Case type 5.3
Registration number: 23FMV5101-22
Document ID: CSEC2023013
According to the Protective Security Act (2018:585)
SECRECY According to the Public Access to Information and Secrecy Act (2009:400)
2024-10-08

Försvarets materielverk
Swedish Defence Material Administration

Swedish Certification Body for IT Security
Certification Report F5 BIG-IP v17.1.0.1 SSLO
Issue: 1.0, 2024-Oct-08
Authorisation: Jerry Johansson, Lead certifier, CSEC

Table of Contents
1 Executive Summary
2 Identification
3 Security Policy
3.1 Security Audit
3.2 Cryptographic Support
3.3 User Data Protection
3.4 Identification and Authentication
3.5 Security Function Management
3.6 Protection of the TSF
3.7 TOE Access
3.8 Trusted Path / Channels
4 Assumptions and Clarification of Scope
4.1 Assumptions on Usage and Environment
4.2 Clarification of Scope
5 Architectural Information
6 Documentation
7 IT Product Testing
7.1 Evaluator Testing
7.2 Penetration Testing
8 Evaluated Configuration
9 Results of the Evaluation
10 Evaluator Comments and Recommendations
11 Glossary
12 Bibliography
Appendix A Scheme Versions
A.1 Scheme/Quality Management System
A.2 Scheme Notes

1 Executive Summary

The Target of Evaluation (TOE) is a networking device comprised of hardware and software. The TOE provides network traffic management functionality, e.g. local traffic management and access policy management.
The TOE consists of the software version 17.1.0.1 including SSLO, build 17.1.0.1-0.61.4, installed on one of the following hardware appliances:
● i4000 model series, including i4600, and i4800
● i5000 model series, including i5600, i5800, and i5820-DF
● i7000 model series, including i7600, i7800, and i7820-DF
● i10000 model series, including i10600, and i10800
● i11000-DS model series, including i11600-DS, and i11800-DS
● i15000 model series, including i15600, i15800 and i15820-DF
● C2400 with B2250
● C4480 with B4450
● R4000 model series, including R4600 and R4800
● R5000 model series, including R5600, R5800, R5900, and R5920-DF
● R10000 model series, including R10600, R10800, R10900, and R10920-DF
● R12000 model series, including R12600DS, R12800DS, and R12900DS
● CX410 with BX110

The TOE hardware appliances above are delivered via common carrier from an authorized subcontractor. The TOE software is downloaded from the F5 website.

The Security Target [ST] claims exact conformance to the PP-Configuration for Network Device and SSL/TLS Inspection Proxy, v1.1 [CFG], which combines the collaborative Protection Profile for Network Devices, v2.2e [NDcPP], and the PP-Module for SSL/TLS Inspection Proxy, v1.1 [MOD]. A list of the NIT technical decisions considered during the evaluation is available in the ST.

There are seven assumptions being made in the ST regarding the secure usage and the operational environment of the TOE. The TOE relies on these to counter the seventeen threats and comply with the two organisational security policies (OSPs) in the ST. The assumptions, threats, and the OSPs are described in chapter 4 Assumptions and Clarification of Scope.

The evaluation has been performed by atsec information security AB and was completed on 2024-Sep-23. The evaluation was conducted in accordance with the requirements of Common Criteria, version 3.1, release 5, and the Common Methodology for IT Security Evaluation, version 3.1, release 5.
The evaluation meets the requirements of evaluation assurance level EAL 1, augmented by ASE_SPD.1 Security Problem Definition, and the Evaluation Activities for the Collaborative Protection Profile for Network Devices [SD NDcPP], and for the PP-Module for SSL/TLS Inspection Proxy [SD MOD].

atsec information security AB is a licensed evaluation facility for Common Criteria under the Swedish Common Criteria Evaluation and Certification Scheme. atsec information security AB is also accredited by the Swedish accreditation body SWEDAC according to ISO/IEC 17025 for Common Criteria evaluation.

