cisco 5940 series embedded services router security target · 2011. 12. 15. · cisco 5940 series...

Cisco 5940 Series Embedded Services Router

Security Target

Revision 1.0

May 2011

Cisco 5940 Series Embedded Services Router ST May 2011

2

Table of Contents

1 SECURITY TARGET INTRODUCTION ............................................................................. 6

1.1 ST and TOE Reference ........................................................................................ 6

1.2 Acronyms and Abbreviations ............................................................................... 6

1.3 TOE Overview ..................................................................................................... 7

1.3.1 TOE Product Type ........................................................................................ 7

1.3.2 Supported non-TOE Hardware/ Software/ Firmware ................................... 8

1.4 TOE DESCRIPTION ........................................................................................... 9

1.5 Physical Scope of the TOE................................................................................... 9

1.6 Logical Scope of the TOE .................................................................................... 9

1.6.1 Identification and Authentication ............................................................... 10

1.6.2 Secure Management .................................................................................... 10

1.6.3 Information Flow Control ........................................................................... 11

1.6.4 Intrusion Prevention Services ..................................................................... 12

1.6.5 Cryptography .............................................................................................. 12

1.6.6 Secure Auditing .......................................................................................... 13

1.7 TOE Evaluated Configuration ............................................................................ 13

1.7.1 Excluded Functionality ............................................................................... 14 2 Conformance Claims ............................................................................................................. 15

2.1 Common Criteria Conformance Claim .............................................................. 15

2.2 Protection Profile Conformance ......................................................................... 15

2.2.1 Protection Profile Refinements ................................................................... 15

2.2.2 Protection Profile Additions ....................................................................... 15

2.3 Protection Profile Conformance Claim Rationale .............................................. 16

2.3.1 TOE Appropriateness.................................................................................. 16

2.3.2 TOE Security Problem Definition Consistency .......................................... 17

2.3.3 Statement of Security Objectives Consistency ........................................... 18

2.3.4 Statement of Security Requirements Consistency ...................................... 19 3 SECURITY PROBLEM DEFINITION ................................................................................ 22

3.1 Assumptions ....................................................................................................... 22

3.2 Threats ................................................................................................................ 22

3.3 Organizational Security Policies ........................................................................ 24 4 SECURITY OBJECTIVES ................................................................................................... 25

4.1 Security Objectives for the TOE ........................................................................ 25

4.2 Security Objectives for the Environment ........................................................... 26 5 SECURITY REQUIREMENTS ........................................................................................... 27

5.1 Conventions ........................................................................................................ 27

5.2 TOE Security Functional Requirements ............................................................ 27

5.3 SFRs Drawn from pp_fw_tf_br_v1.1................................................................. 28

5.3.1 Security audit (FAU)................................................................................... 28

5.3.2 Cryptographic Support (FCS) ..................................................................... 30

5.3.3 User data protection (FDP) ......................................................................... 30

5.3.4 Identification and authentication (FIA) ...................................................... 32

5.3.5 Security management (FMT) ...................................................................... 33

5.3.6 Protection of the TSF (FPT) ....................................................................... 34


3

5.4 SFRs in addition to the SFRs found in pp_fw_tf_br_v1.1 ................................. 34

5.4.1 Cryptographic Support (FCS) ..................................................................... 34

5.4.2 User data protection (FDP) ......................................................................... 38

5.4.3 Security management (FMT) ...................................................................... 40

5.4.4 Trusted Path/Channel (FTP) ....................................................................... 40

5.4.5 IDS Component Requirements (IDS) ......................................................... 41

5.5 TOE SFR Dependencies Rationale for SFRs Found in pp_fw_tf_br_v1.1........ 43

5.6 TOE SFR Dependencies for SFRs in addition to the SFRs found in

pp_fw_tf_br_v1.1.......................................................................................................... 43

5.7 Security Assurance Requirements ...................................................................... 44

5.7.1 SAR Requirements...................................................................................... 44

5.7.2 Security Assurance Requirements Rationale .............................................. 45

5.8 Assurance Measures ........................................................................................... 45 6 TOE Summary Specification ................................................................................................ 46

6.1 TOE Security Functional Requirement Measures .............................................. 46

6.2 TOE Bypass and interference/logical tampering Protection Measures .............. 53 7 RATIONALE ........................................................................................................................ 55

7.1 Rationale for TOE Security Objectives .............................................................. 55

7.2 Rationale for the Security Objectives for the Environment ............................... 57

7.3 Rationale for requirements/TOE Objectives ...................................................... 57 Annex A: References ..................................................................................................................... 63


4

List of Tables

Table 1: ST and TOE Identification ................................................................................... 6

Table 2: Acronyms .............................................................................................................. 6

Table 3: IT Environment Components ............................................................................... 8

Table 4: TOE Provided Cryptography ............................................................................. 12

Table 5: Excluded Functionality ...................................................................................... 14

Table 6: Protection Profiles .............................................................................................. 15

Table 7: Protection Profile Refinements ........................................................................... 15

Table 8: Protection Profile Threat Additions .................................................................... 17

Table 9: Protection Profile Security Objective Additions ................................................ 18

Table 10: Protection Profile Security Functional Requirement Additions and Refinements

........................................................................................................................................... 19

Table 11: TOE Assumptions ............................................................................................. 22

Table 12: Threats .............................................................................................................. 22

Table 13: Security Objectives for the TOE....................................................................... 25

Table 14: Security Objectives for the Environment ......................................................... 26

Table 15: Security Functional Requirements .................................................................... 27

Table 16: Security Functional Requirements .................................................................... 29

Table 17: System Events ................................................................................................... 41

Table 18: Dependency Rationale ...................................................................................... 43

Table 19: Assurance Measures ......................................................................................... 44

Table 20: Assurance Measures ......................................................................................... 45

Table 21: How TOE SFRs Measures ................................................................................ 46

Table 22: Threat/Policies/Objectives Mappings ............................................................... 55

Table 23: Threat/Policies/TOE Objectives Rationale ....................................................... 55

Table 24: Threats/Environment Objectives Mappings ..................................................... 57

Table 25: Assumptions/Threats/Objectives Rationale ...................................................... 57

Table 26: Objective to Requirements Mappings .............................................................. 58

Table 27: Objectives to Requirements Rationale.............................................................. 59

Table 28: References......................................................................................................... 63


5

DOCUMENT INTRODUCTION

Prepared By:

Cisco Systems, Inc.

170 West Tasman Dr.

San Jose, CA 95134

This document provides the basis for an evaluation of a specific Target of Evaluation

(TOE), the Cisco 5940 Series Embedded Services Router. This Security Target (ST)

defines a set of assumptions about the aspects of the environment, a list of threats that the

product intends to counter, a set of security objectives, a set of security requirements, and

the IT security functions provided by the TOE which meet the set of requirements.


6

1 SECURITY TARGET INTRODUCTION

The Security Target contains the following sections:

♦ Security Target Introduction [Section 1]

♦ Conformance Claims [Section 2]

♦ Security Problem Definition [Section 3]

♦ Security Objectives [Section 4]

♦ IT Security Requirements [Section 5]

♦ TOE Summary Specification [Section 6]

♦ Rationale [Section 7]

The structure and content of this ST comply with the requirements specified in the

Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter 4.

1.1 ST and TOE Reference

This section provides information needed to identify and control this ST and its TOE.

Table 1: ST and TOE Identification

ST Title Cisco 5940 Series Embedded Services Router Security Target

ST Version 1.0

Publication Date May 2011

Vendor and ST Author Cisco Systems, Inc.

