SECURITY TARGET FOR THE SECURELOGIX CORPORATION® ETM® (ENTERPRISE TELEPHONY MANAGEMENT) SYSTEM VERSION 4.1

EWA-Canada Document No. 1463-011-D001
Version 1.5, 23 March 2004
Communications Security Establishment Common Criteria Evaluation File Number: 383-4-23

Prepared for: Canadian Common Criteria Scheme Certification Body, Communications Security Establishment, P.O. Box 9703 Terminal, Ottawa, Ontario K1G 3Z4

Prepared by: Electronic Warfare Associates-Canada, Ltd., 55 Metcalfe St., Suite 1600, Ottawa, Ontario K1P 6L5

Approved by:
Deputy Project Manager: Mark Gauvreau, 23 Mar 2004
Project Manager: Erin Connor, 23 Mar 2004
Program Director: Paul Zatychec, 23 Mar 2004

ETM® System v4.1 Security Target Doc No: 1463-011-D001 Version: 1.5 Date: 23 Mar 04 Page i of ii

TABLE OF CONTENTS

1 INTRODUCTION .... 1
1.1 Identification .... 1
1.2 Overview .... 1
1.3 CC Conformance .... 3
1.4 Conventions .... 3
1.5 Terminology .... 3
2 TARGET OF EVALUATION DESCRIPTION .... 5
2.1 TOE Security Functional Policies (SFP) .... 9
2.1.1 Telecommunications SFP (TELCO_SFP) .... 9
2.1.2 Network SFP (NETWORK_SFP) .... 10
2.1.3 File Access SFP (FILE_SFP) .... 10
2.1.4 Cryptographic SFP (CRYPTO_SFP) .... 10
3 TOE SECURITY ENVIRONMENT .... 11
3.1 Assumptions .... 11
3.2 Threats .... 11
3.2.1 Threats Addressed By The TOE .... 11
3.2.2 Threats To Be Addressed By Operating Environment .... 12
4 SECURITY OBJECTIVES .... 14
4.1 TOE Security Objectives .... 14
4.2 Environment Security Objectives .... 15
5 IT SECURITY REQUIREMENTS .... 16
5.1 TOE Security Requirements .... 16
5.1.1 TOE Security Functional Requirements .... 16
5.1.2 TOE Security Assurance Requirements .... 34
6 TOE SUMMARY SPECIFICATION .... 35
6.1 TOE Security Functions .... 35
6.2 Assurance Measures .... 40
7 PROTECTION PROFILE CLAIMS .... 42
8 RATIONALE .... 43
8.1 Security Objectives Rationale .... 43
8.1.1 TOE Security Objectives Rationale .... 43
8.1.2 Environment Security Objectives Rationale .... 46
8.2 Security Requirements Rationale .... 47
8.2.1 Security Functional Requirements Rationale .... 47
8.2.2 Assurance Requirements Rationale .... 51
8.2.3 Rationale for Satisfying Functional Requirement Dependencies .... 52
8.2.4 Rationale for Satisfying Assurance Requirement Dependencies .... 53
8.2.5 Rationale for Security Functional Refinements .... 54
8.2.6 Rationale for Audit Exclusions .... 55
8.3 TOE SUMMARY SPECIFICATION RATIONALE .... 56
8.3.1 TOE Security Functions Rationale .... 56
8.3.2 TOE Assurance Measures Rationale .... 63
9 ACRONYMS AND ABBREVIATIONS .... 66

LIST OF FIGURES
Figure 1: Example ETM® System Configuration .... 2
Figure 2: TOE Boundary Diagram .... 8

LIST OF TABLES
Table 1. Summary of Security Functional Requirements .... 16
Table 2. Additional Auditable Events from CC Functional Components .... 19
Table 3. Assurance Requirements for ETM® System .... 34
Table 4. Mapping of TOE Security Objective to Threats .... 43
Table 5. Mapping of Environment Security Objectives to Threats and Assumptions .... 46
Table 6. Mapping of Security Functional Requirements to TOE Security Objectives .... 48
Table 7. Security Functional Requirement Dependencies .... 52
Table 8. Security Assurance Requirement Dependencies .... 54
Table 9. Rationale for Audit Exclusions .... 56
Table 10. Mapping of TOE Security Functions to Security Functional Requirements .... 57
Table 11. Mapping of Assurance Measures to Security Assurance Requirements .... 64

1 INTRODUCTION

1.1 IDENTIFICATION

This document details the Security Target (ST) for the SecureLogix Corporation® ETM® System. This ST (version 1.5, dated 23 March 2004) has been prepared by Steven Bowles of EWA-Canada Ltd., in accordance with the Common Criteria for Information Technology Security Evaluation (CC), version 2.1, August 1999 (annotated with interpretations as of 25 October 2002).
1.2 OVERVIEW

The ETM® System is designed to protect telecommunications lines from abuse and to provide extensive auditing of all telecommunications line traffic. The ETM® System acts as a voice traffic firewall to protect internal telecommunication resources (telephones, modems, faxes, etc.) from abuse, fraud, and attack. The ETM® System also protects telecommunications traffic from disclosure by creating encrypted tunnels through the public switched telephone network (PSTN). The system is capable of operating in conjunction with a Private Branch Exchange (PBX), but is not required to do so.

The evaluated configuration for the ETM® System v4.1 consists of:
a. ETM® Communication Appliances;
b. ETM® Management Server;
c. TeleAudit® Server;
d. Windows/Solaris Operating System; and
e. ETM® System Console.

The ETM® Management Server and ETM® System Console are both written in the Java® programming language and require a Java® Virtual Machine to be installed on their host PC. All appliances are designed by SecureLogix Corporation using commercially available hardware components and use the Linux¹ 2.4.21 kernel as the underlying operating system.

¹ A stripped-down version of Linux is used. There is no ftpd, inetd, login prompt or other typical services.

The ETM® System mediates access between local telecommunication users and external telecommunication users based on rules defined by the administrator. Rule sets are created on the ETM® Management Server and then pushed to the appliances. The appliances allow or deny calls based on their respective rule sets. The default behaviour is to allow calls that are not explicitly denied. Whether or not a call is encrypted is also enforced by the rules created on the ETM® Management Server. By default, calls are not encrypted.

A hardware setting exists for all ETM® 1000-series Appliances, except the AAA Appliance, to determine the default behaviour should an ETM® Communication Appliance fail (e.g., due to a power outage). ETM® Communication Appliances can be configured to fail-safe (allow all calls) or fail-secure (deny all calls, including emergency numbers).

A TeleVPN® Call Shield option is available for the T1 and ISDN PRI versions of the ETM® Communication Appliances. This option allows the ETM® System to encrypt selected telecommunications channels using Triple DES cryptography.

Ethernet network links carry the following communication channels:
a. between the ETM® Communication Appliances and the ETM® Management Server;
b. between the ETM® System Console and the ETM® Management Server; and
c. between the administrator and appliances.

The ETM® System includes an option to encrypt network communication using DES (by default) or Triple DES cryptography. Single DES has a 56-bit key and is the weaker of the two options. Administrators may also communicate directly with an appliance through its serial port.

[Figure 1: Example ETM® System Configuration. Components shown: an ETM® Management Server with TeleView™ application, a second TeleView™ application, hubs, a TeleWall® Appliance and two TeleWall® Appliances with TeleVPN®, PBXs, modems, telephones and faxes, the corporate WAN, the PSTN and central offices (CO). Legend: data connection, telecom connection, secure telecom connection.]

The ETM® System Human Machine Interface (HMI) allows the administrator to perform the following functions:
a. specify rules governing how telecommunication access is mediated;
b. specify the level of network activity displayed; and
c. specify what telecommunication activity is logged.

The HMI also provides the user with current and historical views of individual calls and their associated level of activity. Extensive reports and graphs may be generated from the historical data.
Appropriate security measures are expected to exist on the network on which the ETM® System is deployed to protect the communication between components. Appropriate mechanisms must also be put in place on the commercial products in use that are external to the SecureLogix Corporation components.

The Target of Evaluation (TOE) consists of the ETM® Management Server, the ETM® System Console, and the ETM® 1000, 2100 and 3200-series Appliances.

1.3 CC CONFORMANCE

The ETM® System is conformant with the identified functional requirements specified in Part 2 of the CC. The ETM® System is conformant to the assurance requirements for Evaluation Assurance Level (EAL) 2, as specified in Part 3 of the CC, with the following augmentations:
a. ACM_CAP.3 – Authorisation controls;
b. ACM_SCP.1 – TOE CM coverage; and
c. ALC_DVS.1 – Identification of security measures.

1.4 CONVENTIONS

The CC permits four types of operations to be performed on functional requirements: selection, assignment, refinement, and iteration. These operations are identified in this ST in the following manner:
• Selection: Indicated by surrounding brackets and italicised text, e.g., [selected item].
• Assignment: Indicated by surrounding brackets and regular text, e.g., [assigned item].
• Refinement: Indicated by underlined text, e.g., refined item.
• Iteration: Indicated by assigning a number at the functional component level, e.g., “FDP_ACC.1, Subset access control (1)” and “FDP_ACC.1, Subset access control (2)”.

1.5 TERMINOLOGY

The following terminology is used throughout this ST:
Administrator: An individual that communicates over the network to configure and operate the TOE.
Network: The TOE protects telecommunications lines but uses a TCP/IP network for internal TOE communications. Network refers to the TCP/IP network.
Network attacker: An unauthorised individual or IT entity that communicates over the network.
Telecommunications user: An individual or IT entity that communicates over the telecommunications lines.
User: An administrator, as defined above, unless stated otherwise.

2 TARGET OF EVALUATION DESCRIPTION

The ETM® System is designed to protect telecommunications lines from abuse and to provide extensive auditing of all telecommunications line traffic. The ETM® System acts as a voice traffic firewall to protect internal telecommunication resources (telephones, modems, faxes, etc.) from abuse, fraud, and attack. The system is capable of operating in conjunction with a PBX, but is not required to do so.

The evaluated configuration for the ETM® System v4.1 consists of:
a. the ETM® Management Server Build 31;
b. the TeleAudit® Server Build 31;
c. the administrator ETM® System Console Build 31;
d. Java® Virtual Machine software, version 1.4.1_05, on both the ETM® Management Server and the ETM® System Console hosts;
e. ETM® 1000-series (ETM 1010) Appliance version 4.1.22 configured for Analog Services;
f. ETM® 1000-series (ETM 1020) Appliance version 4.1.22 configured for T1 Services;
g. ETM® 1000-series (ETM 1030) Appliance version 4.1.22 configured for North American ISDN PRI Services;
h. ETM® 1000-series (ETM 1040) Appliance version 4.1.22 configured for Euro (E1) ISDN PRI Services;
i. ETM® 1000-series (ETM 1050) Appliance version 4.1.22 configured for AAA Services;
j. ETM® 2100-series Appliance version 4.1.22 configured for T1 and/or North American ISDN PRI/SS7 Spans, or Euro (E1) ISDN PRI Spans, with optional TeleVPN® Call Shield v1.0 module; and
k. ETM® 3200-series Appliance version 4.1.22 configured for T1 and/or North American ISDN PRI/SS7 Spans, or Euro (E1) ISDN PRI Spans, with optional TeleVPN® Call Shield v1.0 module.

The ETM® Management Server, TeleAudit® Server, and ETM® System Console run on Windows® NT 4 SP6a, Windows® 2000 SP3 or SP4, Windows Server 2003, and Solaris™ 7/8. The ETM® System Console also runs on Windows® XP SP1. These operating systems are included in the TOE. The minimum hardware requirements for the ETM® Management Server, TeleAudit® Server, and ETM® System Console are specified in the ETM® System Installation Guide and Technical Reference provided as part of the ETM® 4.1 Product Code CD-ROM.

The administrator uses the ETM® System Console to communicate with the ETM® Management Server and, through it, with an appliance. The administrator may also communicate directly with an appliance through a Telnet server or a serial port on the appliance. Telnet access to an appliance can be disabled if desired, and can also be configured to disable itself automatically for a period of time if the specified number of failed login attempts occurs within the configured period of time. The failed login count resets to zero after a successful login.

The ETM® System components (Appliances, ETM® Management Server, TeleAudit® Server, and ETM® System Console) can be distributed across an Ethernet network. The network access security policy requires administrators to provide a valid user ID and password for authentication. Appliances maintain a file of approved IP addresses and only allow Telnet communications from these addresses. ETM® Management Servers maintain a file of approved Appliance IP addresses and only allow connections from Appliances at these addresses.
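As an added example (not SecureLogix code and not part of this ST), the following Python models the two Telnet controls just described on one appliance: the approved-IP file consulted before any login prompt is offered, and the lockout that disables Telnet for a period once the configured number of failed logins falls inside the configured window, with the failure count reset to zero on a successful login. The file format, the threshold, window and lockout values, and the in-memory account table are assumptions; the allow-list logic is the same that the ETM® Management Server applies to approved appliance and console addresses.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Deque, Dict, Set

# Constructed sample of an appliance's approved-IP file (format assumed:
# one address per line, '#' starts a comment). Not the product's format.
APPROVED_IPS_FILE = """
# management hosts permitted to Telnet to this appliance
10.1.0.5
10.1.0.6
"""

# Constructed administrator credentials (user ID -> password). A real
# appliance would keep a password verifier, not the password itself.
ADMIN_ACCOUNTS: Dict[str, str] = {"admin": "correct horse"}


def load_approved_ips(text: str) -> Set[str]:
    """Parse the approved-IP file into a set of normalised addresses."""
    approved: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            approved.add(str(ip_address(line)))  # raises on a malformed entry
    return approved


@dataclass
class TelnetGuard:
    """Telnet front door of one appliance: IP allow-list plus login lockout."""
    approved: Set[str]
    accounts: Dict[str, str]
    enabled: bool = True          # Telnet can also be disabled outright
    max_failures: int = 3         # failures inside `window` that trigger lockout (assumed)
    window: float = 60.0          # seconds over which failures are counted (assumed)
    lockout: float = 300.0        # seconds Telnet stays disabled (assumed)
    failures: Deque[float] = field(default_factory=deque)
    locked_until: float = 0.0

    def source_allowed(self, src_ip: str) -> bool:
        return self.enabled and str(ip_address(src_ip)) in self.approved

    def login(self, src_ip: str, user_id: str, password: str, now: float) -> str:
        """Return 'denied-ip', 'locked', 'failed' or 'ok' for one login attempt."""
        if not self.source_allowed(src_ip):
            return "denied-ip"            # never reaches the login prompt
        if now < self.locked_until:
            return "locked"               # even valid credentials are refused
        expected = self.accounts.get(user_id)
        if expected is not None and hmac.compare_digest(expected, password):
            self.failures.clear()         # count resets to zero on success
            return "ok"
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()       # forget failures outside the window
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lockout
            self.failures.clear()
            return "locked"
        return "failed"
```

The clock is passed in as `now` so the window and lockout can be exercised deterministically; in service it would be the appliance's monotonic time. Note that during the lockout the guard returns "locked" before the credentials are even examined, which is what "Telnet is disabled for a period" means in practice.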
ETM® Management Servers also maintain a file of approved remote ETM® System Console IP addresses and only allow communications from consoles at these addresses.

The ETM® System Console allows the administrator to manage one or multiple ETM® Systems using graphical windows. The administrator configures appliances by creating a configuration file on the ETM® Management Server that, in turn, is pushed to the appliances. Checks are performed on a regular basis to ensure the appliances are executing the latest configuration file as defined (i.e., stored) on the ETM® Management Server. It is important to note that, where possible, any configuration changes to the appliances should be made through the ETM® System Console; otherwise, changes made by communicating directly with the appliances can be overwritten when the next check occurs (the configuration file on the appliance would differ from that on the ETM® Management Server, so it would be changed to match the ETM® Management Server).

The default telecommunications information flow security policy for ETM® System telecommunications users is “telecommunications that are not explicitly denied are allowed”. The rule set is traversed from top to bottom, triggering on the first applicable rule. A default rule, which cannot be removed, exists at the top of the rule set to always allow emergency calls (e.g., 911).

Administrators can create rules by specifying:
a. call source (calling number, or telecommunications user ID for AAA service);
b. call destination (called number);
c. call type (voice, fax, modem, modem energy², STU III, busy, unanswered, data, or undetermined);
d. call direction (inbound or outbound);
e. days and time of day;
f. call duration;
g. whether to allow or terminate a call;
h. tracks (Log, Real-Time Alert, E-mail, Page, and SNMP Alert); and
i. span³ groups⁴ that are assigned to the Security Policy to enforce rules.

² Applicable only for the ETM® 2100 and ETM® 3200 Appliance models.
³ A span refers to the interface between an appliance and the telecommunications network.
⁴ A span group combines related spans into units so they can be managed as a single unit.

The ETM® System includes the ability to examine the rule set for ambiguous rules (e.g., rules that will never be triggered because an earlier rule already matches every call they would match).

Most of the data produced during the operation of the ETM® System is stored in the ETM® Database, which is part of the ETM® Management Server. The ETM® Database supports both Oracle® 8i (8.1.7) and 9i (9.2). These DBMSs are supported on both Windows® and Solaris™. The DBMS used for the ETM® Database can be installed on the same system as an ETM® Management Server or on a separate system. The ETM® Database (the data, not the Oracle DBMS that hosts it) is part of the TOE.

The ETM® Communication Appliances that enforce the policies defined in the ETM® Management Server support different types of telecommunications protocols/services:
a. The ETM 1010 Appliance supports analog services;
b. The ETM 1020 Appliance supports T1 services;
c. The ETM 1030 Appliance supports North American ISDN PRI services;
d. The ETM 1040 Appliance supports Euro (E1) ISDN PRI services;
e. The ETM 1050 Appliance supports authorisation, authentication, and accounting (AAA) services; and
f. The ETM 2100 and 3200-series Appliances support T1 and/or North American PRI/SS7, or Euro PRI telecommunications protocols.

All appliances are built by SecureLogix Corporation using commercially available hardware components and execute on the Linux 2.4.21 operating system. The appliances can be configured individually or as a group. SecureLogix Corporation has added an extensive set of appliance command line instructions called ETM® System Commands. The ETM® System Command set can be accessed through a Telnet connection, an ASCII command line window opened in the ETM® System Console, or an RS-232 serial (console) link.
However, a small subset of the ETM® System Commands can only be performed locally at the appliance through the serial link.

The TeleVPN® Call Shield option for ETM® Communication Appliances provides automatic encryption of selected calls. Given a TeleVPN® Call Shield Appliance at both endpoints of a digital PSTN circuit with a digital network path, a call is encrypted from TeleVPN® Appliance to TeleVPN® Appliance (not station to station: the segment between each station and its own appliance is not covered). Calls are selected for encryption based on the rule set provided by a TeleVPN® Call Shield policy. The policy is created via the ETM® System Console of the ETM® Management Server. The TeleVPN® Call Shield option is only available for the T1 and ISDN PRI configured ETM® Communication Appliances (ETM® 2100 and 3200-series Appliances).

The AAA Appliance is used by a telecommunications user to temporarily enable an ETM® Appliance rule that allows a specific voice/data circuit. The telecom user is required to enter a user ID, a PIN and the destination telephone number to be called. The call is then allowed if the ETM® System administrator has previously created a rule allowing the call based on a successful AAA user request. An authorised telecommunications user is able to access telecommunications resources in accordance with the TELCO Security Function Policy, but only for a set maximum time period, configurable from 0 to 30 minutes. Additionally, access to the telecommunication resources is restricted to a single call during the set maximum time period. If the AAA service user does not call the authorised telecommunication resource within the time specified in the AAA Service configuration, the authorisation expires.

A hardware setting exists for all ETM® 1000-series Appliances, except the AAA Appliance, to determine the default behaviour should an ETM® System Appliance fail (e.g., due to a power outage).
In such cases, policy rules cannot be processed. The hardware setting allows the ETM® Communication Appliances to be configured to either fail-safe (allow all calls) or fail-secure (deny all calls, including emergency numbers). If the AAA Appliance fails, the AAA session is terminated and all AAA services are unavailable.

The system can encrypt communications between components using DES or Triple DES cryptography. The ETM® System implementation of DES is based on the specifications in FIPS 46-3 and FIPS 81 and has been awarded certificate numbers 149 and 150 on the DES Validated Implementations list of the Cryptographic Module Validation Program. Similarly, the ETM® System implementation of Triple DES is based on the specifications in FIPS 46-3 and ANSI X9.52-1998 and has been awarded certificate numbers 89 and 90 on the Triple DES Validated Implementations list. Assessment of the cryptographic algorithm implementations does not form part of the CC evaluation; it is separately validated under the Cryptographic Module Validation Program.

[Figure 2: TOE Boundary Diagram. The same configuration as Figure 1 (ETM® Management Server with TeleView™ application, a second TeleView™ application, hubs, TeleWall® Appliances with and without TeleVPN®, PBXs, modems, telephones, faxes, the corporate WAN, the PSTN and central offices; legend: data connection, telecom connection, secure telecom connection), with the TOE boundary marked.]

The TeleAudit® Server gives the ETM® System extensive auditing and reporting capabilities. The level of detail of each audited event is configurable by the administrator; however, each audit record contains a unique identification number, a date and time stamp, and the appliance, span or span group which originated the record. All call details (call destination/source; call type, duration, and direction; date and time; telecommunication line specifics; etc.) are also recorded.
Audit records may be viewed in a report generated using pre-defined or custom templates, or plotted in a graph in the ETM® System Console. Reports may be generated on an automated schedule or on request.

Most of the data produced during the operation of the ETM® System is stored in the ETM® Database, which is part of the ETM® Management Server. The ETM® Database supports both Oracle® 8i and 9i DBMSs⁵ on both Windows® and Solaris™. The DBMS used for the ETM® Database can be installed on the same system as an ETM® Management Server or on a separate system.

Audit records concerning telecommunication information flow and appliance status are generated at the ETM® Communication Appliances and uploaded to the ETM® Management Server. Each appliance, except the AAA Appliance, contains a memory card that can store the audit records temporarily if the ETM® Management Server is unavailable. The memory card holds the audit data in a circular buffer, so records are eventually overwritten by newer ones; however, there is sufficient memory to hold multiple days of audit logs even under heavy telecommunications traffic. An outage longer than that loses the oldest records.

2.1 TOE SECURITY FUNCTIONAL POLICIES (SFP)

The TOE Security Policy (TSP) comprises the TELCO, NETWORK, FILE and CRYPTO SFPs, which define the rules by which the TOE governs access to its telecommunication, network and file resources and governs the export/import of cryptographic keys, respectively.

2.1.1 Telecommunications SFP (TELCO_SFP)

The ETM® System is required to mediate access between local and external telecommunication users based on rules defined by the administrator. Rule sets are created on the ETM® Management Server, then pushed down to the appliances. The appliances are required to allow or deny calls based on their respective rule sets. Whether or not a call is encrypted will also be enforced by the rules created on the ETM® Management Server.
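The following added example (not SecureLogix code and not part of this ST) models the rule traversal described in Section 2 and in this SFP: first match from the top wins, a non-removable emergency rule is pinned at the top, anything not explicitly denied is allowed, and an ambiguity check reports rules that an earlier rule fully covers. It also models the AAA Appliance's temporary authorisation from Section 2: user ID and PIN, one destination, a single call, and a window configurable from 0 to 30 minutes. The attribute set, prefix matching on numbers, the class and rule names, and the sample rules are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Call:
    source: str          # calling number (AAA user ID for the AAA service)
    destination: str     # called number
    call_type: str       # voice, fax, modem, ...
    direction: str       # "inbound" or "outbound"
    when: datetime

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "terminate"
    source: Optional[str] = None                 # number prefix; None = any
    destination: Optional[str] = None            # number prefix; None = any
    call_types: Optional[FrozenSet[str]] = None  # None = any call type
    direction: Optional[str] = None
    days: Optional[FrozenSet[int]] = None        # 0 = Monday .. 6 = Sunday
    hours: Optional[Tuple[time, time]] = None    # inclusive time-of-day window
    tracks: Tuple[str, ...] = ()                 # Log, Real-Time Alert, E-mail, ...

    def matches(self, c: Call) -> bool:
        return ((self.source is None or c.source.startswith(self.source))
                and (self.destination is None or c.destination.startswith(self.destination))
                and (self.call_types is None or c.call_type in self.call_types)
                and (self.direction is None or c.direction == self.direction)
                and (self.days is None or c.when.weekday() in self.days)
                and (self.hours is None or self.hours[0] <= c.when.time() <= self.hours[1]))

    def covers(self, o: "Rule") -> bool:
        """True when every call matching `o` also matches self (conservative check)."""
        pre = lambda a, b: a is None or (b is not None and b.startswith(a))  # prefix as broad
        sub = lambda a, b: a is None or (b is not None and b <= a)           # set as broad
        return (pre(self.source, o.source) and pre(self.destination, o.destination)
                and sub(self.call_types, o.call_types) and sub(self.days, o.days)
                and (self.direction is None or self.direction == o.direction)
                and (self.hours is None or (o.hours is not None
                     and self.hours[0] <= o.hours[0] and o.hours[1] <= self.hours[1])))

# Non-removable default rule that always sits at the top of the rule set.
EMERGENCY = Rule("emergency", "allow", destination="911", tracks=("Log",))

class Policy:
    def __init__(self, rules: List[Rule]):
        self.user_rules = list(rules)

    @property
    def rules(self) -> List[Rule]:
        return [EMERGENCY] + self.user_rules       # emergency rule is always first

    def evaluate(self, c: Call) -> Tuple[str, str]:
        for r in self.rules:                        # top to bottom, first match wins
            if r.matches(c):
                return r.action, r.name
        return "allow", "default"                   # not explicitly denied -> allowed

    def shadowed(self) -> List[str]:
        """Names of rules that can never trigger because an earlier rule covers them."""
        rs = self.rules
        return [rs[j].name for j in range(len(rs)) if any(rs[i].covers(rs[j]) for i in range(j))]

class AAAService:
    """Temporary, single-call authorisation obtained through the AAA appliance."""
    def __init__(self, pins: Dict[str, str], window_minutes: int = 15):
        if not 0 <= window_minutes <= 30:
            raise ValueError("AAA window is configurable from 0 to 30 minutes")
        self.pins, self.window = pins, window_minutes * 60.0
        self.grants: Dict[str, Tuple[str, float, bool]] = {}  # user -> (dest, expiry, used)

    def request(self, user_id: str, pin: str, destination: str, now: float) -> bool:
        expected = self.pins.get(user_id)
        if expected is None or not hmac.compare_digest(expected, pin):
            return False
        self.grants[user_id] = (destination, now + self.window, False)
        return True

    def authorise_call(self, user_id: str, destination: str, now: float) -> bool:
        grant = self.grants.get(user_id)
        if grant is None:
            return False
        dest, expiry, used = grant
        if used or now > expiry or dest != destination:
            return False                            # expired, already used, or other number
        self.grants[user_id] = (dest, expiry, True)  # one call per authorisation
        return True

# Constructed sample rule set for illustration (numbers are fictitious).
SAMPLE_RULES = [
    Rule("no-900", "terminate", destination="1900", tracks=("Log", "E-mail")),
    Rule("no-modem-out-evening", "terminate", call_types=frozenset({"modem"}),
         direction="outbound", hours=(time(18, 0), time(23, 59))),
    Rule("block-911-from-5551", "terminate", source="5551", destination="911"),
    Rule("no-900-fax", "terminate", destination="1900555", call_types=frozenset({"fax"})),
]
```

With `SAMPLE_RULES`, `Policy(SAMPLE_RULES).shadowed()` reports both `block-911-from-5551` (covered by the pinned emergency rule, so a deny on 911 can never fire) and `no-900-fax` (covered by the broader `no-900` above it). The check is conservative: it flags a rule only when a single earlier rule is at least as broad in every attribute, so it reports no false positives but does not detect a rule shadowed only by the union of several earlier rules.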
The default telecommunications information flow security policy for ETM® System telecommunications users shall be “telecommunications that are not explicitly denied are allowed”. The rule set shall be traversed from top to bottom, triggering on the first applicable rule. A default rule, which cannot be removed, shall exist at the top of the rule set to always allow emergency calls (e.g., 911). There is a capability for access control to an AAA Appliance based on the security attributes user ID and PIN. Calls can be selected for encryption based on the rule set provided by a TeleVPN® Call Shield policy. By default, calls are not encrypted.

⁵ As no security requirements are allocated to the DBMS, Oracle is considered to be part of the IT environment and is not included in the TOE.

2.1.2 Network SFP (NETWORK_SFP)

User ID, password and source IP address, together with cryptographic algorithm and cryptographic key, shall be used as security attributes to enforce the NETWORK_SFP. Administrators are authenticated to the TOE using user ID/password, enforcing access control. There are information flow control restrictions on client-to-server, appliance-to-server and appliance-to-appliance network communications. This is accomplished by validating the IP address, username and password, by authenticating communications with a variable handshake, and by encrypting the data with a valid cryptographic key and algorithm.

2.1.3 File Access SFP (FILE_SFP)

Only one administrator can be granted access to edit an object at a time. Access to the TOE objects (i.e., data in the database) is controlled by user accounts that specify who is allowed to access the system and which features they are permitted to modify.

2.1.4 Cryptographic SFP (CRYPTO_SFP)

The export/import of cryptographic keys is restricted to authorised administrators and processes.
The TOE applies encryption to telecommunications channels based on call direction (inbound or outbound), call source and call destination. The TOE encrypts telecommunications using Triple DES cryptography. TeleVPN® Call Shield enabled ETM® Communication Appliances make use of RSA public/private key pairs to ensure the secure distribution of Triple DES session keys. The appliances export/import the RSA public keys during call setup. All keys are generated by the TOE and are overwritten when no longer required. The TOE can also encrypt communications between components using DES or Triple DES cryptography. Cryptographic keys for those component links are manually entered by authorised administrators through the ETM® System Console, overwriting any existing keys.

3 TOE SECURITY ENVIRONMENT

3.1 ASSUMPTIONS

The following conditions are assumed to exist in the operational environment:

A.PHYSEC  The TOE is physically secure.
A.COM  Communications between the Management Server and database server are protected by the environment and do not need to be explicitly protected by the TOE.
A.NOEVIL  Administrators are non-hostile and do not attempt to use O/S level administrative privileges to compromise the TOE functionality.

3.2 THREATS

The following threats are addressed by either the TOE or the environment.

3.2.1 Threats Addressed By The TOE

The threats discussed below are addressed by a compliant TOE. The threat agents are either human users or external IT entities not authorised to use the TOE. The assets that are subject to attack are the telecommunications resources and the ETM® System itself.

T.SNIFF  A network attacker may observe authentication data or system configuration information during transmission between components of the TOE.
T.REPLAY  A network attacker may use previously captured or falsified data to authenticate to the TOE or alter its configuration.
T.ATKNET  A network attacker may attack the TOE appliances using common and known network attack techniques.
T.INTRES  An unauthorised external telecommunications user may gain access to internal telecommunication resources (telephones, modems, faxes, etc.).
T.LISTEN  An external telecommunications attacker may eavesdrop on a confidential telephone conversation between two authorised telecommunications users.
T.EXTRES  An internal telecommunications user may gain unauthorised access to external telecommunications resources (telephones, modems, faxes, telecommunications or internet service providers, etc.).
T.MISUSE  A telecommunications user may use internal telecommunications resources in an unauthorised manner (make a voice call on a fax line, etc.).
T.TOEPRO  A telecommunications user or an unauthorised user may bypass, deactivate, corrupt or tamper with TOE security functions.
T.ATKVIS  A telecommunications user may conduct undetected attack attempts against the TOE.
T.TOEDAT  A telecommunications user may read, modify, or destroy internal TOE data.
T.TOEFCN  A telecommunications user or an unauthorised user may access and use security and/or non-security functions of the TOE.
T.NONAPP  An administrator may be unaware that an unauthorised application, executing on the TOE, is accessing the telecommunications lines or network via TOE interfaces.
T.NOCOM  An administrator may be unaware that internal TOE communications have failed. Potential causes of communication failures include system failures and denial of service attacks initiated by network attackers.
T.AUDEXH  An administrator may be unaware that the audit storage on the ETM® Management Server of the TOE has been exhausted.
Potential causes for the exhaustion of audit storage include: excessive log traffic generated by high levels of usage by telecommunications users and/or attacks by unauthorized users and network attackers; and improper administration of the audit storage volume. 3.2.2 Threats To Be Addressed By Operating Environment The potential threats discussed below must be countered by procedural measures and/or administrative methods. The threat agents are either human users or external IT entities that are unauthorised to use the TOE. The assets that are subject to attack are telecommunications resources. T.USAGE The TOE may unwittingly be configured, used, and administered in an insecure manner by the administrator. T.BADADM Compromise of the integrity and/or availability of the TOE may occur as a result of an administrator not following proper security procedures. ETM® System v4.1 Security Target Doc No: 1463-011-D001 Version: 1.5 Date: 23 Mar 04 Page 13 of 67 T.TROJAN Compromise of the integrity and/or availability of the TOE may occur as a result of an administrator unwittingly introducing a virus or trojan into the system. ETM® System v4.1 Security Target Doc No: 1463-011-D001 Version: 1.5 Date: 23 Mar 04 Page 14 of 67 4 SECURITY OBJECTIVES 4.1 TOE SECURITY OBJECTIVES The following are the IT security objectives for the TOE: O.CRYPTO The TOE must protect the confidentiality of authentication and system configuration data using cryptography as it passes between distributed components of the TOE. O.ATKNET The TOE appliances must protect themselves, using authentication and cryptography, against network based attacks generated using common and known network attack techniques. O.MEDTEL The TOE must mediate telecommunications access both inbound and outbound on the telecommunications lines. The TOE shall be capable of allowing or denying the communication based on predefined attributes. 
O.TELTOE  The TOE must not allow unauthorised access to the TOE from the telecommunications interfaces.
O.SECTEL  The TOE must secure confidential telephone conversations between authorised telecommunications users from eavesdropping.
O.COMM    The TOE must provide a mechanism to handle internal communication failures.
O.AUDCHK  The TOE must provide a mechanism that advises the administrator when local audit storage on the ETM® Management Server has been exhausted.
O.ADMACC  An administrator role will exist on the TOE with access control mechanisms such that only authenticated administrators are able to perform security relevant functions.
O.HMI     The TOE must provide functionality that enables an administrator to effectively manage the TOE and its security functions from its local HMI.
O.DSPACT  The TOE must display to the administrator the current and recent history of telecommunications activity associated with the telecommunication lines.
O.AUDIT   The TOE must record and store a readable audit trail of TOE telecommunications activity and security relevant events, and permit their review only by authorised administrators. The TOE will be capable of performing audit reduction and triggering alarms, as required by the administrator.
O.SELFPRO The TOE must protect itself against attempts by a telecommunications user or an unauthorized user to bypass, deactivate, corrupt, or tamper with TOE security functions.
O.AAA     The TOE must provide functionality that restricts access to AAA Appliances to authorised telecommunications users.

4.2 ENVIRONMENT SECURITY OBJECTIVES

The following are non-IT security objectives that are to be satisfied without imposing technical requirements on the TOE. That is, they will not require the implementation of functions in the TOE hardware and/or software. Thus, they will be satisfied largely through application of procedural or administrative measures.
O.GUIDAN  The administrator responsible for the TOE must ensure that the TOE is delivered, installed, configured, administered, and operated in a manner that maintains its security.
O.AUTHUSR Only authorised administrators are permitted physical access to the TOE.
O.NETPRO  The administrator responsible for the TOE must ensure that the communications infrastructure available from the environment is configured to provide an appropriate level of protection based on an environmental threat/risk assessment for the distributed client configuration.

5 IT SECURITY REQUIREMENTS

5.1 TOE SECURITY REQUIREMENTS

This section provides functional and assurance requirements that must be satisfied by a compliant TOE. These requirements consist of functional components from Part 2 of the CC and an Evaluation Assurance Level (EAL) containing assurance components from Part 3 of the CC.

5.1.1 TOE Security Functional Requirements

The functional security requirements for this ST consist of the components from Part 2 of the CC listed in Table 1.

Table 1. Summary of Security Functional Requirements

Identifier        Name
FAU_ARP.1         Security alarms
FAU_GEN.1         Audit data generation
FAU_SAA.1         Potential violation analysis
FAU_SAR.1         Audit review
FAU_SAR.3         Selectable audit review
FAU_SEL.1         Selective audit
FAU_STG.1         Protected audit trail storage
FAU_STG.3         Action in case of possible audit data loss
FCS_CKM.1         Cryptographic key generation
FCS_CKM.2         Cryptographic key distribution
FCS_CKM.4         Cryptographic key destruction
FCS_COP.1 (1)     Cryptographic operation
FCS_COP.1 (2)     Cryptographic operation
FDP_ACC.1 (1)     Subset access control
FDP_ACF.1 (1)     Security attribute based access control
FDP_ACC.1 (2)     Subset access control
FDP_ACF.1 (2)     Security attribute based access control
FDP_ACC.1 (3)     Subset access control
FDP_ACF.1 (3)     Security attribute based access control
FDP_ETC.1         Export of user data without security attributes
FDP_IFC.1 (1)     Subset information flow control
FDP_IFF.1 (1)     Simple security attributes
FDP_IFC.1 (2)     Subset information flow control
FDP_IFF.1 (2)     Simple security attributes
FDP_ITC.1         Import of user data without security attributes
FIA_AFL.1 (1)     Authentication failure handling
FIA_AFL.1 (2)     Authentication failure handling
FIA_ATD.1 (1)     User attribute definition
FIA_ATD.1 (2)     User attribute definition
FIA_SOS.1 (1)     Verification of secrets
FIA_SOS.1 (2)     Verification of secrets
FIA_UAU.1         Timing of authentication
FIA_UID.1         Timing of identification
FMT_MOF.1         Management of security functions behaviour
FMT_MSA.1 (1)     Management of security attributes
FMT_MSA.1 (2)     Management of security attributes
FMT_MSA.2         Secure security attributes
FMT_MSA.3         Static attribute initialisation
FMT_MTD.1         Management of TSF data
FMT_SMF.1         Specification of management functions
FMT_SMR.1         Security roles
FPT_ITT.1         Basic internal TSF data transfer protection
FPT_RVM.1         Non-bypassability of the TSP
FPT_SEP.1         TSF domain separation
FPT_STM.1         Reliable time stamps
FTP_TRP.1         Trusted path

FAU_ARP.1 Security Alarms

FAU_ARP.1.1 – The TSF shall take [one or more of the following actions: audible alarm, SNMP trap, log, email with or without attachments, page to a pager, visual alert] upon detection of a potential security violation.

FAU_GEN.1 Audit data generation

FAU_GEN.1.1 – The TSF shall be able to generate an audit record of the following auditable events:
  a. [Start-up and shutdown of the audit functions;
  b. All auditable events for the [basic] level of audit;
  c. exhaustion of log storage;
  d. changes in TOE security function configuration;
  e. failed and successful logins by administrators to an appliance;
  f. logins and logouts by administrators to ETM® Management Server;
  g. failed and successful logins by telecommunications user to an AAA Appliance;
  h. changes to rule sets that are applied to an appliance;
  i. the additions/deletions/clones/modifications an administrator performs in the ETM® Management Server;
  j. appliance and telephone circuit errors;
  k. requests from unknown appliances;
  l. detection of an ambiguous rule;
  m. rule violations;
  n. AAA user account locked;
  o. AAA service disconnected;
  p. second dial tone detected after call answer; and
  q. communication failure between components].

Application Note: Auditable events for the basic level of audit include all minimum requirements and are identified in Table 2.

FAU_GEN.1.2 – The TSF shall record within each audit record at least the following information:
  a. Date and time of the event, type of event, subject identity (when available), and the outcome (success or failure) of the event; and
  b. For each audit event type, based on the auditable event definitions of the functional components included in the ST:
     • [log time;
     • date;
     • call start time;
     • call end time;
     • call duration;
     • call direction (inbound or outbound);
     • phone number;
     • call source;
     • call destination;
     • call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined);
     • “in-call” digits;
     • call trailing digits;
     • tracks;
     • appliance;
     • span/span group;
     • text;
     • call trunk channel;
     • trunk group;
     • channel;
     • name of rule set;
     • rule number;
     • rule comment;
     • unique record ID;
     • unsuccessful login attempts;
     • call information (LOC-local call, INTL-international call, VSC-vertical service code, etc.); and
     • telecommunications users that have authenticated to an AAA Appliance].

Table 2. Additional Auditable Events from CC Functional Components

Functional Component   Level     Auditable Event
FAU_ARP.1              Minimum   Actions taken due to imminent security violations.
FAU_SAA.1              Minimum   Enabling and disabling of any of the analysis mechanisms.
FAU_SAA.1              Minimum   Automated responses performed by the tool.
FAU_SAR.1              Basic     Reading of information from the audit records.
FAU_SEL.1              Minimum   All modifications to the audit configuration that occur while the audit collection functions are operating.
FAU_STG.3              Basic     Actions taken due to exceeding of a threshold.
FCS_CKM.1              Minimum   Success and failure of the activity.
FCS_CKM.1              Basic     The object attribute(s), and object value(s) excluding any sensitive information (e.g. secret or private keys).
FCS_CKM.2              Minimum   Success and failure of the activity.
FCS_CKM.2              Basic     The object attribute(s), and object value(s) excluding any sensitive information (e.g. secret or private keys).
FCS_CKM.4              Minimum   Success and failure of the activity.
FCS_CKM.4              Basic     The object attribute(s), and object value(s) excluding any sensitive information (e.g. secret or private keys).
FCS_COP.1              Minimum   Success and failure, and the type of cryptographic operation.
FCS_COP.1              Basic     Any applicable cryptographic mode(s) of operation, subject attributes and object attributes.
FDP_ACF.1              Minimum   Successful requests to perform an operation on an object covered by the SFP.
FDP_ACF.1              Basic     All requests to perform an operation on an object covered by the SFP.
FDP_ETC.1              Minimum   Successful export of information.
FDP_ETC.1              Basic     All attempts to export information.
FDP_IFF.1              Minimum   Decisions to permit requested information flows.
FDP_IFF.1              Basic     All decisions on requests for information flow.
FDP_ITC.1              Minimum   Successful import of user data, including any security attributes.
FDP_ITC.1              Basic     All attempts to import user data, including any security attributes.
FIA_AFL.1              Minimum   The reaching of the threshold for the unsuccessful authentication attempts and the actions (e.g. disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g. re-enabling of a terminal).
FIA_SOS.1              Minimum   Rejection by the TSF of any tested secret.
FIA_SOS.1              Basic     Rejection or acceptance by the TSF of any tested secret.
FIA_UAU.1              Minimum   Unsuccessful use of the authentication mechanism.
FIA_UAU.1              Basic     All use of the authentication mechanism.
FIA_UID.1              Minimum   Unsuccessful use of the user identification mechanism, including the user identity provided.
FIA_UID.1              Basic     All use of the user identification mechanism, including the user identity provided.
FMT_MOF.1              Basic     All modifications in the behaviour of the functions in the TSF.
FMT_MSA.1              Basic     All modification of the values of security attributes.
FMT_MSA.2              Minimum   All offered and rejected values of a security attribute.
FMT_MSA.3              Basic     Modifications of the default setting of permissive or restrictive rules.
FMT_MSA.3              Basic     All modifications of the initial values of security attributes.
FMT_MTD.1              Basic     All modifications to the values of TSF data.
FMT_SMF.1              Minimum   Use of the management functions.
FMT_SMR.1              Minimum   Modifications to the group of users that are part of a role.
FPT_STM.1              Minimum   Changes to the time.
FTP_TRP.1              Minimum   Failures of the trusted path functions.
FTP_TRP.1              Minimum   Identification of the user associated with all trusted path failures, if available.
FTP_TRP.1              Basic     All attempted uses of the trusted path functions.
FTP_TRP.1              Basic     Identification of the user associated with all trusted path invocations, if available.

FAU_SAA.1 Potential violation analysis

FAU_SAA.1.1 – The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the TSP.

FAU_SAA.1.2 – The TSF shall enforce the following rules for monitoring audited events:
  a. Accumulation or combination of [communication failure] known to indicate a potential security violation;
  b. [administrator-created rules set by configurable security policy, dialling plan and call monitoring definition and based on call source, call destination, call type, call direction, call duration, time of day, and caller ID restricted].

Application Note: “Caller ID restricted” specifies that the rule applies to any call for which the caller has blocked caller ID information.

FAU_SAR.1 Audit review

FAU_SAR.1.1 – The TSF shall provide [an administrator] with the capability to read [all audit data] from the audit records.

FAU_SAR.1.2 – The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.3 Selectable audit review

FAU_SAR.3.1 (1) – The TSF shall provide the ability to perform [searches, ordering] of audit data based on:
  a. [log time;
  b. date;
  c. unsuccessful login attempts;
  d. call start time;
  e. call end time;
  f. call duration;
  g. call direction (inbound or outbound);
  h. phone number;
  i. call source;
  j. call destination;
  k. call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined);
  l. “in-call” digits;
  m. call trailing digits;
  n. tracks;
  o. appliance;
  p. span/span group;
  q. text;
  r. call trunk channel;
  s. trunk group;
  t. channel;
  u. name of rule set;
  v. rule number;
  w. rule comment;
  x. unique record ID;
  y. unsuccessful login attempts;
  z. call information (LOC-local call, INTL-international call, VSC-vertical service code, etc.); and
  aa. telecommunications users that have authenticated to an AAA Appliance].

FAU_SAR.3.1 (2) – The TSF shall provide the ability to perform [filtering] of audit data based on:
  a. [date;
  b. call direction (inbound or outbound);
  c. call duration;
  d. phone number;
  e. call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined);
  f. “in-call” digits;
  g. call trailing digits;
  h. track;
  i. appliance;
  j. span/span group;
  k. text; and
  l. call information (LOC-local call, INTL-international call, VSC-vertical service code, etc.)].

Application Note: For several of the searchable audit fields, there are sub-types. The reporting tool included with ETM® System allows filters to be used to provide a finer layer of granularity.

FAU_SEL.1 Selective audit

FAU_SEL.1.1 – The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes:
  a. [event type].

FAU_STG.1 Protected audit trail storage

FAU_STG.1.1 – The TSF shall protect the stored audit records from unauthorised deletion.

FAU_STG.1.2 – The TSF shall be able to [prevent] modifications to the audit records.
FAU_STG.3 Action in case of possible audit data loss

FAU_STG.3.1 – The TSF shall take [the following action: generate a security message] if the audit trail exceeds [the local storage capacity on the ETM® Management Server].

FCS_CKM.1 Cryptographic key generation

FCS_CKM.1.1 – The TSF shall generate keys in accordance with a specific key generation algorithm:
  a. [RSA public/private key pairs] and specific cryptographic key sizes [1024 bits] that meet the following: [FIPS 186-2 and ANSI X9.31]; and
  b. [Triple DES symmetric keys] and specific cryptographic key sizes [192 bits] that meet the following: [FIPS 46-3 and ANSI X9.52-1998].

Application Note: Key generation is only applicable to keys used by TeleVPN® Call Shield enabled ETM® Communication Appliances for securing confidential telephone conversations.

FCS_CKM.2 Cryptographic key distribution

FCS_CKM.2.1 – The TSF shall distribute cryptographic keys in accordance with a specific cryptographic key distribution method [each appliance involved in the call transmits the session key it will use to encrypt telecommunications data to the other appliance encrypted with the other appliance’s RSA public key. The target appliances then decrypt the session key with their RSA private key] that meets the following: [none].

Application Note: This function is only applicable for Triple DES keys used by TeleVPN® Call Shield enabled ETM® Communication Appliances for securing confidential telephone conversations.

FCS_CKM.4 Cryptographic key destruction

FCS_CKM.4.1 – The TSF shall destroy cryptographic keys in accordance with a specific cryptographic key destruction method [key values are overwritten] that meets the following: [none].
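The key handling that FCS_CKM.1, FCS_CKM.2 and FCS_CKM.4 specify, carried through end to end as an added example (this is illustrative code, not SecureLogix's implementation): two hypothetical appliances each generate an RSA-1024 pair and a 192-bit Triple DES session key, exchange public keys at call setup, wrap their own session key under the peer's public key, and overwrite the keys when the call ends. The `Appliance` class, PKCS#1 v1.5 wrapping and the per-frame IV are assumptions; the ST names neither a padding scheme nor IV handling.

```python
import os
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:  # cryptography >= 43 moved TripleDES to the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older releases
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES


class Appliance:
    """Hypothetical TeleVPN Call Shield endpoint (the class is an assumption)."""

    def __init__(self, name: str) -> None:
        self.name = name
        # FCS_CKM.1 a: RSA public/private pair with a 1024-bit modulus.
        self._rsa = rsa.generate_private_key(public_exponent=65537, key_size=1024)
        # FCS_CKM.1 b: 192-bit Triple DES session key for the data we send.
        # Kept in a bytearray so its value can be overwritten (FCS_CKM.4).
        self._tx_key = bytearray(os.urandom(24))
        self._rx_key = None          # peer's session key, learned at call setup
        self.peer_public = None

    def export_public_key(self) -> bytes:
        """FDP_ETC.1: the public key leaves the appliance without attributes (DER)."""
        return self._rsa.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)

    def import_peer_public_key(self, der: bytes) -> None:
        """FDP_ITC.1: accept the peer's public key as received during call setup."""
        self.peer_public = serialization.load_der_public_key(der)

    def wrap_session_key(self) -> bytes:
        """FCS_CKM.2: our TX key encrypted under the peer's RSA public key.
        PKCS#1 v1.5 is an assumption; the ST does not name the scheme."""
        return self.peer_public.encrypt(bytes(self._tx_key), padding.PKCS1v15())

    def unwrap_session_key(self, blob: bytes) -> None:
        """FCS_CKM.2: recover the peer's TX key (our RX key) with our private key."""
        self._rx_key = bytearray(self._rsa.decrypt(blob, padding.PKCS1v15()))

    def encrypt_frame(self, frame: bytes) -> bytes:
        """FCS_COP.1(2) b: Triple DES in CFB mode. A fresh 8-byte IV is prefixed
        to each frame; that framing is an assumption made for this example."""
        iv = os.urandom(8)
        enc = Cipher(TripleDES(bytes(self._tx_key)), modes.CFB(iv)).encryptor()
        return iv + enc.update(frame) + enc.finalize()

    def decrypt_frame(self, blob: bytes) -> bytes:
        iv, body = blob[:8], blob[8:]
        dec = Cipher(TripleDES(bytes(self._rx_key)), modes.CFB(iv)).decryptor()
        return dec.update(body) + dec.finalize()

    def destroy_keys(self) -> None:
        """FCS_CKM.4: overwrite session key values once no longer required."""
        for key in (self._tx_key, self._rx_key):
            if key is not None:
                key[:] = b"\x00" * len(key)

    def keys_zeroised(self) -> bool:
        return all(k is None or not any(k) for k in (self._tx_key, self._rx_key))


def call_shield_setup(a: Appliance, b: Appliance) -> None:
    """Run the call-setup exchange in both directions."""
    a.import_peer_public_key(b.export_public_key())
    b.import_peer_public_key(a.export_public_key())
    b.unwrap_session_key(a.wrap_session_key())
    a.unwrap_session_key(b.wrap_session_key())


def demo_call(frame: bytes = b"constructed voice frame") -> tuple:
    """Set up a protected call, send one frame A -> B, then destroy the keys.
    Returns (frame as received by B, True if both sides zeroised their keys)."""
    a, b = Appliance("appliance-A"), Appliance("appliance-B")
    call_shield_setup(a, b)
    received = b.decrypt_frame(a.encrypt_frame(frame))
    a.destroy_keys()
    b.destroy_keys()
    return received, a.keys_zeroised() and b.keys_zeroised()


if __name__ == "__main__":
    print(demo_call())
```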
FCS_COP.1 Cryptographic operation (1)

FCS_COP.1.1(a) – The TSF shall perform [encryption and decryption of all data communications between TOE components] in accordance with a specified cryptographic algorithm [DES in CFB mode for the export version of the ETM® System] and cryptographic key sizes [64 bits] that meet the following: [FIPS 46-3 and FIPS 81].

FCS_COP.1.1(b) – The TSF shall perform [encryption and decryption of all data communications between TOE components] in accordance with a specified cryptographic algorithm [Triple DES in CFB mode for the domestic version of the ETM® System] and cryptographic key sizes [192 bits] that meet the following: [FIPS 46-3 and ANSI X9.52-1998].

Application Note: FCS_COP.1(1) is only applicable to network communications between ETM® System components (ETM® Management Server, ETM® System Console, and ETM® Communication Appliances).

FCS_COP.1 Cryptographic operation (2)

FCS_COP.1.1(a) – The TSF shall perform [encryption and decryption of session keys between TeleVPN® Call Shield enabled Appliances] in accordance with a specified cryptographic algorithm [RSA] and cryptographic key sizes [1024 bits] that meet the following: [FIPS 186-2 and ANSI X9.31].

FCS_COP.1.1(b) – The TSF shall perform [encryption and decryption of telecommunications data between TeleVPN® Call Shield enabled Appliances as determined by the TELCO_SFP] in accordance with a specified cryptographic algorithm [Triple DES in CFB mode for the domestic version of the ETM® System] and cryptographic key sizes [192 bits] that meet the following: [FIPS 46-3 and ANSI X9.52-1998].

Application Note: FCS_COP.1(2) is only applicable to communications between TeleVPN® Call Shield enabled ETM® Communication Appliances. Implementation of FCS_COP.1(2) is discretionary based on the properties of each call and how these map to the policies defined by the administrator (see FDP_IFF.1).

FDP_ACC.1 Subset access control (1)

FDP_ACC.1.1 – The TSF shall enforce the [NETWORK_SFP] on [administrators authenticating to the TOE].

FDP_ACF.1 Security attribute based access control (1)

FDP_ACF.1.1 – The TSF shall enforce the [NETWORK_SFP] to objects based on [user ID, password, and source IP address].

FDP_ACF.1.2 – The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
  a. [a user account for ‘user ID’ exists;
  b. ‘password’ matches the password for the identified user account and has not expired; and
  c. ‘source IP address’ is included in the list of allowable IP addresses].

FDP_ACF.1.3 – The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [allow access if user is exempted from NETWORK_SFP, specifically password expiry].

Application Note: This is an exemption from the password expiry control only.

FDP_ACF.1.4 – The TSF shall explicitly deny access of subjects to objects based on the [user account is disabled].

Application Note: The ‘Account disabled’ security attribute prevents login to the system from this account. Note that this setting prevents future logins from this account, but does not terminate an active login.

FDP_ACC.1 Subset access control (2)

FDP_ACC.1.1 – The TSF shall enforce the [FILE_SFP] on [administrators editing TOE objects].

FDP_ACF.1 Security attribute based access control (2)

FDP_ACF.1.1 – The TSF shall enforce the [FILE_SFP] to objects based on [the number of administrators editing an object].

FDP_ACF.1.2 – The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [only one administrator shall be granted access to edit an object at a time].

FDP_ACF.1.3 – The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4 – The TSF shall explicitly deny access of subjects to objects based on the [none].

FDP_ACC.1 Subset access control (3)

FDP_ACC.1.1 – The TSF shall enforce the [TELCO_SFP] on [telecommunications users authenticating to an AAA Appliance].

FDP_ACF.1 Security attribute based access control (3)

FDP_ACF.1.1 – The TSF shall enforce the [TELCO_SFP] to objects based on [user ID and PIN].

FDP_ACF.1.2 – The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
  a. [the user ID and PIN are valid authorisation credentials for the AAA Appliance;
  b. access to the object is within a set maximum time period, configurable from 0 to 30 minutes; and
  c. access to the object is restricted to a single use during the set maximum time period].

FDP_ACF.1.3 – The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4 – The TSF shall explicitly deny access of subjects to objects based on the [none].

FDP_ETC.1 Export of user data without security attributes

FDP_ETC.1.1 – The TSF shall enforce the [CRYPTO_SFP] when exporting user data, controlled under the SFP(s), outside of the TSC.

FDP_ETC.1.2 – The TSF shall export the user data without the user data’s security attributes.

Application Note: RSA public keys are exported by the ETM® Communication Appliances during TeleVPN® Call Shield call setup.

FDP_IFC.1 Subset information flow control (1)

FDP_IFC.1.1 – The TSF shall enforce the [TELCO_SFP] on
  a. [subjects: telecommunications channels; and
  b. operations: circuit request or change].

FDP_IFF.1 Simple security attributes (1)

FDP_IFF.1.1 – The TSF shall enforce the [TELCO_SFP] based on the following types of subject and information security attributes: [
  a. subject security attributes: none; and
  b. information security attributes: call direction, call type, call source, call destination, call duration, caller ID restricted option, and time of day].

FDP_IFF.1.2 – The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [an administrator-created rule (based on the information security attributes identified in FDP_IFF.1.1) does not explicitly deny the information flow].

Application Note: Rules that deny an information flow based on call duration do not deny the call from starting, but terminate the call once it has reached the specified duration.

FDP_IFF.1.3 – The TSF shall enforce the [default TOE behaviour in the event of a TOE failure to be either fail-safe (all calls allowed) or fail-secure (no calls allowed), based on a hardware setting].

Application Note: This only applies to all ETM® 1000 Series Appliances except the AAA Appliance.

FDP_IFF.1.4 – The TSF shall provide the following [none].

FDP_IFF.1.5 – The TSF shall explicitly authorise an information flow based on the following rules: [the call destination is an emergency number (i.e., 911)].

FDP_IFF.1.6 – The TSF shall explicitly deny an information flow based on the following rules: [none].

FDP_IFC.1 Subset information flow control (2)

FDP_IFC.1.1 – The TSF shall enforce the [NETWORK_SFP] on
  a. [subjects: network channels; and
  b. operations: data communications].
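The TELCO_SFP decision that FDP_IFF.1(1) and its application notes describe, written out as an added example (illustrative code, not SecureLogix's rule engine): administrator-created deny rules over the listed information security attributes, a permissive default as FMT_MSA.3 requires, the emergency-number override of FDP_IFF.1.5, duration rules that terminate rather than block, and the fail-safe/fail-secure hardware setting of FDP_IFF.1.3. The rule structure, the sample policy and all phone numbers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

EMERGENCY_NUMBERS = {"911"}  # FDP_IFF.1.5 names 911 as the emergency number


@dataclass(frozen=True)
class Call:
    """Information security attributes from FDP_IFF.1.1 (call duration is
    handled by the terminate action, so it is not an input attribute here)."""
    direction: str                  # "inbound" or "outbound"
    call_type: str                  # fax, modem, voice, STU III, ...
    source: str
    destination: str
    time_of_day: time
    caller_id_restricted: bool = False


def _in_window(t: time, start: time, end: time) -> bool:
    """Inclusive time-of-day window; an end before its start spans midnight."""
    return start <= t <= end if start <= end else (t >= start or t <= end)


@dataclass(frozen=True)
class DenyRule:
    """One administrator-created deny rule; a field left as None matches anything."""
    name: str
    direction: Optional[str] = None
    call_types: Optional[frozenset] = None
    source_prefixes: Optional[tuple] = None
    dest_prefixes: Optional[tuple] = None
    window: Optional[tuple] = None          # (start, end) time-of-day
    caller_id_restricted: Optional[bool] = None
    max_duration_s: Optional[int] = None    # set: terminate after N seconds

    def matches(self, c: Call) -> bool:
        if self.direction is not None and c.direction != self.direction:
            return False
        if self.call_types is not None and c.call_type not in self.call_types:
            return False
        if self.source_prefixes and not c.source.startswith(self.source_prefixes):
            return False
        if self.dest_prefixes and not c.destination.startswith(self.dest_prefixes):
            return False
        if (self.caller_id_restricted is not None
                and c.caller_id_restricted != self.caller_id_restricted):
            return False
        if self.window is not None and not _in_window(c.time_of_day, *self.window):
            return False
        return True


@dataclass(frozen=True)
class Decision:
    action: str                     # "allow", "deny" or "terminate"
    rule: str                       # rule (or default) that decided
    max_duration_s: Optional[int] = None


def evaluate(rules: list, call: Call, toe_failed: bool = False,
             fail_mode: str = "fail-safe") -> Decision:
    """Decide the information flow for one call under TELCO_SFP."""
    if toe_failed:  # FDP_IFF.1.3: the hardware setting chooses the failure behaviour
        return Decision("allow" if fail_mode == "fail-safe" else "deny", fail_mode)
    if call.destination in EMERGENCY_NUMBERS:  # FDP_IFF.1.5: always authorised
        return Decision("allow", "emergency-number")
    for rule in rules:  # FDP_IFF.1.2: the first explicit deny decides
        if rule.matches(call):
            if rule.max_duration_s is not None:  # duration rules terminate, not block
                return Decision("terminate", rule.name, rule.max_duration_s)
            return Decision("deny", rule.name)
    return Decision("allow", "default-permissive")  # FMT_MSA.3.1 default


# Constructed sample policy and calls (names and numbers are made up).
SAMPLE_POLICY = [
    DenyRule("no-outbound-modem", direction="outbound", call_types=frozenset({"modem"})),
    DenyRule("after-hours-international", direction="outbound",
             dest_prefixes=("011",), window=(time(18, 0), time(8, 0))),
    DenyRule("inbound-blocked-caller-id", direction="inbound", caller_id_restricted=True),
    DenyRule("voice-on-fax-line", call_types=frozenset({"voice"}),
             dest_prefixes=("5551",), max_duration_s=600),
]
SAMPLE_CALLS = {
    "modem_out": Call("outbound", "modem", "5552001", "5559876", time(10, 0)),
    "intl_night": Call("outbound", "voice", "5552001", "01144207946000", time(20, 30)),
    "intl_day": Call("outbound", "voice", "5552001", "01144207946000", time(10, 0)),
    "restricted_in": Call("inbound", "voice", "", "5552001", time(12, 0), True),
    "voice_fax_line": Call("outbound", "voice", "5552001", "5551234", time(12, 0)),
    "emergency": Call("outbound", "voice", "5552001", "911", time(3, 0)),
}

if __name__ == "__main__":
    for label, c in SAMPLE_CALLS.items():
        print(f"{label:15} {evaluate(SAMPLE_POLICY, c)}")
```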
FDP_IFF.1 Simple security attributes (2)

FDP_IFF.1.1 – The TSF shall enforce the [NETWORK_SFP] based on the following types of subject and information security attributes: [
  a. subject security attributes: user ID, password, and source IP address; and
  b. information security attributes: cryptographic algorithm and cryptographic key].

FDP_IFF.1.2 – The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
  a. client to server communications – source IP address is on the allowable IP address list, user ID and password are valid, and communications are encrypted with a valid cryptographic algorithm and key (i.e., DES or Triple DES);
  b. appliance to server communications – source IP address is on the allowable IP address list and communications are authenticated with a variable handshake and encrypted with a valid cryptographic algorithm and key (i.e., DES or Triple DES); or
  c. appliance to appliance communications – source IP address is on the allowable IP address list and communications are encrypted with a valid cryptographic algorithm and key (i.e., DES or Triple DES)].

FDP_IFF.1.3 – The TSF shall enforce the [none].

FDP_IFF.1.4 – The TSF shall provide the following [none].

FDP_IFF.1.5 – The TSF shall explicitly authorise an information flow based on the following rules: [none].

FDP_IFF.1.6 – The TSF shall explicitly deny an information flow based on the following rules: [none].

FDP_ITC.1 Import of user data without security attributes

FDP_ITC.1.1 – The TSF shall enforce the [CRYPTO_SFP] when importing user data, controlled under the SFP, from outside of the TSC.

FDP_ITC.1.2 – The TSF shall ignore any security attributes associated with the user data when importing from outside the TSC.

FDP_ITC.1.3 – The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TSC: [none].

Application Note: RSA public keys are imported by the ETM® Communication Appliances during TeleVPN® Call Shield call setup. As well, the ETM® System Console allows administrators to manually enter (import) DES/3DES keys used to protect the network link between ETM® Communication Appliances and the ETM® Management Server.

FIA_AFL.1 Authentication failure handling (1)

FIA_AFL.1.1 – The TSF shall detect when [six] unsuccessful authentication attempts occur related to [administrator login to an appliance via Telnet during a period of ten minutes].

FIA_AFL.1.2 – When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [generate an audit event and deny the administrator access to the appliance for a period of one hour].

FIA_AFL.1 Authentication failure handling (2)

FIA_AFL.1.1 – The TSF shall detect when [a number, configurable from one to ten, of] unsuccessful authentication attempts occur related to [telecommunications user login to an AAA Appliance during a period of time configurable from zero to four weeks].

FIA_AFL.1.2 – When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [generate an audit event and deny the telecommunications user all access to the AAA Appliance for a period of time configurable from zero minutes to ten weeks, or until explicitly granted by an administrator].
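An administrator login guard that applies the NETWORK_SFP rules of FDP_ACF.1(1) above (account exists, password matches and is unexpired unless exempt, source address on the allow list, disabled accounts denied) together with the FIA_AFL.1(1) handling above (six failures within ten minutes deny access for one hour, with an audit event). This is an added example, not SecureLogix's code; the ST applies the lockout to appliance Telnet logins, so combining both on one login path is a simplification made here. Account names, passwords and the address list are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LOCKOUT_THRESHOLD = 6           # FIA_AFL.1.1 (1): six unsuccessful attempts
LOCKOUT_WINDOW_S = 10 * 60      # ... during a period of ten minutes
LOCKOUT_DURATION_S = 60 * 60    # FIA_AFL.1.2 (1): deny access for one hour


@dataclass
class Account:
    user_id: str
    password: str                      # plain text purely for illustration
    password_expires_at: float         # seconds since epoch
    disabled: bool = False             # FDP_ACF.1.4: explicit deny
    exempt_from_expiry: bool = False   # FDP_ACF.1.3: password-expiry exemption
    failures: list = field(default_factory=list)   # timestamps of failed logins
    locked_until: float = 0.0


@dataclass
class ManagementServer:
    accounts: dict
    allowed_networks: list             # FDP_ACF.1.2 c: allowable source addresses
    audit: list = field(default_factory=list)      # FAU_GEN.1.1 e/f: login events

    def _log(self, outcome: str, user_id: str, source_ip: str, now: float) -> None:
        self.audit.append((now, "admin_login", user_id, source_ip, outcome))

    def login(self, user_id: str, password: str, source_ip: str, now: float) -> tuple:
        """Return (granted, reason) for one administrator login attempt at time `now`."""
        acct = self.accounts.get(user_id)
        if acct is None:                                   # FDP_ACF.1.2 a
            self._log("failure: unknown user", user_id, source_ip, now)
            return False, "unknown user"
        if acct.disabled:              # FDP_ACF.1.4; note: does not end an active login
            self._log("failure: account disabled", user_id, source_ip, now)
            return False, "account disabled"
        if now < acct.locked_until:                        # FIA_AFL.1.2 lockout in force
            self._log("failure: locked out", user_id, source_ip, now)
            return False, "locked out"
        addr = ip_address(source_ip)
        if not any(addr in net for net in self.allowed_networks):   # FDP_ACF.1.2 c
            self._log("failure: source IP not allowed", user_id, source_ip, now)
            return False, "source IP not allowed"
        if password != acct.password:                      # FDP_ACF.1.2 b
            # Keep only failures inside the ten-minute window, then add this one.
            acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW_S] + [now]
            if len(acct.failures) >= LOCKOUT_THRESHOLD:    # FIA_AFL.1.1 threshold met
                acct.locked_until = now + LOCKOUT_DURATION_S
                acct.failures = []
                self._log("failure: threshold reached, locked out", user_id, source_ip, now)
                return False, "locked out"
            self._log("failure: bad password", user_id, source_ip, now)
            return False, "bad password"
        if now > acct.password_expires_at and not acct.exempt_from_expiry:
            self._log("failure: password expired", user_id, source_ip, now)  # FDP_ACF.1.2 b
            return False, "password expired"
        acct.failures = []
        self._log("success", user_id, source_ip, now)
        return True, "ok"


def build_demo_server() -> ManagementServer:
    """Constructed sample accounts and address list (not real configuration)."""
    far_future, past = 4_000_000_000.0, 1_000.0
    return ManagementServer(
        accounts={
            "alice": Account("alice", "Correct1Horse", far_future),
            "bob": Account("bob", "Batt3ryStaple", past, exempt_from_expiry=True),
            "carol": Account("carol", "Expir3dPass", past),
            "dave": Account("dave", "Disabl3dUser", far_future, disabled=True),
        },
        allowed_networks=[ip_network("10.0.0.0/24")],
    )


if __name__ == "__main__":
    srv = build_demo_server()
    print(srv.login("alice", "Correct1Horse", "10.0.0.5", 5_000.0))
    for i in range(LOCKOUT_THRESHOLD):
        print(srv.login("alice", "wrong", "10.0.0.5", 6_000.0 + i))
    print(srv.login("alice", "Correct1Horse", "10.0.0.5", 6_010.0))
```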
FIA_ATD.1 User attribute definition (1)

FIA_ATD.1.1 – The TSF shall maintain the following list of security attributes belonging to individual users: [user ID, password, and privileges (a combination of Allow Server Management; Allow User Modifications; Manage Policies; Manage Telecommunications Configuration; Support Appliance Login via Telnet/Serial; and Call Terminate Capability)].

FIA_ATD.1 User attribute definition (2)

FIA_ATD.1.1 – The TSF shall maintain the following list of security attributes belonging to individual telecommunications users: [user ID and PIN].

FIA_SOS.1 Verification of secrets (1)

FIA_SOS.1.1 – The TSF shall provide a mechanism to verify that secrets meet [a minimum length of eight characters, including at least one change of case and one digit, for administrator passwords].

FIA_SOS.1 Verification of secrets (2)

FIA_SOS.1.1 – The TSF shall provide a mechanism to verify that secrets meet [a minimum length of three digits to a maximum length of ten digits for telecommunications users’ PINs].

FIA_UAU.1 Timing of authentication

FIA_UAU.1.1 – The TSF shall allow [any human with physical access to an appliance to gain access to the appliance security functions within a period of time, configurable from zero seconds to two minutes, of appliance start-up] before the user is authenticated.

FIA_UAU.1.2 – The TSF shall require each user and telecommunications user accessing an AAA Appliance to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user or telecommunications user.

FIA_UID.1 Timing of identification

FIA_UID.1.1 – The TSF shall allow [any human with physical access to an appliance to gain access to the appliance security functions within a configurable period of time, from zero seconds to two minutes, of appliance start-up] before the user is identified.

FIA_UID.1.2 – The TSF shall require each user and telecommunications user accessing an AAA Appliance to be successfully identified before allowing any other TSF-mediated actions on behalf of that user or telecommunications user.

FMT_MOF.1 Management of security functions behaviour

FMT_MOF.1.1 – The TSF shall restrict the ability to [enable, disable] the functions [
  a. bypass of the TOE security functions;
  b. the setting of the various configurations of the TOE security functions;
  c. the setting of the level of telecommunications activity detail that is displayed;
  d. the logging of selected telecommunications traffic;
  e. the capturing of “in-call” digits;
  f. the display of errors;
  g. the display of current telecommunications activity; and
  h. the display of the audit log reports] to [an administrator].

FMT_MSA.1 Management of security attributes (1)

FMT_MSA.1.1 – The TSF shall enforce the [NETWORK_SFP] to restrict the ability to
  a. [delete, [create]] the security attributes [user ID]; and
  b. [modify, [none]] the security attributes [password, privileges, allowable IP addresses, PIN]
to [an administrator].

Application Note: Deleting and creating the security attribute ‘user ID’ is analogous to deleting and creating a user account.

FMT_MSA.1 Management of security attributes (2)

FMT_MSA.1.1 – The TSF shall enforce the [TELCO_SFP] to restrict the ability to [modify, delete, [create]] the security attributes [groups of phone numbers and groups of specified times of day] to [an administrator].

FMT_MSA.2 Secure security attributes

FMT_MSA.2.1 – The TSF shall ensure that only secure values are accepted for security attributes.

Application Note: This function is only applicable to keys used by TeleVPN® Call Shield enabled ETM® Communication Appliances for securing confidential telephone conversations.
FMT_MSA.3 Static attribute initialisation

FMT_MSA.3.1 – The TSF shall enforce the [information flow control TELCO_SFP] to provide [permissive] default values for information flow security attributes that are used to enforce the TELCO_SFP.

Application Note: The default rule configuration for the ETM® System is to allow all information flows. An authorised user must create an explicit deny rule in order to restrict any information flows.

FMT_MSA.3.2 – The TSF shall allow the [administrator] to specify alternative initial values to override the default values when an object or information is created.

FMT_MTD.1 Management of TSF data

FMT_MTD.1.1 – The TSF shall restrict the ability to
a. [query, modify, delete, [none]] the [audit logs];
b. [generate] the [audit reports];
c. [modify, [none]] the [audit level, appliance configuration, and date and time of the host machine and appliance];
d. [display] the [appliance status and current telecommunications activity]
to [an administrator].

FMT_SMF.1 Specification of management functions

FMT_SMF.1.1 – The TSF shall be capable of performing the following security management functions:
a. [object management;
b. rule/policy management; and
c. user management].

FMT_SMR.1 Security roles

FMT_SMR.1.1 – The TSF shall maintain the roles [administrator].

FMT_SMR.1.2 – The TSF shall be able to associate users with roles.

FPT_ITT.1 Basic internal TSF data transfer protection

FPT_ITT.1.1 – The TSF shall protect TSF data from [disclosure] when it is transmitted between separate parts of the TOE.

FPT_RVM.1 Non-bypassability of the TSP

FPT_RVM.1.1 – The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.
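An added example (not SecureLogix code) of the TELCO_SFP behaviour that FMT_MSA.3 defines and that F.TELBLK, F.TELALW and F.FAIL in section 6.1 describe: explicit deny rules over the call attributes, a permissive default, 911 excluded from blocking, and the fail-safe/fail-secure choice on appliance failure. Field names, rule layout, extensions and phone numbers are assumptions, not values from the ST.

```python
"""Added example (not SecureLogix code): an evaluator for the TELCO_SFP, with the
FMT_MSA.3 permissive default (only explicit deny rules restrict a call), the
F.TELBLK attributes (911 never blocked) and the F.FAIL fail-safe/fail-secure
choice.  Field names, rule layout and sample numbers are assumptions."""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Set

CALL_TYPES = {"voice", "fax", "modem", "modem energy", "STU III", "busy",
              "unanswered", "data", "undetermined"}
EMERGENCY_NUMBERS = {"911"}              # excluded from blocking (F.TELBLK)


@dataclass
class Call:
    source: str
    destination: str
    call_type: str
    direction: str                       # "inbound" or "outbound"
    duration_s: int = 0                  # seconds elapsed; 0 at call setup
    at: time = time(12, 0)               # local time of day of the check


@dataclass
class DenyRule:
    """One explicit deny rule; a criterion left as None matches any value."""
    number: int
    comment: str
    sources: Optional[Set[str]] = None
    destinations: Optional[Set[str]] = None
    call_types: Optional[Set[str]] = None
    direction: Optional[str] = None
    max_duration_s: Optional[int] = None   # matches once the call runs longer
    start: Optional[time] = None           # inclusive time-of-day window;
    end: Optional[time] = None             # start > end means it spans midnight

    def matches(self, call: Call) -> bool:
        if self.sources is not None and call.source not in self.sources:
            return False
        if self.destinations is not None and call.destination not in self.destinations:
            return False
        if self.call_types is not None and call.call_type not in self.call_types:
            return False
        if self.direction is not None and call.direction != self.direction:
            return False
        if self.max_duration_s is not None and call.duration_s <= self.max_duration_s:
            return False
        if self.start is not None and self.end is not None:
            if self.start <= self.end:
                in_window = self.start <= call.at <= self.end
            else:
                in_window = call.at >= self.start or call.at <= self.end
            if not in_window:
                return False
        return True


@dataclass
class Decision:                          # carries the F.AUDINF rule fields
    allowed: bool
    rule_set: str
    rule_number: Optional[int]           # None when no explicit rule applied
    rule_comment: str


class TelcoPolicy:
    def __init__(self, rule_set: str, rules: List[DenyRule], fail_secure: bool = False):
        self.rule_set = rule_set
        self.rules = rules
        self.fail_secure = fail_secure   # F.FAIL: deny everything on failure

    def evaluate(self, call: Call, policy_loaded: bool = True) -> Decision:
        if call.call_type not in CALL_TYPES or call.direction not in ("inbound", "outbound"):
            raise ValueError("malformed call attributes")
        if not policy_loaded:            # appliance failure, policy unavailable
            if self.fail_secure:         # fail-secure denies even emergency calls
                return Decision(False, self.rule_set, None, "fail-secure: all calls denied")
            return Decision(True, self.rule_set, None, "fail-safe: all calls allowed")
        if call.destination in EMERGENCY_NUMBERS:
            return Decision(True, self.rule_set, None, "emergency call, never blocked")
        for rule in self.rules:          # first matching explicit deny wins
            if rule.matches(call):
                return Decision(False, self.rule_set, rule.number, rule.comment)
        return Decision(True, self.rule_set, None, "permissive default (FMT_MSA.3)")


# Constructed sample rule set; extensions and phone numbers are made up.
SAMPLE_RULES = [
    DenyRule(1, "no outbound modem traffic", call_types={"modem", "modem energy"},
             direction="outbound"),
    DenyRule(2, "no after-hours calls to this overseas number", direction="outbound",
             destinations={"011-44-555-0100"}, start=time(18, 0), end=time(8, 0)),
    DenyRule(3, "voice call on the fax line", sources={"ext-2201"}, call_types={"voice"}),
    DenyRule(4, "modem session over one hour", call_types={"modem"}, max_duration_s=3600),
]
POLICY = TelcoPolicy("SampleRuleSet", SAMPLE_RULES)
```

With the policy not loaded, `TelcoPolicy(..., fail_secure=True)` denies every call, 911 included, exactly as F.FAIL states for the fail-secure option.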
FPT_SEP.1 TSF domain separation

FPT_SEP.1.1 – The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.

FPT_SEP.1.2 – The TSF shall enforce separation between the security domains of subjects in the TSC.

FPT_STM.1 Reliable time stamps

FPT_STM.1.1 – The TSF shall be able to provide reliable time stamps for its own use.

Application Note: In this context, “reliable” means that the chronological order of auditable events is preserved.

FTP_TRP.1 Trusted path

FTP_TRP.1.1 – The TSF shall provide a communication path between itself and [remote, local] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification or disclosure.

FTP_TRP.1.2 – The TSF shall permit [local users, remote users] to initiate communication via the trusted path.

FTP_TRP.1.3 – The TSF shall require the use of the trusted path for [[internal TSF data communications]].

5.1.2 TOE Security Assurance Requirements

The security assurance requirements for EAL 2, as specified in Part 3 of the CC, with the augmentations of ACM_CAP.3, ACM_SCP.1, and ALC_DVS.1, are given in Table 3.

Table 3. Assurance Requirements for ETM® System

Assurance Class            Identifier   Name
Configuration Management   ACM_CAP.3    Authorisation controls (AUGMENTED)
                           ACM_SCP.1    TOE CM coverage (AUGMENTED)
Delivery and Operation     ADO_DEL.1    Delivery Procedures
                           ADO_IGS.1    Installation, generation, and start-up procedures
Development                ADV_FSP.1    Informal functional specification
                           ADV_HLD.1    Descriptive high-level design
                           ADV_RCR.1    Informal correspondence demonstration
Guidance Documents         AGD_ADM.1    Administrator guidance
                           AGD_USR.1    User guidance
Life Cycle Support         ALC_DVS.1    Identification of security measures (AUGMENTED)
Tests                      ATE_COV.1    Evidence of coverage
                           ATE_FUN.1    Functional Testing
                           ATE_IND.2    Independent testing – sample
Vulnerability Assessment   AVA_SOF.1    Strength of TOE security function evaluation
                           AVA_VLA.1    Developer vulnerability analysis

6 TOE SUMMARY SPECIFICATION

This section provides a description of the security functions and assurance measures of the TOE that meet the TOE security requirements.

A typical attacker in the intended telecommunications environment for the ETM® System is deemed to possess only limited knowledge of telecommunications systems and to lack the skills and resources required to manipulate telecommunications interfaces. The purpose of the attacks would be to abuse services, use services fraudulently or simply to attack the services to cause service interruptions. The appliances include firewall protection on the network interfaces, and the network environment provides additional network protection mechanisms for the ETM® System Console client and ETM® Management Server. Therefore, for an EAL 2 evaluation of the ETM® System, the attack potential to meet or exceed for AVA_SOF.1 calculations is LOW. Any remaining vulnerabilities can only be exploited by an attacker of moderate or high attack potential.
The strength of function claim is therefore SOF-BASIC and applies to F.ADMIN and F.AAA.

6.1 TOE SECURITY FUNCTIONS

A description of each of the TOE security functions follows.

F.CRYPTO
The TOE does provide secure internal data communications through the use of cryptography. The TOE can encrypt communications between components using DES or Triple DES cryptography. Cryptographic keys are manually entered (imported) by authorised administrators through the ETM® System Console, overwriting existing keys.

F.NETBLK
The TOE does provide security to its appliances from attack through the network. Data is protected from modification or disclosure when it is transmitted between separate parts of the TOE, by validating IP address, user ID and password, and by authenticating communications with a variable handshake.

F.TELBLK
The TOE does block telecommunications access based on: call destination, call source, call type (voice, fax, modem, modem energy, STU III, busy, unanswered, data, or undetermined), call direction (inbound or outbound), call duration and time of day, excluding 911 calls.

F.TELALW
All other telecommunications traffic not specifically denied in accordance with F.TELBLK is allowed.

F.SECTEL
The TOE does secure confidential telephone conversations by encrypting select telecommunications channels. The TOE applies encryption to telecommunications channels based on: call direction (inbound or outbound), call source and call destination. The TOE can encrypt telecommunications using Triple DES cryptography. Triple DES session keys are securely distributed using RSA public/private keys. The TOE appliances export/import (without security attributes) RSA public keys during call setup. All keys are generated by the TOE and are overwritten when no longer required.
Application Note: This applies only to ETM® Communication Appliances with the TeleVPN® Call Shield option installed.

F.FAIL
In the event of TOE failure (such as during a power outage), the TOE does provide an option to either fail-safe (all calls allowed) or fail-secure (all calls denied, including emergency calls).

Application Note: This applies only to ETM® 1000 Series Appliances, except AAA Appliances.

F.FAILNOT
Upon detection of a potential security violation, the TOE does provide an audible alarm, SNMP trap, log, email with or without attachments, page to a pager or visual alert.

F.HMI
The TOE does provide the administrator with the capability to perform HMI functions including:
a. start-up, shutdown, and configure the TOE security functions;
b. select the level of telecommunications activity detail that is displayed to the user;
c. view and modify the settings that enable or disable the logging of selected telecommunications traffic;
d. enable or disable the capturing of “in-call” digits;
e. view on-line administrator guidance;
f. modify and set the system time and date;
g. archive, modify, create, delete, and display the audit logs;
h. display errors;
i. display current telecommunications activity;
j. change user password;
k. change user password expiry;
l. add, modify and delete user ID;
m. add and delete privileges and IP addresses;
n. create, modify and delete phone numbers and time of day;
o. modify audit level;
p. generate audit reports;
q. modify appliance configuration;
r. modify date and time of host machine and appliances;
s. display appliance status;
t. manage server;
u. modify users;
v. edit policies;
w. edit appliance parameters;
x. login directly to an appliance; and
y. change telecommunications user PIN.

F.LOCK
The TOE does provide locking of objects to prevent multiple administrators from editing the same object.
Locking is provided at the object level. Multiple administrators are able to view but not edit the same object.

F.AUDEVT
The TOE does generate an audit log of the following events:
a. start-up and shutdown;
b. exhaustion of log storage;
c. changes in TOE security function configuration;
d. failed and successful logins by administrators to an appliance;
e. logins and logouts by administrators to the ETM® Management Server;
f. failed and successful logins by telecommunications users to an AAA Appliance;
g. changes to rule sets that are applied to an appliance;
h. the additions/deletions/clones/modifications an administrator performs in the ETM® Management Server;
i. appliance and telephone circuit errors;
j. requests from unknown appliances;
k. detection of an ambiguous rule;
l. rule violations;
m. AAA user account locked;
n. AAA service disconnected;
o. second dial tone detected after call answer; and
p. all other remaining auditable events for the basic level of audit identified in Table 2.

F.AUDINF
For each audit event entry, the TOE does record, where applicable, the
a. date and time of the event, type of event, subject identity (when available), and the outcome (success or failure) of the event; and
b.
For each audit event type, based on the auditable event definitions of the functional components included in the ST:
• log time;
• date;
• call start time;
• call end time;
• call duration;
• call direction (inbound or outbound);
• phone number;
• call source;
• call destination;
• call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined);
• “in-call” digits;
• call trailing digits;
• tracks;
• appliance;
• span/span group;
• text;
• call trunk channel;
• trunk group;
• channel;
• name of rule set;
• rule number;
• rule comment;
• unique record ID;
• unsuccessful login attempts;
• call information (LOC-local call, INTL-international call, VSC-vertical service code, etc.); and
• telecommunications users that have authenticated to an AAA Appliance.

F.AUDLVL
The types of audit events recorded by the TOE are configurable.

F.TIME
The TOE does provide a reliable time and date for time stamping audit log entries.

F.ALARM
The TOE monitors telecommunication traffic and detects events defined by security policies. The TOE does signal the administrator based on a specified event. The types of signals include: audible alarm, SNMP trap, log, email with or without attachments, page to a pager or visual alert.

F.AUDRPT
The TOE does provide the ability to generate reports of audit data by searching and ordering the following categories:
a. log time;
b. date;
c. unsuccessful login attempts;
d. call start time;
e. call end time;
f. call duration;
g. call direction (inbound or outbound);
h. phone number;
i. call source;
j. call destination;
k. call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined);
l. “in-call” digits;
m. call trailing digits;
n. tracks;
o. appliance;
p. span/span group;
q. text;
r. call trunk channel;
s. trunk group;
t. channel;
u. name of rule set;
v. rule number;
w. rule comment;
x. unique record ID;
y. call information (LOC-local call, INTL-international call, VSC-vertical service code, etc.); and
z. telecommunications users that have authenticated to an AAA Appliance.

F.AUDFLTR
The TOE does provide improved granularity of reporting for F.AUDRPT by filtering the sub-types/ranges of audit data based on:
a. date;
b. call direction (inbound or outbound);
c. call duration;
d. phone number;
e. call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined);
f. “in-call” digits;
g. call trailing digits;
h. span/span group;
i. appliance;
j. track;
k. text; and
l. call information (LOC-local call, INTL-international call, VSC-vertical service code, etc.).

F.AUDSTO
The TOE does protect audit data from unauthorised modification or deletion by managing log file size and location.

F.ADMIN
Access to the TOE is restricted to authorised administrators through the use of user ID, password and password expiration, and is enforced upon an acceptable IP address. Each administrator does have a set of privileges that only allow the administrator to perform those tasks associated with their duties. A mechanism is provided to verify that administrator passwords meet a minimum of eight characters, including one change of case and one digit. The TOE also enforces temporary account lockout after a set number of failed authentication attempts.

F.INIT
When TOE security functions are started, the TOE does initialise with the security settings in effect when it was last shut down. If this saved configuration cannot be loaded or does not exist, the TOE does warn the user via a pop-up dialog that the default configuration is being loaded.

F.PROTSF
The TOE mediates telephony access as a basic function of the system.
Appliances allow or reject calls based on call attributes. Management servers allow or reject appliance client connections based on IP addresses and the DES/3DES encryption key, and allow or reject remote (console) connections based on the originating IP addresses, the DES/3DES encryption key, username and password. Username/password and possibly IP address restrict access to the appliances. Access to the management server and its data is restricted to authorized OS level administrators, database administrators, and ETM® System administrators. The ETM® System enforces attribute locking and User Account Permissions. Only authenticated administrators possessing appropriate ETM® System permissions are able to modify the DES/3DES keys. Appliances run as a separate domain. The TOE operating system provides the protected domain for the management server and client software.

F.AAA
Access to AAA Appliances is restricted to authorised telecommunications users through the use of user ID and PIN. A mechanism is provided to verify that telecommunications user PINs meet a minimum length of three digits up to a maximum of ten digits. The TOE also enforces account lockout after a set number of failed authentication attempts.

6.2 ASSURANCE MEASURES

A description of each of the TOE assurance measures follows.

M.ID
The TOE incorporates a unique version identifier that can be displayed to the user.

M.SYSTEM
The TOE is developed and maintained using a system to ensure only authorised changes are implemented in the evaluated version of the TOE. A list of all TOE documentation and all configuration items required to create the TOE is maintained.

M.GETTOE
The developer has controlled processes and procedures (for both hardware and software components) whereby the developer ensures that a secure version of the TOE is delivered to a customer. Both the process and procedures are documented.
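An added example (not SecureLogix code) of the checks behind FIA_SOS.1 (1) and (2) and the F.ADMIN/F.AAA account behaviour described above: administrator password and telecommunications user PIN quality, allowable IP addresses, password expiry, and temporary lockout after repeated failures. The lockout threshold and duration, the storage hashing and the sample accounts are assumptions the ST does not supply.

```python
"""Added example (not SecureLogix code) of the FIA_SOS.1 secret checks and the
account handling F.ADMIN and F.AAA describe: administrator passwords of at least
eight characters with a change of case and a digit, telecommunications user PINs
of three to ten digits, logins tied to an allowable IP address, password expiry,
and a temporary lockout after repeated failures.  The lockout threshold and
duration, the storage format and all sample accounts are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set

LOCKOUT_THRESHOLD = 3      # assumed: failed attempts before the account locks
LOCKOUT_SECONDS = 300      # assumed: length of the temporary lockout


def admin_password_ok(secret: str) -> bool:
    """FIA_SOS.1 (1): >= 8 characters, at least one change of case, one digit."""
    return (len(secret) >= 8
            and any(c.islower() for c in secret)
            and any(c.isupper() for c in secret)
            and any(c.isdigit() for c in secret))


def aaa_pin_ok(secret: str) -> bool:
    """FIA_SOS.1 (2): three to ten digits and nothing else."""
    return secret.isdigit() and 3 <= len(secret) <= 10


def _digest(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash for storage; the ST does not say how the TOE stores secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    kind: str                               # "admin" (password) or "aaa" (PIN)
    salt: bytes
    digest: bytes
    allowed_ips: Optional[Set[str]] = None  # F.ADMIN: acceptable IP addresses
    expires_at: Optional[float] = None      # password expiry, epoch seconds
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, user_id: str, kind: str, secret: str,
               allowed_ips: Optional[Set[str]] = None,
               expires_at: Optional[float] = None) -> None:
        check = admin_password_ok if kind == "admin" else aaa_pin_ok
        if not check(secret):
            raise ValueError(f"secret does not satisfy FIA_SOS.1 for {kind}")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, kind, salt, _digest(secret, salt),
                                         allowed_ips, expires_at)

    def login(self, user_id: str, secret: str, now: float,
              ip: Optional[str] = None) -> str:
        """Returns 'ok', 'bad-credentials', 'locked', 'bad-ip' or 'expired'."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "bad-credentials"        # same answer as a wrong secret
        if now < acct.locked_until:
            return "locked"                 # temporary lockout still in force
        if acct.allowed_ips is not None and ip not in acct.allowed_ips:
            return "bad-ip"
        if not hmac.compare_digest(_digest(secret, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad-credentials"
        if acct.expires_at is not None and now >= acct.expires_at:
            return "expired"                # F.ADMIN: password expiration enforced
        acct.failures = 0
        return "ok"


def sample_authenticator() -> Authenticator:
    """Constructed accounts for demonstration; not real ETM users."""
    auth = Authenticator()
    auth.create("alice", "admin", "Secur3Pass", allowed_ips={"10.0.0.5"})
    auth.create("bob", "aaa", "4321")
    return auth
```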
M.SETUP
The TOE includes an automated installation and set-up program compatible with the TOE operating system. The installation process is self-explanatory, or provides additional instructions to clearly document the installation process. The default installation results in the secure installation and start-up of the TOE.

M.SPEC
A high level TOE design and functional specification have been provided by the developer for the evaluation, which describe the TOE security functionality, subsystems, interfaces, and policy model.

M.TRACE
Correspondence mappings are provided by the developer such that the security functionality detailed in the TOE functional specification is upwards traceable to this ST, and downwards traceable to the high level design.

M.DOCS
Sufficient user and administrator guidance documentation is provided.

M.TEST
A suitably configured TOE is tested in a controlled environment to confirm that TOE functionality operates as specified, and that the TOE is protected from a representative set of well-known attacks. A mapping between developer test cases and TOE functionality is provided by the developer. The assurance requirements also ensure the TOE functionality is tested in a real-world environment.

M.SECASS
The developer examines the TOE design to ensure the security functions adequately address perceived threats in the security environment. The results of the examination are documented. Threats include deliberate attempts to disable, bypass, and brute-force attack the TSF.

7 PROTECTION PROFILE CLAIMS

This ST does not claim conformance to a Protection Profile.

8 RATIONALE

This section contains the Rationale arguments and proof.
8.1 SECURITY OBJECTIVES RATIONALE

8.1.1 TOE Security Objectives Rationale

Table 4 provides a mapping of TOE Security Objectives to Threats, and is followed by a discussion of how each Threat is addressed by the corresponding TOE Security Objectives.

Table 4. Mapping of TOE Security Objectives to Threats

TOE Security Objective   Threats countered
O.CRYPTO                 T.SNIFF, T.REPLAY
O.ATKNET                 T.REPLAY, T.ATKNET
O.MEDTEL                 T.INTRES, T.EXTRES, T.MISUSE
O.TELTOE                 T.TOEPRO, T.TOEDAT, T.TOEFCN
O.SECTEL                 T.LISTEN
O.COMM                   T.NOCOM
O.AUDCHK                 T.AUDEXH
O.ADMACC                 T.TOEDAT, T.TOEFCN, T.NONAPP
O.HMI                    T.ATKVIS, T.TOEFCN, T.NONAPP
O.DSPACT                 T.ATKVIS, T.NONAPP
O.AUDIT                  T.ATKVIS
O.SELFPRO                T.TOEPRO, T.TOEFCN
O.AAA                    T.INTRES, T.EXTRES, T.TOEFCN

T.SNIFF
A network attacker may observe authentication data or system configuration information during transmission between components of the TOE.

O.CRYPTO protects the confidentiality of authentication and system configuration data using cryptography as it passes between distributed components of the TOE.

T.REPLAY
A network attacker may use previously captured or falsified data to authenticate to the TOE or alter its configuration.

O.ATKNET protects the TOE appliances against attack from the network. Replay attacks, in appliance to server communications, are countered by the communications being authenticated with a variable handshake and encrypted with a valid cryptographic algorithm and key. O.CRYPTO protects the confidentiality of authentication and system configuration data using cryptography as it passes between distributed components of the TOE. Falsified data cannot be properly encrypted for use by the TOE since the network attacker does not have access to the cryptographic key.

T.ATKNET
A network attacker may attack the TOE appliances using common and known network attack techniques.
O.ATKNET ensures the TOE appliances protect themselves against attack from the network by authenticating communications with a variable handshake and encrypting communications with a valid cryptographic algorithm and key.

T.INTRES
An unauthorised external telecommunications user may gain access to internal telecommunication resources (telephones, modems, faxes, etc.).

O.MEDTEL mediates telecommunications access across the telecommunication lines, preventing unauthorised use of telecommunication resources. O.AAA ensures that only authorised telecommunications users may access AAA Appliances.

T.LISTEN
An external telecommunications attacker may eavesdrop on a confidential telephone conversation between two authorized telecommunications users.

O.SECTEL prevents eavesdropping on confidential telecommunications by securing confidential telecommunications data.

T.EXTRES
An internal telecommunications user may gain unauthorised access to external telecommunications resources (telephones, modems, faxes, telecommunications or internet service providers, etc.).

O.MEDTEL mediates telecommunications access across the telecommunication lines, preventing unauthorised use of telecommunication resources. O.AAA ensures that only authorised telecommunications users may access AAA Appliances.

T.MISUSE
A telecommunications user may use internal telecommunications resources in an unauthorised manner (make a voice call on a fax line, etc.).

O.MEDTEL mediates telecommunications access across the telecommunication lines, preventing unauthorised use of telecommunication resources.

T.TOEPRO
A telecommunications user or an unauthorized user may bypass, deactivate, corrupt or tamper with TOE security functions.

O.TELTOE does not allow unauthorised connections to the TOE itself.
O.SELFPRO protects the TOE from attempts by a telecommunications user or an unauthorized user to bypass, deactivate, corrupt or tamper with TOE security functions.

T.ATKVIS
A telecommunications user may conduct undetected attack attempts against the TOE.

O.DSPACT and O.HMI display, to the administrator, the current activity associated with telecommunications entities accessing, or attempting to access, the TOE. O.AUDIT records a readable audit trail of allowed and denied telecommunications access attempts and administrator login attempts, and permits the administrator to review the audit log entries.

T.TOEDAT
A telecommunications user may read, modify, or destroy internal TOE data.

O.TELTOE does not allow unauthorised connections to the TOE itself. O.ADMACC restricts access to security functions only to authorised administrators.

T.TOEFCN
A telecommunications user or an unauthorized user may access and use security and/or non-security functions of the TOE.

O.TELTOE does not allow unauthorised connections to the TOE itself. O.ADMACC restricts access to security functions only to authorised administrators. O.HMI permits the administrator to manage the TOE security functions to detect/prevent this threat. O.SELFPRO protects the TOE from tampering by a telecommunications user or an unauthorized user. O.AAA restricts access to AAA Appliances to authorised telecommunications users only.

T.NONAPP
An administrator may be unaware that an unauthorised application, executing on the TOE, is accessing the telecommunications lines or network via TOE interfaces.

O.ADMACC restricts access to security functions only to authorised administrators. O.HMI permits the user to manage the TOE security functions to detect/prevent this threat. O.DSPACT displays to the user the current activity associated with telecommunications entities accessing, or attempting to access, the TOE.
T.NOCOM
An administrator may be unaware that TOE internal communications have failed. Potential causes of communication failures include system failures and denial of service attacks initiated by network attackers.

O.COMM ensures the TOE notifies the administrator of an internal communications failure.

T.AUDEXH
An administrator may be unaware that the audit storage on the ETM® Management Server of the TOE has been exhausted. Potential causes for the exhaustion of audit storage include: excessive log traffic generated by high levels of usage by telecommunications users and/or attacks by unauthorized users and network attackers; and improper administration of the audit storage volume.

O.AUDCHK ensures that the TOE notifies the administrator when the audit storage on the ETM® Management Server is exhausted.

8.1.2 Environment Security Objectives Rationale

Table 5 provides a mapping of Environment Security Objectives to Assumptions and Threats, and is followed by a discussion of how each Assumption or Threat is addressed by the corresponding Environment Security Objectives.

Table 5. Mapping of Environment Security Objectives to Threats and Assumptions

Environment Security Objective   Assumptions and Threats addressed
O.GUIDAN                         A.NOEVIL, T.USAGE, T.BADADM, T.TROJAN
O.AUTHUSR                        A.PHYSEC
O.NETPRO                         A.COM

A.PHYSEC
The TOE is physically secure.

O.AUTHUSR ensures that only authorised users are permitted physical access to the TOE.

A.COM
Communications between the Management server and database server are protected by the environment and do not need to be explicitly protected by the TOE.

O.NETPRO ensures that the environment protects the communications between the Management server and database server.

A.NOEVIL
Administrators are non-hostile and do not attempt to use O/S level administrative privileges to compromise the TOE functionality.
O.GUIDAN ensures that administrators administer and operate the TOE in a manner that maintains its security.

T.USAGE
The TOE may unwittingly be configured, used, and administered in an insecure manner by the administrator.

O.GUIDAN provides administrators with instructions on how to securely maintain the TOE.

T.BADADM
Compromise of the integrity and/or availability of the TOE may occur as a result of an administrator not following proper security procedures.

O.GUIDAN provides administrators with instructions on how to securely maintain the TOE.

T.TROJAN
Compromise of the integrity and/or availability of the TOE may occur as a result of an administrator unwittingly introducing a virus or trojan into the system.

O.GUIDAN provides administrators with instructions on how to securely maintain the TOE.

8.2 SECURITY REQUIREMENTS RATIONALE

8.2.1 Security Functional Requirements Rationale

Table 6 provides a mapping of Security Functional Requirements to TOE Security Objectives, and is followed by a discussion of how each IT Security Objective is addressed by the corresponding Security Functional Requirements.

Table 6. Mapping of Security Functional Requirements to TOE Security Objectives

Security Functional Requirement   TOE Security Objectives
FAU_ARP.1        O.COMM, O.AUDIT
FAU_GEN.1        O.AUDIT
FAU_SAA.1        O.COMM, O.AUDIT
FAU_SAR.1        O.AUDIT
FAU_SAR.3        O.AUDIT
FAU_SEL.1        O.AUDIT
FAU_STG.1        O.AUDIT
FAU_STG.3        O.AUDCHK, O.AUDIT
FCS_CKM.1        O.SECTEL
FCS_CKM.2        O.SECTEL
FCS_CKM.4        O.CRYPTO, O.SECTEL
FCS_COP.1 (1)    O.CRYPTO
FCS_COP.1 (2)    O.SECTEL
FDP_ACC.1 (1)    O.SELFPRO
FDP_ACF.1 (1)    O.SELFPRO
FDP_ACC.1 (2)    O.ADMACC
FDP_ACF.1 (2)    O.ADMACC
FDP_ACC.1 (3)    O.TELTOE, O.SELFPRO, O.AAA
FDP_ACF.1 (3)    O.TELTOE, O.SELFPRO, O.AAA
FDP_ETC.1        O.SECTEL
FDP_IFC.1 (1)    O.MEDTEL, O.TELTOE, O.SECTEL
FDP_IFF.1 (1)    O.MEDTEL, O.TELTOE, O.SECTEL
FDP_IFC.1 (2)    O.ATKNET
FDP_IFF.1 (2)    O.ATKNET
FDP_ITC.1        O.SECTEL, O.SELFPRO
FIA_AFL.1 (1)    O.ADMACC
FIA_AFL.1 (2)    O.AAA
FIA_ATD.1 (1)    O.ADMACC
FIA_ATD.1 (2)    O.AAA
FIA_SOS.1 (1)    O.SELFPRO
FIA_SOS.1 (2)    O.SELFPRO
FIA_UAU.1        O.ADMACC, O.SELFPRO, O.AAA
FIA_UID.1        O.ADMACC, O.SELFPRO, O.AAA
FMT_MOF.1        O.HMI, O.DSPACT, O.AUDIT
FMT_MSA.1 (1)    O.SELFPRO
FMT_MSA.1 (2)    O.SELFPRO
FMT_MSA.2        O.SECTEL, O.SELFPRO
FMT_MSA.3        O.SELFPRO
FMT_MTD.1        O.AUDIT, O.SELFPRO
FMT_SMF.1        O.HMI
FMT_SMR.1        O.ADMACC, O.SELFPRO
FPT_ITT.1        O.ATKNET, O.SECTEL
FPT_RVM.1        O.SELFPRO
FPT_SEP.1        O.SELFPRO
FPT_STM.1        O.AUDIT
FTP_TRP.1        O.CRYPTO, O.ATKNET, O.SECTEL

O.CRYPTO
The TOE must protect the confidentiality of authentication and system configuration data using cryptography as it passes between distributed components of the TOE.

FCS_COP.1(1) requires a cryptographic operation to be performed in accordance with a specified algorithm and with a cryptographic key of a specified size. FCS_CKM.4 requires cryptographic keys to be overwritten. FTP_TRP.1 requires that internal TOE communications are protected.

O.ATKNET
The TOE appliances must protect themselves, using authentication and cryptography, against network based attacks generated using common and known network attack techniques.

FDP_IFC.1 (2), FDP_IFF.1 (2), FPT_ITT.1 and FTP_TRP.1 together require that the TOE protect its appliances against attack from the network.

O.MEDTEL
The TOE must mediate telecommunications access both inbound and outbound on the telecommunications lines. The TOE shall be capable of allowing or denying the communication based on predefined attributes.
FDP_IFC.1 (1) together with FDP_IFF.1 (1) require that the TOE mediate communications across the telecommunications lines based on a combination of default and administrator-defined conditions.

O.TELTOE
The TOE should not allow unauthorised access to the TOE from the telecommunications interfaces.

FDP_ACC.1 (3), FDP_ACF.1 (3), FDP_IFC.1 (1), and FDP_IFF.1 (1) define the only allowed access control security policies, which ensure there are no other ways to access the TOE.

O.SECTEL
The TOE must secure confidential telephone conversations between authorised telecommunications users from eavesdropping.

FCS_COP.1(2), FPT_ITT.1 and FTP_TRP.1 together require that the TOE protect confidential telecommunications channels. FCS_CKM.1, FCS_CKM.2, FCS_CKM.4, FDP_ETC.1, FDP_ITC.1 and FMT_MSA.2 define the proper methods for the management and exchange of secrets used to protect confidential telecommunications channels. FDP_IFC.1(1) together with FDP_IFF.1(1) require that the TOE mediate communications across the telecommunications lines based on a combination of default and administrator-defined conditions.

O.COMM
The TOE must provide a mechanism to handle internal communication failures.

FAU_ARP.1 and FAU_SAA.1 combine to provide the administrator with real-time notification of a communication failure.

O.AUDCHK
The TOE must provide a mechanism that advises the administrator when local audit storage on the ETM® Management Server has been exhausted.

FAU_STG.3 provides the administrator with notification that the audit storage on the ETM® Management Server has been exhausted.

O.ADMACC
An administrator role will exist on the TOE with access control mechanisms such that only authenticated administrators are able to perform security relevant functions.
FDP_ACC.1 (2), FDP_ACF.1 (2), FIA_UAU.1 and FIA_UID.1 ensure that all users are properly identified and authenticated before gaining access to the TOE. FMT_SMR.1 defines the security roles such that the only users are administrators. FIA_ATD.1 (1) lists the security attributes which identify administrators and their privileges. FIA_AFL.1 (1) adds extra assurance that attempts to guess the administrator’s password using brute force will be blocked (for Telnet access only).

O.HMI
The TOE must provide functionality that enables an administrator to effectively manage the TOE and its security functions from its local HMI.

FMT_SMF.1 identifies the security management functions that are available in the TSF to the administrator. FMT_MOF.1 provides the administrator with the capability to manage the TOE and its security functions from its local HMI.

O.DSPACT
The TOE must display to the administrator the current and recent history of telecommunications activity associated with the telecommunications lines.

FMT_MOF.1 provides the user with the capability to select the level of telecommunications activity that is displayed on the HMI.

O.AUDIT
The TOE must record and store a readable audit trail of TOE telecommunications activity and security relevant events, and permit their review only by authorised administrators. The TOE will be capable of performing audit reduction and triggering alarms, as required by the administrator.

FAU_GEN.1 and FPT_STM.1 combine to require that a readable audit trail of network activity and security related events is recorded with reliable time stamps. FAU_STG.1 and FAU_STG.3 provide secure storage for the audit data. FAU_SAA.1 and FAU_ARP.1 provide the administrator with additional, real-time notification of some audit events. FAU_SAR.1 and FAU_SAR.3 provide the administrator with the capability to review both a complete and a reduced audit trail.
FAU_SEL.1 and FMT_MOF.1 combine to provide the administrator with the capability to select what level of network activity is recorded in the audit trail. FMT_MTD.1 restricts access to the audit logs to administrators.

O.SELFPRO
The TOE must protect itself against attempts by a telecommunications user or an unauthorized user to bypass, deactivate, corrupt, or tamper with TOE security functions.
FDP_ACC.1 (1), FDP_ACF.1 (1), FDP_ACC.1 (3), FDP_ACF.1 (3), FDP_ITC.1, FIA_SOS.1 (1), FIA_SOS.1 (2), FIA_UAU.1 and FIA_UID.1 ensure that all users are properly identified and authenticated before gaining access to the TOE. FMT_MSA.1 (1), FMT_MSA.1 (2), FMT_MSA.2, FMT_MSA.3, FMT_SMR.1 and FMT_MTD.1 ensure that all security functions are managed only by administrators who have the correct privileges. FPT_RVM.1 and FPT_SEP.1 ensure that the TSF is protected.

O.AAA
The TOE must provide functionality that restricts access to AAA Appliances to authorised telecommunications users.
FDP_ACC.1 (3), FDP_ACF.1 (3), FIA_UAU.1 and FIA_UID.1 ensure that all telecommunications users are properly identified and authenticated before gaining access to an AAA Appliance. FIA_ATD.1 (2) lists the security attributes which identify telecommunications users. FIA_AFL.1 (2) adds extra assurance that attempts to guess a telecommunications user’s PIN using brute force will be blocked.

8.2.2 Assurance Requirements Rationale

The ETM® System is designed to mediate telecommunications traffic over telecommunication lines and be simple enough for an average PC user to manage. An assurance level of EAL 2, structurally tested, was selected as the threat to security is considered to be unsophisticated telecommunications attackers, and the data to be protected consists mainly of system resources (although the ETM® System can prevent data leakage by blocking telecommunications access).
Additional augmented assurance requirements (ACM_CAP.3, ACM_SCP.1, and ALC_DVS.1) were added to gain increased security throughout the development of the ETM® System. It is felt that an evaluation at this level provides evidence that the TOE functions in a manner consistent with its documentation, and that it provides useful protection against identified threats.

8.2.3 Rationale for Satisfying Functional Requirement Dependencies

Table 7 identifies the Security Functional Requirements and their immediate dependencies, and also indicates whether the ST explicitly addresses each dependency. All but two of the dependencies for functional components have been met.

Table 7. Security Functional Requirement Dependencies

ST Requirement    Dependencies                  Dependency Satisfied?
FAU_ARP.1         FAU_SAA.1                     Y
FAU_GEN.1         FPT_STM.1                     Y
FAU_SAA.1         FAU_GEN.1                     Y
FAU_SAR.1         FAU_GEN.1                     Y
FAU_SAR.3         FAU_SAR.1                     Y
FAU_SEL.1         FAU_GEN.1                     Y
                  FMT_MTD.1                     Y
FAU_STG.1         FAU_GEN.1                     Y
FAU_STG.3         FAU_STG.1                     Y
FCS_CKM.1         FCS_CKM.2, or FCS_COP.1       Y, Y (through FCS_COP.1(2))
                  FCS_CKM.4                     Y
                  FMT_MSA.2                     Y
FCS_CKM.2         FDP_ITC.1, or FCS_CKM.1       Y, Y
                  FCS_CKM.4                     Y
                  FMT_MSA.2                     Y
FCS_CKM.4         FDP_ITC.1, or FCS_CKM.1       Y, Y
                  FMT_MSA.2                     Y
FCS_COP.1(1)      FDP_ITC.1, or FCS_CKM.1       Y, N/A
                  FCS_CKM.4                     Y
                  FMT_MSA.2                     N
FCS_COP.1(2)      FDP_ITC.1, or FCS_CKM.1       N/A, Y
                  FCS_CKM.4                     Y
                  FMT_MSA.2                     Y
FDP_ACC.1         FDP_ACF.1                     Y
FDP_ACF.1         FDP_ACC.1                     Y
                  FMT_MSA.3                     Y
FDP_ETC.1         FDP_ACC.1, or FDP_IFC.1       Y, Y
FDP_IFC.1         FDP_IFF.1                     Y
FDP_IFF.1         FDP_IFC.1                     Y
                  FMT_MSA.3                     Y
FDP_ITC.1         FDP_ACC.1, or FDP_IFC.1       Y, Y
                  FMT_MSA.3                     Y
FIA_AFL.1         FIA_UAU.1                     Y
FIA_ATD.1         –                             Y
FIA_SOS.1         –                             Y
FIA_UAU.1         FIA_UID.1                     Y
FIA_UID.1         –                             Y
FMT_MOF.1         FMT_SMF.1                     Y
                  FMT_SMR.1                     Y
FMT_MSA.1         FDP_ACC.1, or FDP_IFC.1       Y, Y
                  FMT_SMF.1                     Y
                  FMT_SMR.1                     Y
FMT_MSA.2         ADV_SPM.1                     N
                  FDP_ACC.1, or FDP_IFC.1       Y, Y
                  FMT_MSA.1                     Y
                  FMT_SMR.1                     Y
FMT_MSA.3         FMT_MSA.1                     Y
                  FMT_SMR.1                     Y
FMT_MTD.1         FMT_SMF.1                     Y
                  FMT_SMR.1                     Y
FMT_SMF.1         –                             Y
FMT_SMR.1         FIA_UID.1                     Y
FPT_ITT.1         –                             Y
FPT_RVM.1         –                             Y
FPT_SEP.1         –                             Y
FPT_STM.1         –                             Y
FTP_TRP.1         –                             Y

FMT_MSA.2
For FCS_COP.1(1), this security functional requirement has been excluded because the TSF does not generate the security attributes (i.e., cryptographic keys) itself. Instead the security attributes are manually generated by the administrator in the TOE environment and then loaded into the TOE. The TOE does not validate the key values.

ADV_SPM.1
The security functional requirement FCS_COP.1(2) requires that this dependency be examined. This security assurance requirement has been excluded as FIPS Security Policy documents exist for the cryptographic algorithms employed by the TOE.

8.2.4 Rationale for Satisfying Assurance Requirement Dependencies

Table 8 identifies the Security Assurance Requirements and their immediate dependencies, and also indicates whether the ST explicitly addresses each dependency. All dependencies for assurance components have been met.

Table 8. Security Assurance Requirement Dependencies

ST Requirement    Dependencies    Dependency Satisfied?
ACM_CAP.3         ALC_DVS.1       Y
ACM_SCP.1         ACM_CAP.3       Y
ADO_DEL.1         –               Y
ADO_IGS.1         AGD_ADM.1       Y
ADV_FSP.1         ADV_RCR.1       Y
ADV_HLD.1         ADV_FSP.1       Y
                  ADV_RCR.1       Y
ADV_RCR.1         –               Y
AGD_ADM.1         ADV_FSP.1       Y
AGD_USR.1         ADV_FSP.1       Y
ALC_DVS.1         –               Y
ATE_COV.1         ADV_FSP.1       Y
                  ATE_FUN.1       Y
ATE_FUN.1         –               Y
ATE_IND.2         ADV_FSP.1       Y
                  AGD_USR.1       Y
                  ATE_FUN.1       Y
AVA_SOF.1         ADV_FSP.1       Y
                  ADV_HLD.1       Y
AVA_VLA.1         ADV_FSP.1       Y
                  ADV_HLD.1       Y
                  AGD_USR.1       Y

8.2.5 Rationale for Security Functional Refinements

FAU_GEN.1 Audit data generation
In FAU_GEN.1.2, changed “… at least the following information: … subject identity…” to “… at least the following information: … subject identity (when available)…” as the subject identity is not always available for audit generation.

FAU_SAR.3 Selectable audit review
Added an additional category to FAU_SAR.3.1 (1) to include filtering of audit data. The original wording of FAU_SAR.3.1 remains unchanged. See the application note for FAU_SAR.3 for further details.

FIA_ATD.1 User attribute definition (2)
In FIA_ATD.1.1, changed “…belonging to individual users” to “…belonging to individual telecommunications users” since the requirement only applies to individuals who communicate over the telecommunications network to operate an AAA Appliance.

FIA_UAU.1 Timing of authentication
Reworded FIA_UAU.1.1 for clarity and proper English by removing “…on behalf of the user to be performed…”. The original intent of FIA_UAU.1.1 (specifying actions which can be performed before authentication) remains unchanged. In FIA_UAU.1.2, changed the two instances of “user” to “user and telecommunications user accessing an AAA Appliance” and “user or telecommunications user” respectively since only these TOE users authenticate to the TOE.

FIA_UID.1 Timing of identification
Reworded FIA_UID.1.1 for clarity and proper English by removing “…on behalf of the user to be performed…”.
The original intent of FIA_UID.1.1 (specifying actions which can be performed before identification) remains unchanged. In FIA_UID.1.2, changed the two instances of “user” to “user and telecommunications user accessing an AAA Appliance” and “user or telecommunications user” respectively since only these TOE users are required to authenticate to the TOE.

FMT_MSA.3 Static attribute initialisation
In FMT_MSA.3.1, changed “…default values for security attributes…” to “…default values for information flow security attributes…” since the requirement only applies to the information flow SFP. In FMT_MSA.3.1, changed “…to enforce the SFP” to “…to enforce the TELCO SFP” since there is more than one SFP and this requirement only applies to the TELCO SFP.

8.2.6 Rationale for Audit Exclusions

Table 9 lists events that would normally be subject to audit at the Basic level of audit which are not audited for the indicated reasons:

Table 9. Rationale for Audit Exclusions

Functional Component: FPT_STM.1
Auditable Event: Changes to the time.
Rationale for Exclusion: This audit requirement has not been included because:
• The only security functionality that relies on TOE system time is the time stamping of audit log entries. Since the TOE maintains the sequence of audit entries in the log, regardless of changes in system time, any relevant changes in system time would be apparent.
• Authorised users or applications executing on the TOE must initiate system time changes. Users are assumed to be knowledgeable of the applications they are running, and hence are aware of changes in system time they initiate. If the operating system itself changes system time (e.g., daylight saving time changes), the user is notified.
• System time is maintained by the operating system. In this case, the TOE operating system, Windows® NT, does not support a capability to audit system time changes.
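The FPT_STM.1 rationale in Table 9 rests on the audit sequence number making a system time change apparent. The following Go program, added here as an example and not code from the ST or from the ETM® System, applies that check to a constructed audit extract. It assumes a line format of sequence number, RFC 3339 time stamp and event text (not the ETM® System's actual log format) and flags a stamp that runs backwards, a stamp that jumps forward by more than a configurable amount, and a gap in the sequence numbers, which is the case in which a removed record could hide such a change.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AuditEntry is one audit record: its sequence number, the system-time stamp
// written with it, and the event text. The line format parsed below is an
// assumption for this example.
type AuditEntry struct {
	Seq   int
	Stamp time.Time
	Event string
}

// ParseAuditLog parses lines of the form "<seq> <RFC3339 time> <event>".
func ParseAuditLog(text string) ([]AuditEntry, error) {
	var entries []AuditEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.SplitN(line, " ", 3)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed audit line: %q", line)
		}
		seq, err := strconv.Atoi(f[0])
		if err != nil {
			return nil, fmt.Errorf("bad sequence number in %q: %v", line, err)
		}
		ts, err := time.Parse(time.RFC3339, f[1])
		if err != nil {
			return nil, fmt.Errorf("bad time stamp in %q: %v", line, err)
		}
		entries = append(entries, AuditEntry{Seq: seq, Stamp: ts, Event: f[2]})
	}
	return entries, sc.Err()
}

// Anomaly flags a record whose stamp or sequence number contradicts the
// record before it.
type Anomaly struct {
	Seq   int
	Kind  string        // "backwards", "jump" or "sequence-gap"
	Delta time.Duration // difference to the previous stamp (0 for a gap)
}

// FindClockAnomalies walks the records in log order. Because sequence numbers
// are assigned by the TOE independently of the clock, a stamp earlier than
// its predecessor, or later by more than maxJump, exposes a system time
// change; a missing sequence number exposes a removed record.
func FindClockAnomalies(entries []AuditEntry, maxJump time.Duration) []Anomaly {
	var out []Anomaly
	for i := 1; i < len(entries); i++ {
		prev, cur := entries[i-1], entries[i]
		if cur.Seq != prev.Seq+1 {
			out = append(out, Anomaly{Seq: cur.Seq, Kind: "sequence-gap"})
		}
		d := cur.Stamp.Sub(prev.Stamp)
		switch {
		case d < 0:
			out = append(out, Anomaly{Seq: cur.Seq, Kind: "backwards", Delta: d})
		case d > maxJump:
			out = append(out, Anomaly{Seq: cur.Seq, Kind: "jump", Delta: d})
		}
	}
	return out
}

// SampleLog is a constructed audit extract: record 4 is stamped before
// record 3, and record 7 follows both a sequence gap and a day-long jump.
const SampleLog = `
1 2004-03-23T10:00:00Z admin login ok
2 2004-03-23T10:00:30Z policy rule 12 modified
3 2004-03-23T10:01:00Z call 5551234 blocked
4 2004-03-23T09:30:00Z call 5559876 allowed
5 2004-03-23T09:30:10Z admin logout
7 2004-03-24T09:30:10Z admin login ok
`

func main() {
	entries, err := ParseAuditLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range FindClockAnomalies(entries, time.Hour) {
		fmt.Printf("seq %d: %s (%v)\n", a.Seq, a.Kind, a.Delta)
	}
}
```

Run against the sample, the program reports record 4 as backwards by 31 minutes and record 7 as both a sequence gap and a 24-hour jump. The jump threshold is a tuning choice: an appliance that is legitimately offline for long periods will produce forward jumps, so on a real deployment maxJump should reflect the expected logging cadence.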
8.3 TOE SUMMARY SPECIFICATION RATIONALE

8.3.1 TOE Security Functions Rationale

Table 10 provides a mapping of TOE Security Functions to Security Functional Requirements and is followed by a discussion of how each Security Functional Requirement is addressed by the corresponding Security Function.

Table 10. Mapping of TOE Security Functions to Security Functional Requirements

The TOE security functions mapped in the table are F.CRYPTO, F.NETBLK, F.TELBLK, F.TELALW, F.SECTEL, F.FAIL, F.FAILNOT, F.HMI, F.LOCK, F.AUDEVT, F.AUDINF, F.AUDLVL, F.TIME, F.ALARM, F.AUDRPT, F.AUDFLTR, F.AUDSTO, F.ADMIN, F.INIT, F.PROTSF and F.AAA. Each Security Functional Requirement is listed with the security functions marked against it.

Security Functional Requirement    Security Functions
FAU_ARP.1                          F.ALARM, F.FAILNOT
FAU_GEN.1                          F.AUDEVT, F.AUDINF, F.TIME
FAU_SAA.1                          F.ALARM, F.FAILNOT
FAU_SAR.1                          F.AUDRPT, F.AUDFLTR
FAU_SAR.3                          F.AUDRPT, F.AUDFLTR
FAU_SEL.1                          F.AUDLVL
FAU_STG.1                          F.AUDSTO, F.ADMIN
FAU_STG.3                          F.AUDEVT, F.ALARM
FCS_CKM.1                          F.SECTEL
FCS_CKM.2                          F.SECTEL
FCS_CKM.4                          F.CRYPTO, F.SECTEL
FCS_COP.1(1)                       F.CRYPTO
FCS_COP.1(2)                       F.SECTEL
FDP_ACC.1(1)                       F.ADMIN
FDP_ACF.1(1)                       F.ADMIN
FDP_ACC.1(2)                       F.LOCK
FDP_ACF.1(2)                       F.LOCK
FDP_ACC.1(3)                       F.AAA
FDP_ACF.1(3)                       F.AAA
FDP_ETC.1                          F.SECTEL
FDP_IFC.1(1)                       F.SECTEL, F.TELBLK, F.TELALW, F.FAIL
FDP_IFF.1(1)                       F.SECTEL, F.TELBLK, F.TELALW, F.FAIL
FDP_IFC.1(2)                       F.NETBLK
FDP_IFF.1(2)                       F.NETBLK, F.CRYPTO
FDP_ITC.1                          F.ADMIN, F.SECTEL
FIA_AFL.1(1)                       F.ADMIN
FIA_AFL.1(2)                       F.AAA
FIA_ATD.1(1)                       F.ADMIN
FIA_ATD.1(2)                       F.AAA
FIA_SOS.1(1)&(2)                   F.ADMIN, F.AAA
FIA_UAU.1                          F.ADMIN, F.AAA
FIA_UID.1                          F.ADMIN, F.AAA
FMT_MOF.1                          F.HMI
FMT_MSA.1(1)&(2)                   F.HMI
FMT_MSA.2                          F.SECTEL
FMT_MSA.3                          F.INIT
FMT_MTD.1                          F.HMI
FMT_SMF.1                          F.HMI
FMT_SMR.1                          F.ADMIN, F.HMI
FPT_ITT.1                          F.NETBLK
FPT_RVM.1                          F.PROTSF
FPT_SEP.1                          F.PROTSF
FPT_STM.1                          F.AUDINF, F.TIME
FTP_TRP.1                          F.NETBLK, F.CRYPTO

FAU_ARP.1 Security alarms
F.ALARM and F.FAILNOT combine to satisfy the requirements for detecting security violations based on administrator-created rules and TOE communication failure respectively.

FAU_GEN.1 Audit data generation
F.AUDEVT, F.AUDINF, and F.TIME combine to satisfy the requirement for the generation of audit data for the specified set of TOE events.

FAU_SAA.1 Potential violation analysis
F.ALARM and F.FAILNOT combine to satisfy the requirements for detecting security violations based on administrator-created rules and TOE communication failure respectively.
FAU_SAR.1 Audit review
F.AUDRPT and F.AUDFLTR combine to satisfy the requirements for the reviewing of audit data by providing a capability for report generation and filtering.

FAU_SAR.3 Selectable audit review
F.AUDRPT and F.AUDFLTR combine to satisfy the requirements for the selectable reviewing of audit data.

FAU_SEL.1 Selective audit
F.AUDLVL satisfies the requirement for the selectable recording of audit data.

FAU_STG.1 Protected audit trail storage
F.AUDSTO satisfies the requirement for protected storage of audit data by managing log file size and location. F.ADMIN protects the integrity of audit data by limiting access to authorised administrators.

FAU_STG.3 Action in case of possible audit data loss
F.AUDEVT and F.ALARM combine to satisfy the requirement for protected storage of audit data by generating a security message and alarm in the event of possible audit data loss.

FCS_CKM.1 Cryptographic key generation
F.SECTEL satisfies the requirement to generate keys used in securing confidential telecommunication channels. The TOE can generate RSA public/private key pairs or symmetric keys used in Triple DES cryptography.

FCS_CKM.2 Cryptographic key distribution
F.SECTEL satisfies the requirement to exchange Triple DES session keys used to secure confidential telecommunication channels. The TOE protects the session keys by encrypting them with the RSA public key of the intended target.

FCS_CKM.4 Cryptographic key destruction
F.CRYPTO and F.SECTEL satisfy the requirement to overwrite existing cryptographic key values.

FCS_COP.1 Cryptographic operation (1)
F.CRYPTO satisfies this requirement for cryptographic operations that are used to protect the confidentiality of internal data communications. The TOE can encrypt communications using DES (for internal data communications only) or Triple DES cryptography.
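The key lifecycle described under FCS_CKM.1, FCS_CKM.2 and FCS_CKM.4 above (generate a Triple DES session key, protect it with the recipient's RSA public key, overwrite it when done) and the Triple DES channel operation of FCS_COP.1, worked through in Go as an added example. This is not code from the ST or from the ETM® System; the ST does not specify the RSA padding, key size, cipher mode or padding scheme, so RSA-OAEP with SHA-256, a 2048-bit recipient key, CBC mode with PKCS#7 padding, the label value and all function names are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyLabel binds the wrapped key to its purpose (assumed value, not from the ST).
var keyLabel = []byte("example-session-key")

// NewRecipientKey creates the recipient's RSA key pair (2048 bits assumed).
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// GenerateSessionKey draws a 24-byte three-key Triple DES key from the OS
// CSPRNG (the FCS_CKM.1 step).
func GenerateSessionKey() ([]byte, error) {
	key := make([]byte, 24)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapSessionKey encrypts the session key under the intended recipient's RSA
// public key, so only the matching private key can recover it (FCS_CKM.2).
func WrapSessionKey(peer *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, key, keyLabel)
}

// UnwrapSessionKey recovers the session key with the recipient's private key
// and rejects anything that is not a well-formed Triple DES key.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, keyLabel)
	if err != nil {
		return nil, err
	}
	if len(key) != 24 {
		return nil, errors.New("unwrapped key has wrong length")
	}
	return key, nil
}

// Encrypt3DESCBC encrypts with Triple DES in CBC mode and PKCS#7 padding and
// returns IV || ciphertext (the FCS_COP.1 operation on the channel).
func Encrypt3DESCBC(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pad := des.BlockSize - len(plaintext)%des.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, des.BlockSize+len(padded))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], padded)
	return out, nil
}

// Decrypt3DESCBC reverses Encrypt3DESCBC and rejects malformed input.
func Decrypt3DESCBC(key, ct []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*des.BlockSize || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext has invalid length")
	}
	pt := make([]byte, len(ct)-des.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:des.BlockSize]).CryptBlocks(pt, ct[des.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > des.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid padding")
	}
	return pt[:len(pt)-pad], nil
}

// DestroyKey overwrites key material in place once it is no longer needed
// (the FCS_CKM.4 step).
func DestroyKey(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	recipient, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Sender side: fresh session key, wrapped for the recipient, used once, destroyed.
	key, _ := GenerateSessionKey()
	wrapped, _ := WrapSessionKey(&recipient.PublicKey, key)
	ct, _ := Encrypt3DESCBC(key, []byte("call 5551234 -> 5559876: allowed")) // constructed sample
	DestroyKey(key)
	// Recipient side: unwrap with the private key, decrypt, destroy.
	rkey, _ := UnwrapSessionKey(recipient, wrapped)
	pt, err := Decrypt3DESCBC(rkey, ct)
	DestroyKey(rkey)
	fmt.Printf("%q %v\n", pt, err)
}
```

Triple DES is used because it is the algorithm the ST names; the wrap, unwrap and destroy structure is the same for any block cipher, and a current deployment would pair the RSA key transport with AES, since NIST SP 800-131A withdrew Triple DES for new use after 2023. CBC as written gives confidentiality only; where the channel also needs integrity, a MAC over the ciphertext or an authenticated mode must be added.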
FCS_COP.1 Cryptographic operation (2)
F.SECTEL satisfies the requirement for cryptographic operations that are used to secure confidential telecommunication channels. The TOE securely distributes session keys using RSA cryptography and can encrypt communications using Triple DES cryptography.

FDP_ACC.1 Subset access control (1)
F.ADMIN satisfies the requirement for access control to the TOE through authentication of administrators.

FDP_ACF.1 Security attribute based access control (1)
F.ADMIN satisfies the requirement for access control to the TOE based on the security attributes of user name, password, password expiry, and IP address.

FDP_ACC.1 Subset access control (2)
F.LOCK satisfies the requirement for access control for the editing of TOE objects.

FDP_ACF.1 Security attribute based access control (2)
F.LOCK satisfies the requirement for access control to the TOE and its objects based on the number of concurrent users by preventing users from editing the same object.

FDP_ACC.1 Subset access control (3)
F.AAA satisfies the requirement for access control of an AAA Appliance through authentication of telecommunications users.

FDP_ACF.1 Security attribute based access control (3)
F.AAA satisfies the requirement for access control to an AAA Appliance based on the security attributes of user ID and PIN.

FDP_ETC.1 Export of user data without security attributes
F.SECTEL satisfies this requirement to restrict the export of cryptographic keys to authorised processes.

FDP_IFC.1 Subset information flow control (1)
F.SECTEL, F.TELBLK, F.TELALW, and F.FAIL combine to satisfy the requirement to enforce information flow control on external IT entities that send and receive information across the telecommunications lines, based on security attributes. Telecommunication calls are allowed, blocked, or encrypted based on call attributes.
In the event of TOE failure, fail-safe or fail-secure operation is allowed (for 1000 series Appliances).

FDP_IFF.1 Simple security attributes (1)
F.SECTEL, F.TELBLK, F.TELALW, and F.FAIL combine to satisfy the requirement to enforce information flow control on external IT entities that send and receive information across the telecommunication lines, based on security attributes.

FDP_IFC.1 Subset information flow control (2)
F.NETBLK satisfies the requirement to enforce information flow control on external IT entities that send and receive information across the network, based on security attributes.

FDP_IFF.1 Simple security attributes (2)
F.NETBLK and F.CRYPTO satisfy the requirement to enforce information flow control on external IT entities that send and receive information across the network, based on security attributes. Data is protected from modification or disclosure when it is transmitted between separate parts of the TOE by validating the IP address and the username and password, by authenticating communications with a variable handshake, and by encrypting the data with a valid cryptographic key and algorithm.

FDP_ITC.1 Import of user data without security attributes
F.ADMIN and F.SECTEL satisfy this requirement to restrict the import of cryptographic keys to authorised administrators and processes.

FIA_AFL.1 Authentication failure handling (1)
F.ADMIN satisfies the requirement to restrict access to authorised administrators by temporarily turning off access to the TOE (Telnet to sensor only) after a set number of failed login attempts.

FIA_AFL.1 Authentication failure handling (2)
F.AAA satisfies the requirement to restrict access to AAA Appliances to authorised telecommunications users by turning off access after a set number of failed login attempts.

FIA_ATD.1 User attribute definition (1)
F.ADMIN satisfies the requirement for user attributes.
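The FIA_AFL.1 behaviour described above, turning access off after a set number of failed login attempts (temporarily, in the Telnet case), as an added example in Go that is not code from the ST or from the ETM® System. The threshold, the lockout period, the injected clock and the type and function names are assumptions made here; the credential check is passed in as a function so the same tracker serves administrator passwords and AAA Appliance PINs.

```go
package main

import (
	"fmt"
	"time"
)

// FailureLockout tracks consecutive authentication failures per identity and
// turns access off for a fixed period once a threshold is reached. Threshold,
// period and the injected clock are assumptions for this example.
type FailureLockout struct {
	Threshold   int
	Period      time.Duration
	Now         func() time.Time
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewFailureLockout(threshold int, period time.Duration, now func() time.Time) *FailureLockout {
	return &FailureLockout{
		Threshold:   threshold,
		Period:      period,
		Now:         now,
		failures:    map[string]int{},
		lockedUntil: map[string]time.Time{},
	}
}

// Locked reports whether the identity is currently locked out. An expired
// lockout is cleared and the failure counter reset.
func (l *FailureLockout) Locked(id string) bool {
	until, ok := l.lockedUntil[id]
	if !ok {
		return false
	}
	if l.Now().Before(until) {
		return true
	}
	delete(l.lockedUntil, id)
	l.failures[id] = 0
	return false
}

// Attempt evaluates one login. verify performs the credential check (password
// or PIN) and is only invoked when the identity is not locked, so a correct
// credential presented during a lockout is still refused. The returned reason
// is suitable for an audit record.
func (l *FailureLockout) Attempt(id string, verify func() bool) (bool, string) {
	if l.Locked(id) {
		return false, "locked out"
	}
	if verify() {
		l.failures[id] = 0
		return true, "authenticated"
	}
	l.failures[id]++
	if l.failures[id] >= l.Threshold {
		l.lockedUntil[id] = l.Now().Add(l.Period)
		return false, fmt.Sprintf("locked out after %d failures", l.failures[id])
	}
	return false, "authentication failed"
}

func main() {
	// Constructed demonstration: three wrong PINs lock "user17" for 15 minutes.
	l := NewFailureLockout(3, 15*time.Minute, time.Now)
	for i := 0; i < 4; i++ {
		ok, reason := l.Attempt("user17", func() bool { return false })
		fmt.Println(ok, reason)
	}
}
```

Two design points matter for the ST's objectives: the lockout is keyed per identity, so a flood of failures against one account does not deny service to the others, and the reason strings give F.AUDEVT something distinct to record for a refused attempt versus an attempt refused because the account was already locked.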
FIA_ATD.1 User attribute definition (2)
F.AAA satisfies the requirement for telecommunications user attributes.

FIA_SOS.1 Verification of secrets (1) & (2)
F.ADMIN and F.AAA satisfy the requirement for quality metrics of secrets (user attributes).

FIA_UAU.1 Timing of authentication
F.ADMIN and F.AAA satisfy the requirement for user authentication.

FIA_UID.1 Timing of identification
F.ADMIN and F.AAA satisfy the requirement for user identification.

FMT_MOF.1 Management of security functions behaviour
F.HMI satisfies the requirement for the TOE to provide the user with the capability to manage the security functions of the TOE through external interfaces.

FMT_MSA.1 Management of security attributes (1) & (2)
F.HMI satisfies the requirement for the TOE to provide the user with the capability to manage the security attributes of the TOE.

FMT_MSA.2 Secure security attributes
F.SECTEL satisfies the requirement for the TOE to ensure that only secure values are accepted for security attributes.

FMT_MSA.3 Static attribute initialisation
F.INIT satisfies the requirement for the default TOE configuration.

FMT_MTD.1 Management of TSF data
F.HMI satisfies the requirement for the TOE to provide the user with the capability to manage the TSF data.

FMT_SMF.1 Specification of management functions
F.HMI satisfies the requirement for the TSF to be capable of performing specific security management functions.

FMT_SMR.1 Security roles
F.ADMIN satisfies the requirement for the various (administrator) security roles, and F.HMI satisfies the requirement for the TOE to provide the administrator with the capability to manage the security attributes of the TOE.
FPT_ITT.1 Basic internal TSF data transfer protection
F.NETBLK satisfies the requirement to protect TSF data when transmitted between separate components of the TOE.

FPT_RVM.1 Non-bypassability of the TSP
F.PROTSF satisfies the requirement for the TOE to ensure the non-bypassability of the TSP.

FPT_SEP.1 TSF domain separation
F.PROTSF satisfies the requirement for the TOE to protect the TSF through domain separation.

FPT_STM.1 Reliable time stamps
F.AUDINF and F.TIME combine to satisfy the requirement for the TOE to provide a reliable time and date for time stamping audit log entries.

FTP_TRP.1 Trusted path
F.NETBLK and F.CRYPTO satisfy the requirement to provide a trusted path to the TOE appliances.

8.3.2 TOE Assurance Measures Rationale

Table 11 provides a mapping of Assurance Measures to Security Assurance Requirements and is followed by a short discussion of how the Security Assurance Requirements are addressed by the corresponding Assurance Measures.

Table 11. Mapping of Assurance Measures to Security Assurance Requirements

Each Security Assurance Requirement is listed with the assurance measures (M.ID, M.SYSTEM, M.GETTOE, M.SETUP, M.SPEC, M.TRACE, M.DOCS, M.TEST and M.SECASS) marked against it.

Security Assurance Requirement    Assurance Measures
ACM_CAP.3                         M.ID, M.SYSTEM
ACM_SCP.1                         M.SYSTEM
ADO_DEL.1                         M.GETTOE
ADO_IGS.1                         M.SETUP
ADV_FSP.1                         M.SPEC
ADV_HLD.1                         M.SPEC
ADV_RCR.1                         M.TRACE
AGD_ADM.1                         M.DOCS
AGD_USR.1                         M.DOCS
ALC_DVS.1                         M.SYSTEM
ATE_COV.1                         M.TEST
ATE_FUN.1                         M.TEST
ATE_IND.2                         M.TEST
AVA_SOF.1                         M.SECASS
AVA_VLA.1                         M.TEST, M.SECASS

ACM_CAP.3 Authorisation controls
M.ID and M.SYSTEM combine to satisfy the requirement for configuration management.

ACM_SCP.1 TOE CM coverage
M.SYSTEM satisfies the requirement for CM tracking of all TOE configuration items and associated documentation.

ADO_DEL.1 Delivery procedures
M.GETTOE satisfies the requirement for delivery procedures.

ADO_IGS.1 Installation, generation, and start-up procedures
M.SETUP satisfies the requirement for installation, generation, and start-up procedures.
ADV_FSP.1 Informal functional specification
M.SPEC satisfies the requirement for a functional specification.

ADV_HLD.1 Descriptive high-level design
M.SPEC satisfies the requirement for a high-level design specification.

ADV_RCR.1 Informal correspondence demonstration
M.TRACE satisfies the requirement for design specifications that are consistent throughout the documentation.

AGD_ADM.1 Administrator guidance
M.DOCS satisfies the requirement for administrator guidance documentation.

AGD_USR.1 User guidance
M.DOCS satisfies the requirement for user guidance documentation.

ALC_DVS.1 Identification of security measures
M.SYSTEM satisfies the requirement for TOE developmental security.

ATE_COV.1 Evidence of coverage
M.TEST satisfies the requirement for evidence that all TOE security functions have been tested.

ATE_FUN.1 Functional testing
M.TEST satisfies the requirement for evidence that TOE security functions have been tested.

ATE_IND.2 Independent testing – sample
M.TEST satisfies the requirement for evidence that TOE security functions have been tested.

AVA_SOF.1 Strength of TOE security function evaluation
M.SECASS satisfies the requirement for evidence that all TOE security functions have been examined to ensure their strength against threats.

AVA_VLA.1 Developer vulnerability analysis
M.TEST and M.SECASS combine to satisfy the requirement for evidence that the TOE has been examined and tested in an effort to discover vulnerabilities.
9 ACRONYMS AND ABBREVIATIONS

Acronym        Definition
AAA            Authorisation, Authentication, and Accounting
ANSI           American National Standards Institute
ASCII          American Standard Code for Information Interchange
CC             Common Criteria for Information Technology Security Evaluation
CD-ROM         Compact Disc, read-only memory
CFB            Cipher-feedback mode
CM             Configuration Management
CO             Central Office (Telecommunication provider)
CRYPTO         Cryptography
CRYPTO_SFP     CRYPTO Security Functional Policy
DBMS           Database Management System
DES            Data Encryption Standard
E1             E-carrier First level
EAL            Evaluation Assurance Level
ETM®           Enterprise Telephony Management
FIPS           Federal Information Processing Standards
HMI            Human Machine Interface
ID             Identification
IP             Internet Protocol
ISDN           Integrated Services Digital Network
IT             Information Technology
NETWORK_SFP    NETWORK Security Functional Policy
PBX            Private Branch Exchange
PC             Personal Computer
PIN            Personal Identification Number
PRI            Primary Rate Interface
PSTN           Public Switched Telephone Network
RS-232         Recommended Standard-232
SFP            Security Functional Policy
SNMP           Simple Network Management Protocol
SOF            Strength of Function
SP6A           Service Pack Six A – for Windows NT 4.0
SS7            Signalling System 7
ST             Security Target
STU            Secure Telephone Unit
TELCO          Telecommunications
TELCO_SFP      TELCO Security Functional Policy
T1             T-carrier First level
TCP            Transmission Control Protocol
TOE            Target of Evaluation
TSF            TOE Security Functions
TSP            TOE Security Policy
VPN            Virtual Private Network
Windows® NT    Windows® New Technology