The certifier monitored the activities of the evaluator by reviewing all successive versions of the evaluation reports. The certifier determined that the evaluation results confirm the security claims in the Security Target [ST], and have been reached in agreement with the requirements of the Common Criteria and the Common Methodology for the evaluation assurance level:

EAL 1 + ASE_SPD.1 and in accordance with the Evaluation Activities for the Collaborative Protection Profile for Network Devices [SD NDcPP], and for the PP-Module for SSL/TLS Inspection Proxy [SD MOD].

The technical information in this report is based on the Security Target and the Final Evaluation Report (FER) produced by atsec information security AB.

The certification results only apply to the version of the product indicated in the certificate, and on the condition that all the stipulations in the Security Target are met.

This certificate is not an endorsement of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate is either expressed or implied.

2 Identification

Certification Identification
Certification ID: CSEC2023013
Name and version of the certified IT product: F5 BIG-IP 17.1.0.1 including SSLO build 17.1.0.1-0.61.4
Security Target Identification: F5 BIG-IP® 17.1.0.1 including SSLO Security Target, F5 Inc., 2024-September-09, document version 7.5
EAL: EAL 1 + ASE_SPD.1 (STIP CFG v1.1)
Sponsor: F5 Inc.
Developer: F5 Inc.
ITSEF: atsec information security AB
Common Criteria version: 3.1 release 5
CEM version: 3.1 release 5
QMS version: 2.5.2
Scheme Notes Release: 22.0
Recognition Scope: CCRA and EA/MLA
Certification date: 2024-Oct-11

3 Security Policy

The TOE provides the following security services:
• Security Audit
• Cryptographic Support
• User Data Protection
• Identification and Authentication
• Security Function Management
• Protection of the TSF
• TOE Access
• Trusted Path / Channels

3.1 Security Audit

BIG-IP implements syslog capabilities to generate audit records for security-relevant events. In addition, the BIG-IP protects the audit trail from unauthorized modifications and loss of audit data due to insufficient space.

3.2 Cryptographic Support

In BIG-IP, cryptographic functionality in the control plane is provided by the OpenSSL cryptographic module. The BIG-IP provides a secure shell (SSH) to allow administrators to connect over a dedicated network interface. BIG-IP also implements the TLS protocol to allow administrators to remotely manage the TOE. BIG-IP implements a TLS client for interactions with other TLS servers. The BIG-IP SSLO cryptography is provided by the cryptographic module within TMM, also based on OpenSSL.
SSLO implements the TLS protocol with forward proxy capabilities including inspection processing, bypassing inspection processing, and blocking unauthorized sessions.

Both of these cryptographic implementations utilize a cryptographic module which provides random number generation, key generation, key establishment, key storage, key destruction, hash operations, encryption/decryption operations, and digital signature operations. A limited Certification Authority (CA) is also embedded in the BIG-IP SSLO to issue certificates in order to establish TLS sessions with the monitored client and the requested server endpoint.

3.3 User Data Protection

The BIG-IP SSLO implements certificate profiles for TLS server certificates issued by the CA embedded in the TOE, enforces TLS plaintext processing policies, ensures residual information contained in TLS buffers is not available, protects trusted public keys and certificates used in SSLO, and performs inspection operations and proxy functions of SSLO sessions.

3.4 Identification and Authentication

An internal password-based repository is implemented for authentication of management users. BIG-IP enforces a strong password policy and disables user accounts after a configured number of failed authentication attempts.