TOE Reference Cisco 5940 Series Embedded Services Router

TOE Hardware Models conduction cooled processor module; air cooled processor module

TOE Software Version IOS 15.1(2)GC1

ST Evaluation Status In Evaluation

Keywords Switch, Data Protection, Authentication, Firewall, IDS

1.2 Acronyms and Abbreviations

The following acronyms and abbreviations are used in this Security Target:

Table 2: Acronyms

Acronyms /

Abbreviations

Definition

AAA Administration, Authorization, and Accounting

AES Advanced Encryption Standard

CC Common Criteria for Information Technology Security Evaluation

CEM Common Evaluation Methodology for Information Technology Security

CM Configuration Management

cPCI Compact Peripheral Component Interconnect

DHCP Dynamic Host Configuration Protocol

EAL Evaluation Assurance Level

HTTPS Hyper-Text Transport Protocol Secure

IPS Intrusion Prevention System

ISR Integrated Service Router

IT Information Technology


7

Acronyms /

Abbreviations

Definition

J2 A pin connection type for the backplanes of PCI cards. Not an acronym.

JTAG Joint Test Action Group

OS Operating System

PCI Peripheral Component Interconnect

PP Protection Profile

pp_fw_tf_br_v1.1 U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness

Environments

RJ-45 Registered Jack 45

SHS Secure Hash Standard

SSH Secure Shell

ST Security Target

TCP Transport Control Protocol

TOE Target of Evaluation

TSC TSF Scope of Control

TSF TOE Security Function

TSP TOE Security Policy

WAN Wide Area Network

WIC WAN Interface Card

1.3 TOE Overview

The Cisco 5940 Series Embedded Services Router TOE is a purpose-built, routing

platform that includes firewall, Intrusion Prevention, and VPN functionality. The firewall

functionality included within the TOE provides the functionality specified in the U.S.

Government Protection Profile for Traffic Filter Firewall in Basic Robustness

Environments. The TOE includes one router module that can operate in any CompactPCI

(cPCI) 3 unit (3U) chassis.

1.3.1 TOE Product Type

The Cisco 5940 Series Embedded Services Router is a router platform that provides

connectivity and security services onto a single, secure device. The flexible, compact

form factor of these routers, complemented by Cisco IOS® Software, provides highly

secure data, voice, and video communications to stationary and mobile network nodes

across wired links.

In support of the routing capabilities, the Cisco 5940 Series Embedded Services Router

provides IPSec connection capabilities for VPN enabled clients connecting through the

Cisco 5940 Series Embedded Services Router. The Cisco 5940 Series Embedded

Services Router is also compatible with the GET VPN (using GDOI).

The Cisco 5940 Series Embedded Services Router also supports firewall capabilities

consistent with the U.S. Government Protection Profile for Traffic Filter Firewall in

Basic Robustness Environments. The Cisco 5940 Series Embedded Services Router is a

3U (cPCI) router module solution for protecting the network. The firewall capabilities

provided by the TOE are provided via a stateful packet filtering firewall. A stateful

packet filtering firewall controls the flow of IP traffic by matching information contained

in the headers of connection-oriented or connection-less IP packets against a set of rules


8

specified by the authorized administrator for firewalls. This header information includes

source and destination host (IP) addresses, source and destination port numbers, and the

transport service application protocol (TSAP) held within the data field of the IP packet.

Depending upon the rule and the results of the match, the firewall either passes or drops

the packet. The stateful firewall remembers the state of the connection from information

gleaned from prior packets flowing on the connection and uses it to regulate current

packets. The packet will be denied if the security policy is violated.

In addition to IP header information, the TOE mediates information flows on the basis of

other information, such as the direction (incoming or outgoing) of the packet on any

given firewall network interface. For connection-oriented transport services, the firewall

either permits connections and subsequent packets for the connection or denies the

connection and subsequent packets associated with the connection.

The TOE also includes on the 5940 Series Embedded Services Router modules a

network-based Intrusion Prevention System that monitors traffic in real-time. It can

analyze both the header and content of each packet. The TOE uses a rule-based expert

system to interrogate the packet information to determine the type of attack, be it simple

or complex.

1.3.2 Supported non-TOE Hardware/ Software/ Firmware

The TOE supports (in some cases optionally) the following hardware, software, and

firmware in its environment:

Table 3: IT Environment Components

Component Required Usage/Purpose Description for TOE performance Router Chassis Yes The host chassis for the router provides the power to the module as

well as directly connected Ethernet interfaces via a standard cPCI

backplane. The chassis selected can be any off –the-shelf chassis that

supports 3U cPCI cards.

Rear Transition

Module (RTM)

Yes The RTM supports Input/Ouput connectors through standard RJ-45

connectors, or any other cPCI compatible network connector. The

RTM can be any off-the-shelf module that is a cPCI form factor. It is

installed in the chassis directly opposite the card with which it is to be

used.

Management

Workstation with

SSH Client

Yes This includes any IT Environment Management workstation with a

SSH client installed that is used by the TOE administrator to support

TOE administration through SSH protected channels. Any SSH client

that supports SSH v2 may be used.

AAA Server Yes This includes any IT environment AAA server that provides single-

use authentication mechanisms. This can be any AAA server that

provides single-use authentication. The TOE correctly leverages the

services provided by this AAA server to provide single-use

authentication to administrators.

VPN Peer No This includes any peer with which the TOE participates in VPN

communications. VPN peers may be any device or software client

that supports IPSec v3 communications. Both VPN clients and VPN

gateways are considered VPN peers by the TOE.

NTP Server No The TOE supports communications with an NTP server. A solution


9

Component Required Usage/Purpose Description for TOE performance must be used that supports MD5 hashing of communications with up

to a 32 character key.

Syslog Server Yes A syslog server with the capability to support TCP syslog

communications over an IPSec tunnel is required for use with the

TOE.

Certificate

Authority (CA)

No This includes any IT Environment Certificate Authority on the TOE

network. This can be used to provide the TOE with a valid certificate

during certificate enrollment for IKE authentication.

1.4 TOE DESCRIPTION

This section provides an overview of the Cisco 5940 Series Embedded Services Router

Target of Evaluation (TOE). The TOE is comprised of a single cPCI router module

running IOS 15.1(2)GC1.

1.5 Physical Scope of the TOE

The TOE is a hardware solution obtained from General Dynamics under OEM contract

running the IOS 15.1(2)GC1 software solution. The image name for the 5940 Series

Embedded Services Router TOE is c59xx-adventerprisek9-mz.SPA. The key components

on the board are:

• Freescale MPC8548E processor

• Marvell 88E1145 quad Ethernet transceiver

• Spansion S29GL01GP flash or Numonyx flash chip

Both an air-cooled and a conduction-cooled board exist. Aside from the differences

outlined below, they differ only in cooling mechanism.

The board provides the following external interfaces:

• Serial port.

o Via a connection on the J2 connector on the cPCI backplane on the conduction-cooled model and via direct access RJ-45 port or the J2

connector on the cPCI backplane on the card on the air-cooled model.

• Four Gigabit Ethernet ports, via connections on the J2 connector on the cPCI

backplane.

• PCI interface connection to the backplane. This PCI interface is used to connect to

the RTM

• PCI bus connection to the backplane. This PCI controller is disabled within the

IOS running on the TOE.

• JTAG header. The JTAG will be connected to the J2 connector on the cPCI

backplane. It is to be disabled in the evaluated configuration and not re-enabled.

1.6 Logical Scope of the TOE

The TOE is comprised of several security features. Each of the security features

identified above consists of several security functionalities, as identified below.


