1.6 Must support Network Time Protocol (NTP)

2.1.1.7 Must support encryption for all configuration files

2.1.2 Administrative Interface

The candidate firewall product must include an Administrative Interface from which the Candidate Firewall Product Administrative Functions are accessible.

2.1.2.1 Must support SSH and SSL.

2.1.2.2 Must be Web based.

2.1.2.3 Must be fully managed through the console.

2.1.2.4 Must support exempt interfaces concept.

2.1.3 Administrative Interface Authentication

To access the Administrative Functions, the candidate firewall product must have the capability to require authentication through an Administrative Interface using an Authentication Mechanism. Authentication must support the following technology:

2.1.3.1 RADIUS

2.1.3.2 PKI personal certificates

2.1.3.3 Local authentication

2.1.4 Role Based Access Control

2.1.4.1 Candidate firewall must support the following multi level access:

● Administrator level

● Operator level

● Monitoring level

● Virtual firewall

2.1.4.2 Support simultaneous logins of multiple administrators with different access levels.

2.1.4.3 Auditing of all administrator actions must be supported, so that the administrator's IP address and username are logged together with the description of the event itself.

2.2 Management Architecture

2.2.1 The entire firewall configuration must be done from the management system so that no direct connection is needed to the firewall gateway.

2.2.2 The firewall configuration must be done in two steps so that the changes made can be first reviewed before they are applied to the firewall.

2.2.3 Capability to perform all the configurations using Graphical User Interface (GUI).

2.2.4 Capability to perform all the configurations using Command Line Interface (CLI).

2.2.5 Management and log servers must run on separate systems for security and performance reasons.

2.2.6 Management console must have full support for IDS/IPS including complete configuration of integrated IDS/IPS.

2.2.7 Complete configurations of all firewalls must be backed up and easily restored by the management console.

2.2.8 Management console must be scalable to a large number of firewalls.

2.2.9 Management console must include full patch management for managed firewalls.

2.2.10 Management system must have complete reporting and searching capabilities.

2.2.11 Management system must have full accounting capabilities to document all alerts and configuration changes.

2.2.12 Management system must support configuration templates to be used as a startup configuration for newly deployed firewalls.

2.2.13 Management systems must support at least one of the following platforms:

● Windows

● Solaris

● Linux


2.3 Persistence

2.3.1 Security Policy Persistence

When electrical power is reapplied after being lost or removed from the candidate Firewall Product, the candidate firewall product must do one of the following:

2.3.1.1 Enforce the same security policy that was being enforced prior to the loss or removal of power

2.3.1.2 Enforce a deny-all security policy, while including an Administrative Function(s) capable of restoring the Candidate Firewall Product to the same security policy that was being enforced prior to the loss or removal of power.

2.3.2 Log Persistence

In the event that electrical power is lost or removed from the candidate firewall product, all required log data for all required log events not in transit between candidate firewall product components must persist and remain the same when electrical power is reapplied.

2.3.3 Authentication Configuration Data Persistence

In the event that electrical power is lost or removed from the candidate firewall product, all authentication configuration data must persist and remain the same when electrical power is reapplied.

2.3.4 Remote Administration Configuration Persistence

In the event that electrical power is lost or removed from the candidate firewall product, remote administration settings must remain configured the same when electrical power is reapplied.

3 Functional Security

3.1 Security Policy Enforcement

3.1.1 Must support the concept of security policy template which contains all global security rules

3.1.2 Must support different rule based policies depending on protocol type or destination address


3.1.3 Must support object groups based on IP addresses, service port (TCP,UDP) and message type (ICMP)

3.1.4 Must support nested groups (multilevel groups)
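The policy features listed in 3.1.1 to 3.1.4 (a global policy template, protocol-specific rule sets, object groups of IP networks, TCP/UDP ports and ICMP types, and nested groups) are easier to assess with a concrete evaluator in hand. The following Python is an added illustration, not code from the report or from any firewall vendor: it implements first-match evaluation over a template plus per-protocol rules, with an implicit deny for anything unmatched, which is also the deny-all fallback state that 2.3.1.2 requires after a power loss. Every group name, address range, port and rule in it is constructed for the example.

```python
"""Added example (not from SAER-6123 or any vendor): a small policy evaluator
for a global security policy template, protocol-specific rule sets, object
groups of IP networks, TCP/UDP ports and ICMP types, and nested groups.
An unmatched packet is denied. All names, addresses and rules are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ObjectGroup:
    """Object group (3.1.3) that may nest other groups (3.1.4)."""
    name: str
    networks: list = field(default_factory=list)   # CIDR strings
    ports: set = field(default_factory=set)        # TCP/UDP ports
    icmp_types: set = field(default_factory=set)   # ICMP type numbers
    members: list = field(default_factory=list)    # nested ObjectGroups

    def contains_ip(self, ip: str) -> bool:
        addr = ip_address(ip)
        return (any(addr in ip_network(n) for n in self.networks)
                or any(m.contains_ip(ip) for m in self.members))

    def contains_port(self, port: int) -> bool:
        return port in self.ports or any(m.contains_port(port) for m in self.members)

    def contains_icmp(self, icmp_type: int) -> bool:
        return (icmp_type in self.icmp_types
                or any(m.contains_icmp(icmp_type) for m in self.members))


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp" or "any"
    src: ObjectGroup
    dst: ObjectGroup
    svc: Optional[ObjectGroup] = None  # ports or ICMP types; None = any service

    def matches(self, pkt: dict) -> bool:
        if self.proto not in ("any", pkt["proto"]):
            return False
        if not (self.src.contains_ip(pkt["src"]) and self.dst.contains_ip(pkt["dst"])):
            return False
        if self.svc is None:
            return True
        if pkt["proto"] == "icmp":
            return self.svc.contains_icmp(pkt["icmp_type"])
        return self.svc.contains_port(pkt["dport"])


class Policy:
    """Global template rules (3.1.1) are evaluated before the rule set for the
    packet's protocol (3.1.2); first match wins and no match means deny."""

    def __init__(self, template=None, per_protocol=None):
        self.template = template or []
        self.per_protocol = per_protocol or {}   # proto -> [Rule]

    def evaluate(self, pkt: dict) -> str:
        for rule in self.template + self.per_protocol.get(pkt["proto"], []):
            if rule.matches(pkt):
                return rule.action
        return "deny"   # implicit deny; also the 2.3.1.2 fallback state


def build_sample_policy() -> Policy:
    """Constructed PAN-style policy: the corporate network may reach only the
    historian service in the plant DMZ, the control network (PCN) is never
    reachable from corporate, and plant hosts may ping each other."""
    pcn = ObjectGroup("PCN", networks=["10.10.0.0/16"])
    dmz = ObjectGroup("PLANT-DMZ", networks=["10.20.0.0/16"])
    plant = ObjectGroup("PLANT", members=[pcn, dmz])            # nested group
    corporate = ObjectGroup("CORPORATE", networks=["172.16.0.0/12"])
    historian = ObjectGroup("HISTORIAN-SVC", ports={1433})
    echo = ObjectGroup("ICMP-ECHO", icmp_types={8})
    return Policy(
        template=[Rule("deny", "any", corporate, pcn)],          # global rule
        per_protocol={
            "tcp": [Rule("permit", "tcp", corporate, dmz, historian)],
            "icmp": [Rule("permit", "icmp", plant, plant, echo)],
        },
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    for pkt in (
        {"proto": "tcp", "src": "172.16.5.5", "dst": "10.10.1.1", "dport": 22},
        {"proto": "tcp", "src": "172.16.5.5", "dst": "10.20.0.5", "dport": 1433},
        {"proto": "icmp", "src": "10.10.1.1", "dst": "10.20.0.5", "icmp_type": 8},
    ):
        print(pkt, "->", policy.evaluate(pkt))
```

The ordering matters: because the template is evaluated first, the global "corporate to PCN" deny cannot be overridden by a later protocol-specific permit, which is the property a global template is meant to give; and an empty `Policy()` denies everything, so a device that boots with no policy loaded behaves as 2.3.1.2 describes.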

3.2 High Availability

3.2.1 Must support stateful failover for all types of running connections

3.2.2 Must have the capability for customizing failover events which trigger failover

3.2.3 Must support Active/Active and Active/Standby modes

3.2.4 All Configurations must be replicated on standby through special links

3.2.5 All heartbeat links must be configurable based on time intervals to achieve different failover response

3.2.6 Must support sub-second failover

3.3 Network Access Control

3.3.1 Must support multiple security levels for different security zones

3.3.2 Must support simple Packet Filtering

3.3.3 Must support stateful Inspection

3.3.4 Must support smart Proxies

3.3.5 Must support application gateways for common services (http, ftp, telnet)

3.3.6 Must support Static/Dynamic Network Address Translation (NAT) and Port Address Translation (PAT)

3.3.7 Must support static routing, Multicast, Dynamic routing (OSPF, RIP) and Policy routing

3.3.8 Must support multiple Ethernet 10/100/1000 Mbps interfaces with 1 Gbps performance as a minimum

3.3.9 Must support VLAN tagging (802.1Q)

3.3.10 Must support full Authentication Authorization and Accounting (AAA) model (RADIUS)


3.4 Identity Management

3.4.1 Support Security Token (RSA)

3.4.2 Support PKI (Entrust)

3.4.3 Support LDAP

3.4.4 Support Active Directory through AAA server

3.5 VPN Support

3.5.1 Support IPSEC VPN

3.5.2 Support all well known symmetric encryption algorithms (DES, 3DES, AES128 & 256, Blowfish …etc.)

3.5.3 Support all types of message digest algorithms (MD5, SHA-1)

3.5.4 Support all authentication headers (AH, HMAC, ESP)

3.5.5 Support all Diffie-Hellman groups

3.6 Content Management

Candidate firewall should have the ability to support content filtering for:

3.6.1 Web applications (ActiveX)

3.6.2 Mail applications (MIME sweeping)

3.6.3 Antivirus detection and prevention.

3.7 Intrusion Detection & Prevention

3.7.1 Ability to support the detection of following types of attacks:

● Exploit attacks

● Denial-of-Service (DoS) attacks

● Reconnaissance

● Misuse

3.7.2 Support automatic IDS signature update

3.7.3 Support customized signatures

3.7.4 Support packet re-assembly and inspect for known fragment attacks


3.7.5 Support the following detection mechanisms:

● Protocol decode

● Anomaly detection

● Heuristics

● Simple pattern matching

● Stateful pattern recognition

3.8 Firewall Operating Modes

3.8.1 Ability to support Routed mode of operation (IP address based interfaces)

3.8.2 Ability to support bridged mode of operation (Transparent Interfaces)

3.8.3 Ability to run multiple virtual firewalls

4 Logging

4.1 Required Log Events

The Candidate Firewall Product must have the capability, though it does not have to be enabled by default, to log the following event types:

4.1.1 All permitted inbound access requests from public network clients that use a service identified in the security policy hosted on the Candidate Firewall Product itself or on a private or service network server.

4.1.2 All permitted outbound access requests from private and service network clients that use a service identified in the security policy on a public network server.

4.1.3 All access requests from private, service and public network clients to traverse the candidate firewall product that violate the security policy.

4.1.4 All access requests from private, service and public network clients to send traffic to the candidate firewall product itself that violate the security policy.

4.1.5 All attempts to authenticate at an Administrative Interface on the candidate firewall product itself.

4.1.6 All access requests from private, service and public network clients to send traffic to the Candidate Firewall Product itself on the port or ports used for Remote Administration.


4.1.7 Each startup of the system itself or of the security policy enforcement.

4.1.8 All manually entered changes to the system clock, after the Candidate Firewall Product is active.

4.2 Required Log Data

For each Required Log Event, the following log data elements must, when applicable, be accurately captured in a log:

4.2.1 Date and Time – when the event occurred;

● The date recorded by the candidate firewall product for each event in the log must consist of the four-digit year, the month and the date.

● The time recorded by the candidate firewall product for each event in the log must consist of the hour, the minute and the second.

4.2.2 Protocol – indicated in the IP header field

4.2.3 Source IP Address – from the candidate firewall product’s perspective

4.2.4 Destination IP Address – from the candidate firewall product’s perspective

4.2.5 Source Port (TCP and UDP)

4.2.6 Destination Port (TCP and UDP)

4.2.7 Message Type (e.g., ICMP)

4.2.8 Disposition of the Events

4.2.9 Statement of success or failure to authenticate at an Administrative Interface.

4.2.10 Failed authentication attempts must include the reason for the failure.

4.2.11 The date and time recorded in the log by the Candidate Firewall Product must reflect the exact date and must minimally reflect the exact second in time that the event occurred.

4.2.12 All Required Log Data corresponding to all Required Log Events must be available for review upon demand and presented in a human readable format while preserving the relative sequence of events.

4.2.13 Candidate firewall must support syslog protocol.
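When a candidate product is evaluated against 4.2, the practical check is to take its syslog output (4.2.13) and verify that each record carries the required data elements: a four-digit-year date and hh:mm:ss time (4.2.1, 4.2.11), protocol, source and destination IP addresses (4.2.2 to 4.2.4), ports for TCP/UDP and message type for ICMP (4.2.5 to 4.2.7), the disposition (4.2.8), and for administrative authentication events the outcome, the reason for any failure (4.2.9, 4.2.10) and the administrator's username and IP address (2.1.4.3), with the relative sequence preserved (4.2.12). The Python below is an added example written for this report, not a tool the report describes; the key=value line format and every sample line in it are constructed for illustration and do not represent any product's actual format.

```python
"""Added example (not from SAER-6123 or any vendor): audit firewall log lines
against the Required Log Data elements of section 4.2 and the administrator
audit requirement of 2.1.4.3. The line format and sample lines are constructed."""
import re

# One record per line: ISO timestamp (four-digit year, seconds), host, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<fields>.*)$")

REQUIRED_TRAFFIC = {  # criterion -> field that must be present on traffic events
    "4.2.2 protocol": "proto",
    "4.2.3 source IP": "src",
    "4.2.4 destination IP": "dst",
    "4.2.8 disposition": "disposition",
}
PORT_PROTOCOLS = {"tcp", "udp"}


def parse_line(line):
    """Return (timestamp, fields), or (None, None) when the line lacks a
    compliant timestamp (4.2.1 / 4.2.11)."""
    m = LINE_RE.match(line)
    if not m:
        return None, None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return m.group("ts"), fields


def check_record(ts, fields):
    """List the criteria a single record fails to satisfy."""
    if ts is None:
        return ["4.2.1/4.2.11 timestamp (four-digit year, hh:mm:ss)"]
    issues = []
    if fields.get("event") == "admin_auth":
        # 2.1.4.3: administrator username and IP; 4.2.9 / 4.2.10: outcome and reason
        for crit, key in (("2.1.4.3 admin username", "user"),
                          ("2.1.4.3 admin IP", "src"),
                          ("4.2.9 auth result", "disposition")):
            if key not in fields:
                issues.append(crit)
        if fields.get("disposition") == "failure" and "reason" not in fields:
            issues.append("4.2.10 failure reason")
        return issues
    for crit, key in REQUIRED_TRAFFIC.items():
        if key not in fields:
            issues.append(crit)
    proto = fields.get("proto")
    if proto in PORT_PROTOCOLS:
        if "spt" not in fields:
            issues.append("4.2.5 source port")
        if "dpt" not in fields:
            issues.append("4.2.6 destination port")
    elif proto == "icmp" and "type" not in fields:
        issues.append("4.2.7 message type")
    return issues


def audit_log(text):
    """Return {line_number: [issues]} for every non-compliant line, adding a
    4.2.12 finding when a parsable timestamp goes backwards."""
    findings = {}
    last_ts = None
    for n, line in enumerate(text.splitlines(), 1):
        ts, fields = parse_line(line)
        issues = check_record(ts, fields)
        if ts is not None:
            if last_ts is not None and ts < last_ts:   # ISO strings sort chronologically
                issues.append("4.2.12 relative sequence of events")
            last_ts = ts
        if issues:
            findings[n] = issues
    return findings


# Constructed sample output; lines 6, 7 and 8 are deliberately deficient.
SAMPLE_LOG = """\
2007-07-11T09:15:02 pan-fw1 event=traffic disposition=permit proto=tcp src=172.16.5.5 spt=51234 dst=10.20.0.5 dpt=1433
2007-07-11T09:15:03 pan-fw1 event=traffic disposition=deny proto=tcp src=172.16.5.5 spt=51235 dst=10.10.1.1 dpt=22
2007-07-11T09:15:04 pan-fw1 event=traffic disposition=permit proto=icmp src=10.10.1.1 dst=10.20.0.5 type=8
2007-07-11T09:15:05 pan-fw1 event=admin_auth disposition=failure user=opr1 src=10.10.5.9 reason=bad_password
2007-07-11T09:15:06 pan-fw1 event=admin_auth disposition=success user=opr1 src=10.10.5.9
2007-07-11T09:15:07 pan-fw1 event=traffic disposition=deny proto=udp src=10.10.5.9 dst=10.20.0.5
07/11 09:15 pan-fw1 event=traffic disposition=permit proto=tcp src=10.10.5.9 spt=4000 dst=10.20.0.5 dpt=80
2007-07-11T09:15:08 pan-fw1 event=admin_auth disposition=failure user=opr2 src=10.10.5.9
"""


def audit_sample():
    return audit_log(SAMPLE_LOG)


if __name__ == "__main__":
    for n, issues in sorted(audit_sample().items()):
        print(f"line {n}: " + "; ".join(issues))
```

Run against a real product's export, the parser in `parse_line` is the only part that needs adapting to the vendor's format; the checks in `check_record` map one-to-one onto the numbered criteria, so a failing line names the criterion the product does not meet.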


5 Hardware Architecture

5.1 All the mentioned features are preferred to be integrated in a single box

5.2 Must support rack mounting

5.3 Must be powered by AC/DC source

5.4 Must be hardware certified (ICSA and Common Criteria)

Revision Summary

11 July 2007 New Saudi Aramco Engineering Report.