3.5 Security Function Management

A command line interface (available via the traffic management shell "tmsh"), web-based GUI ("Configuration utility"), a SOAP-based API ("iControl API"), and a REST-based API ("iControl REST API") are offered to administrators for all relevant configuration of security functionality. The TOE manages configuration objects in a partition which includes users, server pools, etc.
This includes the authentication of administrators by user name and password, as well as access control based on predefined roles and, optionally, groups of objects ("Profiles"). "Profiles" can be defined for individual servers and classes of servers that the TOE forwards traffic from clients to, and for traffic that matches certain characteristics, determining the kind of treatment applicable to that traffic. Management capabilities offered by the TOE include the definition of templates for certain configuration options. The management functionality also implements roles for separation of duties.

3.6 Protection of the TSF

BIG-IP implements many capabilities to protect the integrity and management of its own security functionality. These capabilities include the protection of sensitive data, such as passwords and keys, self-tests, product update verification, and reliable time stamping.

3.7 TOE Access

Prior to interactive user authentication, the BIG-IP can display an administrative-defined banner. BIG-IP terminates interactive sessions after an administrator-defined period of inactivity and allows users to terminate their own authenticated session.

3.8 Trusted Path / Channels

The TOE protects remote connections to its management interfaces with TLS and SSH. The TOE also protects communication channels with audit servers using TLS.

4 Assumptions and Clarification of Scope

4.1 Assumptions on Usage and Environment

The Security Target [ST] makes seven assumptions on the usage and the operational environment of the TOE.

A.PHYSICAL_PROTECTION
The Network Device is assumed to be physically protected in its operational environment and not subject to physical attacks that compromise the security and/or interfere with the device's physical interconnections and correct operation.
This protection is assumed to be sufficient to protect the device and the data it contains. As a result, the cPP will not include any requirements on physical tamper protection or other physical attack mitigations. The cPP will not expect the product to defend against physical access to the device that allows unauthorized entities to extract data, bypass other controls, or otherwise manipulate the device. For vNDs, this assumption applies to the physical platform on which the VM runs.

A.LIMITED_FUNCTIONALITY
The device is assumed to provide networking functionality as its core function and not provide functionality/services that could be deemed as general purpose computing. For example the device should not provide a computing platform for general purpose applications (unrelated to networking functionality).

In the case of vNDs, the VS is considered part of the TOE with only one vND instance for each physical hardware platform. The exception being where components of the distributed TOE run inside more than one virtual machine (VM) on a single VS. There are no other guest VMs on the physical platform providing non-Network Device functionality.

The assumed functionality of the TOE includes the behavior needed to satisfy the functional claims of STIPM.

A.NO_THRU_TRAFFIC_PROTECTION
The standard/generic Network Device does not provide any assurance regarding the protection of traffic that traverses it. The intent is for the network device to protect data that originates on or is destined to the device itself, to include administrative data and audit data. Traffic that is traversing the Network Device, destined for another network entity, is not covered by the NDcPP. It is assumed that this protection will be covered by cPPs and PP-Modules for particular types of network devices (e.g., firewall).

This assumption only applies to the interfaces of the TOE that are defined by the NDcPP and not STIPM.

A.TRUSTED_ADMINISTRATOR
The Security Administrator(s) for the Network Device are assumed to be trusted and to act in the best interest of security for the organization. This includes being appropriately trained, following policy, and adhering to guidance documentation. Administrators are trusted to ensure passwords/credentials have sufficient strength and entropy and to lack malicious intent when administering the device. The Network Device is not expected to be capable of defending against a malicious Administrator that actively works to bypass or compromise the security of the device.

For TOEs supporting X.509v3 certificate-based authentication, the Security Administrator(s) are expected to fully validate (e.g. offline verification) any CA certificate (root CA certificate or intermediate CA certificate) loaded into the TOE's trust store (aka 'root store', 'trusted CA Key Store', or similar) as a trust anchor prior to use (e.g. offline verification).

The functional claims of STIPM offer a limited ability to protect against malicious administrators, which is not within the scope of the original assumption.

A.REGULAR_UPDATES
The Network Device firmware and software is assumed to be updated by an Administrator on a regular basis in response to the release of product updates due to known vulnerabilities.