10

1. Identification and Authentication

2. Secure Management

3. VPN and/or Firewall Information Flow Control

4. Intrusion Prevention Services

5. Cryptography

6. Secure Auditing

These features are described in more detail in the subsections below.

1.6.1 Identification and Authentication

The TOE performs two types of authentication: device-level authentication of the remote

device (VPN peers) and user authentication for the administrators of the TOE. Device-

level authentication allows the TOE to establish a secure channel with a trusted peer. The

secure channel is established only after each device authenticates itself. Device-level

authentication is performed via IKE v1/IPSec v3 mutual authentication. The TOE

provides authentication services for all administrators wishing to connect to the TOEs

secure CLI administrative interface. The TOE requires all administrators to authenticate

prior to being granted access to any of the management functionality.

The TOE facilitates single-use authentication for all administrators and external IT

entities attempting to connect to the TOE by invoking an external RADIUS AAA (IT

environment) to provide single-use authentication. The TOE provides single use

authentication to external IT entities through the use of IKE/IPSec mutual authentication.

1.6.2 Secure Management

The TOE provides secure administrative services for management of general TOE

configuration and the security functionality provided by the TOE. All TOE

administration occurs either through a secure SSH session, via terminal server (such as a

Cisco 2811), or via a local console connection. The TOE provides the ability to securely

manage all TOE administrators; all identification and authentication; all audit

functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained

by the TOE (including settings for an NTP server, if used as the timestamp source); TOE

configuration backup and recovery, and the information flow control policies enforced by

the TOE. The TOE supports two separate administrative roles that make up the

authorized administrator: non-privileged Administrator and privileged Administrator.

The TOE also supports external IT entities. These external IT entities are peer routers

that pass network control information (e.g., routing tables) to the TOE. Also included are

any other VPN peers with which the TOE exchanges information, including VPN clients

and VPN gateways.

Once a configured threshold of consecutive authentication failures is reached, the TOE

locks-out the administrator (either privileged or non-privileged) or external IT entity

attempting to log into the TOE until another administrator unlocks their account. No


11

administrator can unlock their own account, therefore there should always be at least two

privileged administrators configured on the device.

1.6.3 Information Flow Control

1.6.3.1 Firewall Information Flow Control

The Cisco 5940 Series Embedded Services Router mediate information flows through the

TOE for unauthenticated information flows. The Information Control functionality of the

TOE allows privileged administrators to set up rules between interfaces of the TOE.

These rules control whether a packet is transferred from one interface to another and/or

transferred encrypted based upon:

1. Presumed address of source subject

2. Presumed address of destination subject

3. Service used

4. Transport layer protocol

5. Network interface on which the connection request occurs and is to depart

Packets will be dropped unless a specific rule or policy in an access control list (ACL)

has been set up to allow the packet to pass. The order of Access Control Entries (ACEs)

in an ACL is important. When the TOE decides whether to forward or drop a packet, the

TOE tests the packet against the ACE in the order in which the entries are listed. After a

match is found, no more ACEs are checked such that if the ACE at the beginning of the

ACL explicitly permits all traffic, no further ACEs are checked. Interface ACLs are

applied first before IPsec negotiations occur in the evaluated configuration.

The TOE ensures that all information flows from the TOE do not contain residual

information from previous traffic. Packets are padded with zeroes. Residual data is

never transmitted from the TOE.

1.6.3.2 VPN Information Flow Control

Cisco 5940 Series Embedded Services Router delivers VPN connections to remote

entities. The VPN process includes remote device authentication, negotiation of specific

cryptographic parameters for the session, and providing a secure connection to and from

the remote device. For inbound or outbound connections with external IT entities that are

capable of supporting VPN (e.g., a VPN Peer), the TOE will establish a secure

connection. For other inbound or outbound traffic a secure connection will not be

established.

1.6.3.3 VLAN Information Flow Control

Cisco 5940 Series Embedded Services Router allows VLAN connections to/from remote

entities. The TOE provides the ability to identify the VLAN the network traffic is

associated with. The TOE then permits or denies the network traffic based on the VLANs


12

configured on the interface the network traffic is received /destined. This policy is

applied after the Firewall policy.

1.6.4 Intrusion Prevention Services

The Cisco 5940 Series Embedded Services Router IOS software Intrusion Prevention

System (IPS) operates as an in-line intrusion detection sensor, watching packets and

sessions as they flow through the router and scanning each packet to match any of the

Cisco IOS IPS signatures. When Cisco IOS IPS detects suspicious activity, it responds

before network security can be compromised and logs the event through Cisco IOS

syslog messages stored in the local buffer and then offloaded to an external syslog server.

The privileged administrator can configure Cisco IOS IPS to choose the appropriate

response to various threats. When packets in a session match a signature, Cisco IOS IPS

can take any of the following actions, as appropriate:

• Send an audit record to a syslog server or a management interface

• Drop the packet

• Reset the connection

• Deny traffic from the source IP address of the attacker for a specified amount of

time

• Deny traffic on the connection for which the signature was seen for a specified

amount of time

For inbound packets the IDS processing is done after firewall policies and then VPN

policies have been applied.

1.6.5 Cryptography

The TOE provides cryptography in support of other Cisco 5940 Series Embedded

Services Router security functionality. This cryptography has been validated for

conformance to the requirements of FIPS 140-2 Level 1. Further details regarding the

FIPS validation can be found in Certificate #1639. The TOE provides cryptography in

support of VPN connections and remote administrative management via SSH. The

cryptographic services provided by the TOE include

Table 4: TOE Provided Cryptography

Cryptographic Method Use within the TOE Internet Key Exchange Used to establish initial IPSec session.

ANSI X9.31 PRNG Used in IPSec session establishment.

AES Used to encrypt IPSec session traffic.

Used to encrypt SSH session traffic.

Group Domain of Interpretation Used in IPSec session establishment.

RSA IKE RSA authentication

DSA SSH host authentication, SSH client authentication

SHA256 IKE


13

1.6.6 Secure Auditing

The Cisco 5940 Series Embedded Services Router provides extensive auditing

capabilities. The TOE can audit events related to cryptographic functionality, information

flow control enforcement, intrusion prevention, identification and authentication, and

administrative actions. The Cisco 5940 Series Embedded Services Router generates an

audit record for each auditable event. These events include a timestamp that can be

provided by the TOE or an optional NTP server in the operational environment. The

Cisco 5940 Series Embedded Services Router provides the privileged administrator with

a sorting and searching capability to improve audit analysis. The privileged administrator

configures auditable events, backs-up and manages audit data storage. The TOE provides

the privileged administrator with a local circular audit trail, also referred to as the Event

Store,and allows for configuration of offload of audit data via TCP syslog to a syslog

server in the operational environment so that audit events are not lost when the Event

Store reaches capacity and begins to overwrite old events.

1.7 TOE Evaluated Configuration

The following figure provides a visual depiction of an example TOE deployment. The

TOE boundary is surrounded with a dashed red line.

The previous figure includes the following:

♦ The 5940 TOE Model (both the conduction-cooled and air-cooled models are

pictured.)


14

♦ IT Environment: Chassis and RTM

♦ IT Environment: (2) VPN Peers

♦ IT Environment: Management Workstation

♦ IT Environment: AAA Server

♦ IT Environment: NTP Server

♦ IT Environment: Syslog Server

1.7.1 Excluded Functionality

The following functional is excluded from the evaluation.

Table 5: Excluded Functionality

Excluded Functionality Exclusion Rationale Non-FIPS 140-2 mode of operation on the router. This mode of operation includes non-FIPS allowed

operations.

Telnet for management purposes. Telnet passes authentication credentials in clear

text. SSHv2 is to be used instead.

The exclusion of this functionality does not affect compliance to the U.S. Government

Protection Profile for Traffic Filter Firewall in Basic Robustness Environments.


15

2 CONFORMANCE CLAIMS

2.1 Common Criteria Conformance Claim

The TOE and ST are compliant with the Common Criteria (CC) Version 3.1, Revision 3,

dated: July 2009.

The TOE and ST are EAL2 Augmented with ALC_FLR.2 Part 3 conformant.

The TOE and ST are CC Part 2 extended.

2.2 Protection Profile Conformance

This ST claims compliance to the following Common Criteria validated Protection Profiles:

Table 6: Protection Profiles

Protection Profile Version Date U.S. Government Protection Profile for Traffic Filter Firewall in Basic

Robustness Environments (pp_fw_tf_br_v1.1)

1.1 July 25, 2007

2.2.1 Protection Profile Refinements

The following table identifies the refinements made to the Protection Profile and provides

rationale for the refinement:

Table 7: Protection Profile Refinements

Refinement Rationale FAU_GEN.1 Refined to refer to the correct table number and to add an

additional event to the audit table.

FAU_SAR.1 Refined to clarify that privileged administrators are affected.

FMT_SMR.1 Refined to also address External IT entities and to clarify that both

privileged and non-privileged administrators are included.

FIA_ATD.1 Refined to also address External IT entities

FMT_MSA.3(1) Refined to specify the privileged administrator.

FMT_MOF.1 Refined to specify the privileged administrator and what a non-

privileged administrator is able to access.

The names of all of the Objectives on the Environment were changed from O.XXXXX to

OE.XXXXX in this ST.

2.2.2 Protection Profile Additions

The following threats were added to the TOE:

♦ T.UNAUTHORIZED_PEER

♦ T.EAVESDROP

♦ T.VPNMEDIAT

♦ T.VLAN

♦ T.NOHALT

♦ T.FALACT

♦ T.FALREC


16

♦ T.FALASC

♦ T.MISUSE

♦ T.INADVE

♦ T.MISACT

♦ T.INTEGRITY

The following objectives were added to the TOE:

♦ O.CRYPTOGRAPHIC_ FUNCTIONS

♦ O.PEER_AUTHENTICATION

♦ O.INTEGRITY

♦ O.VPNMEDIAT

♦ O.VLAN

♦ O.IDSENS

♦ O.IDANLZ

♦ O.RESPON

The following requirements were added to the set of SFRs on the TOE:

♦ FCS_CKM.4

♦ FCS_COP_(EXT).1

♦ FCS_GDOI_(EXT).1

♦ FCS_IKE_(EXT).1

♦ FDP_IFC.1(2)

♦ FDP_IFF.1(2)

♦ FDP_IFC.1(3)

♦ FDP_IFF.1(3)

♦ FMT_MSA.3(2)

♦ FMT_MSA.3(3)

♦ FMT_SMF.1

♦ FTP_ITC.1

♦ FTP_TRP.1

♦ IDS_SDC_(EXT).1

♦ IDS_ANL_(EXT).1

♦ IDS_RCT_(EXT).1

♦ IDS_RDR_(EXT).1

♦ IDS_STG_(EXT).1

♦ IDS_STG_(EXT).2

2.3 Protection Profile Conformance Claim Rationale

2.3.1 TOE Appropriateness

The TOE provides all of the Traffic Filter Firewall functionality at a level of security

commensurate with that identified in the U.S. Government Protection Profile:

• U.S. Government Protection Profile for Traffic Filter Firewall in Basic

Robustness Environments (pp_fw_tf_br_v1.1)


17

2.3.2 TOE Security Problem Definition Consistency

The Assumptions, Threats, and Organization Security Policies included in the Security

Target represent the Assumptions, Threats, and Organization Security Policies specified

in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness

Environments for which conformance is claimed verbatim. Several additional Threats are

also included. All concepts covered in the Protection Profile Security Problem Definition

are included in the Security Target. None of the additional Threats contradicts the

functionality specified in the Protection Profile. The additional Threats augment the

firewall functionality specified in the Protection Profiles and discuss additional TOE

functionality that is not addressed in the Protection Profile. The following table identifies

each additional Threat included in the ST and provides rationale for its inclusion in the

Security Target with regards to the claims Protection Profiles.

Table 8: Protection Profile Threat Additions

Threat/OSP Rationale T.UNAUTHORIZED_PEER This threat is associated with VPN functionality. The PP addresses

firewall functionality and not VPN functionality. This VPN

functionality provided to counter this threat does not contradict any of

the functionality required by the PP for which conformance is claimed.

T.EAVESDROP This threat is associated with VPN functionality. The PP addresses




T.VPNMEDIAT This threat is associated with VPN functionality. The PP addresses




T.VLAN This threat is associated with VLAN functionality. The PP addresses

firewall functionality and not VLAN functionality. This VLAN



T.NOHALT

This threat is associated with IDS functionality. The PP addresses

firewall functionality and not IDS functionality. This IDS



T.FALACT This threat is associated with IDS functionality. The PP addresses




T.FALREC This threat is associated with IDS functionality. The PP addresses




T.FALASC This threat is associated with IDS functionality. The PP addresses




T.MISUSE This threat is associated with IDS functionality. The PP addresses





18

Threat/OSP Rationale T.INADVE This threat is associated with IDS functionality. The PP addresses




T.MISACT This threat is associated with IDS functionality. The PP addresses




T.INTEGRITY This threat is associated with VPN functionality. The PP addresses




2.3.3 Statement of Security Objectives Consistency

The Security Objectives included in the Security Target represent the Security Objectives

specified in the U.S. Government Protection Profile for Traffic Filter Firewall in Basic

Robustness Environments for which conformance is claimed verbatim. Several additional

Security Objectives are also included. All concepts covered in the Protection Profile’s

Statement of Security Objectives are included in the Security Target. None of the

additional Security Objectives contradicts the functionality specified in the Protection

Profile. The additional Security Objectives augment the firewall functionality specified

in the Protection Profiles and discuss additional TOE functionality that is not addressed

in the Protection Profile. The following table identifies each additional Security Objective

included in the ST and provides rationale for its inclusion in the Security Target with

regards to the claims Protection Profiles.

Table 9: Protection Profile Security Objective Additions

Security Objective Rationale O.CRYPTOGRAPHIC_ FUNCTIONS This Security Objective augments the cryptographic functionality

discussed in the PP for which conformance is claimed. This policy

does not introduce any functionality that is inconsistent with the

cryptography specified in the PP for which conformance is claimed.

O.PEER_AUTHENTICATION This Security Objective is associated with VPN functionality. The PP

addresses firewall functionality and not VPN functionality. This VPN


the functionality required by the PP for which conformance is

claimed.

O.INTEGRITY This Security Objective is associated with VPN functionality. The PP




claimed.

O.VPNMEDIAT This Security Objective is associated with VPN functionality. The PP




claimed.

O.VLAN This Security Objective is associated with VLAN functionality. The

PP addresses firewall functionality and not VLAN functionality. This

VLAN functionality provided to counter this threat does not contradict


19

Security Objective Rationale any of the functionality required by the PP for which conformance is

claimed.

O.IDSENS

This Security Objective is associated with IPS functionality. The PP

addresses firewall functionality and not IPS functionality. This IPS



claimed.

O.IDANLZ





claimed.

O.RESPON





claimed.