A.ADMIN_CREDENTIALS_SECURE
The Administrator's credentials (private key) used to access the Network Device are protected by the platform on which they reside.

A.RESIDUAL_INFORMATION
The Administrator must ensure that there is no unauthorized access possible for sensitive residual information (e.g., cryptographic keys, keying material, PINs, passwords, etc.) on networking equipment when the equipment is discarded or removed from its operational environment.
Residual information is expanded to include information relevant to STIP operation (e.g. decrypted SSL/TLS payload, ephemeral keys).

4.2 Clarification of Scope

The Security Target contains seventeen threats, which have been considered during the evaluation.

T.UNAUTHORIZED_ADMINISTRATOR_ACCESS
Threat agents may attempt to gain Administrator access to the Network Device by nefarious means such as masquerading as an Administrator to the device, masquerading as the device to an Administrator, replaying an administrative session (in its entirety, or selected portions), or performing man-in-the-middle attacks, which would provide access to the administrative session, or sessions between Network Devices. Successfully gaining Administrator access allows malicious actions that compromise the security functionality of the device and the network on which it resides.

T.WEAK_CRYPTOGRAPHY
Threat agents may exploit weak cryptographic algorithms or perform a cryptographic exhaust against the key space. Poorly chosen encryption algorithms, modes, and key sizes will allow attackers to compromise the algorithms, or brute force exhaust the key space and give them unauthorized access allowing them to read, manipulate and/or control the traffic with minimal effort.

T.UNTRUSTED_COMMUNICATION_CHANNELS
Threat agents may attempt to target Network Devices that do not use standardized secure tunneling protocols to protect the critical network traffic. Attackers may take advantage of poorly designed protocols or poor key management to successfully perform man-in-the-middle attacks, replay attacks, etc. Successful attacks will result in loss of confidentiality and integrity of the critical network traffic, and potentially could lead to a compromise of the Network Device itself.

T.WEAK_AUTHENTICATION_ENDPOINTS
Threat agents may take advantage of secure protocols that use weak methods to authenticate the endpoints, e.g., shared password that is guessable or transported as plaintext. The consequences are the same as a poorly designed protocol, the attacker could masquerade as the Administrator or another device, and the attacker could insert themselves into the network stream and perform a man-in-the-middle attack. The result is the critical network traffic is exposed and there could be a loss of confidentiality and integrity, and potentially the Network Device itself could be compromised.

T.UPDATE_COMPROMISE
Threat agents may attempt to provide a compromised update of the software or firmware which undermines the security functionality of the device. Non-validated updates or updates validated using non-secure or weak cryptography leave the update firmware vulnerable to surreptitious alteration.

T.UNDETECTED_ACTIVITY
Threat agents may attempt to access, change, and/or modify the security functionality of the Network Device without Administrator awareness. This could result in the attacker finding an avenue (e.g., misconfiguration, flaw in the product) to compromise the device and the Administrator would have no knowledge that the device has been compromised.

T.SECURITY_FUNCTIONALITY_COMPROMISE
Threat agents may compromise credentials and device data enabling continued access to the Network Device and its critical data. The compromise of credentials includes replacing existing credentials with an attacker's credentials, modifying existing credentials, or obtaining the Administrator or device credentials for use by the attacker.

T.PASSWORD_CRACKING
Threat agents may be able to take advantage of weak administrative passwords to gain privileged access to the device.
Having privileged access to the device provides the attacker unfettered access to the network traffic and may allow them to take advantage of any trust relationships with other Network Devices.

T.SECURITY_FUNCTIONALITY_FAILURE
An external, unauthorized entity could make use of failed or compromised security functionality and might therefore subsequently use or abuse security functions without prior authentication to access, change or modify device data, critical network traffic or security functionality of the device.