2.3.4 Statement of Security Requirements Consistency

The Security Functional Requirements included in the Security Target represent the

Security Functional Requirements specified in the U.S. Government Protection Profile

for Traffic Filter Firewall in Basic Robustness Environments for which conformance is

claimed verbatim. Several additional Security Functional Requirements are also included.

All concepts covered the Protection Profile’s Statement of Security Requirements are

included in the Security Target. Additionally, the Security Assurance Requirements

included in the Security Target are identical to the Security Assurance Requirements

included in each of the Protection Profiles. None of the additional Security Functional

Requirements contradicts the functionality specified in the Protection Profile. The

additional Security Functional Requirements augment the firewall functionality specified

in the Protection Profiles and discuss additional TOE functionality that is not addressed

in the Protection Profile. The following table identifies each additional Security

Functional Requirement included in the ST and provides rationale for its inclusion in the

Security Target with regards to the claims Protection Profiles.

Table 10: Protection Profile Security Functional Requirement Additions and Refinements

SFR Rationale FAU_GEN.1 This SFR was refined to add an additional event type to be audited and to refer

to the correct table within the requirement wording. This does not contradict

any claims in the PP or weaken the claimed security functionality.

FAU_SAR.1 This SFR was refined to clarify that this instance of “authorized

administrators” applies to privileged administrators. This does not contradict


FMT_SMR.1 This SFR was refined to add a role used elsewhere in the PP SFRS: external

IT entities. This does not contradict any claims in the PP or weaken the

claimed security functionality.

FIA_ATD.1 This SFR was refined to add the authentication attributes for external IT

entities. This does not contradict any claims in the PP or weaken the claimed

security functionality.

FMT_MSA.3(1) This SFR was refined to clarify that this instance of “authorized

administrators” applies to only privileged administrators. This does not


20

SFR Rationale contradict any claims in the PP or weaken the claimed security functionality.

FMT_MOF.1 This SFR was refined to clarify that this instance of “authorized

administrators” applies to privileged administrators. This does not contradict


FCS_CKM.4 This SFR discusses the cryptographic key destruction. This functionality is not

discussed in the Protection Profile for which conformance is claimed.

Cryptographic key destruction does not contradict any of the cryptographic

functionality included in the PP.

FCS_COP_(EXT).1 This SFR discusses random number generation. This functionality is not

discussed in the Protection Profile for which conformance is claimed. Random

number generation does not contradict any of the cryptographic functionality

included in the PP.

FCS_GDOI_(EXT).1 This SFR discusses Group Domain of Interpretation. This functionality is not

discussed in the Protection Profile for which conformance is claimed. Group

Domain of Interpretation does not contradict any of the cryptographic

functionality included in the PP.

FCS_IKE_(EXT).1 This SFR discusses IKE Key establishment. This functionality is not discussed

in the Protection Profile for which conformance is claimed. IKE Key

Establishment does not contradict any of the cryptographic functionality

included in the PP.

FDP_IFC.1(2) This SFR discusses VPN functionality. This functionality is not discussed in

the Protection Profile for which conformance is claimed. VPN functionality

does not contradict any of the information flow control included in the PP.

FDP_IFF.1(2) This SFR discusses VPN functionality. This functionality is not discussed in

the Protection Profile for which conformance is claimed. VPN functionality


FDP_IFC.1(3) This SFR discusses VLAN functionality. This functionality is not discussed in

the Protection Profile for which conformance is claimed. VLAN functionality


FDP_IFF.1(3) This SFR discusses VLAN functionality. This functionality is not discussed in

the Protection Profile for which conformance is claimed. VLAN functionality


FMT_MSA.3(2) This SFR discusses the required security attribute management associated with

VPN controls. The PP for which conformance is claimed does not address

VPN information flow. Therefore it does not address the management of the

security attributes associated with VPNs. This management functionality does

not contradict any of the functionality described in the PP for which

conformance is claimed.

FMT_SMF.1 This SFR discusses the overall security functions associated with secure

management of the TOE. While the PP does not include this SFR, the CCTL

requested its inclusion for consistency with other Security Target.

FTP_ITC.1 This SFR discusses protected communications between a remote syslog and

the TOE. This SFR complements the cryptographic requirements already

included in the SFR for management communications with the TOE. This SFR

does not introduce any functionality that is conflicting with the functionality

required by the PP for which conformance is claimed.

FTP_TRP.1 This SFR discusses trusted paths between a remote workstation and the TOE.

This SFR complements the cryptographic requirements already included in the

SFR for management communications with the TOE. This SFR does not

introduce any functionality that is conflicting with the functionality required

by the PP for which conformance is claimed.

IDS_SDC_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not




21

SFR Rationale IDS_ANL_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not



IDS_RCT_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not



IDS_RDR_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not



IDS_STG_(EXT).1 This SFR discusses IDS functionality on the TOE. This SFR does not



IDS_STG_(EXT).2 This SFR discusses IDS functionality on the TOE. This SFR does not




22

3 SECURITY PROBLEM DEFINITION This chapter identifies the following:

♦ Significant assumptions about the TOE’s operational environment

♦ IT related threats to the organization countered by the TOE

♦ Environmental threats requiring controls to provide sufficient protection

♦ Organizational security policies for the TOE as appropriate.

This document identifies assumptions as A.assumption with “assumption” specifying a

unique name. Threats are identified as T.threat with “threat” specifying a unique name.

3.1 Assumptions

The specific conditions listed in the following subsections are assumed to exist in the

TOE’s environment. These assumptions include both practical realities in the

development of the TOE security requirements and the essential environmental

conditions on the use of the TOE.

Table 11: TOE Assumptions

Assumption Assumption Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness

Environments

A.PHYSEC The TOE is physically secure.

A.LOWEXP The threat of malicious attacks aimed at discovering exploitable vulnerabilities is

considered low.

A.GENPUR There are no general-purpose computing capabilities (e.g., the ability to execute arbitrary

code or applications) and storage repository capabilities on the TOE.

A.PUBLIC The TOE does not host public data.

A.NOEVIL Authorized administrators are non-hostile and follow all administrator guidance; however,

they are capable of error.

A.SINGEN Information can not flow among the internal and external networks unless it passes through

the TOE.

A.DIRECT Human users within the physically secure boundary protecting the TOE may attempt to

access the TOE from some direct connection (e.g., a console port) if the connection is part

of the TOE.

A.NOREMO Human users who are not authorized administrators can not access the TOE remotely from

the internal or external networks.

A.REMACC Authorized administrators may access the TOE remotely from the internal and external

networks.

3.2 Threats

The following table lists the threats addressed by the TOE and the IT Environment. The

assumed level of expertise of the attacker for all the threats identified below is

unsophisticated.

Table 12: Threats

Threat Threat Definition

Threats addressed by the TOE


23

Threat Threat Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness

Environments

T.NOAUTH An unauthorized person may attempt to bypass the security of the TOE so as to

access and use security functions and/or non-security functions provided by the

TOE.

T.REPEAT An unauthorized person may repeatedly try to guess authentication data in order

to use this information to launch attacks on the TOE.

T.REPLAY An unauthorized person may use valid identification and authentication data

obtained to access functions provided by the TOE.

T.ASPOOF An unauthorized person may carry out spoofing in which information flow

through the TOE into a connected network by using a spoofed source address.

T.MEDIAT An unauthorized person may send impermissible information through the TOE

which results in the exploitation of resources on the internal network.

T.OLDINF Because of a flaw in the TOE functioning, an unauthorized person may gather

residual information from a previous information flow or internal TOE data by

monitoring the padding of the information flows from the TOE.

T.PROCOM An unauthorized person or unauthorized external IT entity may be able to view,

modify, and/or delete security related information that is sent between a

remotely located authorized administrator and the TOE

T.AUDACC Persons may not be accountable for the actions that they conduct because the

audit records are not reviewed, thus allowing an attacker to escape detection.

T.SELPRO An unauthorized person may read, modify, or destroy security critical TOE

configuration data.

T.AUDFUL An unauthorized person may cause audit records to be lost or prevent future

records from being recorded by taking actions to exhaust audit storage capacity,

thus masking an attackers actions.

In addition to what is included in the U.S. Government Protection Profile for Traffic Filter Firewall in

Basic Robustness Environments

T.UNAUTHORIZED_PEER An unauthorized IT entity may attempt to establish a security association with

the TOE.

T.EAVESDROP A malicious user or process may observe or modify user or TSF data

transmitted to and from the TOE.

T.VPNMEDIAT An unauthorized person may send or receive unauthorized IPSec traffic through

the TOE which results in the exploitation of resources on the internal network.

T.VLAN An attacker may force a packet destined for one VLAN to cross into another

VLAN for which it is not authorized compromising the confidentiality and

integrity of information.

T.NOHALT

An unauthorized user may attempt to compromise the continuity of the System's

collection and analysis functions by halting execution of the TOE.

T.FALACT The TOE may fail to react to identified or suspected vulnerabilities or

inappropriate activity.

T.FALREC The TOE may fail to recognize vulnerabilities or inappropriate activity based on

IDS data received from each data source.

T.FALASC The TOE may fail to identify vulnerabilities or inappropriate activity based on

association of IDS data received from all data sources.

T.MISUSE Unauthorized accesses and activity indicative of misuse may occur on an IT

System the TOE monitors.

T.INADVE Inadvertent activity and access may occur on an IT System the TOE monitors.

T.MISACT Malicious activity, such as introductions of Trojan horses and viruses, may

occur on an IT System the TOE monitors.

T.INTEGRITY An attacker may compromise the integrity of IPSec traffic sent to/from the

TOE.

Threats addressed by the environment


24

Threat Threat Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness

Environments

T.TUSAGE The TOE may be inadvertently configured, used and administered in an

insecure manner by either authorized or unauthorized persons.

3.3 Organizational Security Policies

An organizational security policy is a set of rules, practices, and procedures imposed by

an organization to address its security needs. This ST contains no claims for organizational security policies.


25

4 SECURITY OBJECTIVES

This Chapter identifies the security objectives of the TOE and the IT Environment. The

security objectives identify the responsibilities of the TOE and the TOE’s IT environment

in meeting the security needs.

♦ This document identifies objectives of the TOE as O.objective with objective

specifying a unique name. Objectives that apply to the IT environment are

designated as OE.objective with objective specifying a unique name.

4.1 Security Objectives for the TOE

The following table, Security Objectives for the TOE, identifies the security objectives of

the TOE. These security objectives reflect the stated intent to counter identified threats

and/or comply with any security policies identified. An explanation of the relationship

between the objectives and the threats/policies is provided in the rationale section of this

document.

Table 13: Security Objectives for the TOE

TOE Objective TOE Security Objective Definition Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness

Environments

O.IDAUTH The TOE must uniquely identify and authenticate the claimed identity of all

users, before granting a user access to TOE functions.

O.SINUSE The TOE must prevent the reuse of authentication data for users attempting to

authenticate at the TOE from a connected network.

O.MEDIAT The TOE must mediate the flow of all information from users on a connected

network to users on another connected network, and must ensure that residual

information from a previous information flow is not transmitted in any way.

O.SECSTA Upon initial start-up of the TOE or recovery from an interruption in TOE

service, the TOE must not compromise its resources or those of any connected

network.

O.ENCRYP The TOE must protect the confidentiality of its dialogue with an authorized

administrator through encryption, if the TOE allows administration to occur

remotely from a connected network.

O.SELPRO The TOE must protect itself against attempts by unauthorized users to bypass,

deactivate, or tamper with TOE security functions.

O.AUDREC The TOE must provide a means to record a readable audit trail of security-

related events, with accurate dates and times, and a means to search and sort

the audit trail based on relevant attributes.

O.ACCOUN The TOE must provide user accountability for information flows through the

TOE and for authorized administrator use of security functions related to audit.

O.SECFUN The TOE must provide functionality that enables an authorized administrator

to use the TOE security functions, and must ensure that only authorized

administrators are able to access such functionality.

O.LIMEXT The TOE must provide the means for an authorized administrator to control

and limit access to TOE security functions by an authorized external IT entity.



O.CRYPTOGRAPHIC_

FUNCTIONS

The TOE shall provide cryptographic functions to provide confidentiality for

TSF data that is transmitted to and from the TOE.


26

TOE Objective TOE Security Objective Definition O.PEER_AUTHENTICATION The TOE will authenticate each peer TOE that attempts to establish a security

association with the TOE.

O.INTEGRITY The TOE must be able to protect the integrity of data transmitted to a peer via

encryption and provide IPSec authentication for such data. Upon receipt of

data from a peer, the TOE must be able to decrypt the data and verify that the

received data accurately represents the data that was originally transmitted.

O.VPNMEDIAT The TOE must mediate the flow of all IPSec traffic through the TOE and must

ensure that residual information from a previous IPSec traffic flow is not

transmitted in any way.

O.VLAN The TOE must provide a means for the logical separation of Virtual LANs to

ensure that packets flows are restricted to their authorized Virtual LANs

ensuring VLAN separation is achieved.

O.IDSENS

The Sensor must collect and store information about all events that are

indicative of inappropriate activity that may have resulted from misuse, access,

or malicious activity of IT System assets and the IDS.

O.IDANLZ The Analyzer must accept data from IDS Sensors and then apply analytical

processes and information to derive conclusions about intrusions (past, present,

or future).

O.RESPON The TOE must respond appropriately to analytical conclusions.

4.2 Security Objectives for the Environment

All of the assumptions stated in section 3.1 are considered to be security objectives for

the environment. The following are the Protection Profile non-IT security objectives,

which, in addition to those assumptions, are to be satisfied without imposing technical

requirements on the TOE. That is, they will not require the implementation of functions

in the TOE hardware and/or software. Thus, they will be satisfied largely through

application of procedural or administrative measures.

Table 14: Security Objectives for the Environment

Environment

Security Objective

IT Environment Security Objective Definition

Reproduced from the U.S. Government Protection Profile for Traffic Filter Firewall in Basic Robustness

Environments

A.PHYSEC The TOE is physically secure.

A.LOWEXP The threat of malicious attacks aimed at discovering exploitable vulnerabilities is

considered low.

A.GENPUR There are no general-purpose computing capabilities (e.g., the ability to execute

arbitrary code or applications) and storage repository capabilities on the TOE.

A.PUBLIC The TOE does not host public data.

A.NOEVIL Authorized administrators are non-hostile and follow all administrator guidance;

however, they are capable of error.

A.SINGEN Information can not flow among the internal and external networks unless it passes

through the TOE.

A.DIRECT Human users within the physically secure boundary protecting the TOE may

attempt to access the TOE from some direct connection (e.g., a console port) if the

connection is part of the TOE.

A.NOREMO Human users who are not authorized administrators can not access the TOE

remotely from the internal or external networks.

A.REMACC Authorized administrators may access the TOE remotely from the internal and

external networks.


27

Environment

Security Objective

IT Environment Security Objective Definition

OE.GUIDAN The TOE must be delivered, installed, administered, and operated in a manner that

maintains security.