T.UNTRUSTED_COMMUNICATION
Untrusted intermediate systems have access to provide unauthorized communications to the TOE, or to manipulate authorized TLS messages in an attempt to compromise the TOE, the monitored clients, or the requested servers. Within this PP-Module, the focus is on an adversary that controls or exploits a requested server that may attempt to cause the device to inappropriately bypass inspection.

Use of weak cryptography can allow adversary access to plaintext intended by the monitored clients to be encrypted. Such access could disclose user passwords that facilitate additional activities against users of monitored clients. Within this PP-Module, the focus is on the use of weak cryptography and adversary attempts to degrade the cryptographic operations within the TLS protocol.

External network security devices may communicate with the TOE to apply security services to the exposed plaintext. An adversary may attempt to gain access to the plaintext via misrouting of traffic or manipulate the traffic in such a way as to cause unauthorized exposure, denial of service, or corruption of the underlying plaintext.

T.AUDIT
Certificates issued by the device are trusted by monitored clients, and are required for analysis if traffic processed by the device causes the client to fail or become compromised.
Unknown activity related to the issuance and use of certificates can allow an adversary to mask client exploits through or via the TOE, especially if the device fails before the incident can be understood. Unknown activity associated with routing configurations, communications with the TOE, as well as the decision to bypass inspection of traffic can allow an adversary to mask attempts to access monitored clients.

T.UNAUTHORIZED_USERS
In addition to managing administrative credentials, authorized users may have role restrictions to limit their access to the device's certification authority functionality. In addition to the threat of disclosure or modification of authorized user credentials to users without authorized access to the device, a user with limited access might attempt to extend their access by gaining access to other users' credentials.

T.CREDENTIALS
In addition to device credentials used in protected communications, the device maintains a trusted certification authority signing key. A malicious user or flawed TOE implementation may cause the disclosure or unauthorized manipulation of the signing key which can result in unintended certificates, signed executables, or signed data that would be trusted by monitored clients. Any modification of the signing key can result in denial of service to inspection capabilities, or to the monitored clients.

T.SERVICES
Manipulation of the device can result in issued certificates being used for unauthorized purposes or abuse of inspection services. An authorized user (AU) (or adversary able to gain access to AU credentials) can access or misuse device services, or disclose sensitive or security critical data.

T.DEVICE_FAILURE
Failure of the certification authority component can result in unauthorized or improperly constrained certificates, or the inability to properly manage the validity of issued certificates. Failure of routing traffic to inspection processing (internal or external) can result in unauthorized disclosure or modification of traffic, or denial of service to monitored clients.

T.UNAUTHORIZED_DISCLOSURE
In addition to general threats to network devices, the TOE controls access to sensitive data that is intended by the monitored client to be encrypted. A malicious user or flawed TOE implementation could cause data to be transmitted in cleartext for which a user has a reasonable expectation of confidentiality.

T.INAPPROPRIATE_ACCESS
Decryption services applied to traffic between monitored clients and unintended servers can violate privacy laws, or disclose unauthorized traffic to inspection processes. Certification authority signature applied to unauthorized data could facilitate adversary exploits of monitored clients.

The Security Target contains two Organisational Security Policies (OSPs), which have been considered during the evaluation.

P.ACCESS_BANNER
The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the TOE.

P.AUTHORIZATION_TO_INSPECT
The authority to inspect client traffic may be limited by law, regulation, or policies based on the monitored client, requested server, or nature of the traffic. The TOE may be required to additionally provide a consent to monitor notice for users whose traffic is inspected by the device, if the monitored client might not provide such a banner.

5 Architectural Information

The TOE is separated into two (2) distinct planes, the control plane and the data plane. The control plane validates, stores, and passes configuration data to all necessary systems. It also provides all administrative access to the TOE. The data plane passes user traffic through the TOE.

The TOE implements and supports the following network protocols: TLS (client and server), SSH, HTTPS, FTP.