OE.ADMTRA Authorized administrators are trained as to establishment and maintenance of

security policies and practices.



OE.NTP The IT environment may be configured with an NTP server that is able to provide

reliable time to the TOE. The communications must be protected using MD5

hashing with up to a 32 character key.

OE.SYSLOG The IT environment must supply a syslog server capable of receiving TCP syslog

information over an IPSec tunnel.

5 SECURITY REQUIREMENTS

This section identifies the Security Functional Requirements for the TOE. The Security

Functional Requirements included in this section are derived from Part 2 of the Common Criteria

for Information Technology Security Evaluation, Version 3.1, Revision 3, dated: July 2009.

5.1 Conventions The CC defines operations on Security Functional Requirements: assignments, selections,

assignments within selections and refinements. This document uses the following font

conventions to identify the operations defined by the CC:

• Assignment: Indicated by showing the value in square brackets, [ assignment_value ];

• Refinement made by PP author: Indicated with bold text and strikethroughs, if necessary;

• Refinement made by ST author: Indicated with bold italicized text and strikethroughs, if

necessary;

• Selection: Indicated with italicized text;

• Iteration: Indicated by appending the iteration number in parenthesis, e.g., (1), (2), (3).

Explicitly stated SFRs are identified by having a label ‘(EXT)’ after the requirement name for

TOE SFRs.

5.2 TOE Security Functional Requirements

This section identifies the Security Functional Requirements for the TOE. The TOE Security

Functional Requirements that appear in the following table are described in more detail in the

following subsections.

Table 15: Security Functional Requirements

Functional Component

SFR Component ID Component Name Security Functional Requirements Drawn from pp_fw_tf_br_v1.1

FMT_SMR.1 Security roles

FIA_ATD.1 User attribute definition

FIA_UID.2 User identification before any action


28

Functional Component FIA_UAU.1 Timing of authentication

FIA_AFL.1 Authentication failure handling

FIA_UAU.4 Single-use authentication mechanisms

FDP_IFC.1 (1) Subset information flow control

FDP_IFF.1 (1) Simple security attributes

FMT_MSA.3 (1) Static attribute initialization

FDP_RIP.1 Subset residual information protection

FCS_COP.1 Cryptographic operation

FAU_GEN.1 Audit data generation

FAU_SAR.1 Audit review

FAU_SAR.3 Selectable audit review

FAU_STG.1 Protected audit trail storage

FAU_STG.4 Prevention of audit data loss

FMT_MOF.1 Management of security functions behavior

FPT_STM.1 Reliable time stamps

SFRs in addition to the SFRs found in pp_fw_tf_br_v1.1

FCS_CKM.4 Cryptographic Key Destruction

FCS_COP_(EXT).1 Explicit: Random Number Generation

FCS_GDOI_(EXT).1 Group Domain of Interpretation

FCS_IKE_(EXT).1 Internet Key Exchange







FMT_SMF.1 Specification of Management Functions

FTP_ITC.1 Inter-TSF trusted channel

FTP_TRP.1 Trusted path

IDS_SDC_(EXT).1 System data collection

IDS_ANL_(EXT).1 Analyzer analysis

IDS_RCT_(EXT).1 Analyzer react

IDS_RDR_(EXT).1 Restricted data review

IDS_STG_(EXT).1 Guarantee of system data availability

IDS_STG_(EXT).2 Prevention of system data loss

5.3 SFRs Drawn from pp_fw_tf_br_v1.1

5.3.1 Security audit (FAU)

FAU_GEN.1 Audit data generation

FAU_GEN.1.1 - Refinement: The TSF shall be able to generate an audit record of the

following auditable events:

a) Start-up and shutdown of the audit functions;

b) All relevant auditable events for the minimal or basic level of audit specified in

Table 5.2; and

c) [the event in the following tTable 5.2 listed at the "extended" level].


29

FAU_GEN.1.2 - Refinement: The TSF shall record within each audit record at least the

following information:

a) Date and time of the event, type of event, subjects identities, outcome (success or

failure) of the event; and

b) For each audit event type, based on the auditable event definitions of the

functional components included in the PP/ST, [information specified in column

four of the following tTable 5.2].

Table 16: Security Functional Requirements

SFR Level Auditable Event Additional Contents FMT_SMR.1 minimal Modifications to the group of users

that are part of the authorized

administrator role.

The identity of the authorized

administrator performing the

modification and the user identity

being associated with the authorized

administrator role.

FIA_UID.2 basic All use of the user identification

mechanism

The user identities provided to the

TOE

FIA_UAU.1 basic Any use of the authentication mechanism. The user identities provided to the

TOE

FIA_AFL.1 minimal The reaching of the threshold for

unsuccessful authentication attempts and

the subsequent restoration by the

authorized administrator of the user’s

capability to authenticate.

The identity of the offending user and

the authorized administrator

FDP_IFF.1(1

)

basic All decisions on requests for information

flow.

The presumed addresses of the source

and destination subject.

FDP_IFF.1(

2)

minimal Errors during IPSec processing, errors

during TLS processing

The presumed addresses of the

source and destination subject.

FCS_COP.1 minimal Success and failure, and the type of

cryptographic operation

The identity of the external IT entity

attempting to perform the

cryptographic operation

FPT_STM.1 minimal Changes to the time. The identity of the authorized


operation.

FMT_MOF.1 extended Use of the functions listed in this

requirement pertaining to audit.

The identity of the authorized


operation.

FAU_SAR.1 Audit review

FAU_SAR.1.1 - Refinement: The TSF shall provide [an authorized administrator

(privileged)] with the capability to read [all audit trail data] from the audit records.

FAU_SAR.1.2 - The TSF shall provide the audit records in a manner suitable for the user

to interpret the information.

FAU_SAR.3 Selectable audit review


30

FAU_SAR.3.1 - The TSF shall provide the ability to perform searches and sorting of

audit data based on:

a) [presumed subject address;

b) ranges of dates;

c) ranges of times;

d) ranges of addresses].

FAU_STG.1 Protected audit trail storage

FAU_STG.1.1 - The TSF shall protect the stored audit records from unauthorized

deletion.

FAU_STG.1.2 - The TSF shall be able to prevent modifications to the audit records.

FAU_STG.4 Prevention of audit data loss

FAU_STG.4.1 - The TSF shall prevent auditable events, except those taken by the

authorized administrator and [shall limit the number of audit records lost] if the audit

trail is full.

5.3.2 Cryptographic Support (FCS)

FCS_COP.1 Cryptographic operation

FCS_COP.1.1 - The TSF shall perform [encryption of remote authorized administrator

sessions] in accordance with a specified cryptographic algorithm:

• [AES (Advanced Encryption Standard as specified in FIPS 197) encryption (as

specified in SP 800-67)] and cryptographic key sizes [that are at least 128 binary digits in

length] that meet the following: [FIPS PUB 140-2 (Level 1)].

5.3.3 User data protection (FDP)

FDP_IFC.1(1) Subset information flow control

FDP_IFC.1.1(1) - The TSF shall enforce the [UNAUTHENTICATED SFP] on:

a) [subjects: unauthenticated external IT entities that send and receive information

through the TOE to one another;

b) information: traffic sent through the TOE from one subject to another;

c) operation: pass information].

FDP_IFF.1(1) Simple security attributes

FDP_IFF.1.1(1) - The TSF shall enforce the [UNAUTHENTICATED SFP] based on at

least the following types of subject and information security attributes:

a) [subject security attributes:

• presumed address;


31

• [configured zone];

b) information security attributes:

• presumed address of source subject;

• presumed address of destination subject;

• transport layer protocol;

• TOE interface on which traffic arrives and departs;

• service;

• [No other attributes].