The TOE protects remote connections to its management interfaces with TLS and SSH. The TOE also protects communication channels with audit servers using TLS (TLSv1.1 and TLSv1.2). The cryptographic functionality implemented in the TOE is provided by OpenSSL.

The TOE is divided into the following subsystems:
• F5 Device Hardware,
• F5 platform layer for rSeries or VELOS devices,
• Traffic Management Operating System (TMOS),
• Traffic Management Micro-kernel (TMM),
• SSL Orchestrator (SSLO), and
• Local Traffic Manager (LTM).

Figure: BIG-IP subsystems for F5 devices (except rSeries and VELOS)

Figure: BIG-IP subsystems for F5 rSeries and VELOS devices

6 Documentation

The main guide to installing the TOE into the evaluated configuration is:

[ECG] BIG-IP Common Criteria Evaluation Configuration Guide BIG-IP Release 17.1.0.1 Including SSLO

The [ST], section 1.6.3.2 provides a full list of the guidance documents that are part of the TOE. The TOE documentation is collected in an ISO file that can be downloaded via https from the F5 website.

7 IT Product Testing

7.1 Evaluator Testing

The cryptographic testing was performed within the Cryptographic Algorithm Validation Program (CAVP). The CAVP certificates cover all TOE hardware appliances.

All other tests were performed on the i7800, r5900, and the r12900 models, and on the VELOS CX410 with BX410, all with the software build 17.1.0.1-0.61.4.

The evaluator testing was successful and did not reveal any errors.

7.2 Penetration Testing

Port scanning was performed to find open ports that should not be open on the i7800, r5900, and the r12900 models, and on the VELOS CX410 with BX410, all with the software build 17.1.0.1-0.61.4.

No discrepancies were found during the penetration testing.

8 Evaluated Configuration

The following configuration specifics apply to the evaluated configuration of the TOE:
• Appliance mode is licensed. Appliance mode disables root access to the TOE operating system and disables bash shell.
• Certificate validation is performed using CRLs.
• Disabled interfaces:
  - All command shells other than tmsh are disabled. For example, bash and other user-serviceable shells are excluded.
  - Management of the TOE via SNMP is disabled.
  - Management of the TOE via the appliance's LCD display is disabled. (applicable to F5 devices)
  - Remote (i.e., SSH) access to the Lights Out / Always On Management capabilities of the system is disabled. (applicable to F5 devices)
  - SSH client

9 Results of the Evaluation

The evaluators applied each work unit of the Common Methodology [CEM] within the scope of the evaluation, and concluded that the TOE meets the security objectives stated in the Security Target [ST] for an attack potential of Basic. The evaluators also applied all assurance activities implied by the PP-Configuration [CFG], the collaborative PP [NDcPP] and the STIP PP-Module [MOD].

The certifier reviewed the work of the evaluators and determined that the evaluation was conducted in accordance with the Common Criteria [CC] and the evaluation activities implied by the PP-Configuration [CFG], the collaborative PP [NDcPP] and the STIP PP-Module [MOD].

The evaluators' overall verdict is PASS.

The verdicts for the respective assurance classes and components are summarised in the following table:

Assurance Class/Family                          Short name   Verdict
Development                                     ADV          PASS
  Functional Specification                      ADV_FSP.1    PASS
Guidance Documents                              AGD          PASS
  Operational User Guidance                     AGD_OPE.1    PASS
  Preparative Procedures                        AGD_PRE.1    PASS
Life-cycle Support                              ALC          PASS
  CM Capabilities                               ALC_CMC.1    PASS
  CM Scope                                      ALC_CMS.1    PASS
Security Target Evaluation                      ASE          PASS
  ST Introduction                               ASE_INT.1    PASS
  Conformance Claims                            ASE_CCL.1    PASS
  Security Problem Definition                   ASE_SPD.1    PASS
  Security Objectives                           ASE_OBJ.1    PASS
  Extended Components Definition                ASE_ECD.1    PASS
  Security Requirements                         ASE_REQ.1    PASS
  TOE Summary Specification                     ASE_TSS.1    PASS
Tests                                           ATE          PASS
  Independent Testing                           ATE_IND.1    PASS
Vulnerability Assessment                        AVA          PASS
  Vulnerability Analysis                        AVA_VAN.1    PASS
Evaluation Activities for the NDcPP                          PASS
Evaluation Activities for the STIP PP-Module                 PASS

10 Evaluator Comments and Recommendations

None.