FDP_IFF.1.2(1) - The TSF shall permit an information flow between a controlled subject

and another controlled subject via a controlled operation if the following rules hold:

a) [Subjects on an internal network can cause information to flow through the TOE

to another connected network if:

• all the information security attribute values are unambiguously permitted

by the information flow security policy rules, where such rules may be

composed from all possible combinations of the values of the information

flow security attributes, created by the authorized administrator;

• the presumed address of the source subject, in the information, translates

to an internal network address;

• and the presumed address of the destination subject, in the information,

translates to an address on the other connected network.

b) Subjects on the external network can cause information to flow through the TOE

to another connected network if:

• all the information security attribute values are unambiguously permitted

by the information flow security policy rules, where such rules may be

composed from all possible combinations of the values of the information

flow security attributes, created by the authorized administrator;

• the presumed address of the source subject, in the information, translates

to an external network address;

• and the presumed address of the destination subject, in the information,

translates to an address on the other connected network.]

FDP_IFF.1.3(1) - The TSF shall enforce the [none].

FDP_IFF.1.4(1) - The TSF shall provide the following [none].

FDP_IFF.1.5(1) - The TSF shall explicitly authorize an information flow based on the

following rules: [none].

FDP_IFF.1.6(1) - The TSF shall explicitly deny an information flow based on the

following rules:

a) [The TOE shall reject requests for access or services where the information

arrives on an external TOE interface, and the presumed address of the source

subject is an external IT entity on an internal network;


32

b) The TOE shall reject requests for access or services where the information arrives

on an internal TOE interface, and the presumed address of the source subject is an

external IT entity on the external network;

c) The TOE shall reject requests for access or services where the information arrives

on either an internal or external TOE interface, and the presumed address of the

source subject is an external IT entity on a broadcast network;

d) The TOE shall reject requests for access or services where the information arrives

on either an internal or external TOE interface, and the presumed address of the

source subject is an external IT entity on the loopback network.]

FDP_RIP.1 Subset residual information protection

FDP_RIP.1.1 - The TSF shall ensure that any previous information content of a resource

is made unavailable upon the allocation of the resource to the following objects:

[resources that are used by the subjects of the TOE to communicate through the TOE to

other subjects].

5.3.4 Identification and authentication (FIA)

FIA_ATD.1 User attribute definition

FIA_ATD.1.1 - Refinement: The TSF shall maintain the following list of security

attributes belonging to individual users:

a) [For TOE administrators a. identity;

b. association of a human user with the authorized administrator role;

c. User Password

b) For External IT entities a. subject identity (IP address/Host Name);

b. IKE Security Attributes].

.

FIA_UID.2 User identification before any action

FIA_UID.2.1 -The TSF shall require each user to identify itself before allowing any other

TSF-mediated actions on behalf of that user.

FIA_UAU.1 Timing of authentication

FIA_UAU.1.1 - The TSF shall allow [identification as stated in FIA_UID.2] on behalf of

the authorized administrator or authorized external IT entity accessing the TOE to be

performed before the authorized administrator or authorized external IT entity is

authenticated.


33

FIA_UAU.1.2 - The TSF shall require each authorized administrator or authorized

external IT entity to be successfully authenticated before allowing any other TSF-

mediated actions on behalf of that authorized administrator or authorized IT entity.

FIA_AFL.1 Authentication failure handling

FIA_AFL.1.1 - The TSF shall detect when [a settable, non-zero number between 1 and

25] of unsuccessful authentication attempts occur related to [external IT entities

attempting to authenticate from an internal or external network.]

FIA_AFL.1.2 - When the defined number of unsuccessful authentication attempts has

been met or surpassed, the TSF shall [prevent the offending external IT entity from

successfully authenticating until an authorized administrator takes some action to make

authentication possible for the external IT entity in question.]

FIA_UAU.4 Single-use authentication mechanisms

FIA_UAU.4.1 - The TSF shall prevent reuse of authentication data related to

[authentication attempts from either an internal or external network by:

a) authorized administrators;

b) authorized external IT entities].

5.3.5 Security management (FMT)

FMT_SMR.1 Security roles

FMT_SMR.1.1 - Refinement: The TSF shall maintain the role [authorized

(privileged/non-privileged) administrator, External IT entities].

FMT_SMR.1.2 - The TSF shall be able to associate human users with the authorized

administrator role.

FMT_MSA.3(1) Static attribute initialization

FMT_MSA.3.1(1) - The TSF shall enforce the [UNAUTHENTICATED SFP] to provide

restrictive default values for information flow security attributes that are used to enforce

the SFP.

FMT_MSA.3.2(1) - Refinement: The TSF shall allow the [authorized privileged

administrator] to specify alternative initial values to override the default values when an

object or information is created.

FMT_MOF.1 Management of security functions behavior

FMT_MOF.1.1 - Refinement: The TSF shall restrict the ability to perform the

functions:

a) [start-up and shutdown;


34

b) create, delete, modify, and view information flow security policy rules that permit

or deny information flows;

c) create, delete, modify, and view user attribute values defined in FIA_ATD.1;

d) enable and disable single-use authentication mechanisms in FIA_UAU.4 (if the

TOE supports authorized IT entities and/or remote administration from either an

internal or external network);

e) modify and set the threshold for the number of permitted authentication attempt

failures (if the TOE supports authorized IT entities and/or remote administration

from either an internal or external network);

f) restore authentication capabilities for users that have met or exceeded the

threshold for permitted authentication attempt failures (if the TOE supports

authorized IT entities and/or remote administration from either an internal or

external network);

g) enable and disable external IT entities from communicating to the TOE (if the

TOE supports authorized external IT entities);

h) modify and set the time and date;

i) archive, create, delete, empty, and review the audit trail;

j) backup of user attribute values, information flow security policy rules, and audit

trail data, where the backup capability shall be supported by automated tools;

k) recover to the state following the last backup;

l) additionally, if the TSF supports remote administration from either an internal or

external network:

• enable and disable remote administration from internal and external

networks;

• restrict addresses from which remote administration can be performed;

m) [manipulate the security attributes referenced in the VPN information flow

polices;

n) manipulate the security attributes referenced in the VLAN information flow

polices

o) enable, disable, and modify the IPS settings on the box]].

to [an authorized privileged administrator].

5.3.6 Protection of the TSF (FPT)

FPT_STM.1 Reliable time stamps

FPT_STM.1.1 - The TSF shall be able to provide reliable time stamps for its own use.

5.4 SFRs in addition to the SFRs found in pp_fw_tf_br_v1.1

5.4.1 Cryptographic Support (FCS)

FCS_CKM.4 Cryptographic Key Destruction

FCS_CKM.4.1 - The TSF shall destroy cryptographic keys in accordance with specified

cryptographic key destruction method [zeroization] that meets the following: [Key


35

zeroization requirements of FIPS PUB 140-2, “Security Requirements for Cryptographic

Modules”].

FCS_COP_(EXT).1 Explicit: Random Number Generation

FCS_COP_(EXT).1.1 - The TSF shall perform all Random Number Generation used by

the cryptographic functionality of the TSF using a FIPS-approved Random Number

Generator implemented in a FIPS-approved crypto module running in a FIPS-approved

mode.

Extended Requirements Rationale – FCS_COP_(EXT).1:

A. Class – The FCS class of SFRs id

cisco 5940 series embedded services router security target · 2011. 12. 15. · cisco 5940 series...

Documents