11 Glossary

ADC      Application Delivery Controller
AFM      Advanced Firewall Manager
APM      Access Policy Manager
CA       Certificate Authority
CC       Common Criteria
CEM      Common Evaluation Methodology
CLI      Command Line Interface
CRL      Certificate Revocation List
GUI      Graphical User Interface
HTTP     Hypertext Transfer Protocol
HTTPS    HTTP Secure
IP       Internet Protocol
IPv4     Internet Protocol version 4
IPv6     Internet Protocol version 6
LTM      Local Traffic Manager
NDcPP    Network Device Collaborative Protection Profile
OS       Operating System
PP       Protection Profile
SHA      Secure Hash Algorithm
SSH      Secure Shell
ST       Security Target
TCP      Transmission Control Protocol
TLS      Transport Layer Security
TOE      Target of Evaluation
TMM      Traffic Management Microkernel
TMOS     Traffic Management Operating System
tmsh     Traffic management shell
TSF      TOE Security Functions
TSFI     TSF Interface
UDP      User Datagram Protocol

12 Bibliography

[ST] F5 BIG-IP® 17.1.0.1 including SSLO Security Target, F5 Inc., 2024-September-09, document version 7.5
[ECG] BIG-IP Common Criteria Evaluation Configuration Guide BIG-IP Release 17.1.0.1 Including SSLO
[CFG] PP-Configuration for Network Device and SSL/TLS Inspection Proxy, 2023-10-06, document version 1.1, (STIP CFG)
[NDcPP] collaborative Protection Profile for Network Devices, 2020-03-23, document version 2.2e
[SD NDcPP] Supporting Document - Evaluation Activities for Network Device cPP, 2019-12-20, document version 2.2
[MOD] PP-Module for SSL/TLS Inspection Proxy Version 1.1, 2022-11-17, document version 1.1 (STIP PP-MOD)
[SD MOD] Supporting Document Mandatory Technical Document PP-Module for SSL/TLS Inspection Proxy, 2022-11-17, document version 1.1
[CCpart1] Common Criteria for Information Technology Security Evaluation, Part 1, version 3.1 revision 5, CCMB-2017-04-001
[CCpart2] Common Criteria for Information Technology Security Evaluation, Part 2, version 3.1 revision 5, CCMB-2017-04-002
[CCpart3] Common Criteria for Information Technology Security Evaluation, Part 3, version 3.1 revision 5, CCMB-2017-04-003
[CC] CCpart1 + CCpart2 + CCpart3
[CEM] Common Methodology for Information Technology Security Evaluation, version 3.1 revision 5, CCMB-2017-04-004

Appendix A Scheme Versions

During the certification the following versions of the Swedish Common Criteria Evaluation and Certification scheme have been used.

A.1 Scheme/Quality Management System

Version   Introduced    Impact of changes
2.5.2     2024-06-14    None.
2.5.1     2024-02-29    None.
2.5       2024-01-25    None.
2.4.1     Application   Original version

A.2 Scheme Notes

Scheme Note 18 - ST Requirements
Scheme Note 21 - NIAP PP Certifications
Scheme Note 22 - Vulnerability assessment
Scheme Note 23 - Evaluation reports for NIAP PPs and cPPs
Scheme Note 25 - Use of CAVP-tests in CC evaluations
Scheme Note 27 - ST requirements at the time of application for certification
Scheme Note 28 - Updated procedures for application, evaluation and certification